|
Follow the instructions below if you are using:
•Windows Server 2008 - IIS7 •Windows Server 2008R2 - IIS7.5 Note that there may be minor differences in the windows displayed when installing 7 or IIS 7.5. However, the same server roles and features need to be installed in both cases.
Ensure you have met the required prerequisites before you start.
Accelerus Web is a multi-layered application that runs inside Microsoft’s Internet Information Services ().
Teachers use a web browser to communicate with the Accelerus Web site application. This fetches pages to display, and also handles messages about changed data, eg results, from the user. The Accelerus Web site application in turn communicates with the Accelerus Web service layer to retrieve the actual data from the database and to save changes to the database.
In most cases, these two layers will be hosted on the same server as a single application. If required, they may be hosted on separate servers, eg if a school had particular security requirements or had very heavy server demands.
|
To configure IIS effectively requires some understanding of how web requests travel around the network. It’s not too difficult!
First, just like most people have an address to which you can send them a letter, all computers on a network have an address to which you can send them a network message. This address is called an IP address. IP addresses are number sequences like 10.0.0.8. Every computer on a network has one IP address, and sometimes more than one. To get a network message to any computer, it is sent to the appropriate IP address.
The problem is that when we want to send a message to a computer to do something, such as fetch a web page, we can have difficulty remembering these odd numeric sequences. We prefer words. So, we give computers names, names like reports.school.edu.au. These are called domain names, or host names. Great for us; but the computer still wants numbers. Hence the Domain Name System (). This system takes a domain name and converts it to an IP address. So now we and computers are both happy.
But, somewhere, there needs to be a list of all those host or domain names and their matching IP address. This would be quite a list if it were all in one place, but it is shared all through the internet, and within each school’s or business’ network.
In each school network, there is usually a Domain Name Server that knows about all the computers at the school and how to convert their names to their corresponding IP address. It also knows that if it cannot convert a name to an IP address, it can contact other servers outside the school that might be able to help.
Sometimes the name is incorrect, and no match can be found. Sometimes, the name is only valid within a school and doesn’t work at home. In either case, the DNS will come up with an error, which is usually displayed inside the user’s browser.
|
To be able to retrieve a web page from a web server, the user’s request must get to the correct server. This means a message must be sent from the user’s computer to the server computer, addressed to the server’s IP address.
The user will enter an address, or Uniform Resource Location (), into the browser. For example, http://server.school.edu.au/reports.
The browser reads this URL and decodes it to say: using the HTTP protocol, which is an agreed way for two computers to communicate, go to the server with the domain name server.school.edu.au and display the web page associated with reports.
Using the Domain Name System, described above, server.school.edu.au will be converted to an IP address. If the browser can find a way to convert the domain name to an IP address, it will send the message to the computer at that IP address. The computer then has to do something with the message.
If the conversion is successful and the server is running and listening for messages, the server will respond so that the user sees a web page.
If the browser cannot find a way to convert the domain name to an IP address, it will display an error message. This would occur, for example, if the teacher was at home and tried to connect to reports.local from their browser, because reports.local is only resolvable to an IP address from within the school network.
|
Once the user’s request for a web page has made it to the web server by following the IP address, the server has to decide what to do with it.
On the server, a program called Internet Information Services (IIS) will be running. Its job is to hand out web pages, pictures and other data to users who request them.
In a simple IIS setup, there will only be a single website hosted by the server. In this case, it doesn’t really matter what the user entered into the host name of the URL; if the message request is received by the server, the server will reply with the main web page.
The key to IIS responding with the correct web page is that the user’s request is delivered to the correct port number using the correct protocol.
So, what is a port and a protocol?
•A port number works with the IP address to more accurately determine where to send a network message. Whereas the IP address determines the computer to which the message will be sent, the port number specifies which web program or application on that computer will actually receive and respond to the message. IIS is usually configured to listen on port 80. •A protocol is a set of standards that software developers agree on that defines what can go into a web request message. The main protocol for websites is the Hyper Text Transfer Protocol or HTTP. Therefore, as long as IIS is configured to listen for web messages on the correct port and is expecting the correct protocol, the web pages from a single site running on IIS can be sent back to the user’s browser.
