Minimum install of Shibboleth on IIS, when Daemon is on Separate Computer - iis

I have a Shibboleth service provider (SP) served by a web farm with no outbound internet access (for security reasons). The web farm forwards authentication requests to the Shibboleth daemon running on a computer that does have outbound internet.
Because of this separation, I'd like to minimize the installation on each box in the web farm. I have the following questions:
Is it possible to xcopy-deploy Shibboleth to the web farm, rather than using the installer? If so, what are the minimum files in addition to the isapi_shib.dll?
If using the installer on each server in the web farm is necessary, what folders/files can be removed post-installation? (For instance, I see I can disable the "Shibboleth 2 Daemon" service...)
And by the way, I am using http://www.testshib.org for integration testing.


azure webapp of windows service application

I have an existing Windows Service application that can run as a service or as a console application. It can be built x32 or x64.
It will, by configuration file, try to use an IP address and a port number.
Once it has that it will accept and send SOAP messages back and forth and service the requests.
The question is can this be deployed to Azure in a webapp framework, where scaling to meet increases in customer load is automatic. If not what implementation would work, moving from what I have?
Azure Web Apps (web sites) are not going to let you install a Windows Service, as that requires admin-level access to install.
You'd either need to run your Windows service in cloud services (web/worker roles, which are stateless Windows Server VMs) or Virtual Machines (where you have full VM access).
Alternatively, you'd need to extract your service code (pulling it out of the service shell) and run it in a different way. How you do this is up to you, but Web Apps provide certain features (such as Web Jobs) which may fit your model.

How to create hidden web site on IIS - IIS with multiple user accounts

I've got a little server plugging along, with IIS and some other stuff. Is it possible to allow a second user access to the IIS Manager, with the ability to create and edit sites, but keep the two accounts' sites separate?
I'm not worried about security between the two accounts, just separating the two accounts' sites for neatness and so that one user doesn't accidentally change something tied to the other account. At the moment I have two users who are part of the administrators group, and if I open IIS Manager with either one they both show all the sites.
A similar question has already been asked: how to create hidden web site on IIS
Can you please expand the answer of that thread?
Update 1
Connecting to sites remotely would allow the other sites to appear hidden as you would only see the connecting site. See: How to use Internet Information Services (IIS) 7 Manager to connect remotely to your website.
Update 0
As for hiding sites and other features, check out: What is administration.config for IIS?
One little-known feature of IIS7 is that its UI is entirely extensible! This means that anyone can write a C# assembly and get it displayed through the IIS Manager UI. The possibilities here are endless, anything from someone writing a new certificate management system, a website provisioning system, etc.
I haven't found documentation stating that the actual sites can be hidden but it sounds like it should be possible.
An Overview of Feature Delegation in IIS 7.0 may also provide the ability to hide sites.
Other links:
How do I hide 'non-delegated' features in IIS 7?
Based on your description, Microsoft's documentation on Configuring Permissions for IIS Manager Users and Windows Users (IIS 7) might prove helpful. For instance:
Allow an IIS Manager User Account to Connect to a Site or an Application (IIS 7)
Note: For IIS Manager users to connect to sites and applications for which you grant permission, you must configure the management service to accept connections from users who have IIS Manager credentials. For more information about how to configure the management service, see Configuring the Management Service in IIS 7.
Configuring Permissions for IIS Manager Users and Windows Users (IIS 7) - Emphasis added.
Use the IIS Manager Permissions feature to allow users to connect to sites and applications in IIS Manager. Remove a user account when you no longer want the user to configure delegated features in a site or an application.
Permitted users can configure delegated features in any sites or applications for which you grant them permission. Users can be either IIS Manager users, which are credentials created in IIS Manager by using the IIS Manager Users feature, or Windows users and groups on the local computer or on the domain to which the computer belongs.
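The procedure the answer above quotes from the Microsoft documentation (enable the Management Service, create an IIS Manager user, grant that user one site) can be scripted. The following is an added example, not code from the original thread or from Microsoft; it assumes IIS 7 or later with the "Management Service" role service installed, and the site name "SiteB", the user name "bob" and the assembly path are assumptions for illustration.

```powershell
# Added example (not from the original thread). Assumes IIS 7+ with the
# "Management Service" role service installed; "SiteB" and "bob" are
# hypothetical. Run from an elevated PowerShell on the IIS host.

# Microsoft.Web.Management.dll is installed with the Management Service role
# service; this path is the usual location (assumption for this example).
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Management.dll"

$site = "SiteB"
$user = "bob"
$cred = Get-Credential -UserName $user -Message "Password for IIS Manager user $user"
$plain = $cred.GetNetworkCredential().Password

# 1. Let WMSVC accept remote connections and accept IIS Manager credentials
#    (RequiresWindowsCredentials = 0 means "Windows credentials or IIS Manager
#    credentials"). WMSVC reads these values when it starts.
$wm = "HKLM:\SOFTWARE\Microsoft\WebManagement\Server"
Set-ItemProperty -Path $wm -Name EnableRemoteManagement     -Value 1
Set-ItemProperty -Path $wm -Name RequiresWindowsCredentials -Value 0

# 2. Create the IIS Manager user. It is stored by IIS, not in Windows, so it
#    has no interactive or RDP logon. CreateUser throws if the name exists.
try {
    [Microsoft.Web.Management.Server.ManagementAuthentication]::CreateUser($user, $plain) | Out-Null
} catch {
    Write-Warning "IIS Manager user '$user' already exists: $($_.Exception.Message)"
}

# 3. Grant the user a connection to this one site only. The configuration
#    path for a site is its name; for an application it would be "SiteB/app".
#    The last argument is $false because "bob" is a user, not a role.
[Microsoft.Web.Management.Server.ManagementAuthorization]::Grant($user, $site, $false) | Out-Null

# 4. Make sure the Management Service runs and survives reboots.
Set-Service   -Name WMSVC -StartupType Automatic
Restart-Service -Name WMSVC

# Verify: who may connect to $site (site-level grants only, first 100 entries).
[Microsoft.Web.Management.Server.ManagementAuthorization]::GetAuthorizedUsers($site, $false, 0, 100) |
    Select-Object Name, IsRole, ConfigurationPath
```

When "bob" connects from a remote IIS Manager with "Connect to a Site" he sees only SiteB; the other user's sites are not listed because no grant exists for them. Each user in the original question would get his own grant, while the two Windows administrator accounts keep seeing everything through the local connection.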

asmx service hosting under sharepoint - recommendations

I have a SharePoint web application that has some custom web parts that consume an asmx web service. This service talks to an Oracle 10g database. Currently, the service is hosted on the application server in its separate web site (and port). I think I should host it on the front end servers under the _vti_bin folder to automatically achieve high availability and load balancing of the service calls. Would you recommend this "enhancement"?
Please notice that the asmx service is configured to run in a 32-bit app pool since the Oracle client, which it uses, is 32-bit software. I think then I can't just have it under _vti_bin; I may need to have it in its own virtual directory under the SharePoint application's IIS web site and configure that VD to run in a separate 32-bit app pool. Will that work out? Will I still achieve the HA and LB benefits, knowing that Windows NLB is used?
Another related question: should the service be hosted on the WFE in the first place? It hits an external database, which I could think of as a middle-tier service that can be kept on the application server(s); one more server is to be added soon.

MSDeploy remote permissions needed for Windows 2003 Server / IIS 6

What are the permissions needed for running delegated deployments, using MSDeploy, targeting a Windows 2003 Server / IIS 6.0 ?
EDIT: this is a duplicate of ... How to allow non-admin user to deploy web applications on IIS 6 using web deploy
IIS6 can't be published to directly via Web Deploy, so you will need to use the Web Deployment Agent. Once you have set up the agent, the endpoint address should look something like this:
http://myserver/MsDeployAgentService
Note this is not an HTTPS address and does not explicitly specify a port. Also, the account publishing to this endpoint must have admin rights on the server (nasty, but necessary). Finally, make sure the "Web Deployment Agent Service" is actually running because it's not set to start automatically by default.

Should I publish http://x.x.x.x/MsDeployAgentService for a public IIS server?

Webdeploy is very convenient from Visual Studio 2010. Today I am using it to publish my project via a remote deploy agent (http://x.x.x.x/MsDeployAgentService) to a production web server facing Internet.
Although administrator password is required, is it a good practice to leave http://x.x.x.x/MsDeployAgentService accessible to everyone or should I care more about the security of this subpath so that it cannot be accessed from Internet?
If I need to allow deployment only from certain internal URLs, how do I secure the deployment agent service?
It seems pretty secure as a few shared hosts are using it for their clients.
Security note
Set it up so that you are using IIS managers and not Windows Logins.
There is an implicit restriction on what IIS managers can do, rather than Windows, and passing out Windows logins means access via RDP to the server (usually).
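The two answers above describe the same endpoint from two sides: the agent service at http://server/MsDeployAgentService needs a Windows administrator over plain HTTP, while the Web Management Service (WMSVC) handler at https://server:8172/msdeploy.axd accepts an IIS Manager user that is limited to one site. The following added example (not code from either thread, and not part of Web Deploy's own documentation) shows both deployment commands side by side and the server-side steps that restrict who can reach the service. The msdeploy.exe path, host name, site name, package folder and management subnet are assumptions for illustration; the commands in (a) and (b) run on the deploying workstation, those in (c) on the server.

```powershell
# Added example (not from either thread). Assumes Web Deploy V3 on both ends;
# the path, host, site, package folder and subnet below are hypothetical.

$msdeploy = "${env:ProgramFiles}\IIS\Microsoft Web Deploy V3\msdeploy.exe"
$server   = "webserver.example.internal"
$site     = "SiteB"
$package  = "C:\build\SiteB"

# (a) The Remote Agent Service endpoint from the IIS 6 answer: plain HTTP on
#     port 80, Windows credentials, and the account must be a local
#     administrator. Anyone who can reach /MsDeployAgentService can try
#     administrator passwords against it, so this is the form to keep off an
#     Internet-facing host.
$adminCred = Get-Credential -Message "Windows administrator on $server"
& $msdeploy -verb:sync `
    "-source:contentPath=$package" `
    "-dest:contentPath=$site,computerName=http://$server/MsDeployAgentService,userName=$($adminCred.UserName),password=$($adminCred.GetNetworkCredential().Password)"

# (b) The WMSVC handler instead: HTTPS on 8172, Basic auth over TLS, and an
#     IIS Manager user that was granted only $site (no Windows logon, no RDP).
#     ?site= pins the connection to that site. Drop -allowUntrusted once WMSVC
#     presents a certificate the workstation trusts. Note that msdeploy takes
#     the password on the command line, so it is visible in process listings
#     and shell history on the workstation.
$mgrCred = Get-Credential -Message "IIS Manager user for $site"
& $msdeploy -verb:sync `
    "-source:contentPath=$package" `
    "-dest:contentPath=$site,computerName=https://${server}:8172/msdeploy.axd?site=$site,userName=$($mgrCred.UserName),password=$($mgrCred.GetNetworkCredential().Password),authType=Basic" `
    -allowUntrusted

# (c) On the server: allow 8172 only from the management subnet (assumed
#     10.0.5.0/24) and shut down the agent service (service name MsDepSvc) so
#     the port-80 /MsDeployAgentService path is no longer served at all.
New-NetFirewallRule -DisplayName "Web Deploy (WMSVC) from management subnet" `
    -Direction Inbound -Protocol TCP -LocalPort 8172 `
    -RemoteAddress 10.0.5.0/24 -Action Allow
Stop-Service -Name MsDepSvc -ErrorAction SilentlyContinue
Set-Service  -Name MsDepSvc -StartupType Disabled

# Check that nothing else already opens 8172 to any address; an existing
# broad Allow rule would make the scoped one above ineffective.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq 8172 } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Enabled, Direction, Action
```

The firewall cmdlets require Windows Server 2012 or later; on the Windows 2003 target of the earlier thread only the agent service path (a) is available, which is why that answer calls the administrator requirement "nasty, but necessary". The check at the end matters because an installer-created rule that allows 8172 from any address takes effect alongside the scoped rule, and the scoping would then restrict nothing.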
