Configuring a Web Server for IIS for Better Performance and Security

Captions
To get started, my name again, it's Kyle. I'm here with my colleague Mike. Mike is our subject matter expert; he is going to be monitoring the questions and will be helping out at the end, or with any technical problems.

So to start, let's talk about what a web server is and how a web server interfaces with Caché. To start, I have this drawing up here. If you ever come into Cambridge, you will see this drawing on many a whiteboard; it's something we explain a lot. When you have a request coming to Caché via the web, it starts with some client. This is typically a browser; it doesn't have to be, though. The browser connects to the web server here. The web server will load some libraries that we, that is, InterSystems, have written, called the CSP Gateway. Then, notice everything up here in blue is things that InterSystems owns. So the web server has to be configured to pass requests on to the CSP Gateway, which then itself needs to be configured to pass requests on to the Caché server, and then everything flows right back. The arrows are pointing one way, but they really probably go both ways.

So the architecture here is pretty simple, and we're going to go through it now. The demonstration is going to show a very simple, but correct and InterSystems-supported, way to set up an IIS web server. So when we get this moved over to my screen here... excellent, hopefully you all can see this now.

I'm going to do my very best here to not do that common trope you see on cooking shows, where they put something in the oven and then pull out something that's much more pretty at the end, but I do need to do it for a couple of things, specifically installing the CSP Gateway DLL and installing IIS. The reason is some of these require a restart of the machine, and I don't think what that could be particularly happy with me talking about an op, and it's boring. So here's my desktop. I have on this already installed Ensemble; I guess that's another thing I'm pulling out of the oven. I have Ensemble installed. This, what we're about to show
you today, works the same whether it's Ensemble or HealthShare or Caché. You'll hear me use these terms interchangeably; as it turns out, it doesn't matter.

So first things first, we would need to install IIS. This is Windows 10 and we're using IIS, I believe, 7.5, but as it turns out the steps here are pretty much exactly the same as long as you're on a reasonably recent version of Windows; by that I mean XP or later. So to install IIS, start by going to the Control Panel. You can get there in your favorite way; I'm using Cortana. From here we go to Programs and Features, and then you want to click this here to turn Windows features on or off. Once this populates, you want to click this for Internet Information Services. As you can see, I already have. OK.

Moreover, the CSP Gateway has been installed. You can grab the CSP Gateway downloader from wrc.intersystems.com, or you can contact the WRC and we'll grab it for you. Here are the CSP Gateway modules, installed in C:\inetpub\CSPGateway. Oh, you can also run the CSP Gateway-only installer from your big Caché installer, or Ensemble, or whatever you use to install for your system. And that's the beginning of the easy part, right? This is pretty easy too.

So let's look at the poll here. Looks like some of you was gonna ask before those going to Apache nice something other than anything, and that's okay, we're going to teach you.

All right, so let's start configuring IIS. To start, we're going to pull it up. I want to once again use this nifty search feature so I don't have to click through a whole bunch of menus. So here is IIS. Hang on... there we are. Here's IIS. We're going to look at a couple of things, but the first thing we have to do is register the CSP Gateway modules with IIS, so IIS knows how to pass requests on to the modules. To do that we go to, unsurprisingly, Modules. Now, this is a native module, so to put this in you have to click Configure Native Modules and Register. We're going to call it CSPGateway, because that's what
it is, and for the path we're going to go to C:\inetpub\CSPGateway. It remembers this from the time I did this in the dry run, but this is just the CSPGateway folder in the inetpub folder, and we're going to click CSPms.dll and click OK and click OK. You see it pop up here. So now IIS knows what the CSP Gateway is.

So now we have to tell it how to pass requests over to the CSP Gateway. To do that we're going to come over here to Sites. We only have one site; that's Default Web Site. You can see, as a quick aside, right here it is listening on port 80; that's the default port for HTTP requests. And we're going to add a virtual directory for CSP. This is because we want this to work for only requests that have /csp in the URL after the host. So we're going to Add Virtual Directory. The alias is going to be csp, and the path... you see, the physical path actually doesn't matter, because we're not going to serve any files off of this, but we're going to point it at the CSPGateway drive anyway, because if we do eventually want to serve static files off of this IIS install, we want it to be in the place we expect. So we're going to C:\inetpub\CSPGateway, and OK. So that sets up our virtual directory.

Next step is to tell IIS, in this virtual directory, to pass requests to the CSP Gateway. You do this by going to Handler Mappings, and we're going to add a new module mapping. Because everything in the CSP requests is going to be passed off to Caché, we're going to put everything, that is, star, into our CSPGateway module that we just configured. We don't need an executable path, and we're going to call this CSPGateway, I think, then we call it wild for a wildcard mapping.