However, in reality, most IIS servers will be looking after multiple websites. So when a request from a user comes in, how does IIS know to which website it should pass the message? This is where bindings come in.
A binding specifies a protocol, a port number and, optionally, a hostname. Each website in IIS must have at least one binding set on it for it to be accessible. IIS compares the details of the incoming request with the bindings set on each website, chooses the website with the best match and passes the message to that website.
Each website binding in IIS must specify a unique set of protocol, port and host name. Otherwise, it would be ambiguous as to which website a message is for.
It is possible to set the bindings on different websites to listen on different ports, or use different protocols, but doing so can make it difficult for users. This is because browsers will send messages to port 80 unless told otherwise. Using a different port number will require the user to type in that number as part of the URL entered into the web browser. But it can also impact on whether the web page requests will even get to the server. This is because firewalls can be configured to throw away messages addressed to ports other than port 80.
The alternative to specifying different ports and protocols for different websites is to specify different host names. Host names are optional, but very useful. However, some care is required when configuring them.
|
When a browser sends a web page request to IIS, even though it gets delivered to the IP address, the message still contains the details of the host name that was entered into the browser’s address bar.
IIS can use this host name to correctly serve the right web page.
Consider a school that has an internal domain name of reports.local that translates to the IP address of 10.0.0.8. It also has an external domain name, reports.school.edu.au, that goes through a firewall, but also ends up at 10.0.0.8. An IIS server that is running on the 10.0.0.8 computer could receive web requests from different users with a host name of either reports.local, reports.school.edu.au, or 10.0.0.8. Each of these three host names could be set in bindings to bring up a different website: an intranet for teachers on reports.local; a public website on reports.school.edu.au; or a technical web statistics page on 10.0.0.8. Alternatively, a single website could be configured such that each of the three bindings is associated with the one web site. This would mean a user would receive the same web page regardless of whether they were inside or outside the school.
There are many ways web applications can be configured on a school network and the information given here must be considered in relation to your school’s own security and server requirements.
|
|
When configuring Accelerus Web, schools need to decide:
•Will Accelerus Web will be the only website on the server? OR
•Will Accelerus Web be an additional website on a server that already has other websites configured? OR
•Will Accelerus Web be in a folder under an existing website? Having a single server dedicated to Accelerus Web is the most ideal. It gives the best performance and can be stopped and started without impacting any other websites at the school. However, schools may need to configure firewalls, add additional public DNS records and be able to afford a dedicated server.
If a school is going to share Accelerus on a server with other websites, the decision is then whether it will be a separate website, or a folder in an existing website.
A separate website enables Accelerus to operate independently. It can be started and stopped separately from other websites. For example, some schools turn off Accelerus Web while printing. The downside of an additional website is that it needs a unique binding. This could be done via a port number or a different host name. However, host names must be configured carefully so that both internal and external access is possible. This may require firewall configuration and/or public DNS records to be created.
The third option is to use an existing website and create a folder within it for Accelerus. This is quick to set up as the firewall has already been configured and teachers should already have appropriate access to it. They simply need to include the folder name in an existing URL, eg www.school.edu.au/reports. The downside to sharing a website is that it cannot be stopped independently and there is an increased security risk due to it being shared. However, if it already provides secure access for teachers, it can be a good way to go.
|
Accelerus Web has been configured so that, when a user browses the Accelerus Web site and logs in, the logged in session will not timeout until the user logs off or closes the browser. Closing only the browser tab will not force the user to be logged off. This is independent of the Accelerus Web service or site application pool idle timeout and ensures any changes made to results are saved before a user logs off or closes the browser.
There are two instances where a website session may timeout before changes are saved:
•The time for the user to receive and process a response from the server is longer than the receiveTimeout or the time for the server to respond to a request from the user is longer than the sendTimeout. The receiveTimeout and sendTimeout are set by default to one minute in the web.config file for the website. For a response to a request to take longer than one minute, the SQL server would be under significant load and require performance tuning. Alternatively, the SQL server connection may have been lost due to a network or server problem. If a send or receive timeout occurs the user will be alerted to the timeout and given instructions on how to proceed with minimal loss of results.
