For security reasons, Web servers are typically installed outside of an organization's primary network in a perimeter network or demilitarized zone (DMZ). In this configuration, the Web server is located on either a different domain or in a workgroup separate from the domain of the database server. However, this model prevents an organization from using a domain-level trusted user to run an e-Business site, which is Aptify's recommended approach for e-Business. Since the domain user is not valid in the DMZ, the user cannot be authenticated.
Below is Aptify's recommended approach for establishing an e-Business web server on a different domain or workgroup from the Aptify database using the mirrored accounts approach, which uses a pair of local trusted user accounts to host the e-Business site. The process involves the following steps:
- Step 1 - Establishing Cross-Domain Communication
- Step 2 - Creating a Trusted Windows User Account
- Step 3 - Adding a Local Database User to Aptify
- Step 4 - Installing e-Business
- Step 5 - Testing the Setup and Troubleshooting Tips
- Step 6 - Final Setup and Installation Notes
Step 1 - Establishing Cross-Domain Communication
In order to support communication between an Aptify database server and Aptify e-Business web server across domains, there must exist a means of communication between the two domains such that the IP address of each domain can be resolved.
Typically, a domain name system (DNS) server will house and manage this information. However, if no DNS server exists, at a minimum a hosts file must exist on one of the servers that associates a static IP address with the domain of the other server. For instance, the hosts file, typically found in C:\Windows\System32\drivers\etc, may contain syntax similar to the following:
102.54.94.97    webserver.webdomain.com    # resolves Web server for database server
102.54.94.97    webserver                  # resolves Web server's NETBIOS name for database server
For this step, confirm that the domains can communicate and that the required DNS server or hosts file configuration is in place. You may also want to identify at this point which ports you need to open to allow the web server and database server to communicate. At a minimum, you will need to allow SQL Server traffic to pass between the two systems.
Step 2 - Creating a Trusted Windows User Account
For this step, create a local machine trusted user account on the database server. You can do this from the Local Users and Groups area of the Computer Management dialog, which can be launched from Start > Control Panel > Administrative Tools.
Specify a complex password for this user. What you enter must meet the minimum complexity requirements of both the database server's and the web server's operating systems.
During the e-Business installation, Aptify will automatically create a mirrored account on the Web server. This is a corresponding local user account on the Web server that shares the same username and password as the database server's local user. This user on the Web server will run the Microsoft IIS Application Pool used by the e-Business site.
For example, assuming the database server's name is database_server, the local user account you would create would be named something like database_server\ebizuser. Then, during installation, the e-Business setup program would automatically create a corresponding local user on the Web server named web_server\ebizuser (assuming the Web server's name is web_server). The e-Business setup program will assign the web_server\ebizuser account with the appropriate privileges on the Web server to run the e-Business site (as defined by your organization's security policies).
For future reference, the terms web_server, database_server, web_server\ebizuser and database_server\ebizuser will be used to describe the name of the web server, the name of the database server, the local account on the web server, and the local account on the database server, respectively.
The reader of this document should be familiar with the general and administrative functionality of Aptify as well as the business requirements of their organization. This level of knowledge is required to fully understand the possible impact of any modification with respect to the performance of the product as well as the modification's effect in accomplishing the organization's needs.
Step 3 - Adding a Local Database User to Aptify
- Log in to the database server and launch the Aptify Desktop client using a system administrator account.
- The creation of users should be performed using the Desktop client. The Aptify User Administration wizard is not supported in the Aptify web interface.
- If you have not previously installed the Aptify Desktop client on your database server, you will need to do that first. You will only be able to add the database server's local user as an Aptify user by running the Aptify Desktop client on the database server directly. See Installing the Aptify Desktop Client.
- Launch the User Administration wizard from the Users service.
- In step 1 of the wizard, select the Windows Integrated Security (recommended) option to specify that you are creating a trusted user account.
- In step 2 of the wizard, select the database_server local computer from the Domain drop-down list, and from the Account list, select the ebizuser account you created earlier.
- The Domain drop-down list in the User Administration wizard only identifies the local machine and its associated workgroups and domains. Therefore, only the local machine appears in this field. This is why you need to create the user by running the Aptify Desktop client directly on the database server.
- Complete the User Administration wizard to create a user account for the database_server\ebizuser user.
- Note that this user must be assigned a valid user license to successfully communicate with the database server.
- Configure the account with the appropriate privileges to conduct e-Business activity. The specific permission set required for the e-Business user depends on the type of user activity that will be conducted on your website.
- Also, link the account to an Employees record in Aptify (such as a new Employees record named "Web User").
- If you do not want the Aptify Desktop client installed on the database server, you can now uninstall it. See Uninstalling the Aptify Desktop Client.
Step 4 - Installing e-Business
For this step, install e-Business on the web server. If feasible, Aptify recommends that you have the web server on the same domain as the database server during installation and initial testing. This helps eliminate the DMZ as a variable if you encounter any problems launching the site after initial installation.
Follow these instructions:
- Log in to the web server that will host the e-Business site.
- Install the Aptify Desktop client on the e-Business server. See Installing the Aptify Desktop Client.
- Download the e-Business installation ZIP file to a folder on the computer and unzip its contents.
- You need to run the installation program locally on the computer; you should not run it over the network.
- Review the installation models described earlier in this chapter and select the model that is appropriate to your installation.
- Aptify e-Business supports several installation options, such as installing e-Business to a new Sitefinity site, installing e-Business to an existing Sitefinity site, and installing e-Business for another Content Management System (CMS), such as Ektron CMS400.NET.
- The specific instructions you need to follow vary depending on where you want to install e-Business.
- Follow the instructions for the installation model you selected. When specifying the e-Business user, enter the local database user you created earlier (that is, database_server\ebizuser).
You must enter (and re-enter) the correct password for the e-Business user. Aptify uses this password to create the mirrored account on the web server. If the passwords do not match, parts of the site may load, but the site will be unable to communicate with the Aptify database.
- Configure the remaining installation options as required by your selected installation model, following the instructions in that topic.
During installation, the e-Business setup program does the following:
- Creates a local machine user on the web server (such as, web_server\ebizuser) that uses the password you provided for the database_server\ebizuser. Aptify automatically assigns the necessary permissions for this user to run the e-Business site.
- Creates a Microsoft IIS Application Pool on the web server. This application pool is run by the web_server\ebizuser account.
- Configures the website's web.config file to use the database_server\ebizuser account to enable access to the Aptify database.
- Assigns the database_server\ebizuser account to the e-Business Security Key, which is used for encrypting/decrypting web user passwords.
Step 5 - Testing the Setup and Troubleshooting Tips
Launch a browser and navigate to the e-Business site, for instance, http://localhost/ebusiness. Verify that web menus are visible on the page. Then create a new web user account, or log in as an existing user, and confirm that the site functions as expected.
If the site fails to load and returns a 503 error, confirm that the mirrored account was created on the Web server. If not, you can create the local user manually on the Web server (similar to the steps in Step 2 - Creating a Trusted Windows User Account). Be sure to use the same password for the mirrored account that you specified for the local account on the database server.
If the site loads but you cannot log in or create a new user, you may not have entered the correct password for the e-Business user during installation. Try resetting the password in the following locations:
- On the database server, reset the password for the local e-Business user account from the Windows Computer Management dialog.
- On the Web server, reset the password for the local e-Business user account from the Windows Computer Management dialog. Use the same password that you entered for the e-Business user on the database server.
- On the web server, reset the password for the local e-Business user account in the e-Business application pool, within IIS. Use the same password that you specified in the other two locations. Follow these steps:
- On the web server, launch the Microsoft Internet Information Service (IIS) Manager.
- Browse to the Application Pools and open the advanced settings for the AptifyEBusiness pool.
- In the Advanced Settings dialog, select the Identity field and click the ellipsis button that appears.
- In the Application Pool Identity dialog, select the Set... button.
- Re-enter the user name and password for the local machine's e-Business user (such as, web_server\ebizuser).
- Save your changes and restart IIS.
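The checks from Step 1 and Step 5 can be run together from the web server. The script below is an added example, not part of Aptify's documentation or tooling; it uses this page's placeholder names (database_server, ebizuser, AptifyEBusiness) and assumes SQL Server listens on its default TCP port 1433.

```powershell
# Added example (not Aptify code): run in an elevated Windows PowerShell session on the web server.
# Placeholders from this page: database_server, ebizuser, AptifyEBusiness.
# Assumption: SQL Server uses the default TCP port 1433; change $SqlPort if yours differs.
param(
    [string]$DbServer = 'database_server',
    [string]$User     = 'ebizuser',
    [string]$PoolName = 'AptifyEBusiness',
    [int]   $SqlPort  = 1433
)
Import-Module WebAdministration
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$results = [ordered]@{}

# Step 1: the database server name resolves (DNS or hosts file) and SQL traffic passes the firewall.
try   { $resolved = [System.Net.Dns]::GetHostAddresses($DbServer).Count -gt 0 }
catch { $resolved = $false }
$results['Database server resolves'] = $resolved
$tcp = Test-NetConnection -ComputerName $DbServer -Port $SqlPort -WarningAction SilentlyContinue
$results['SQL port reachable'] = [bool]$tcp.TcpTestSucceeded

# Step 5 (503 error): the mirrored local account exists and is enabled on this web server.
$local = Get-LocalUser -Name $User -ErrorAction SilentlyContinue
$results['Mirrored account exists']  = [bool]$local
$results['Mirrored account enabled'] = [bool]($local -and $local.Enabled)

# Step 5: the application pool runs as that account rather than a built-in identity.
$pm = Get-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel -ErrorAction SilentlyContinue
$results['Pool uses specific user'] = ($pm.identityType -eq 'SpecificUser')
$results['Pool user matches']       = ($pm.userName -match "(^|\\)$([regex]::Escape($User))$")

# Step 5 (login fails): enter the password set on the database server and validate it
# against the local mirrored account. A wrong password counts as one failed logon.
$cred = Get-Credential -UserName $User -Message 'Password of the database server account'
$type = [System.DirectoryServices.AccountManagement.ContextType]::Machine
$ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($type, $env:COMPUTERNAME)
try {
    $plain = $cred.GetNetworkCredential().Password
    $results['Password matches mirrored account'] = $ctx.ValidateCredentials($User, $plain)
} finally {
    $ctx.Dispose()
    Remove-Variable plain -ErrorAction SilentlyContinue
}

# Report each check; anything marked CHECK maps to a troubleshooting step above.
$results.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

The script cannot read the password stored in the application pool, so a pool that still fails after every line reports OK needs its identity password re-entered in IIS Manager as described above.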
Step 6 - Final Setup and Installation Notes
If you installed and tested the e-Business site while the web server was on the same domain as the database server, detach the web server from the domain and install it in the DMZ, attaching it to either a workgroup or another domain.
After moving the web server to the DMZ, repeat your tests to confirm that the site functions correctly and that you can log in and create new web users.
Keep in mind the following points:
- As described in Step 1 - Establishing Cross-Domain Communication, you will need to open up any applicable firewall ports to allow the web server in the DMZ to communicate with the database server on the internal network.
- Aptify strongly recommends that you use HTTP over a Secure Socket Layer (SSL) to secure the e-Business site's content that cannot be accessed without logging in first. This will create an HTTPS site for non-public content.
Note Concerning Component Art Control in e-Business 5.5
The Aptify Web Menu control leverages the menu control provided by ComponentArt in ComponentArt.Web.UI.dll. e‐Business 5.5 provides an updated version of this control in several ASP.NET versions. The installation process will deploy the ASP.NET 4.0 version of ComponentArt.Web.UI.dll to the website’s bin directory.
ASP.NET 4.0 is required to install e‐Business 5.5 and Aptify recommends that all new e‐Business 5.5 sites run ASP.NET 4.0. However, if you are updating an existing site that is running under an earlier version of ASP.NET, you need to copy the appropriate version of the ComponentArt.Web.UI.dll (found under the ComponentArt Control folder of the APTIFY_550_eBiz_UPDATE distribution file) to the site’s bin directory, overwriting the existing version, to update to the latest ComponentArt version. Also, if your site’s application pool is not using ASP.NET 2.0, you can select another version of the ComponentArt.Web.UI.dll that matches your site’s .NET version.
See the readme.txt file in the Web Site Updates > Component Art Control folder of the APTIFY_550_eBiz_UPDATE distribution files for more details.
Note Concerning the Sitefinity Integration Web Service in e-Business 5.5
For e‐Business 5.5, the Aptify Sitefinity Web Service supports Sitefinity version 4.4. However, Aptify still provides the 3.7 version for existing 3.7 sites if needed. See the readme.txt file in the Web Site Updates > Sitefinity Web Service folder of the APTIFY_550_eBiz_UPDATE distribution files for more details.
Note Concerning the Starter Message Templates in e-Business 5.5
For e‐Business 5.5, the Aptify Messaging service includes starter templates that are populated with Aptify specific details. As a result, Aptify suggests users review, test, and update the message templates and check that message part links refer to the correct records and their PartIDs before use. For additional details on this please refer to the Important Notes and Issues section of the Aptify e-Business 5.5 Release Notes.