BMD Web: Setting up web applications

1.   Steps for setting up BMD web applications
1.1.   IIS must be installed on the web server with the following role services (in addition to the default installations)
  1.2.   Create a separate Windows user
  1.3.   Create the folder structure on the web server according to the web application in use
  1.4.   Copy the necessary directories and files to the web server
  1.5.   Create BMD.ini on the web server
  1.6.   Depending on the web application, BMD.ini has to be extended.
  1.7.   Special constellations
  1.8.   Setup in IIS
  1.9.   Set up automatic update services
  1.9.1 Special constellations for update service
2.   Troubleshooting
3.   Security recommendations

Detailansicht Technik1. Steps for setting up BMD web applications

This guide is for skilled computer administrators with experience in working with the Internet Information Web Server. On request, our IT support team can set up the web applications for you. To make an appointment, please contact: termin@bmd.at

Detailansicht Technik1.1. IIS must be installed on the web server with the following role services (in addition to the default installations)

Dynamic Content Compression
ISAPI Extensions
HTTP Redirection
IIS 6 Management Compatibility
- IIS 6 Metabase Compatibility
- IIS 6 WMI Compatibility

PowerShell

Add-WindowsFeature Web-Server,Web-Dyn-Compression,Web-ISAPI-Ext,Web-Http-Redirect,Web-Mgmt-Console,Web-Mgmt-Compat,Web-Metabase,Web-WMI

A web application can process up to 30 concurrent users. For more than 30 concurrent users, you have to set up an appropriate load-balancing solution. To do so, please contact the BMD IT support team: technik@bmd.at

BMD Go does not require a separate application pool. It is sufficient to set up the BMD Web application with an additional entry in BMD.ini.

BMD online application is also part of BMD Web. It is opened via a special parameter: http://.... /bmdweb/bmdweb.dll/STARTFUNC/?func=MCS_FRMONLBEWWEB_CREATE

Detailansicht Technik1.2. Create a separate Windows user

This user is used to run the application.

Web server = BMD server

Create user as a local user (or as a domain user)

Web server ≠ BMD server

Create user as a local user (or as a domain user) directly on the web server

Username: e.g. bmdcom-sa (We recommend creating a separate user for each web application.)
Web application Username
BMD Com bmdcom-sa
BMD Web bmdweb-sa
BMD online application bmdweb-sa
BMD web service bmdntcsws-sa
Password: any complex password
The user cannot change the password and it never expires.
Group membership
- User or domain user
- IIS_IUSRS

The created user must be granted permission to “Debug programs”. This either has to be configured in the local security policy or in the group policies.

Detailansicht Technik1. 3. Create the folder structure on the web server according to the web application in use

C:\Inetpub\“web application“
Web application Folder structure
BMD Com C:\Inetpub\bmdcom
BMD Web C:\Inetpub\bmdweb
BMD online application C:\Inetpub\bmdweb
BMD web service C:\Inetpub\bmdntcsws
Grant the respective user (e.g. bmdcom-sa) permission to “Read, execute” for this folder and remove the group “User” (NTFS inheritance has to be disabled in the advanced security settings).
Create the folder “LOG”.
For this folder, you have to grant the user (e.g. bmdcom-sa) permission to “Change” and “Write”.

Detailansicht Technik1.4. Copy the necessary directories and files to the web server

Copy \\“BMDSERVER“\BMDNTCS_PGM\BMDWEBCORE2_SubFolder.zip to the previously created folder and unpack it. In terms of the BMD web service, you need to copy and unpack BMDNTCSWS_SubFolder.zip.
Copy \\“BMDSERVER“\BMDNTCS_PGM\bmdwebcore2.dll to the previously created folder and rename it according to the web application.
(Exceptions BMD web service)

CAUTION! Danger of confusion! The files BMDWEBCORE_SubFolder.zip and bmdwebcore.dll are used for legacy BMD Web/Com applications.