•The school uses or other threat management software as a portal into the school network which forces the portal to request a new login after a defined time.
Accelerus Web creates an authentication token for each user logged in to Accelerus Web. This token is stored in the Accelerus database. When a teacher is entering results via Accelerus Web, if a session is disconnected because of the portal timing out, with the user being prompted to log back into the school’s portal, Accelerus uses this token to avoid data loss. Where this occurs, Accelerus will alert the user and provide steps on how to minimise data loss. In this situation, the user may open another tab in the browser, log back into the portal, return to the original tab and save.
To reduce the frequency of this alert and therefore reduce the potential for losing results, consider the following:
•Extend the portal timeout on the school network; however, this of course may expose the school’s network to potential security threats. •Extend the portal timeout only for the Accelerus Web site so that when users are logged into Accelerus Web the portal does not timeout as frequently.
|
|
|
•Go to Control Panel and select Programs and Features. •Click Turn Windows features on or off.  •In the Server Manager window, while positioned on the Roles node, click Add Roles. •Add the Web Server (IIS) Role by ticking its checkbox, and then click Next. •Select the features to be installed in the Select Role Services window. ➢If prompted when adding features, click Add Required Role Services. ➢Ensure that the following are selected, these being required as a minimum by the Accelerus Web application: Web Server
®Common HTTP Features ▪Static Content ▪Default Document ▪Directory Browsing ▪HTTP Errors ▪HTTP Redirection ®Application Development ▪ASP.NET ▪.NET Extensibility ▪ISAPI Extensions ▪ISAPI Filters ®Health and Diagnostics ▪HTTP Logging ▪Request Monitor ®Security ▪Basic Authentication ▪Windows Authentication, if you intend to integrate Accelerus logins with Active Directory logins (see step 12) ▪URL Authorization ▪Request Filtering ®Performance ▪Static Content Compression Management Tools
®IIS Management Console ➢Click Next and approve the changes. •Add the Application Server role and click Next. •Tick HTTP Activation under Windows Process Activation Service Support, and then click Next. •Click Next until the role service is installed. •Close the Server Manager and the Control Panel's Programs and Features.
|
•Download AccelerusWebInstaller.exe from the Downloads > Latest Version page of the Accelerus website. •Double click AccelerusWebInstaller.exe and extract the folder therein – Semaphore.Accelerus.Web – to C:\inetpub\wwwroot, the provided by to store website files.
|
The remaining steps require you to use IIS Manager and be connected to the IIS server.
•Click Start, then Run, and in the Run box enter inetmgr. •Click OK and Internet Information Services (IIS) Manager will open.
|
In most cases there will already be a connection to the server listed in the Connections panel on the left-hand side.
•If there is a connection to the server displayed, click to expand it. OR
•If there is no connection to the IIS server listed, create a connection as follows: ➢Click the File menu and then click Connect to a Server. ➢In the Connect to Server box, enter the name of the server. If IIS is running on the web server, localhost may be used as an alternative name for the server. ➢Click Next. ➢Enter the name of the connection. The default name will usually suffice. ➢Click Finish. The new server connection will be displayed in the Connections panel.
➢Click to expand it.
|
|
If the IIS server has not yet been configured to host any websites, it will have a default website. If the default website is not being used, it is not required and should be removed, following the steps below.
•In the Connections pane, expand the server and the Sites. •If there is no website named Default Web Site, proceed to Step 5.
|
•In the Connections pane, expand the server, expand the Sites and expand Default Web Site. •If there are any folders, other than aspnet_client or the Accelerus Web folder extracted in Step 2, the Default Web Site is most likely in use. If the Default Web Site is being used, you can either install Accelerus Web site as a folder within the default folder, or create an additional website. If you create an additional website, you will need to ensure that users are able to access the Accelerus Web site independently of the Default Web Site. This may require specifying a different port number (not recommended), or adding an additional DNS record. See the background notes for more information.
•If there are no folders, other than aspnet_client or the Accelerus Web site folder within the default folder, delete the Default Web Site by right clicking over it and selecting the Remove option.
|
|
While Accelerus Web may be configured as a folder inside another website, we recommend, for security reasons, that it is created as a separate website.
