Running the Encompass Server Under IIS by wuxiangyu


Overview

Beginning with version 1.5, Encompass supports the ability to host the Encompass Server within Microsoft’s Internet Information Services (IIS) Web server software. By running the server within IIS, you can allow your users to use the full functionality of the Encompass application from anywhere on the Internet using industry standard protocols that pass through most firewalls.

Additionally, by leveraging the security features within IIS, corporations can ensure secure communications between their remote Encompass clients and the Encompass server using industry-standard encryption.

Prerequisites

Before installing the Encompass Server under IIS, verify that the computer that will host the service satisfies the following minimum requirements:
• The operating system must be Windows 2000, Windows 2003, or Windows XP Professional.
• The computer must have version 5.0 or later of IIS installed for Windows 2000/XP and version 6.0 or later installed for Windows 2003.
• You must have a registered domain name (e.g. or static, external IP address by which external users can connect to your Web server.
• IIS must have at least one Web site defined and that site must be configured to support “HTTP Keep-Alives” (by default, this option is enabled).
• To use secure, encrypted communication between client and server, you must install a valid SSL certificate (see “Using IIS Securely”).

NOTE: It is strongly recommended that you use Windows 2000 or Windows 2003 for your Encompass server when using IIS. Using Windows XP Professional will limit the server to hosting at most five concurrent Encompass users.

Firewalls & Routers

Most companies, and many individuals with broadband connections, use a hardware-based or software-based firewall and/or router to control data flow between the Internet and their internal, private network (LAN). A firewall (including those built into many broadband routers) helps prevent users outside of your local network from inappropriately accessing the computers within. Without a firewall, a computer connected to the Internet is much more vulnerable to attacks from hackers, worms, and so on.

Ellie Mae strongly recommends that both your Encompass Server and, if installed on a separate machine, your SQL Server reside on computers located behind a firewall. Both of these services are intended to allow users to connect and then retrieve or update data, making them particularly vulnerable to attack. Despite the security built into both products, a firewall adds another layer of protection against unauthorized access to your data.

If it is your intent to expose the Encompass Server to the Internet by running it under IIS, you must properly configure your firewall to permit traffic for this server to pass through. The sections below address issues related to firewall/router configuration to assist you in properly configuring your system. However, you may need to consult your system administrator or your firewall/router’s setup guide to apply the proper

Installing the Encompass Server

The Encompass Server can run in two different modes:

Windows Service Mode
In this mode, the server runs as a Windows service. This configuration is appropriate for companies that will only access the Encompass Server from within their local area network (LAN).

IIS/Hosted Mode
When running under IIS, the Encompass Server can take advantage of industry-standard protocols (HTTP, SSL) to ensure secure communications from anywhere on the Internet.

You can install the server with the default settings, or specifically configure the Web site and/or virtual root to which the server is installed. The default options should be sufficient in most cases and will install the server into the Encompass virtual root.

Once the server is installed, users must specify the server’s URL when logging in to Encompass to connect to the server. Because the Encompass Server is hosted within a Web server (IIS), it has a URL just like any other Web site or Web page. If installed with the default options, access the Encompass Server using the URL https://<yourcompanydomain>/Encompass.
For example, if you registered the domain name to refer to your Web server, then users would log in to Encompass by entering into the Server field on the Encompass User Login window.

Using IIS Securely

When running under IIS, the Encompass Server can take full advantage of the secure communications features built into the Web server. Establishing and using a secure connection to any Web server (usually by using a URL that starts with the prefix “https”) requires that the Web server have a Secure Sockets Layer (SSL) Certificate installed. This certificate provides both client and server the information required to make a secure, trusted connection that prevents eavesdropping.

If your company does not already have an SSL certificate, you must first purchase one from one of several certificate authorities that are authorized to generate Internet SSL certificates. Two of the most popular certificate authorities are VeriSign Corp. ( and Thawte (, but any registered certificate authority is acceptable. The certificate authority will charge a fee to issue the certificate and should provide instructions for installing the certificate onto your IIS server.

When a client communicates with a Web server, it generally does so using the standard HTTP port (port 80 by default). Secure communications, however, occur over a separate port called the HTTPS port (port 443 by default). Therefore, if your Web server sits behind a firewall or router that filters incoming Internet traffic, you must ensure it is properly configured to allow incoming traffic on these ports to pass through to your Web server. Contact your system administrator or consult your router’s documentation for information on how to allow Internet traffic through on these ports.

The final step in using Encompass securely over the Internet is to ensure that when users connect to Encompass, they use a URL that specifies the secure HTTP protocol, https. On the Encompass User Login window, the user must enter the secure URL of the Encompass Server in the Server field, for example, Note that the client application must use the “https” prefix for the URL to obtain a secure connection. If the client uses the non-secure “http” protocol, the communications between client and server will not be encrypted.

If you want to prevent users from connecting to the Encompass Server without using the security provided by the SSL certificate, there are two options available.
• Disable port 80 on your router or firewall so that computers outside your LAN cannot connect to the server on the non-secure HTTP port.
  This option allows clients within your LAN to continue to use the less secure (but higher-performing) HTTP protocol while users outside the LAN must use HTTPS.
• Configure IIS to require SSL connections to your Web site or just to the Encompass application. (Refer to the IIS documentation for more information).
  This option instructs IIS to reject connections that do not use HTTPS. It can be configured so that it only affects the Encompass application. If your Web server is used to host other static pages or Web applications, the second option provides greater flexibility since the control is much more granular.

Maintaining your Encompass Server

During installation, the Server Configuration Wizard automatically creates and configures a virtual root within IIS into which the Encompass Server components are installed. By default, these files are installed to the \Inetpub\wwwroot\Encompass folder on the drive where IIS was installed. It is important that you do not modify or move any of these files – doing so will likely cause the Encompass Server to fail.

Additionally, great care should be used if you attempt to modify the properties of the Encompass virtual root using the Windows Internet Services Manager. Improperly modifying these configuration settings can result in the Encompass Server failing to run or respond to requests.

If you believe that your Encompass Server is not functioning properly, re-launch the Server Configuration Wizard and choose the option to repair your installation. Repairing the server requires the server to be completely shut down, forcing all users to be logged off and any unsaved data to be lost. Ensure that all client sessions are closed prior to repairing the server.

Because the server runs as a Web application within IIS, it starts automatically the first time a request is made to it (for example, with the first attempted login). Because of this start-on-demand feature, the first login to the server will typically take longer than subsequent logins.

Once the server is started, the means by which to safely stop the server depends on the version of IIS you are running. When running IIS 5.x (the version supported by Windows 2000 and XP), you must completely stop your Web server in order to safely shut down the Encompass Server. Under IIS 6.0, you can shut down the Encompass Server by using the IIS Server Manager to stop the application pool associated with the Encompass Web application. By default, this application pool has the name EncompassAppPool.
Because the Encompass Server maintains session information in memory for each connected client, stopping the server causes all users to be effectively logged out. Once the server is restarted, users must log out and log back in to Encompass in order to log back in to the server. Additionally, client session information is maintained solely on the Encompass Server to which the client initially connected. Therefore, running multiple Encompass Servers behind a network load balancer (NLB) requires that client affinity is enabled on the NLB. This setting ensures that all subsequent requests from the same client are directed to the same Web server.

For the reasons explained above, it should be clear that any unexpected termination of the Encompass server can result in the loss of unsaved data. Although the server has been designed for perpetual uptime, a potential source of problems with unexpected termination of the server comes from the fact that IIS runs the Encompass server within a "managed" worker process. This worker process is designed to monitor certain core application and operating system files and, if they are modified, to automatically shut down the server and restart it. Unfortunately, this behavior cannot be modified, so your only option is to ensure that the files monitored by the process do not change.

In particular, the IIS worker process monitors the following sets of files:
• All files in the Encompass Server's virtual root (usually C:\Inetpub\wwwroot\Encompass)
• All files in the .NET Framework's CONFIG folder (C:\Windows\Microsoft.NET\Framework\v1.1.4322\CONFIG)

Although it is likely (and strongly recommended) that you will never directly modify any of these files, other software running on the server, in particular virus scanning applications, may open and/or update these files. If you are running a virus detection program such as Symantec's Anti-Virus or McAfee's VirusScan and you are experiencing unexpected termination of your Encompass Server, you should configure the virus detection software to bypass the directories listed above. Failure to do so may result in the server unexpectedly terminating when the scan process touches any of these files.

Running Other Web Applications with the Encompass Server

The Encompass Server is built on top of Microsoft’s .NET Framework and uses the .NET server extensions to run within IIS. If you install the Encompass Server to an IIS Web server that is hosting other .NET-based Web applications (such as ASP.NET and .NET Web Services), there are certain restrictions to consider.

The .NET server extensions introduced process recycling to IIS 5.x (these features are built in to IIS 6.0). Process recycling allows the server to monitor its own performance and, under certain conditions, automatically and transparently stop and restart .NET-based applications running under IIS. However, because the Encompass Server maintains session information for the connected clients, recycling this process would cause all clients to be immediately disconnected. Therefore, you must disable process recycling on the computer on which the Encompass Server runs.

For IIS 5.x, the process recycling settings are stored in the file, <Windows>\Microsoft.NET\Framework\v1.1.4322\CONFIG\machine.config. The Encompass Server Configuration Wizard automatically updates this file to disable process recycling as part of the server installation. However, these changes will affect all other .NET-based applications running on the same server. If other Web applications require that process recycling features be enabled, install the Encompass Server on a different computer.

For users of Windows 2003/IIS 6.0, the process recycling options can be set for individual application pools within IIS. When installed under IIS 6.0, the Server Configuration Wizard creates a new application pool named EncompassAppPool and disables process recycling for this pool only. Therefore, if you host other .NET-based Web applications under IIS 6.0, you should assign them to other application pools which have the process recycling settings properly set for those applications. Do not install another Web application into the Encompass application pool.

Connecting to the Encompass Server

To connect to your Encompass Server running under IIS over the Internet, a user running the Encompass client application must know the proper URL to use to address the server. The Encompass Server’s URL has the general format:

The <protocol> portion can take either the value “http,”
for non-secure connections, or “https,” for secure,
encrypted communications. The “https” option may
only be used if the Web server has a valid SSL
certificate installed as discussed above.
The <servername> element indicates the name of your
Web server as seen from the Internet. This may be a
name such as or an IP address,
such as
The <port> parameter is optional and can be used in
the rare event that your Web server is configured to
listen on a port other than the default. For “http”
connections, the default port is port 80. For “https”
connections, the default port is 443. For the client to
connect, all routers/firewalls between the client and the
server must permit traffic on the appropriate port.
The final element of the URL is the name of the virtual
root to which the server was installed in IIS. By default,
the Server Configuration Wizard installs Encompass
into a virtual root with the name Encompass. However,
using the manual configuration option, it is possible to
install Encompass into a different virtual root.
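
The URL elements described above can be checked before a value is handed to users for the Server field. The following is an added example, not part of the original guide or of Encompass itself; it assumes the elements are joined in the usual URL order (protocol, server name, optional port, virtual root), and the function names and sample host names are hypothetical.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}   # defaults stated in the text
DEFAULT_VROOT = "Encompass"                  # wizard's default virtual root


@dataclass
class ServerUrl:
    protocol: str
    servername: str
    port: int
    virtual_root: str
    encrypted: bool
    warnings: list = field(default_factory=list)


def check_server_url(value: str) -> ServerUrl:
    """Split a Server-field value into its elements and flag risky settings."""
    try:
        parts = urlsplit(value.strip())
        explicit_port = parts.port           # ValueError if not a valid number
    except ValueError as exc:
        raise ValueError(f"malformed URL {value!r}: {exc}") from exc
    protocol = parts.scheme.lower()
    if protocol not in DEFAULT_PORTS:
        raise ValueError(f"protocol must be http or https in {value!r}")
    if not parts.hostname:
        raise ValueError(f"no server name in {value!r}")
    if explicit_port == 0:
        raise ValueError(f"port 0 is not usable in {value!r}")
    port = explicit_port or DEFAULT_PORTS[protocol]
    vroot = parts.path.strip("/")
    result = ServerUrl(protocol, parts.hostname, port, vroot, protocol == "https")
    if not result.encrypted:
        result.warnings.append("http: client/server traffic is not encrypted")
    if port != DEFAULT_PORTS[protocol]:
        result.warnings.append(
            f"non-default port {port}: every router/firewall on the path must permit it")
    if not vroot:
        result.warnings.append(
            f"no virtual root given (default install uses {DEFAULT_VROOT!r})")
    return result


def audit(values):
    """Return {value: [problems]} for entries that are rejected or carry warnings."""
    findings = {}
    for value in values:
        try:
            problems = check_server_url(value).warnings
        except ValueError as exc:
            problems = [f"rejected: {exc}"]
        if problems:
            findings[value] = problems
    return findings


# Constructed sample entries; example.test and 192.0.2.10 are reserved test names.
SAMPLE = [
    "https://encompass.example.test/Encompass",
    "http://encompass.example.test/Encompass",
    "https://192.0.2.10:8443/Loans/",
    "encompass.example.test/Encompass",
]

if __name__ == "__main__":
    for entry, problems in audit(SAMPLE).items():
        print(entry, "->", "; ".join(problems))
```
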
Any computer running Windows XP, 2000, or 2003 can
connect to an Encompass Server running within IIS.
Windows 98 is not supported as a client when the
server runs through a Web server. Windows 98 may,
however, be used to connect to a server running in
Windows Service Mode.