Web application	.dll
BMD Com	bmdcom.dll
BMD Web	bmdweb.dll
BMD online application	bmdweb.dll
BMD web service	Here, you have to copy the file bmdntcsws.dll (instead of bmdwebcore2.dll).

Example (BMD Com):

Detailansicht Technik1.5. Create BMD.ini on the web server

Create the file “BMD.ini” in the directory of the web application.
Depending on the constellation, there are different templates (please adjust the paths accordingly).
PLEASE NOTE: if the paths contain spaces, enter them without ""!!
The entries “ALIASCONFIG” and “ALIASNAMES” have to match the entries in the global BMD.ini which can be found in the general BMD NTCS directory.
Please also note that entry is case sensitive. Moreover, it must be possible for the web server to resolve the SQL server name (if DNS resolution is not possible, please specify it via the HOST file on the web server). This parameter defines the authentication type.

Constellation	Content of the BMD.ini
BMDSERVER = WEBSERVER	[BMD] BIN=D:\PROGRAMME\BMDSoftware\BIN NLS=D:\PROGRAMME\BMDSoftware\NLS DATA=D:\PROGRAMME\BMDSoftware\DATEN LOG=C:\Inetpub\”Web application”\LOG [BMD\ALIASNAMES] ALIAS0=BMDSERVER\BMD:BMD [BMD\ALIASCONFIG] BMDSERVER\BMD:BMD=ENCRYPTED, EXTENDED or SQL
BMDSERVER ≠ WEBSERVER	[BMD] BIN=C:\BMDUpdateservice\BIN NLS=C:\BMDUpdateservice\NLS DATA=C:\BMDUpdateservice\DATEN LOG=C:\Inetpub\”Web application”\LOG [BMD\ALIASNAMES] ALIAS0=BMDSERVER\BMD:BMD [BMD\ALIASCONFIG] BMDSERVER\BMD:BMD=ENCRYPTED, EXTENDED or SQL

Detailansicht Technik1.6. Depending on the web application, BMD.ini has to be extended.

Web application	Extension in BMD.ini
BMD Com	[BMD\BMDCOM2] DBALIAS=BMDSERVER\BMD:BMD FILESDIR=C:\Inetpub\bmdcom\FILES
BMD Web	[BMD\BMDWEB2] DBALIAS=BMDSERVER\BMD:BMD FILESDIR=C:\Inetpub\bmdweb\FILES
BMD online application	Only the BMD Web entry is required here.
BMD web service	No additional entries required

Detailansicht Technik1.7. Special constellations

In the case of BMD Go, the functionality of BMD Web should be deactivated completely.
Web application Extensions in BMD.ini
BMD Go [BMD\BMDWEB2]
HANDLEDREQUESTS=REST
In the case of BMD online application, the functionality of BMD Web should be deactivated completely.
Web application Extensions in BMD.ini
BMD online application [BMD\BMDWEB2]
AUTOSTART_SUBTYPE_MCS=MCS_FRMONLBEWWEB_CREATE
The default timeout of 30 minutes should be adjusted.
Web application Extensions in BMD.ini
BMD Com [BMD\BMDCOM2]
TIMEOUT=10
BMD Web [BMD\BMDWEB2]
TIMEOUT=10

Detailansicht Technik1.8. Setup in IIS

(only different when it comes to the names of individual web applications)

Set up an application pool according to the web application.
Web application Name of the application pool
BMD Com bmdcom
BMD Web bmdweb
BMD online application bmdweb
BMD web service bmdntcsws

Example (BMD Com):

2. Adjust the advanced settings of the application pool

Enable 32-bit applications à TRUE
Start mode à AlwaysRunning
Identity à define the user, e.g. bmdcom-sa
Idle timeout (minutes) à 0
Ping enabled à TRUE
Rapid-Fail Protection enabled à FALSE

3. Add a new application (according to the web application) using the context menu of the Default Website:

Web application	Name of the application
BMD Com	bmdcom
BMD Web	bmdweb
BMD online application	bmdweb
BMD web service	bmdntcsws

Specify the application pool.
“Connect as” → define the respective user, e.g. bmdcom-sa.

