Version: 4.3.0

Installing and configuring the SAS Proxy (optional)

Most organizations have a so-called DMZ (or demilitarized zone/perimeter network) which exposes the organization's external-facing services to a larger untrusted network (typically the Internet). A common scenario is to install the iCore Administrator application on a web server running in the DMZ, to allow access from an outside network.

However, due to security concerns it may be undesirable to allow incoming connections from the DMZ to the internal network, and since the Administrator normally needs to be able to establish connections to the iCore System Access Service (running on the internal network), this creates a problem.

A solution is provided by the System Access Service Proxy, or SAS Proxy. The service is installed in the DMZ, and is responsible for relaying traffic to the System Access Service on the internal network. Connections to the SAS Proxy are always initiated by the System Access Service, which means that no incoming connections from the DMZ to the internal network need to be allowed. Note however that connections from the internal network to the port at which the System Access Service Proxy is running must still be allowed.

This topic explains how to install, configure, update and uninstall the System Access Service Proxy.

Prerequisites

  • You need to install iCore Process Server on the machine where you want to run the SAS proxy. Installation and configuration of the SAS Proxy is done with PowerShell cmdlets.

Required Windows roles and features

The following features must be installed and configured in the operating system. If you are running Windows Server 2012 or later, the SAS Proxy installation scripts will automatically verify that the features are installed and offer to install them if they are not. On earlier versions of the operating system, this verification/installation must be performed manually.

  • Web Server (IIS)
    • .NET Extensibility 4.5
    • ASP.NET 4.5
  • .NET Framework 4.5 Features
    • WCF Services
    • TCP Activation
note

Windows 2008 R2 comes with only .NET Framework 3.5 available in the roles/feature selection of the Server Manager. Start by activating the features mentioned above, then install .NET Framework 4.5 manually. Furthermore, it may be necessary to run the ASP.NET IIS Registration tool to register the selected ASP.NET components with IIS. For example: 

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -ir -enable

For more information, refer to the documentation for the ASP.NET IIS Registration tool on MSDN.

Pre-installation steps

Before you run the installation scripts, perform the following steps:

  1. On the computer running the SAS Proxy, decide which port(s) and IP address(es) you want to use for Net.TCP binding and HTTP binding.
    • If you are installing a new website, you need to specify the settings for both bindings during installation.
    • If you are installing an application, you only need to specify the Net.TCP binding.
    • The HTTP binding is only required to access IIS management functions. The endpoint is not used by the SAS Proxy, but it needs to be in place for IIS to function correctly.
  2. Configure the server to accept incoming calls on the Net.TCP port from the computer running the iCore System Access Service.

By default, the SAS Proxy is installed without any security options such as certificate validation.

  • We recommend restricting access in the firewall to the Net.TCP binding of the SAS Proxy to only the computer running the System Access Service and the computer(s) running iCore Administrator.
  • You can configure additional security options (such as certificate authentication) manually in WCF by editing the configuration files of the applications. The details on how to do this configuration are however not included in this help file.
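
The firewall restriction recommended above can be applied and checked with the built-in NetSecurity cmdlets on Windows Server 2012 or later. This is an added example, not part of the iCore product or its documentation; the host addresses and the rule name are placeholders, and port 11200 is taken from the examples on this page.

```powershell
# Added example (not iCore code). All values below are assumptions to adapt.
$NetTcpPort = 11200                          # Net.TCP port from this page's examples
$SasHost    = '10.0.0.10'                    # constructed placeholder: System Access Service host
$AdminHosts = @('10.0.1.20')                 # constructed placeholder: iCore Administrator host(s)
$RuleName   = 'SAS Proxy Net.TCP (scoped)'   # hypothetical rule name

# 1. Allow the Net.TCP port only from the known peers.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $NetTcpPort `
        -RemoteAddress (@($SasHost) + $AdminHosts) | Out-Null
}

# 2. A scoped allow rule only helps if unmatched inbound traffic is blocked.
$weakProfiles = Get-NetFirewallProfile | Where-Object {
    $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow'
}

# 3. Find other enabled allow rules that open the same port to any remote address.
#    Port ranges such as '11000-12000' are not expanded here; review them by hand.
$broadRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        ($port.Protocol -in 'TCP', 'Any') -and
        (($port.LocalPort -contains "$NetTcpPort") -or ($port.LocalPort -contains 'Any')) -and
        ($addr.RemoteAddress -contains 'Any')
    }

if ($weakProfiles) {
    Write-Warning ("Firewall profiles disabled or allowing inbound by default: " +
        ($weakProfiles.Name -join ', '))
}
if ($broadRules) {
    Write-Warning "Rules exposing TCP $NetTcpPort to any remote address:"
    $broadRules | Select-Object DisplayName, Profile | Format-Table -AutoSize
} else {
    Write-Output "No enabled allow rule exposes TCP $NetTcpPort to any remote address."
}
```

Run it from an elevated console on the server hosting the SAS Proxy, and re-run the audit steps after any change to IIS bindings or firewall policy.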

Installation

note

The PowerShell cmdlets for installation of the proxy service must be run from a 64-bit PowerShell console (if the operating system is 64-bit) with administrative rights.

  1. Open the PowerShell console.

  2. Import the iCore.Administrator.Configuration module which contains the SAS proxy installation cmdlets.

    To import the module

    To import the iCore.Administrator.Configuration module, run the Load-AdminModules.ps1 script from the correct Administrator version subdirectory, for example C:\Program Files (x86)\iCore Administrator\{Version}\Load-AdminModules.ps1. See also Directory structure.

  3. Run the SAS Proxy installation cmdlet (see iCore PowerShell cmdlets).

    • If you are installing the SAS Proxy in a new website, you do not need to enter the ApplicationName parameter.
    • If you are installing on an existing website, specify the name of the site in the SiteName parameter, as well as the name of the new application in the ApplicationName parameter.
    • Make sure to include the TemplateDirectory parameter (which specifies the location of the SAS Proxy template). Example: C:\Program Files (x86)\iCore Administrator\{Version}\SasProxy\Template.
      tip

      For detailed information about the remaining parameters required for the cmdlet, type Get-Help Install-iCoreSystemAccessServiceProxy -Detailed.

Examples

The following command installs the SAS proxy in a new website named 'MySasProxy' and creates a new application pool named MySasProxy for the site (if it does not already exist). The HTTP binding listens on 127.0.0.1:8080, and the Net.TCP binding listens on all available interfaces on port 11200. The content of the site is located in C:\SasProxy.

Install-iCoreSystemAccessServiceProxy `
-SiteName MySasProxy `
-AppPoolName MySasProxy `
-AppPoolCreationDisposition CreateIfNotExists `
-IPAddress * `
-HttpPort 8080 `
-NetTcpPort 11200 `
-PhysicalPath C:\SasProxy `
-TemplateDirectory "C:\Program Files (x86)\iCore Administrator\{Version}\SasProxy\Template" `
-Verbose

The following command installs the SAS proxy in a new application named 'MySasProxy', in an existing website named 'Default Web Site', and creates a new application pool named MySasProxy for the application. The Net.TCP binding listens on the IP address 192.168.0.15 on port 11200. The content of the site is located in C:\inetpub\SasProxy.

Install-iCoreSystemAccessServiceProxy `
-SiteName 'Default Web Site' `
-ApplicationName 'MySasProxy' `
-AppPoolName MySasProxy `
-AppPoolCreationDisposition CreateNew `
-IPAddress 192.168.0.15 `
-NetTcpPort 11200 `
-PhysicalPath C:\inetpub\SasProxy `
-TemplateDirectory "C:\Program Files (x86)\iCore Administrator\{Version}\SasProxy\Template" `
-Verbose

Configuration

Once the SAS proxy is installed, you need to configure the System Access Service and the Administrator to use the new service.

Registering the SAS proxy in SAS

The System Access Service must be configured to establish and keep a connection open to the proxy service. The configuration can be done from the iCore PowerShell Console, or from a regular 32-bit (x86) PowerShell console. Note that the latter option requires that the iCore.PowerShell module has been imported using the command Import-Module iCore.PowerShell.

For more information about the commands that can be used to inspect and modify the SAS proxy configuration, see iCore PowerShell cmdlets.

Examples 

The following command registers a proxy listening on the website running at 192.168.0.15:11200, and refers to it with the name MyProxy.

note

The name is only used to reference the proxy in the local configuration on the machine running SAS. It does not need to correspond to the name of the Proxy application.

Add-iCoreSystemAccessServiceProxyEndpoint -Name MyProxy -HostName 192.168.0.15 -Port 11200

In the example below, the proxy is running in an application called MySasProxy on a server named MyDMZ on port 11200. Since it is already running in an application, you need to specify the full URI.

Add-iCoreSystemAccessServiceProxyEndpoint -Name OurProxy -Uri 'net.tcp://MyDMZ:11200/MySasProxy/SasProxy.svc'

note

The System Access Service must be restarted for the configuration change to take effect. To restart the System Access Service, use the Restart-iCoreSystemAccessService cmdlet.

Configuring the Administrator

If the Administrator site has not yet been installed, follow the installation guide, but use the endpoint of the SAS Proxy instead of the endpoint of the SAS as the SAS connection. Note that this endpoint must use the scheme net.tcp.

If the Administrator site is already installed, you need to manually add the endpoint to the SAS proxy to its configuration:

  1. Open the web.config file of the Administrator application, and locate the system.serviceModel/client section (this is where all SAS connections are listed).
  2. Add a new element, or modify an existing one, to point to the endpoint of the proxy server previously installed (see the example below).

<endpoint address="net.tcp://localhost:11200/SasProxy.svc"
name="Sas"
bindingConfiguration="SasDefaultBinding"
binding="netTcpBinding"
contract="iCore.SAS.Interfaces.ISystemAccessServiceProxy" />

Upgrade

The SAS Proxy must be upgraded whenever iCore Integration Suite is upgraded. The upgrade must be done from a 64-bit PowerShell console (if running on a 64-bit system) with administrative rights.

  1. Import the module iCore.Administrator.Configuration.
    To import the module

    To import the iCore.Administrator.Configuration module, run the Load-AdminModules.ps1 script from the correct Administrator version subdirectory, for example C:\Program Files (x86)\iCore Administrator\{Version}\Load-AdminModules.ps1. See also Directory structure.

  2. Run the SAS Proxy update cmdlet.
    • To update a specific SAS Proxy running in its own web site ("MySasProxySite"):
      Update-iCoreSystemAccessServiceProxy `
      -SiteName MySasProxySite `
      -TemplateDirectory "C:\Program Files (x86)\iCore Administrator\{Version}\SasProxy\Template" `
      -Verbose
    • To update a specific SAS Proxy running in an application called 'MySasProxy' in the 'Default Web Site':
      Update-iCoreSystemAccessServiceProxy `
      -SiteName 'Default Web Site' `
      -ApplicationName 'MySasProxy' `
      -TemplateDirectory "C:\Program Files (x86)\iCore Administrator\{Version}\SasProxy\Template" `
      -Verbose
    • To update all SAS Proxy applications and sites on the machine:
      Update-AlliCoreSystemAccessServiceProxyApplications `
      -TemplateDirectory "C:\Program Files (x86)\iCore Administrator\{Version}\SasProxy\Template" `
      -Verbose

Uninstallation

The SAS Proxy must be uninstalled from a 64-bit PowerShell console (if running on a 64-bit system) with administrative rights.

  1. Import the module iCore.Administrator.Configuration.

    To import the module

    To import the iCore.Administrator.Configuration module, run the Load-AdminModules.ps1 script from the correct Administrator version subdirectory, for example C:\Program Files (x86)\iCore Administrator\{Version}\Load-AdminModules.ps1. See also Directory structure.

  2. Run the SAS proxy uninstall cmdlet.

    • To uninstall a specific SAS Proxy running in its own website ('MySasProxySite') and also remove the application pool if it is not used by another application:
      Uninstall-iCoreSystemAccessServiceProxy -SiteName 'MySasProxySite' -RemoveAppPool -Verbose
    • To uninstall a specific SAS Proxy running in an application ('SasProxy') on the website 'Default Web Site', leaving the application pool if it is not used by another application:
      Uninstall-iCoreSystemAccessServiceProxy -SiteName 'Default Web Site' -ApplicationName 'SasProxy' -Verbose

See Also

iCore PowerShell cmdlets
iCore PowerShell Console