Now, there's a couple of things that trip people up when they do this. This is the first one: if you do have this Request Restrictions button here, which you do on IIS 7 or 8, you do need to click this and make sure you unclick this "Invoke handler only if request is
mapped to". CSP requests are typically not files or folders, and if you do not uncheck this box then the CSP Gateway is not able to get the request; IIS won't pass on the request. Then we click OK, and then we click OK. Now you are pretty much done setting up IIS. See, I told you guys it was easy.

Now we still need to configure the CSP Gateway to talk to Caché, and there's still a handful of gotchas that I sort of purposely put in here to show some common problems. So the next thing you do is, you want to go configure the CSP Gateway through the CSP Gateway management page. There are two ways to get there. You can either have the URL memorized, which I do because I do this enough, or you can get there the much easier way, by going to the Management Portal, going to System Administration, Configuration, CSP Gateway Management. Now, I want to note that right here we're in the Management Portal through the private Apache. When you see this 57772, typically you're going through the private Apache.

In fact, I'd like to ask another poll question right now, for those of you who are hosting applications. We're going to have that pop up, if you would be so kind as to answer.

So, System Administration, Configuration, CSP Gateway Management: this is the CSP Gateway manager for the private Apache. To get to the CSP Gateway management page for the IIS that we're setting up, all we have to do is remove the port, and now we'll go through port 80. So as you can see, that hasn't worked. If you look through these most likely causes, you know, it seems a little unclear: does it exist, does it not? If you look here, the request filtering module tells you that the request is for some reason being filtered. This, as it turns out, is a default configuration option for some versions of IIS, and so people run into it. So I will show you what that is now. If we come to our Default Web Site and we look at our Request Filtering, you can see right here is a big filter. If we go to edit this,
this is a way that IIS has to filter requests based on extensions or HTTP headers, both, I think; in this case, the URL string. In this case it scans the URL and says, if it has /bin/, don't serve it. No, we don't want this, so we're going to remove this. It does not have any adverse effect when connecting to Caché. So we remove that, we will click this again to come back here, and we will attempt to get back to this page. I'm doing this actually through the keyboard, with Ctrl+Shift+R, which is a cacheless refresh, and it will serve the page up. In fact, this proves that our IIS configuration is correct, so this is a very quick proof that we've done it correctly.

Now, if you see it there in the red, we have two warnings: one, can't write the configuration file; the second, can't recognize that log file. So this is the second piece that our customers commonly run into, issues that Mike and I frequently deal with. This is because the user that IIS is running as does not have access to the CSP configuration, the CSPGateway directory. So to fix that, we will come in here and we will go to our CSPGateway directory. All right, come back up a level here, and we're going to right-click this folder, we're going to click Properties, we're going to go to Security, and we're going to go to Edit. We want to add a user, and the user name is IIS_IUSRS, I think. Go Check Names here. We actually don't want it to be in this; this is the InterSystems domain, when you're in the office. We don't want this; we want it to be on my local machine. And you click OK, and you can see that it's populated this properly, with a domain name. So we click OK, and we are going to give Full Control to IIS_IUSRS to everything under the CSPGateway directory. This will allow the IIS user to modify the CSP configuration files and log files. So we click OK, OK, we can close this down, and we will refresh this once again. The
one visibility's you act, yep, the restart IIS to get this to take effect, so we're going to restart IIS. It's really easy: from the top level you just click Restart. Takes a couple of seconds. There we go, already done. Excellent. So let's come back here, we will do another refresh, and you can see that the warnings are gone. Great. So now we can configure the CSP Gateway to talk to Caché.

I can see that some of you are actually running Caché productions on the private Apache. That's bad. The reason that's bad, actually I'll get into that before I finish this, the reason is that, A, the private Apache does not allow use of HTTPS, so you have kind of a little bit less security, and B, the private Apache does not scale well. So hopefully after this you'll be able to configure IIS for yourself, you'll be able to get on a real big web server, give you better performance, you'll feel great.

All right, so let's get into configuring the CSP Gateway. The first thing we want to configure is to tell the CSP Gateway where Caché is. To do that we need to give it Server Access. We are going to make a new server. LOCAL is a default that points to localhost; that's going to be right this time, but, you know, let's do it the real way. This is going to be, I believe I called this instance and let ends rel and throw, so we're going to call it and the route. It is going to be enabled. It is on localhost, so we can keep that the same, and the port is going to be the superserver port. The way to get that, or I think the easiest way to get that, is to go to the Management Portal and click About, and it's really tiny but you can see it here: it's 1972, so that's the default again. The connection security here is, you need to have a username with a password that knows how to connect to Caché. In this case the typical user you want here is CSPSystem, and you will need to know its password. And that's all the configuration you need to do. The rest of these care about logging and timeouts, things
like that. So I can just click Save. You can see "Server configuration saved", and now we want to test it. No problem: we go to Test Server Connection, pick our server, we can click Connect. Easy as pie.