•Click Start, then Run, and enter inetmgr in the Run box. •Click OK and Internet Information Services (IIS) Manager will open.
|
Accelerus Web site is likely to be its own website if it is the only website running on IIS. If there are other websites being hosted, you will need to take care with the bindings so that they do not clash with the bindings of any other website.
•In the Connections pane, right click on Sites. •Select Add Web Site.
|
•In the Add Web Site window, configure the bindings for the website as follows:
➢Site name: |
AccelerusWeb
|
➢Physical path: |
C:\inetpub\wwwroot\Semaphore.Accelerus.Web
|
➢IP address: |
All Unassigned
|
➢Port: |
80
|
➢Host name: |
<blank>
If there is another website that is using port 80, you will need to provide a host name in this window. This will likely mean that the host name will need to be added to a DNS server inside and/or outside your school's network.
|
•Click OK. This will create the Accelerus Web Site application, and also an application pool called AccelerusWeb with some default settings.
|
|
•In the Connections pane, right click on Application Pools and select Add Application Pool. •In the Add Application Pool window: ➢Enter the Application Pool name, ie AccelerusWeb. ➢Select .NET Framework V4.0.30319. ➢Click OK.
|
•In the Connections pane, select the website and/or parent folder in which the Accelerus Web site should be created. •Right click the selected website or folder and select Add Application. •In the Add Application window: ➢Set the Alias to the name that appears in the URL, eg this would be accelerus if the URL was http://myschool.edu.au/accelerus. ➢Click the Select button. ➢In the Select Application Pool window, choose the AccelerusWeb application pool and click OK. ➢Set the Physical path to the folder where AccelerusWebInstaller was unzipped, eg C:\inetpub\wwwroot\Semaphore.Accelerus.Web. ➢Click OK.
|
|
|
•In the Connections pane: ➢Click Application Pools. ➢In the centre pane, right click on AccelerusWeb and select Advanced Settings. •Set the following:
➢.NET Framework Version: |
v4.0
|
➢Managed Pipeline Mode: |
Integrated
|
➢: |
ApplicationPoolIdentity
|
➢: |
0
|
•Click OK in the Advanced Settings window.
|
|
The of an application pool defines the permissions under which the application will run. The permission set here is the same security context that is used to connect to the Accelerus SQL database. If SQL is using Windows authentication, that is important. If SQL is using its own authentication, the identity is less important.
The SQL credentials are specified in the web application's settings so the user assigned to the application pool identity is not relevant for the database connection.
•In the Connections pane, click . •In the centre pane, right click on AccelerusWeb and select Advanced Settings. •In the Advanced Settings window, click Identity in the Process Model section. •Click the browse button at the right. •In the Application Pool Identity box, select Built-in account option. •Select from the dropdown list. •Click OK in Application Pool Identity box. •Click OK in the Advanced Settings window.
|
The application pool identity will be used to authenticate the SQL database connection. Because IIS and SQL are on the same computer, the application pool can use the built in ApplicationPoolIdentity, but SQL will need to have that identity added as a user. Alternatively, you may use an existing user account or create a new user specifically for accessing the SQL database. If you wish to create a custom account, use the steps from the topic below that describes when IIS and SQL are on different computers.
•In the Connections pane, click . •In the centre pane, right click on AccelerusWeb and select Advanced Settings. •In the Advanced Settings window, click Identity in the Process Model section. •Click the browse button at the right. •In the Application Pool Identity box, select Built-in account option. •Select from the dropdown list. •Click OK in Application Pool Identity box. •Click OK in the Advanced Settings window.
|
•Open SQL Server Management Studio. •Login to the SQL Server hosting your Accelerus website. •In the Object Explorer, in the left panel, expand Security. •Right click Logins and select New Login. •In the Login name field, directly add a new user with the login name of IIS APPPOOL\AccelerusWeb. Do not add this using the Browse button. NB: There are three Ps in APPPOOL
•In the left panel, click User Mapping. •Check the box for your Accelerus SQL database in the top right hand panel. •In the bottom panel, tick db_datareader, db_datawriter and public permissions |
|
If the IIS and SQL servers are on different computers, it is not possible to use the inbuilt ApplicationPoolIdentity account. This is because it only authenticates on the local computer. For the situation in which IIS and SQL are on different computers, you will need to create a custom user account that exists on both computers. Typically this will be a domain account with minimal Windows permissions.
