As a part of your new iPaaS implementation, we’ll be installing CPHive to facilitate data flow between Counterpoint and iPaaS. One of the requirements for installation is an IIS server configuration, and Red Rook has created a Suggested Network Configuration Diagram for CPHive. Note that this diagram is a suggestion and the typical configuration we see, but it is not required.
Please work with your IT provider to discuss IIS server configuration options and address the CPHive server action items and let us know if you have any questions.
Install Server Application Requirements:
- Windows Server 2012 R2 or greater OS
- .Net 4.7.2 or greater (Framework Runtime)
- Download and run the web installer at the following link, or locate the .MSI installation package for the .NET 4.7.2 framework runtime.
- https://dotnet.microsoft.com/download/dotnet-framework/thank-you/net472-web-installer
- IIS version 8 or greater
- Microsoft Documentation on installing IIS 8.5
- https://docs.microsoft.com/en-us/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2
- Install IIS with the "Server Manager" application ("Add Roles and Features") and select the required Roles; additional detail, including the list of roles, can be found in the Microsoft documentation linked above.
CPHive Server Requirements: IIS and SSL
Procure and apply SSL certificate to the IIS server website.
This SSL certificate will either be a Wildcard certificate in the form of *.YourDomain.com or it can be an SSL certificate for a specific subdomain such as CP.YourDomain.com.
- If this certificate is already owned, skip forward to the installation section. Otherwise, this certificate will need to be purchased from your domain name provider such as GoDaddy.com, NameCheap.com or any other domain name provider.
- A CSR will be required to request an SSL certificate for a specific subdomain. The process of applying for an SSL certificate and fulfilling the subsequent request can be found from the domain provider. Here is an example from GoDaddy.com
- If the CSR was generated on this IIS server, completing the certificate request in IIS installs the certificate automatically, and you can skip the next step.
- Install the certificate onto the server using IIS.
- Export the certificate .PFX file and maintain the private key during export.
- Place .PFX file onto the IIS server and double click to install the certificate into the "Personal" certificate store. It can also be installed to the "web hosting" store if that makes more sense for your organization.
- Verify the certificate is available in IIS by selecting the server node in IIS Manager and opening Server Certificates:
- The certificate will be listed in the following window (if installed):
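The following script is an added verification check, not part of Red Rook's documentation: it confirms that a certificate covering the CPHive host name (or a wildcard for its domain) sits in the "Personal" store with its private key, that it has not expired, and that the IIS site's HTTPS binding actually uses it. The site name "Default Web Site" and the host name CPHive.YourDomain.com are assumptions; adjust them to your environment.

```powershell
# Added check (not Red Rook's code). Assumes the IIS site hosting CPHive is
# "Default Web Site" and the certificate covers CPHive.YourDomain.com.
Import-Module WebAdministration

$SiteName = 'Default Web Site'          # assumed IIS site hosting CPHive
$HostName = 'CPHive.YourDomain.com'     # assumed public subdomain

# 1. Find certificates in the Personal store whose SAN/subject covers the host
#    name directly or through a wildcard for the parent domain (*.YourDomain.com).
$parentDomain = $HostName.Substring($HostName.IndexOf('.') + 1)
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.DnsNameList.Unicode -contains $HostName -or
    $_.DnsNameList.Unicode -contains "*.$parentDomain"
}

if (-not $certs) {
    Write-Warning "No certificate for $HostName found in Cert:\LocalMachine\My."
    return
}

foreach ($cert in $certs) {
    # The .PFX export must have kept the private key; without it IIS cannot serve TLS.
    $status = if (-not $cert.HasPrivateKey) { 'MISSING PRIVATE KEY' }
              elseif ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' }
              elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) { 'EXPIRES WITHIN 30 DAYS' }
              else { 'OK' }
    "{0}  {1}  exp {2:yyyy-MM-dd}  {3}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $status
}

# 2. Confirm the site has an HTTPS binding and that it points at one of those certificates.
$httpsBindings = Get-WebBinding -Name $SiteName -Protocol https
if (-not $httpsBindings) {
    Write-Warning "Site '$SiteName' has no HTTPS binding; add one in IIS Manager (Edit Bindings)."
    return
}

foreach ($b in $httpsBindings) {
    $bound = $certs | Where-Object { $_.Thumbprint -eq $b.certificateHash }
    if ($bound) {
        "Binding $($b.bindingInformation) uses certificate $($b.certificateHash)"
    } else {
        Write-Warning "Binding $($b.bindingInformation) uses certificate $($b.certificateHash), which does not cover $HostName."
    }
}
```

Run it in an elevated PowerShell session on the IIS server; a warning on step 2 usually means the binding was created before the certificate was imported and needs to be re-selected in Edit Bindings.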
Enable whitelisted traffic to reach the IIS server using HTTPS.
The following configuration is done on your organization's edge router/firewall, and this section may require a member of your network management team.
- Allow inbound traffic on port 443 (the default HTTPS port) from the IPs/domain listed below. If 443 is already in use, assign a new port and notify the RR Team.
- outbound.iPaaS.com (This is the priority address, as it allows us to update DNS entries without requiring you to update your whitelisting policy.)
- The host name outbound.iPaaS.com will automatically resolve to the new IP address (52.184.255.108) if using DNS. If the host name can be used for the "allow" rules instead of the IP address, that is preferable, as it may prevent future firewall changes from being necessary: the host name should dynamically apply to any new IP addresses.
- 52.184.255.108 (Our current production Azure cluster address. It is the same as the above domain name, but as an IP address.)
- 69.61.66.128/27 (Our staging and development environments)
- 52.247.120.218 (Deprecated production Azure cluster address. ONLY share this IP to allow them to remove old whitelist entries. This Azure cluster has been shut down permanently.)
- For firewall configuration, these can be configured either as direct port forwarding on a dedicated Public IP address or as a NAT rule on any available Public IP address.
- Port forwarding requires that port 443 is available on a Public IP address owned by your organization. If 443 is not available use a NAT rule instead to translate the port traffic and send the new port to Red Rook.
- NAT rules can be configured to translate an arbitrary port such as 9443, 10433, 11443 or any other number; just be sure to avoid known ports for other services that may be in use.
- Larger numbers are suggested to avoid conflicts (e.g. 44443), but anything in the range 10000-49000 is typically open/random port space. As a rule, avoid using a number over 49000, as these approach reserved port space.
- For more info on ports and their known services:
- For more information on NAT firewall rules, see the documentation from your router manufacturer on how to configure NAT rules. Here is some documentation from Cisco:
Configure a Public DNS entry to resolve a new subdomain to the public IP address of the IIS server (set in the previous step)
- A DNS entry may also be required to redirect this new subdomain to the proper server IP. This is also done within the management site for your domain provider.
- This entry will be added in the DNS management section of your organization's domain name provider website, such as GoDaddy.com.
- This entry is suggested to be an "A record" that resolves the subdomain to an IP address. Example:
- CPHive.YourDomain.com resolves to 69.61.66.130 (This IP address needs to match the firewall configuration that opens port 443 to the server that is hosting the CPHive IIS instance.) This will be a Public IP address that is provided by your internet service provider.
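The following pre-flight script is an added example, not Red Rook's code, covering both the firewall and the DNS steps above: it checks that a non-default port falls in the suggested range, that the new A record resolves to the same public IP the firewall rule forwards, that an IP-based allow rule still matches what outbound.iPaaS.com resolves to, and that the forwarded port is reachable. The subdomain CPHive.YourDomain.com, the public IP 69.61.66.130 and port 443 are the page's example values; substitute your own.

```powershell
# Added pre-flight check (not Red Rook's code). Run the reachability step from a
# machine OUTSIDE your network, since many routers do not hairpin NAT traffic.
$HostName     = 'CPHive.YourDomain.com'   # assumed public subdomain
$ExpectedIP   = '69.61.66.130'            # public IP your firewall rule forwards (page example)
$PublicPort   = 443                       # or the NAT-translated port you reported to Red Rook
$IpaasHost    = 'outbound.iPaaS.com'      # Red Rook's outbound address (from the page)
$IpaasCurrent = '52.184.255.108'          # current production IP listed on the page

# 1. A non-default external port should stay inside the 10000-49000 range suggested above.
if ($PublicPort -ne 443 -and ($PublicPort -lt 10000 -or $PublicPort -gt 49000)) {
    Write-Warning "Port $PublicPort is outside the suggested 10000-49000 range."
}

# 2. The A record must point the subdomain at the same public IP the firewall rule uses.
$aRecords = Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.QueryType -eq 'A' }
if (-not $aRecords) {
    Write-Warning "$HostName has no A record yet; add one at your DNS provider."
} elseif ($aRecords.IPAddress -notcontains $ExpectedIP) {
    Write-Warning "$HostName resolves to $($aRecords.IPAddress -join ', '); expected $ExpectedIP."
} else {
    "DNS OK: $HostName -> $ExpectedIP"
}

# 3. If the firewall only accepts IP addresses in allow rules, confirm the entry still
#    matches what outbound.iPaaS.com resolves to today (the host name is preferred
#    precisely because this value can change).
$ipaasRecords = Resolve-DnsName -Name $IpaasHost -Type A -ErrorAction SilentlyContinue |
                Where-Object { $_.QueryType -eq 'A' }
if ($ipaasRecords -and $ipaasRecords.IPAddress -notcontains $IpaasCurrent) {
    Write-Warning "$IpaasHost now resolves to $($ipaasRecords.IPAddress -join ', '); update IP-based allow rules."
}

# 4. From outside the network, confirm the forwarded/NAT port reaches the IIS server.
$tcp = Test-NetConnection -ComputerName $HostName -Port $PublicPort -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) {
    "TCP OK: ${HostName}:$PublicPort is reachable"
} else {
    Write-Warning "${HostName}:$PublicPort is not reachable; check the port-forward/NAT rule and the Windows Firewall on the IIS host."
}
```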
Provide Red Rook with Permissions to access Counterpoint and DB:
- Counterpoint version 8.4.6.19 or greater
- A Counterpoint User account within every Company that exists within the cp database.
- SQL 2008R2 or greater
- A SQL Server account (using SQL database authentication) with DBOwner permissions to the Counterpoint Database. This limits access to that one database instead of granting full rights to every DB on the server.
- A Windows Domain account with Administrative rights on the SQL server would be required if you wish to use Windows Auth to provide SQL server access. This option provides full access to EVERY database on the SQL server.
- User Login to NCR Counterpoint
- User Login with db_owner permissions to the Counterpoint Production database. This permission needs to be set on the SQL server instance.
- A Windows Domain user account with Administrative rights to the IIS Server and Counterpoint Application server.
- If remote access is required, a set of credentials permitted to log onto a VPN client to reach the internal network may be necessary.
- If a VPN is not available, we also offer GoToAssist remote access. This remote access application can be configured to allow us either monitored or unattended access if after-hours work is expected.
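The following script is an added example, not Red Rook's code, showing the SQL-authentication option from the list above: a dedicated login granted db_owner on the Counterpoint database only, instead of a Windows admin account with rights to every database, followed by a check that the login holds no server-level role. The instance name CPSQL01\COUNTERPOINT, database name CPDATA and login name cphive_svc are assumptions, and the SqlServer PowerShell module (Invoke-Sqlcmd) is required.

```powershell
# Added example (not Red Rook's code). Assumed names: instance CPSQL01\COUNTERPOINT,
# Counterpoint production database CPDATA, login cphive_svc (keep it free of [ ] characters).
$Instance  = 'CPSQL01\COUNTERPOINT'
$Database  = 'CPDATA'
$LoginName = 'cphive_svc'

# Take the password at the console instead of embedding it in the script.
$Secure   = Read-Host -Prompt "Password for $LoginName" -AsSecureString
$PlainPwd = [System.Net.NetworkCredential]::new('', $Secure).Password
$Escaped  = $PlainPwd.Replace("'", "''")          # escape single quotes for the T-SQL literal

# Create the login and map it into the one database with db_owner.
# sp_addrolemember works back to SQL 2008 R2 (the page's minimum); on 2012+ you may
# use ALTER ROLE [db_owner] ADD MEMBER [...] instead.
$create = @"
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$LoginName')
    CREATE LOGIN [$LoginName] WITH PASSWORD = N'$Escaped', CHECK_POLICY = ON, DEFAULT_DATABASE = [$Database];
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$LoginName')
    CREATE USER [$LoginName] FOR LOGIN [$LoginName];
EXEC sp_addrolemember N'db_owner', N'$LoginName';
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $create

# Verify: db_owner in the Counterpoint database, and no membership in any
# server-level role (sysadmin etc.), which is the point of preferring this option.
$check = @"
SELECT
    (SELECT COUNT(*) FROM [$Database].sys.database_role_members rm
       JOIN [$Database].sys.database_principals r ON r.principal_id = rm.role_principal_id
       JOIN [$Database].sys.database_principals u ON u.principal_id = rm.member_principal_id
      WHERE r.name = N'db_owner' AND u.name = N'$LoginName') AS IsDbOwner,
    (SELECT COUNT(*) FROM sys.server_role_members srm
       JOIN sys.server_principals l ON l.principal_id = srm.member_principal_id
      WHERE l.name = N'$LoginName') AS ServerRoleCount;
"@
$result = Invoke-Sqlcmd -ServerInstance $Instance -Query $check
"db_owner on ${Database}: $($result.IsDbOwner -eq 1); server-level role memberships: $($result.ServerRoleCount)"
```

Expect "db_owner on CPDATA: True; server-level role memberships: 0"; a non-zero server-role count means the login was granted more than the single-database access described above.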