Version: 2024.3.2

DMZ / separate network

Exposing inPoint.Web and inPoint.Identity in a DMZ

If inPoint.Web and inPoint.Identity are exposed in a DMZ, the communication to inPoint.Enterprise must be configured manually.

inPoint.Enterprise

You'll need to update this config file (default path shown):
C:\Program Files (x86)\H&S Heilig und Schubert Software AG\Pam.Storage\Web\web.config

The communication must be secured with TLS, either over HTTPS or over a specially secured net.tcp connection (net.tcpa). The server running inPoint.Web and inPoint.Identity must trust the certificate, or the certification authority that issued it.

https

The default port is 443; the communication can be inspected and forwarded by a firewall/proxy. The following binding and endpoints must be added or adapted.

Example of an URL: https://computer.domain/Pam.Web

IMPORTANT:
Make sure that the name used in the URL (fully qualified or not) matches the certificate.

Binding Configuration

The binding configuration "wsHttpBinding_PamWCF_anonym" should already exist in the list of bindings (if not, add it):

<wsHttpBinding>
<!-- other wsHttpBinding omitted for brevity -->
<binding name="wsHttpBinding_PamWCF_anonym" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647">
<readerQuotas maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxDepth="2147483647" maxNameTableCharCount="2147483647" maxStringContentLength="2147483647" />
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>

Endpoints

The endpoints should also already exist, but their bindingConfiguration must be changed from wsHttpBinding_PamWCF_wia to wsHttpBinding_PamWCF_anonym. Note that with clientCredentialType="None" the endpoint no longer requires Windows authentication at the transport level; restrict network access to it (firewall rules) to the DMZ hosts that need it.

Endpoint for PamWCF

<service behaviorConfiguration="PamWCFBehavior_wia" name="Pam.WCF.PamWCF">
<!-- other endpoints omitted for brevity -->
<endpoint address="/wia" binding="wsHttpBinding" bindingConfiguration="wsHttpBinding_PamWCF_anonym" contract="Pam.WCF.IPamWCF"/>
</service>

Endpoint for Unify

<service behaviorConfiguration="UnifyWCFBehavior_wia" name="Pam.Unify.WCF.UnifyWcf">
<!-- other endpoints omitted for brevity -->
<endpoint address="/wia" binding="wsHttpBinding" bindingConfiguration="wsHttpBinding_PamWCF_anonym" contract="Pam.Unify.WCF.IUnifyWcf"/>
</service>
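The re-pointing of the two /wia endpoints described above, as an added PowerShell example that is not part of the inPoint documentation or the product. It loads web.config as XML, verifies that the anonymous binding exists and uses transport security, changes the bindingConfiguration of both /wia endpoints, and writes a timestamped backup before saving. The web.config path is the default from this page; the service and binding names are the ones shown above; `-DryRun` is an assumed switch for a preview without writing.

```powershell
# Added example (not from the inPoint documentation): re-point the /wia endpoints of
# PamWCF and UnifyWcf to the anonymous TLS binding and check the binding itself.
# Assumptions: default web.config path from this page; service/binding names as shown above.
param(
    [string]$WebConfig = 'C:\Program Files (x86)\H&S Heilig und Schubert Software AG\Pam.Storage\Web\web.config',
    [switch]$DryRun
)

$ErrorActionPreference = 'Stop'
$bindingName = 'wsHttpBinding_PamWCF_anonym'
$services    = 'Pam.WCF.PamWCF', 'Pam.Unify.WCF.UnifyWcf'

[xml]$xml = Get-Content -LiteralPath $WebConfig -Raw
$sm = $xml.configuration.'system.serviceModel'
if (-not $sm) { throw "No <system.serviceModel> section in $WebConfig" }

# 1. The anonymous binding must exist and must use transport (TLS) security.
$binding = $sm.SelectSingleNode("bindings/wsHttpBinding/binding[@name='$bindingName']")
if (-not $binding) { throw "Binding '$bindingName' is missing; add it as shown in the documentation." }
if ($binding.security.mode -ne 'Transport') {
    throw "Binding '$bindingName' has security mode '$($binding.security.mode)', expected 'Transport'."
}

# 2. The /wia endpoint of each service must reference the anonymous binding.
$changed = 0
foreach ($svc in $services) {
    $ep = $sm.SelectSingleNode("services/service[@name='$svc']/endpoint[@address='/wia' and @binding='wsHttpBinding']")
    if (-not $ep) { Write-Warning "No /wia wsHttpBinding endpoint found for service '$svc'"; continue }
    if ($ep.bindingConfiguration -ne $bindingName) {
        Write-Host "$svc : $($ep.bindingConfiguration) -> $bindingName"
        $ep.SetAttribute('bindingConfiguration', $bindingName)
        $changed++
    }
}

# 3. Warn about a diagnostic setting that discloses exception details on an externally reachable endpoint.
foreach ($beh in $sm.SelectNodes('behaviors/serviceBehaviors/behavior')) {
    if ($beh.serviceDebug.includeExceptionDetailInFaults -eq 'true') {
        Write-Warning "Behavior '$($beh.name)' returns exception details in faults (includeExceptionDetailInFaults=true)."
    }
}

if ($changed -gt 0 -and -not $DryRun) {
    Copy-Item -LiteralPath $WebConfig -Destination "$WebConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"
    $xml.Save($WebConfig)
    Write-Host "Saved $changed endpoint change(s); backup written next to web.config."
} elseif ($changed -eq 0) {
    Write-Host "Endpoints already reference $bindingName; nothing to do."
}
```

Run it from an elevated PowerShell on the inPoint.Enterprise server, first with `-DryRun` to see which endpoints would change. The XPath lookups are deliberately exact on service name, address and binding so that other endpoints in the same <service> element are left untouched.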

net.tcpa (SSL over TCP)

To configure net.tcp with SSL encryption instead of Windows security to protect the communication, use net.tcpa in the URL. The default port is 808; the communication cannot be inspected, only forwarded, by a firewall/proxy.

The following changes must be done on the inPoint.Enterprise server.

Example of an URL: net.tcpa://computer.domain/Pam.Web

IMPORTANT:
Make sure that the name used in the URL (fully qualified or not) matches the certificate.

Certificate

An SSL certificate must exist on the server (as a 'Computer Certificate' or 'User Certificate'), and its private key must be readable by the worker process of Pam.Web.

Allow read access on the certificate for the worker process

  • Open "Manage computer certificates" from the start menu, or start 'certlm.msc' directly.
  • Go to Personal and locate the certificate.
  • Right-click it, choose "All Tasks" and then "Manage Private Keys ...".
  • Click on Add
    • change the location from the domain to the local machine (if using the default user)
    • add the user name "IIS AppPool\Pam.web" (if using the default user for the worker process)
    • allow Read for the added user
    • close the dialog with OK
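The same procedure as an added PowerShell example (not part of the inPoint documentation or the product): it locates the certificate in the computer store by the host name used in the net.tcpa URL, checks that the name is in the subject or the subject alternative names (the IMPORTANT note above), resolves the private key file, and grants Read to the worker process identity. The host name "server.domain", the application pool identity "IIS AppPool\Pam.web" and the computer store (Cert:\LocalMachine\My) are assumptions taken from this page; a certificate in the user store has its key file under that user's profile instead and is not handled here.

```powershell
# Added example (not from the inPoint documentation): find the server certificate for the
# net.tcpa endpoint, verify its name matches the URL host name, and grant the Pam.Web worker
# process read access to the private key (equivalent to 'Manage Private Keys...' -> Read).
# Assumptions: computer store Cert:\LocalMachine\My, default app pool identity, host name as on this page.
param(
    [string]$HostName = 'server.domain',
    [string]$Identity = 'IIS AppPool\Pam.web'
)

$ErrorActionPreference = 'Stop'

# 1. Locate a usable certificate: CN or SAN must match the name used in net.tcpa://<HostName>/...
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.Subject -match "CN=$([regex]::Escape($HostName))(,|$)" -or $_.DnsNameList.Unicode -contains $HostName)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate with a private key for '$HostName' in Cert:\LocalMachine\My" }
Write-Host "Using $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"

# 2. Resolve the private key file. CNG machine keys live under ...\Crypto\Keys,
#    legacy CAPI machine keys under ...\Crypto\RSA\MachineKeys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Certificate has no RSA private key (non-RSA keys are not handled by this example)" }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}
if (-not (Test-Path -LiteralPath $keyFile)) { throw "Private key file not found: $keyFile" }

# 3. Grant Read only (the worker process must not be able to export or replace the key) and show the result.
$acl  = Get-Acl -LiteralPath $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl

(Get-Acl -LiteralPath $keyFile).Access |
    Where-Object { $_.IdentityReference -eq $Identity } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run from an elevated PowerShell. Granting only Read matches what the certlm.msc dialog does; Full Control would let a compromised worker process export the key.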

Behaviors

The certificate must be added to the two existing behaviours (both behaviours must exist; the "serviceCredentials" part must be inserted into each). If possible, select the certificate by its subject (the server name). More details on configuring a service certificate are in the official (Microsoft WCF) documentation.

The example below keeps serviceDebug includeExceptionDetailInFaults="true" and serviceMetadata httpGetEnabled="true" from the default configuration. On an endpoint reachable from the DMZ these return exception details and service metadata to any caller; consider setting both to "false" once the setup is verified.

Here the certificate is stored as a 'Computer Certificate' in the Personal folder and selected by the machine name:

<behaviors>
<serviceBehaviors>
<behavior name="PamWCFBehavior_wia">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<dataContractSerializer maxItemsInObjectGraph="2147483647" />
<serviceAuthorization impersonateCallerForAllOperations="false" />
<serviceCredentials>
<serviceCertificate findValue="server.domain" x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
<behavior name="UnifyWCFBehavior_wia">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<dataContractSerializer maxItemsInObjectGraph="2147483647" />
<serviceAuthorization impersonateCallerForAllOperations="false" />
<serviceCredentials>
<serviceCertificate findValue="server.domain" x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>

Binding Configuration

The binding configuration "netTcpBinding_PamWCF_tcp_anonym" must be added:

<netTcpBinding>
<!-- other netTcpBinding omitted for brevity -->
<binding name="netTcpBinding_PamWCF_tcp_anonym" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<security mode="Transport">
<transport clientCredentialType="None" />
<message clientCredentialType="None" />
</security>
</binding>
</netTcpBinding>

Endpoints

The endpoints using this binding configuration must be added:

Endpoint for PamWCF

<service behaviorConfiguration="PamWCFBehavior_wia" name="Pam.WCF.PamWCF">
<!-- other endpoints omitted for brevity -->
<endpoint address="/tcpa" binding="netTcpBinding" bindingConfiguration="netTcpBinding_PamWCF_tcp_anonym" contract="Pam.WCF.IPamWCF" />
</service>

Endpoint for Unify

<service behaviorConfiguration="UnifyWCFBehavior_wia" name="Pam.Unify.WCF.UnifyWcf">
<!-- other endpoints omitted for brevity -->
<endpoint address="/tcpa" binding="netTcpBinding" bindingConfiguration="netTcpBinding_PamWCF_tcp_anonym" contract="Pam.Unify.WCF.IUnifyWcf" />
</service>

inPoint.Web

How inPoint.Web connects to inPoint.Enterprise can be configured during setup. If you need to change it later, edit the registry.

Under the key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\HS Europe\inPoint\Environment\default configure the URLs to the other servers:

  • ServiceUrl: the URL to inPoint.Enterprise (use net.tcpa or https as the URL prefix; this can be an internal name)
  • CoreUrl: the URL to inPoint.Core (this always starts with https, using the internal name)
  • WebUrl: the URL to inPoint.Enterprise (the externally reachable server name)
  • IdentityUrl: the URL to inPoint.Identity (the externally reachable server name)
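Setting these four values from a script, as an added PowerShell example that is not part of the inPoint documentation or the product. It enforces the scheme rules from the list above (ServiceUrl must be https:// or net.tcpa://, the other three https://) before anything is written, so a plain http:// URL cannot be stored by mistake. The registry path is the one from this page; the URL values are placeholders for your own host names; `-DryRun` is an assumed switch that only reports the changes.

```powershell
# Added example (not from the inPoint documentation): set and validate the inPoint.Web
# connection URLs in the registry. Scheme rules follow the list on this page.
# Assumptions: registry key path as documented; the default URL values are placeholders.
param(
    [string]$ServiceUrl  = 'net.tcpa://enterprise.internal.domain/Pam.Web',
    [string]$CoreUrl     = 'https://core.internal.domain/',
    [string]$WebUrl      = 'https://inpoint.example.com/',
    [string]$IdentityUrl = 'https://identity.example.com/',
    [switch]$DryRun
)

$ErrorActionPreference = 'Stop'
$keyPath = 'HKLM:\SOFTWARE\WOW6432Node\HS Europe\inPoint\Environment\default'

# Allowed URL schemes per value; anything else (e.g. plain http://) is rejected before it is written.
$allowed = @{
    ServiceUrl  = @('https', 'net.tcpa')
    CoreUrl     = @('https')
    WebUrl      = @('https')
    IdentityUrl = @('https')
}
$values = @{ ServiceUrl = $ServiceUrl; CoreUrl = $CoreUrl; WebUrl = $WebUrl; IdentityUrl = $IdentityUrl }

function Get-UrlScheme([string]$Url) {
    # System.Uri does not know the net.tcpa scheme, so take the scheme textually.
    if ($Url -match '^([a-z][a-z0-9+.-]*)://[^/\s]+') { return $Matches[1].ToLowerInvariant() }
    return $null
}

# 1. Validate every value before touching the registry.
foreach ($name in $values.Keys) {
    $scheme = Get-UrlScheme $values[$name]
    if (-not $scheme) { throw "$name is not a URL: '$($values[$name])'" }
    if ($allowed[$name] -notcontains $scheme) {
        throw "$name uses scheme '$scheme'; allowed: $($allowed[$name] -join ', ')"
    }
}

if (-not (Test-Path -LiteralPath $keyPath)) {
    throw "Registry key not found: $keyPath (is inPoint.Web installed on this machine?)"
}

# 2. Write only the values that differ, reporting each change.
foreach ($name in $values.Keys) {
    $current = (Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue).$name
    if ($current -ceq $values[$name]) { Write-Host "$name unchanged: $current"; continue }
    Write-Host "$name : '$current' -> '$($values[$name])'"
    if (-not $DryRun) {
        Set-ItemProperty -LiteralPath $keyPath -Name $name -Value $values[$name] -Type String
    }
}
```

Run from an elevated PowerShell on the inPoint.Web server; the WOW6432Node path is correct as written from a 64-bit session. Restart the inPoint.Web application pool afterwards so the new values are read.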

Reverse Proxy

See the full reverse proxy documentation for how to configure a reverse proxy and how to configure the inPoint.Enterprise server accordingly.