So now that we have our server connection working, we need to tell the CSP Gateway that URLs with certain expressions in them need to go there. To do that we go to Application Access, and for / we will edit this application to go to 10 0 and save, and back here again we're going to do the same thing for /csp, 2 and 0, and save. OK.

So it's been about 19 minutes, and I submit that right now we have successfully configured IIS and the CSP Gateway. Undoubtedly you want to see it, and that's no problem. We can go back to the Management Portal here, we can delete the port of the private Apache, and you can see we are successfully serving up the Management Portal through our real big web server, IIS. It's done.

The setting up of this is in fact just as easy. This is not a special setup. The setup that we've done here is the easy one, but it is fully supported, it is entirely correct. You know, if you don't have any reason to, let me say it like that: if you're one of the people who is using the private Apache, you can run this setup pretty quickly, and this is great. If you have a more complicated web application, you probably need to have some sort of web admin. So I guess I'll leave this up for now, but I think I can start taking questions. Mike, are we looking at tons of questions?

Yes, we have one that's come in right at the top: can you just repeat the two reasons why you would not want to use the private Apache server in lieu of a full web server?

Absolutely. The two reasons are: there is no released version of the private Apache that supports HTTPS, which means you have no security between the client and the web server, and this is typically where you want to have your security; this is oftentimes open to the world. That's the first one. The second
is, the Apache server that we distribute is pretty stripped down and does not scale well. It's not the full version of Apache, so you can run into some performance problems using the private Apache. In fact, Mike and I can tell you we've seen many customers who have had problems that have stemmed from using the private Apache and trying to ramp up usage on it. Great question, thank you.

OK, another one: is the CSP Gateway that you configured on the IIS server different than the one for the private Apache or any other web server?

That's a good question; it's kind of subtle. When you configure the CSP Gateway, you configure it per web server, so configuring it for IIS is different than configuring it for the private Apache. In fact, I can show you. Excellent. So here, let's see here, so this is our CSP Gateway for IIS. What I'm going to do is, I'm going to rip the URL here and I'm going to throw it in here, don't need this page anymore, and I'm going to add the private Apache port, and this is the CSP Gateway configuration for the private Apache. So the pages look exactly the same, but they are different. A couple of ways you can tell: this has "Apache web server", this says "Microsoft web server". You can see that here in Server Access we don't have that server we set up in IIS here. So I guess, in summary, the pages are the same, but you're configuring two different things. I hope that answered your question and misinterpreted.

We've got another one: while you're on the CSP Gateway page on your computer, can you go to the Application Access (yes, I can, screen wouldn't do it, for IIS, yes) and just discuss why the difference between the applications at the top that are in black and the blue applications?

Of course, yes. In later versions of the CSP Gateway, I can't remember exactly what version this got introduced, the Gateway and Caché are aware of each other when you set up the server access. So this is the Gateway telling you which applications are defined for the server
n0. So yeah, this is telling you which ones are defined, and I believe you can actually edit these directly. Oh, you can. Cool, that's good; you shouldn't be able to. Yeah, for the most part you don't actually have to do anything with these. So I got spells at the em for a second. All right, yeah, so these are the web applications defined on the server that's before the colon. Everyone was going to ask that it's what thought of that answer a little boy thoroughly that's right like what also got I.

We've got another one: I don't remember if you covered this, but can you discuss how to restrict access to the CSP Gateway management page based on IP address?

Oh yes, I absolutely can. That's a great question. So yeah, let's talk about configuring security for these pages. The first thing you probably want to do is go to Default Parameters here. So the first one we want is, we want people to have a username and password to log in to this page, and to do that you set it here. Now, frequently you'll see people use the username CSPGateway, but I find that really confusing, so I'm going to call this user gateway manager, so that it's very clear that this is a different user, and our password is going to be AAA, because that's really easy to type. So now these pages are restricted to users who know this username and password. You see, when I try to click another link, it bumps you back to this login page and you need to know it. Hopefully I remember the username right, and the password. Oh, and once you type the username right, you're good to go.

Now, to restrict who has access: right here in the System Manager Machines, you can put the IP address for machines that you want to have access to these pages. If you want everyone, you can put *.*.*.*. If you only want it to be, you know, one machine, whatever you want to have here. X you might you know this you could always get there if you're localhost, yes, OK. So I can actually save this and it's not going to matter,
because I'm local to the machine. At the point where you are on the web server box, you can change anything. The configuration here is all written to, I'll show you the file in CSPGateway, this right here is our CSP.ini, and I want to open it with Notepad. So everything we're doing on these pages just writes things out to this file. So if you can get on to the web server machine, you can change this file, so you should be able to change these pages, which you can. So it's an excellent question. Somebody really should have covered like everything else.

