There are a couple of situations where a customer would like to install the Portal and run it in a DMZ. Two of the more important ones are use with the Live Maps Mobile app and exposing Dashboards to the outside world. This document goes through the requirements for setup.
NOTES: Since each company is different and follows its own security policies, this article will not cover them all. It will, however, cover a more common DMZ server setup: a stand-alone server that is not on a domain. If this is not your case, you may need to adjust some parts of this article. If you would like assistance, please contact firstname.lastname@example.org. Because of this setup, certain requirements are different than in the normal setup. It also means that not all functionality will be available in the Live Maps Portal. Please read the rest of the document for details of the various requirements and unsupported features for a DMZ setup.
- Processor - 2.8 GHz or better
- 2 GB RAM
- 20 GB of available hard disk space
- .Net Framework 4.0
- ASP .Net 4.0
- IIS 7.0 or higher
IIS requirements (including those from a standard IIS installation, noted from Server 2012 R2)
You will need a pre-existing web site set up in IIS prior to installation.
There are 2 different setups you can choose during the setup of the Live Maps portal. The choice depends on how you want to reference the portal.
- For https://<Servername> - Then you will need to create an empty website in IIS before beginning the installation.
- For https://<Servername>/livemapsunityportal - Then you can install the portal in any existing website including the Default website with the standard IIS setup.
Other requirements for IIS include:
- Common HTTP Features
- Default Document
- Directory Browsing
- HTTP Errors
- Static Content
- Health and Diagnostics
- HTTP Logging
- Static Content Compression
- Request Filtering
- Windows Authentication
- Application Development
- .NET Extensibility 4.5
- ASP.NET 4.5
- ISAPI Extensions
- ISAPI Filters
SQL - Because this server is not on the domain, we must use a SQL user to authenticate. This means that the SQL database instances hosting your Operations Manager and DW databases must allow mixed authentication. You will need to set up a SQL user that has a minimum of "db_datareader" access to both databases.
Compatible browsers: Internet Explorer V11 or greater, Chrome, Firefox. Should work with other browsers that support HTML5.
DNS requirements - The portal server still needs to resolve certain servers in your internal environment. If the server doesn't have an internal DNS server to reference, add those entries to the Hosts file of the server. The servers needed are the SCOM mgmt server and the Operations Manager and DW database servers.
Firewall requirements - Access to the SCOM server on port 5724. Access to the database servers on the port they are running on. The default is port 1433.
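The DNS and firewall requirements above can be verified from the DMZ server before installing. The following PowerShell is an added example, not part of the original article or Savision's tooling; the host names are placeholders, ports 445 and 3389 are constructed samples of ports the article does not list, and Test-NetConnection assumes Windows Server 2012 R2 or later.

```powershell
# Added example. Host names are placeholders (assumptions); replace with your own.
$checks = @(
    # Ports the article requires to be reachable from the DMZ server
    @{ Name = 'scom-ms01.corp.example'; Port = 5724; Expect = $true  }  # SCOM mgmt server
    @{ Name = 'sql-om01.corp.example';  Port = 1433; Expect = $true  }  # Operations Manager DB
    @{ Name = 'sql-dw01.corp.example';  Port = 1433; Expect = $true  }  # DW DB
    # Constructed samples of ports the article does not list; these should stay closed
    @{ Name = 'scom-ms01.corp.example'; Port = 445;  Expect = $false }  # SMB
    @{ Name = 'scom-ms01.corp.example'; Port = 3389; Expect = $false }  # RDP
)

function Test-PortalDependency {
    param([string]$Name, [int]$Port, [bool]$Expect)

    # Dns.GetHostAddresses uses the Windows resolver, so Hosts file entries
    # count as well as DNS records.
    try   { $ip = [System.Net.Dns]::GetHostAddresses($Name)[0].IPAddressToString }
    catch { $ip = $null }

    $open = $false
    if ($ip) {
        # -InformationLevel Quiet returns only $true/$false for the TCP test
        $open = Test-NetConnection -ComputerName $Name -Port $Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    [pscustomobject]@{
        Host      = $Name
        Port      = $Port
        Address   = $ip
        Reachable = $open
        Expected  = $Expect
        # A name that does not resolve is always a failure, even for "closed" checks
        Ok        = ($null -ne $ip) -and ($open -eq $Expect)
    }
}

$results = foreach ($c in $checks) { Test-PortalDependency @c }
$results | Format-Table -AutoSize

if ($results.Ok -contains $false) {
    Write-Warning 'Name resolution or firewall rules differ from the expected state.'
}
```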
Static URLs - Because we are on a non-domain server, we will not be running the app pool under a domain user. This makes the use of Static URLs from this portal unavailable.
Download the latest version from the Savision web site at www.savision.com/downloads.
1. Run the installer - either via a self-exe or via the ISO.
2. Click Advanced Installation.
3. Click on Install Live Maps Portal.
4. Click Next on the Welcome Screen.
5. Put a check mark in "I accept the terms of the License Agreement", and then click Next.
6. Leave the Authentication Method as Forms Authentication. This is important since the computer is not on the domain. Click Next.
7. Enter the Default Management Server you want this portal to connect to, then click Next. (NOTE: you might need an entry in the Hosts file if the server cannot be resolved via DNS.)
8. You can choose to participate in the Customer Experience Improvement, then click Next.
9. This is where you choose the type of website you want to install. Pick Website if installing in an empty website, or Child Application if installing in an existing website. Then click on Find Sites. (NOTE: The Default website is considered an existing website.) In this KB article I am selecting Website, as I had already set up an empty website ahead of time.
10. Use the drop-down to select the empty website, and then CREATE NEW POOL... When creating the pool, please give it a unique name that hasn't been used before. Believe it or not, at this stage you can enter any information for the username and password. The two password entries must be the same. We will change the pool identity later. Then click on Configure.
11. On the Performing Configuration dialog box, click on Install when the button becomes available. It will be grey at first.
12. Click on Finish.
The portal has been installed at this point, but there are several configuration changes that will need to be made. If you attempt to open the portal at this stage, it will most likely give you a 503 error.
Application Pool Changes
1. From the IIS Manager, go into Application Pools, and right click on the app pool running your new installation. Select Advanced Settings.
2. Find Identity and click on the 3 dot button on the right.
3. Switch to a Built-in Account and select ApplicationPoolIdentity. Click on OK.
4. Change the Load User Profile to True.
5. Click on OK.
1. From IIS Manager, under Sites, locate where Live Maps is installed. In the middle pane, double click on Application Settings.
2. The parts that we will need to update will be all the ones starting with "Portal:"
3. Change Portal:SDKAuthentication to "WindowsCredentials".
4. Change Portal:SDKUser to the same user running the System Center Data Access service on the mgmt server.
5. For the Portal:SDKPassword, while you can add the clear text of your password here, it is recommended that you encrypt the password. To do that, navigate to c:\Program Files\Savision\Live Maps Unity Portal. Run the GenerateSecurePassword PowerShell script. You will be prompted for the password, and then it will copy text to your clipboard. Add this to the Portal:SDKPassword.
6. Change Portal:SQLAuthentication to "SQLCredentials".
7. Change Portal:SQLUser to the SQL Username.
8. For the Portal:SQLPassword, while you can add the clear text of your password here, it is recommended that you encrypt the password. To do that, navigate to c:\Program Files\Savision\Live Maps Unity Portal. Run the GenerateSecurePassword PowerShell script. You will be prompted for the password, and then it will copy text to your clipboard. Add this to the Portal:SQLPassword.
9. Right click in the Application Settings and select Add...
10. Add name "Portal:InDMZ" with a value of "true" then click on OK.
When you are done with this part, you should get something that looks like this.
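The application settings from the steps above can also be checked from PowerShell without printing the passwords. This is an added example, not Savision's code: it assumes the IIS Application Settings are stored in the appSettings section of the site's web.config, and the fragment below is constructed sample data with made-up user names (its SQL password is left empty and Portal:InDMZ is missing on purpose).

```powershell
# Added example. Constructed web.config fragment; to audit a live install, load the
# real file instead: [xml]$config = Get-Content -Raw '<site path>\web.config'
[xml]$config = @'
<configuration>
  <appSettings>
    <add key="Portal:SDKAuthentication" value="WindowsCredentials" />
    <add key="Portal:SDKUser" value="CORP\svc-scom-das" />
    <add key="Portal:SDKPassword" value="constructed-placeholder" />
    <add key="Portal:SQLAuthentication" value="SQLCredentials" />
    <add key="Portal:SQLUser" value="livemaps_reader" />
    <add key="Portal:SQLPassword" value="" />
  </appSettings>
</configuration>
'@

function Test-PortalDmzSettings {
    param([Parameter(Mandatory)][xml]$Config)

    # Values the article prescribes; $null means "must be present and non-empty".
    $expected = [ordered]@{
        'Portal:SDKAuthentication' = 'WindowsCredentials'
        'Portal:SDKUser'           = $null
        'Portal:SDKPassword'       = $null
        'Portal:SQLAuthentication' = 'SQLCredentials'
        'Portal:SQLUser'           = $null
        'Portal:SQLPassword'       = $null
        'Portal:InDMZ'             = 'true'
    }

    $actual = @{}
    foreach ($node in $Config.SelectNodes('/configuration/appSettings/add')) {
        $actual[$node.GetAttribute('key')] = $node.GetAttribute('value')
    }

    foreach ($key in $expected.Keys) {
        $value = $actual[$key]
        $want  = $expected[$key]
        if ($null -eq $want) {
            $ok = -not [string]::IsNullOrEmpty($value)
        } else {
            $ok = ($value -eq $want)
        }
        # Never echo secrets: report only whether a password value exists.
        if ($key -like '*Password') { $value = if ($value) { '<set>' } else { '<empty>' } }
        [pscustomobject]@{ Setting = $key; Value = $value; Ok = $ok }
    }
}

Test-PortalDmzSettings -Config $config | Format-Table -AutoSize
```

The check only confirms that a password value is present; the article does not describe the format of the GenerateSecurePassword output, so it cannot tell encrypted text from clear text.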
It is recommended that you install an SSL certificate for the website, especially since you are exposing it to the outside world.
Static URLs are not supported with this setup. The reason for this is simple. All Static URLs are stored in SCOM. It is the app pool user that must have access into SCOM in order to retrieve the Static URLs. Since the app pool is running under the ApplicationPoolIdentity, that user is not part of the domain and can't have access into SCOM.