Post Install Steps
After completing the Sureview installation you must perform the post install steps including:
1) Configure the tiers for HTTPS
Perform the following steps to configure the tiers for HTTPS:
a) V2 UI
If the Server Prerequisites were correctly provided before the install of Sureview, including the installation and validation of an SSL certificate on port 443 of the App and Device Tier Servers, then there is nothing more to do for V2, as it will already be available on https://YourAppServer/. If those prerequisite steps were missed, go back and do them now.
b) Device Tier
The Device Tier services need some additional configuration to set them up for SSL, as described below.
c) V1 UI
If being used, the V1 UI requires some additional post-install setup to get it working for HTTPS, as described below.
2) Secure the UI to Penetration Testing standards
Perform the following steps to secure the UI to penetration testing standards:
a) HTTPS redirection
HTTPS redirection must be configured to redirect users who access the UI via the insecure "http://" URL to the secure "https://" URL, so that they do not send confidential information, such as their password when logging in, over the network in clear text. The steps for this are described below.
b) Data Service security
The data service requires some configuration changes to secure it to penetration testing standards. The steps for this are described below.
3) Add the server's external name to the Hosts file
If you are using NLB or SSL you must add the external name of the server (e.g. "Sureview.mydomain.local") to the Hosts file, pointing to 127.0.0.1.
This means that:
- When using NLB, the components of the server will talk directly to the server itself instead of going out on the network, which may introduce latency
- You can perform local testing using a browser on the server, using the same name as externally and https://, without getting errors about the domain being incorrect due to using "localhost"
4) Log in to the UI and set system settings
The initial login for the V1 Login and V2 Login screens is "user" and "Passw0rd".
The following system settings must be set in the user interface after install:
a) License
In the V1 UI, go to System->Licensing, choose the "globe" top level and then enter the license key provided by SureView for this Sureview install.
b) Filestore
In the V1 UI, go to System->File Stores and add the path to the Filestore that will be used for audited media storage. Note: The Filestore folder must exist (it won't be created automatically).
c) Endpoints
In the V1 UI, go to System->Endpoints and set the following values then click "Save" (NOTE: these assume you have set everything for HTTPS as per steps #1 and #2 above):
- Proxy address: https://YourDeviceTierHostname:8000
- Reports address: https://YourAppTierHostname/ReportsService
- Audit address: https://YourDeviceTierHostname:4531
- Device service address: https://YourDeviceTierHostname
5) Set up Database Federation (optional)
If you are using multiple Sureview systems and intend to connect them in a Federated deployment, please contact SureView for support with setting this up.
Device Tier Service HTTPS Configuration
(Note this requires a valid certificate to be installed on the server before proceeding - for information on adding a certificate and checking validity see the Pre-Installation SSL Certificates Support Page)
1) Device Server
By default the Device Server listens on port 80 and a configuration change is needed to make it also listen on 443.
- Run the following command to edit the Device Server's config file:
notepad "C:\Program Files (x86)\Immix Cloud\DeviceServer\SVDevices.exe.config"
- Search for the following text:
<add key="PortSSL" value="0" />
and change it to the following to make it listen on port 443 for HTTPS:
<add key="PortSSL" value="443" />
- Save the file
- Restart the service with the PowerShell command for the new config to take effect:
Restart-Service -Name SVDevices
For Multi-tier configurations you may need to manually bind the certificate to port 443 for the device service to be able to use it. You can check whether a certificate is bound using:
netsh http show sslcert
There needs to be an entry listed for port 443. If there is not, add one using the command below:
netsh http add sslcert ipport=0.0.0.0:443 certhash=YourCertHash appid=`{5bfe1d7c-ffa2-4c91-b070-a279adaebff8`}
2) Audit Service (changes required for V1 only)
The Audit service automatically listens on ports 80 and 443, which are used by V2, but also listens on port 4531 for V1. To use SSL in V1 you must switch port 4531 to HTTPS.
First you need to change the URL ACL to allow the service user to listen on HTTPS instead of HTTP via the following commands:
netsh http delete urlacl url=http://*:4531/
netsh http add urlacl url=https://*:4531/ user="YourDomain\YourServiceUser" listen=yes
Then you need to set your certificate on port 4531 via the following command:
netsh http add sslcert ipport=0.0.0.0:4531 certhash=YourCertHash appid=`{5bfe1d7c-ffa2-4c91-b070-a279adaebff8`}
Finally you need to edit the Audit service's configuration:
- Open the Audit service's config file:
notepad "C:\Program Files (x86)\Immix Cloud\Audit\SVAudit.exe.config"
- Search for the following text:
<add key="Protocol" value="http" />
and change it to the following to make it use HTTPS instead:
<add key="Protocol" value="https" />
- Save the file
- Restart the service with the PowerShell command for the new config to take effect:
Restart-Service -Name SVAudit
3) Alarm Responder Service
- Open the Alarm Responder service's config file:
notepad "C:\Program Files (x86)\Immix Cloud\AlarmResponder\SVAlarmResponder.exe.config"
- Search for the following text
<security mode="None">
and change it to (note the capital "T")
<security mode="Transport">
- Search for the following text
<endpoint address="http://localhost/Data/SVDataSvc.svc"
and change it to (note the added "s" in "https://")
<endpoint address="https://YourCertificateHostname/Data/SVDataSvc.svc"
- Save the file
- Restart the service with the PowerShell command for the new config to take effect:
Restart-Service -Name SVAlarmResponder
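To confirm the Device Server and Audit changes took effect, the following read-only check reads the two config keys and the netsh bindings named above. It is an added example, not part of the vendor's instructions; it assumes the install path shown on this page, and the function names are illustrative. The last four checks apply only when V1 is in use.

```powershell
# Added check, not vendor code. Run in an elevated PowerShell on the Device Tier server.
$root = 'C:\Program Files (x86)\Immix Cloud'

function Get-AppSetting {
    param([string]$Path, [string]$Key)
    # Return the value of <add key="..." value="..." />, or $null if absent.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    [xml]$cfg = Get-Content -LiteralPath $Path -Raw
    $node = $cfg.SelectSingleNode("//add[@key='$Key']")
    if ($node) { $node.GetAttribute('value') } else { $null }
}

function Test-SslCertBound {
    param([int]$Port)
    # Each binding is listed with a line ending in "<address>:<port>".
    $pattern = ':{0}\s*$' -f $Port
    [bool](netsh http show sslcert | Where-Object { $_ -match $pattern })
}

function Test-UrlAcl {
    param([string]$Url)
    # True when a reservation for exactly this URL is listed.
    [bool](netsh http show urlacl | Where-Object { $_.TrimEnd().EndsWith(" $Url") })
}

$results = [ordered]@{
    'Device Server PortSSL is 443'   = (Get-AppSetting "$root\DeviceServer\SVDevices.exe.config" 'PortSSL') -eq '443'
    'Certificate bound on port 443'  = Test-SslCertBound 443
    # V1 only: the Audit service on port 4531.
    'Audit Protocol is https'        = (Get-AppSetting "$root\Audit\SVAudit.exe.config" 'Protocol') -eq 'https'
    'Certificate bound on port 4531' = Test-SslCertBound 4531
    'URL ACL https://*:4531/ exists' = Test-UrlAcl 'https://*:4531/'
    'URL ACL http://*:4531/ removed' = -not (Test-UrlAcl 'http://*:4531/')
}

$results.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = $_.Value }
} | Format-Table -AutoSize
```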
V1 HTTPS Configuration
(Note this requires a valid certificate to be installed on the server before proceeding - for information on adding a certificate and checking validity see the Pre-Installation SSL Certificates Support Page)
1) V1 Data Service
The V1 Data Service configuration needs to be changed to make it use HTTPS:
- Run the following command to edit the Data Service's config file:
notepad "C:\Program Files (x86)\Immix Cloud\Data\web.config"
- Search for the following text
<security mode="None">
and change it to (note the capital "T")
<security mode="Transport">
- Search for the following text
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
and change it to
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
- Search for the following text
<serviceMetadata httpGetEnabled="true" />
and change it to
<serviceMetadata httpsGetEnabled="true" />
- Save the file (changes to web configs are applied automatically)
2) V1 Web UI
The V1 Web configuration needs to be changed to make it use HTTPS:
- Run the following command to edit the Web UI's config file:
notepad "C:\Program Files (x86)\Immix Cloud\Web\web.config"
- Search for the following text (note there are multiple "<binding name=" entries so make sure you have the correct one)
<binding name="BasicHttpBinding_ISVDataService" ...
and, within that binding, change
<security mode="None">
to (note the capital "T")
<security mode="Transport">
- Search for the following text
<endpoint address="http://localhost/Data/SVDataSvc.svc"
and change it to (note the added "s" in "https://")
<endpoint address="https://YourCertificateHostname/Data/SVDataSvc.svc"
- Save the file (changes to web configs are applied automatically)
3) V1 Reports Service
The V1 Reports Service configuration needs changing to make it use HTTPS:
- Run the following command to edit the Report Service's config file:
notepad "C:\Program Files (x86)\Immix Cloud\Reports\web.config"
- Search for the following text (note there are multiple "<binding name=" entries so make sure you have the correct one)
<binding name="BasicHttpBinding_ISVDataService" ...
and, within that binding, change
<security mode="None">
to (note the capital "T")
<security mode="Transport">
- Search for the following text
<endpoint address="http://localhost/Data/SVDataSvc.svc"
and change it to (note the added "s" in "https://")
<endpoint address="https://YourCertificateHostname/Data/SVDataSvc.svc"
- Save the file (changes to web configs are applied automatically)
4) Views UI
If you are using Views you also need to change some config settings in the Views UI to use HTTPS:
- Run the following command to edit the View UI's config file:
notepad "C:\Program Files (x86)\Immix Cloud\Web\Views\web.config"
- Search for the following text (note there are multiple "<binding name=" entries so make sure you have the correct one)
<binding name="BasicHttpBinding_ISVDataService" ...
and, within that binding, change
<security mode="None">
to (note the capital "T")
<security mode="Transport">
- Search for the following text (note there are multiple "<binding name=" entries so make sure you have the correct one)
<binding name="BasicHttpBinding_IViewService" ...
and, within that binding, change
<security mode="None">
to (note the capital "T")
<security mode="Transport">
- Search for the following text
<endpoint address="http://localhost/Data/SVDataSvc.svc" ...
<endpoint address="http://localhost/ViewData/ViewService.svc" ...
and change it to the following (note the added "s" in "https://")
<endpoint address="https://YourCertificateHostname/Data/SVDataSvc.svc" ...
<endpoint address="https://YourCertificateHostname/ViewData/ViewService.svc" ...
- Save the file (changes to web configs are applied automatically)
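Because the same hand edits are repeated across several files, it is easy to leave one binding or endpoint on plain HTTP. The following read-only audit is an added example, not part of the vendor's instructions. It parses the Alarm Responder config and the four V1 web.config files named above and lists every element still in its pre-change state. It assumes the install path shown on this page and config files without an XML namespace; compare the reported binding names with the ones this page tells you to change.

```powershell
# Added audit, not vendor code. Read-only: it changes nothing.
$root  = 'C:\Program Files (x86)\Immix Cloud'
$files = 'AlarmResponder\SVAlarmResponder.exe.config', 'Data\web.config',
         'Web\web.config', 'Reports\web.config', 'Web\Views\web.config'

# One rule per leftover the steps above are meant to remove, plus the
# attribute that identifies the element in the report.
$rules = @(
    @{ Finding = 'security mode="None"';  XPath = '//binding[security/@mode="None"]';            Show = 'name' }
    @{ Finding = 'http:// endpoint';      XPath = '//endpoint[starts-with(@address,"http://")]'; Show = 'address' }
    @{ Finding = 'mexHttpBinding';        XPath = '//endpoint[@binding="mexHttpBinding"]';       Show = 'address' }
    @{ Finding = 'httpGetEnabled="true"'; XPath = '//serviceMetadata[@httpGetEnabled="true"]';   Show = 'httpGetEnabled' }
)

function Find-PlainHttpWcfSetting {
    param([string]$Path)
    [xml]$cfg = Get-Content -LiteralPath $Path -Raw
    foreach ($rule in $rules) {
        foreach ($node in $cfg.SelectNodes($rule.XPath)) {
            [pscustomobject]@{
                File    = $Path.Substring($root.Length + 1)
                Finding = $rule.Finding
                Element = $node.GetAttribute($rule.Show)
            }
        }
    }
}

# Files for components that are not installed (V1, Views) are skipped.
$findings = foreach ($rel in $files) {
    $path = Join-Path $root $rel
    if (Test-Path -LiteralPath $path) { Find-PlainHttpWcfSetting $path }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No plain-HTTP WCF settings found in the files present.' }
```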
Web UI HTTPS Redirection
(Note this requires a valid certificate to be installed on the server before proceeding - for information on adding a certificate and checking validity see the Pre-Installation SSL Certificates Support Page)
HTTPS redirection should be set up so that users who go to the Web UI URL via "http://" are automatically sent to "https://", so they do not send their password across the network in clear text. This is achieved via the URLRewrite tool (it will already be installed as part of the prerequisites; if you are missing it you can download it manually) and a configuration change to the Web UI.
- Run the following command to edit the Web UI's config file:
notepad "C:\Program Files (x86)\Immix Cloud\Web\web.config"
- Search for the following text:
</system.webServer>
and add a new blank line above it, then paste the following text into that line (so it is inside the <system.webServer> element):
<rewrite>
  <rules>
    <rule name="HTTP to HTTPS redirect" enabled="true" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>
- Save the file (changes to web configs are applied automatically)
- Now go to the UI via http:// and you will be automatically redirected to https://
NOTE: In order for this to work, "Require SSL" needs to be unticked in SSL Settings under "Default Web Site" in IIS, and Client Certificates set to "Ignore".
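A browser follows the redirect silently, so a scripted check that stops at the first response is a more reliable way to confirm what the rule returns. The following is an added example, not part of the vendor's instructions. It requests the http:// URL without following redirects and checks for the 301 and https:// Location that the rule above produces. "YourAppServer" is this page's placeholder host name, and the function name and -Path parameter are illustrative.

```powershell
# Added check, not vendor code. Replace 'YourAppServer' with the name on your certificate.
function Test-HttpsRedirect {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$Path = '/'
    )
    $req = [System.Net.WebRequest]::Create("http://$HostName$Path")
    $req.AllowAutoRedirect = $false   # inspect the first response, do not follow it
    $req.Timeout = 10000              # milliseconds
    try {
        $resp = $req.GetResponse()
    } catch {
        # 4xx/5xx arrive as a WebException that still carries the response.
        $web = $_.Exception.GetBaseException()
        if ($web -is [System.Net.WebException] -and $web.Response) { $resp = $web.Response }
        else { throw }
    }
    try {
        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
    } finally {
        $resp.Close()
    }

    [pscustomobject]@{
        Requested = "http://$HostName$Path"
        Status    = $status
        Location  = $location
        # redirectType="Permanent" is a 301; the rule keeps the host and path.
        Pass      = ($status -eq 301) -and ($location -eq "https://$HostName$Path")
    }
}

Test-HttpsRedirect -HostName 'YourAppServer'
```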
V2 Data Service Security
The following changes should be made to secure the V2 Data Service to penetration testing standards:
- Run the following command to edit the V2 Data Service's config file:
notepad "C:\Program Files (x86)\Immix Cloud\API\appsettings.json"
- Search for the following text:
"CORSAllowOrigin":null
and change it to the following, entering your domain name covered by your certificate:
"CORSAllowOrigin":"https://*.yourdomain.com"
- Search for the following text:
"SessionCookieSecure":"False"
and change it to the following:
"SessionCookieSecure":true
- Save the file and restart IIS to apply the settings