Yep, one more: can you talk about the difference between the CSPSystem Caché user and the account used to secure access to the Gateway management?

Yes, that's a good question, and it's the reason I did not call it CSPSystem. There are two sets of users in play here. This user is a user you invent solely for accessing these pages; that has nothing to do with the Caché server. You can have this CSP Gateway talk to multiple Caché servers if you'd like, and the user here is only to access these pages. The one that we put into our Server Access, it needs to be a user that you would find in your users list. So we use CSPSystem, because that's what we give it there for. So they are wholly different, which is why I strongly recommend, when you are setting up security for this page, you pick another user name here. But do try to remember what it is, otherwise, you know, it could be a hassle to get back in these pages, which can make things a little troublesome when you need to edit some of your configuration in here. But another really good question.

Last one? OK, a few more coming in. Of course. The next question: can you talk about upgrading the CSP Gateway independently from the Caché version?

Yeah, actually, updating the CSP Gateway is super easy. You can really just drop the DLLs into this folder, and that will work. Alternatively, you can get the CSP Gateway installer, or you can get your
full Caché, Ensemble, HealthShare installer and run the CSP Gateway portion of it, and all that's going to do is replace most of these files. It shouldn't replace your CSP.ini file, this guy here, which has your configuration, but if you want to be really safe about it, you can always just save it off before you do the upgrade. The upgrade is very quick. I think you just need to reset IIS, which as we saw is very fast. Moreover, the CSP Gateway modules are backwards compatible down to, I think, about anything anyone's running. I think you can pretty much always be on the latest CSP Gateway version. I wouldn't promise anything when you get down to like the 4.1s or the 3.2s of the world, I haven't looked at that, but if you're always running a reasonably recent version, you can use the latest Gateway modules.

OK, next question: when you set up the CSP Gateway on IIS, now allowing access to Ensemble through port 80, can you talk about how to change the Ensemble cube so that it opens its Management Portal shortcuts to that web server instead of the right?

Oh, that is a really good question. I don't know where that is. You don't have to pop your head like the server manager you can change the wind. Ah, yeah, yeah, that's a good plan. Doesn't work. Genius. So we have my care guys. So he's absolutely right. The way you would do this is to go to Preferred Server, go to Add/Edit, you have to click yes told well I'm going to change. So now here, this is enter L, this is the one we've been playing around with. We click Edit, and in the web server port we just put 80, click OK, click OK, go to Management Portal. Easy as that. Yeah, kept leave into thick of that stuff my head. Another great question. You guys are awesome.

Static files hosted on IIS? I think it might be a little outside the scope of the basic configuration.

Yes, that is a little bit outside the scope. We can just discuss it in broad strokes. You would have to put
all your static content on the web server, so usually in the CSPGateway folder. You have to put in the CSP broker folder, which is some JavaScript files that describe how to do hyperevent calls, basically call back to the server on the fly, and that has to come in here too. And in IIS, in here in your handler mappings, instead of having just one, you would have to have one for .cls, excuse me, one for .cls, one for .zen, one for .csp, and one for .cxw. Those four will forward all of the normal extensions to the Caché server, and the static file handler will pick up all of the static content, that is JavaScript, CSS, pictures, you know, all that stuff; it will pick it up from this server. Setting up is beyond the scope of this, it would take a little bit too long, but it's a good question.

Just one more: expert HTTP con.

I, inevitable, someone was going to ask. It has been suggested to me that for liability purposes I shouldn't show you guys how to do that. Moreover, that's definitely a thing. I believe it's very simple to set up HTTPS, but if you do it, and you should if you're external to the world throughout the web, make sure that you use something like tcpdump or Wireshark to ensure that your traffic is being encrypted. Typically, I think you just need to tell the website to use HTTPS, but I don't want to be responsible for it being wrong and then, you know, you guys tell on me that I showed you how to do it. Just a little too scared; I'm not brave enough to do it. But it should be easy enough to set up and test. You know, don't freak out; you can always ask Google, that's what I do. I mean, look at Google for details. Sorry, I didn't mean to be rude, guys.

Anything else? That's about it. Excellent, that's wonderful. Thank you all for showing up. That was great. You guys have amazing questions. Hopefully we'll get a chance to do some more of these and get you guys more stuff. If there any part in combats mic thanks. All right guys, thanks for
coming. Thanks for watching. See y'all later.
Info
Channel: InterSystems Developers
Views: 4,125
Keywords: Webinar, IIS, Configuration, InterSystems, Sysadmin, performance, security
Id: luplow26i7c
Length: 35min 28sec (2128 seconds)
Published: Mon May 01 2017