Split Deployment of the Web Application Server and Management Server

The Web Application is normally installed on the same machine as the Prognosis Server component; this is a requirement of the installer. For a standard deployment, this automatically configures the Web Application to obtain data from the local Prognosis Server. However, in some circumstances the Web Application may need to obtain data from a remote Prognosis Server.

To do this, carry out a manual configuration using the procedures below.

To avoid browser delays, a maximum latency of 20 ms between the Web Application and the Prognosis Server component is recommended.

When choosing a split deployment of the Web Application, note that the Snapshot Web Reports will not be available for use; see Web Reports.

Management Server

Install the Management Server on a Windows server using the standard installation steps. Ensure that the Web Application component is selected.

Web Application Server

On the server that is to be set up with the Web Application that is to obtain data from the remote Management Server, carry out the following steps.

Install the Management Server and Web Application components on the required MS Windows server.

If the Management Server component is not required to operate on this machine, the Prognosis service should be stopped and the 'start up' type changed to 'manual' or 'disabled'. This will avoid the server component being restarted automatically. This can be done through the Control Panel → Administrative Services → View Local Services facility of the MS Windows operating system.

Open the <PROGNOSIS_HOME>/WebUI/IIS/web.config file using any text editor.

In the <appSettings> section add the following:

<add key="ServerName" value="<PrognosisIp>" />
<add key="ServerPort" value="<PortNumber>" />

Where:

<PrognosisIp>

The IP address of the remote Management Server.

<PortNumber>

By default, port 6767 is used between the IIS web server and the Prognosis Server. If for some reason port 6767 cannot be used, then this additional 'add key' statement needs to be included specifying the port number to be used. If port 6767 is being used, then this statement is not required.

Example:

<appSettings>
...
<add key="ServerName" value="172.255.255.1" />
<add key="ServerPort" value="3535" />
</appSettings>

Save and close the configuration file.

If a port other than 6767 is being used between the Web Application server and the remote Prognosis Server, then the following addition will also need to be made to the irpqlsrv.ini file. This file can be found in the following folder.

<PROGNOSIS_HOME>/Server/Configuration/irpqlsrv.ini

Add the following:

[PQL]
Port=<PortNumber>

Save and close the configuration file.

Refresh/reopen the Web Application.

See the Security Recommendations for Web Application Server for details of port security in such a split deployment.
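The port settings above live in two files and are easy to leave out of step. The following PowerShell consistency check is an added example, not vendor code: the key names, the [PQL] section and the 6767 default are taken from this page, while the function names and the sample file contents are constructed, and a missing key is assumed to mean the default port on either side.

```powershell
# Added example, not vendor code. Key names, the [PQL] section and the 6767 default
# come from the page; function names and the sample file contents are constructed.
function Get-AppSetting([string]$WebConfigText, [string]$Key) {
    $xpath = "//*[local-name()='appSettings']/*[local-name()='add']"
    foreach ($node in ([xml]$WebConfigText).SelectNodes($xpath)) {
        if ($node.GetAttribute('key') -eq $Key) { return $node.GetAttribute('value') }
    }
    return $null
}

function Get-IniValue([string]$IniText, [string]$Section, [string]$Key) {
    $current = ''
    foreach ($line in ($IniText -split '\r?\n')) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') { $current = $Matches[1]; continue }
        if ($current -eq $Section -and $text -match '^([^=]+)=(.*)$') {
            if ($Matches[1].Trim() -eq $Key) { return $Matches[2].Trim() }
        }
    }
    return $null
}

function Test-SplitPortConfig([string]$WebConfigText, [string]$IniText) {
    $problems = @()
    $server  = Get-AppSetting $WebConfigText 'ServerName'
    $webPort = Get-AppSetting $WebConfigText 'ServerPort'
    $iniPort = Get-IniValue $IniText 'PQL' 'Port'
    if (-not $server)  { $problems += 'web.config has no ServerName key' }
    if (-not $webPort) { $webPort = '6767' }   # assumption: omitted key means the default port
    if (-not $iniPort) { $iniPort = '6767' }
    if ($webPort -ne $iniPort) {
        $problems += "web.config ServerPort=$webPort but irpqlsrv.ini [PQL] Port=$iniPort"
    }
    [pscustomobject]@{ Server = $server; Port = $webPort; Problems = $problems }
}

# Constructed sample: web.config was changed to port 3535 but irpqlsrv.ini was not.
$sampleWebConfig = @'
<configuration><appSettings>
  <add key="ServerName" value="172.255.255.1" />
  <add key="ServerPort" value="3535" />
</appSettings></configuration>
'@
$sampleIni = @'
[PQL]
Port=6767
'@
Test-SplitPortConfig $sampleWebConfig $sampleIni
```

For real files, pass the output of `Get-Content -Raw` for web.config and for the irpqlsrv.ini edited in the step above. Running `Test-NetConnection -ComputerName <PrognosisIp> -Port <PortNumber>` on the Web Application server then confirms that the chosen port is reachable.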

Split Deployment with Skype for Business Monitoring

When monitoring a Skype for Business environment and a split deployment of the Web Application and the Management Server is required, then the following steps will need to be completed.

On the Management Server open the <PROGNOSIS_HOME>/WebUI/IIS/web.config file using any text editor.

In the <appSettings> section add the following:

<add key="SkypeServiceHttpProtocol" value={"HTTPS"|"HTTP"} />
<add key="SkypeServicePort" value="9100" />

The 'SkypeServicePort' is the Conversation Reader API port running on the Management Server; the default port number is 9100. This port must be reachable from the Web Application server so that the Management Server can accept its incoming requests.

If a port other than 6767 is being used between the Web Application server and the Management Server, then this step has to be performed.

Edit the irmsmgs.ini file on all Global and Regional Management Servers. This file can be found in the following folder path on each server:

<PROGNOSIS_HOME>\Server\Configuration\irmsmgs.ini

a) Add the following to the envvars statement under the [EXE] section:

[EXE]
envvars=..., "PQLEXEC_PORT=<PortNumber>"

b) Also, modify "AUTH_PORT=6767" by changing 6767 to the new port number.

c) Restart IRMSMGS.EXE.

Installing SSL Certificate

In the web.config file either a secure connection (HTTPS) or a non-secure connection (HTTP) can be used as the 'SkypeServiceHttpProtocol'. If a non-secure connection is chosen, then the following steps to provide a certificate are not required. However, as data provided by this service is highly sensitive, it is recommended that a self-signed certificate be obtained and then the IIS configured to trust this certificate. Alternatively, a CA certificate can be obtained.

If a CA signed certificate is purchased, it will need to be located along with the private key on the Management Server. In this situation, it is important to ensure that security on the Management Server is not compromised.

Obtaining a Self-Signed Certificate

If a Self-Signed Certificate is to be used, then the following steps will need to be completed.

Install OpenSSL - Win32OpenSSL (if required refer to https://www.openssl.org/community/binaries.html)

Generate a self-signed certificate using the following commands:

C:\>Set OPENSSL_CONF=c:\openssl-win32\bin\openssl.cfg

C:\>openssl.exe req -x509 -newkey rsa:2048 -keyout private-key.pem -out certificate.pem -days 365 -nodes

Complete the required details paying particular attention to the 'Common Name'. This name must match the 'ServerName' entry in IIS and should be the name of the Management Server.

Run the following command to convert the certificate files to .pfx format.

C:\>openssl pkcs12 -inkey private-key.pem -in certificate.pem -export -out certificate_pfx.pfx

The certificate is now ready to be applied; for details, see Applying the Certificate below.

Obtaining a CA Signed Certificate

If a CA signed certificate is to be used, then a certificate request will need to be created and sent to a Certificate Authority. The CA will send back a new certificate. To do this use the following steps:

Open IIS Manager and from the IIS section double-click on 'Server Certificates'

Right click and select 'Create Certificate Request'.

Complete the required details paying particular attention to the 'Common Name' field. This name must match the 'ServerName' entry in IIS and should be the name of the Management Server.

Specify a file name for the request output, e.g. C:\cert_request.txt

Send the certificate request file to your Certificate Authority. Once the details have been verified the CA will send back a new certificate for the Management Server.

If the certificate format is .cer instead of .pem, then use the following procedure to convert it.

a)  Install OpenSSL - Win32OpenSSL (if required refer to https://www.openssl.org/community/binaries.html)

b)  Convert the certificate from .cer to .pem by running the following command:

C:\>openssl x509 -inform der -in <certificate-name>.cer -out certificate.pem

The certificate is now ready to be applied, see below.
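Before the PEM pair is applied, it can be checked for the points this procedure depends on: the Common Name, the remaining validity, that private-key.pem belongs to certificate.pem, and who can read the unencrypted key. This PowerShell check is an added example, not vendor code; it assumes openssl.exe is on the PATH with OPENSSL_CONF set as shown earlier, and the function name, its parameters and the host names are constructed.

```powershell
# Added example, not vendor code. Assumes openssl.exe is on PATH (OPENSSL_CONF set as above).
# Function name, parameters and the *.example.test host names are constructed.
function Test-ServiceCertificate {
    param([string]$CertPath, [string]$KeyPath, [string]$ExpectedName, [int]$MinDaysLeft = 30)
    $problems = @()

    # Common Name must equal the name the Web Application uses for the Management Server.
    $subject = & openssl.exe x509 -noout -nameopt RFC2253 -subject -in $CertPath
    $cn = if ("$subject" -match 'CN=([^,]+)') { $Matches[1] } else { $null }
    if ($cn -ne $ExpectedName) { $problems += "Common Name '$cn' does not match '$ExpectedName'" }

    # -checkend exits non-zero when the certificate expires within the given number of seconds.
    & openssl.exe x509 -noout -checkend ($MinDaysLeft * 86400) -in $CertPath | Out-Null
    if ($LASTEXITCODE -ne 0) { $problems += "Certificate expires within $MinDaysLeft days" }

    # The public key derived from the private key must be the one inside the certificate.
    $certPub = (& openssl.exe x509 -noout -pubkey -in $CertPath) -join ''
    $keyPub  = (& openssl.exe pkey -pubout -in $KeyPath) -join ''
    if ($certPub -ne $keyPub) { $problems += 'Private key does not belong to this certificate' }

    # The key was written with -nodes (unencrypted), so its NTFS ACL is its only protection.
    # Flag Allow entries for Everyone, Authenticated Users and BUILTIN\Users (well-known SIDs).
    $broad   = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in (Get-Acl -LiteralPath $KeyPath).GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -eq 'Allow' -and $broad -contains $rule.IdentityReference.Value) {
            $problems += "Private key is accessible to $($rule.IdentityReference.Value)"
        }
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed demo: a throwaway certificate in a temp folder, checked against a different name.
$tmp = Join-Path $env:TEMP ('certcheck-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
$reqArgs = @('req', '-x509', '-newkey', 'rsa:2048', '-nodes', '-days', '365',
             '-subj', '/CN=mgmt01.example.test',
             '-keyout', "$tmp\private-key.pem", '-out', "$tmp\certificate.pem")
& openssl.exe @reqArgs 2>$null
Test-ServiceCertificate "$tmp\certificate.pem" "$tmp\private-key.pem" 'mgmt02.example.test'
Remove-Item -Recurse -Force $tmp
```

The demo reports the Common Name mismatch; against the real files, pass the Management Server name as the expected name and run it again after the files are copied into the microservices folder, since the key inherits that folder's permissions.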

Applying the Certificate

When the certificate is ready, put it in place as follows:

On the Management Server, place the certificate.pem and private-key.pem into the following folder path:

<PROGNOSIS_HOME>\Server\Configuration\microservices

Using the Windows Client on the Management Server open the PROGNOSIS Configuration and locate the following statement:

! Microservices Process Manager
SET RUN (irMSMGS.EXE, N)

If the statement is set to 'N', simply change this to 'Y' and restart the configuration.

If the statement is already set to 'Y' change it to 'N' and restart the configuration. Then change the statement back to 'Y' and start it again.

On the Web Application server, open IIS Manager, double-click on certificate_pfx.pfx to import it. Put this certificate into the 'Trusted Root Certificate' store.