You may wish to create this user account so that the user account's password is set never to expire.
•In the Connections pane, click . •In the centre pane, right click on AccelerusWeb and select Advanced Settings. •In the Advanced Settings window, click Identity in the Process Model section. •Click the browse button at the right. •In the Application Pool Identity box, select the Custom account option. •Click the Set button. •In the Set Credentials box, enter the domain name and user name as domain\user and type the password in twice. •Click OK in the Set Credentials box. •Click OK in the Application Pool Identity box. •Click OK in the Advanced Settings window.
|
•Login to the SQL Server computer. •Open SQL Server Management Studio. •Ensure the custom account exists as a user with db_datareader and db_datawriter permissions on the Accelerus SQL database. •If it doesn't exist, create the SQL user linked to the windows authentication account, as follows: ➢In the Object Explorer, in the left panel, expand Security. ➢Right click Logins and select New Login. ➢In the Login name field, directly add a new user with the login name of custom user set in the previous step. ➢In the left panel, click User Mapping. ➢Check the box for your Accelerus SQL database in the top right hand panel. ➢In the bottom panel, tick db_datareader, db_datawriter and public permissions
|
|
|
At a command prompt, run the appropriate one of the following commands:
•Accelerus Web is the only website hosted by the IIS server: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -iru
•Accelerus Web is not the only website: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -ir
NB Accelerus runs as a 32bit application regardless of whether your server is a 32bit or 64bit machine. The command must always be run from the %systemroot%\Microsoft.NE\Framework\ folder not the %systemroot%\Microsoft.NET\Framework64 folder.
|
|
The application settings for Accelerus Web must be configured for each school to tell the application how to connect to the database.
•In the Connections pane, expand the Sites and click on AccelerusWeb. •In the centre pane, at the bottom, click Features View. •In the centre pane, within the ASP.NET section, double click Application Settings.
|
•Double click DatabaseName. •In the Edit Application Setting box that appears, enter the name of your Accelerus database in the Value field, and click OK. •Similarly, double click DatabaseServerName, then enter the name of your SQL Server in the Value field, and click OK.
|
The following steps in the Application Settings window are only required where SQL authentication is used to login to the Accelerus database:
•Double click Username and enter the SQL username in the Value field, clicking OK in the Edit box. •Double click Password and, similarly, enter the SQL password in the Value field, and click OK.
|
If your school has a Goals Management System licence, in the Application Settings window:
•Double click PhotoLocation and enter the full path of the folder in which photos are being stored for the Goals Management System. •Click OK.
|
|
In the Connections pane:
•Right click on the Accelerus Web site. •Select Manage Website. •Select Browse. The Accelerus Login window should appear.
•In the browser window that appears, delete from and including /Home/Login to the end of the URL. Replace this with /database/test, eg http://localhost/database/test.
|
Where Accelerus Web site has been setup as its own website, it may be necessary to add a new record to the DNS that maps the host name to the IIS server’s IP address.
|
•Login to Accelerus as an administrator. •In Tools > School Settings: ➢Click the System Items tab. ➢Tick on Enable Active Directory Integration. ➢Configure the login settings as required. •Add or import the domain user name details for each teacher in the Accelerus database.
|
•In the Connections pane, select the Accelerus Web site. Depending on your configuration, this could be a website called AccelerusWeb or a folder in another website named whatever you have given the Accelerus Web site, eg reports.
•In Features View, double click Authentication. •Right click on Anonymous Authentication and select Disable. •Right click on Forms Authentication and select Disable. •Right click on Windows Authentication and select Enable.
|
It is recommended that you test Windows Authentication by browsing the Accelerus Web Site from a computer other than the IIS server to avoid the IIS loopback security check. If the loopback security check is enabled, you will be prompted for credentials three times and, after entering valid credentials each time, you will receive a 401.1 Login Failed Error.
To test the Accelerus Web site from another computer, you must be logged into windows as a domain user name that is linked to a teacher in the Accelerus database.
See http://support.microsoft.com/kb/896861 for more information.
|
|
|