Example (BMD Com):

4. Adjust the following settings in the application that you have just created:
Add default document à the respective .dll of the application

Web application	Name of .dll file
BMD Com	bmdcom.dll
BMD Web	bmdweb.dll
BMD online application	bmdweb.dll
BMD web service	bmdntcsws.dll

Example (BMD Com):

5. Enable the ISAPI-dll in the “Handler Mappings”:

6. The DLL file of the web application still needs to be added as an ISAPI in the ISAPI and CGI restrictions (at the level of the web server):

Web application	ISAPI or CGI path
BMD Com	C:\Inetpub\bmdcom\bmdcom.dll
BMD Web	C:\Inetpub\bmdweb\bmdweb.dll
BMD online application	C:\Inetpub\bmdweb\bmdweb.dll
BMD web service	C:\Inetpub\bmdntcsws\bmdntcsws.dll

Example (BMD Com):

7. Go to Request Filtering for the respective website and increase the upload limit of the application to slightly over 100 MB (e.g. 107520000 bytes), as the default value in BMD NTCS is 100 MB. This ensures that the IIS limit is high enough and the limit in BMD NTCS is reached first so that a corresponding BMD NTCS message is generated when the limit is exceeded:

Example for BMD Com:

Detailansicht Technik1.9. Set up automatic update service

Setting up an automatic update service depends on the constellation (adjust paths accordingly). You have to set up and start the update service. Once it has been completed (entry in the log: update complete), you can test accessing the website.

Constellation	Content of BMDService.ini
BMDSERVER = WEBSERVER	Edit the file \\“BMDSERVER“\BMDNTCS_PGM\bmdservice.ini and set the following entry: [BMDUPDATESERVICE] UpdateClient=2 Restart the service “BMDNtcsSvc” Check the file \\“BMDSERVER“\BMDNTCS_PGMDATA\LOG\bmdntcssvc.log
BMDSERVER ≠ WEBSERVER	Copy the files BMDNtcsSvc.exe – libeay32.dll – ssleay32.dll – msvcr71.dll from the directory \\“BMDSERVER“\BMDNTCS_PGM to a local directory on the web server (e.g. C:\BMDUpdateservice) Create a bmdservice.ini file in the same directory with the following specifications: [BMDUPDATESERVICE] UpdateClient=1 Host=BMDSERVER Port=81 Create a BMD.ini file in the same directory with the following specifications: [BMD] BIN=C:\BMDUpdateservice\BIN NLS=C:\BMDUpdateservice\NLS DATA=C:\BMDUpddateservice\DATEN LOG=C:\BMDUpdateservice\LOG [BMD\ALIASNAMES] ALIAS0=BMDSERVER\BMD:BMD Use a command, e.g. C:\BMDUpdateservice\BMDNtcsSvc.exe/install, to create the service on the web server and then start it. Check the file, e.g. C:\BMDUpdateservice\LOG\bmdntcssvc.log

Detailansicht Technik1.9.1. Special constellations for update service

The application pool running on IIS is automatically restarted at midnight. If you want to define a different time for this, you have to make the following entry:

Extensions in BMD.ini

[BMDUPDATESERVICE]
PeriodicRestartSchedule=03:00

Detailansicht Technik2. Troubleshooting

Check if all the required ports from the web server to the application server are reachable—see BMD: Programs and (software) firewalls.

The website displays a “Service unavailable” notification and the application pool is stopped automatically each time:
- Check whether the correct password has been entered for the user bmdcom-sa on the website as well as in the application pool.
- Check whether the permissions for the required directories are correct.
- Check whether the user bmdcom-sa has the permission “Log on as batch processing order” (should be the case by default due to the membership in the group IIS_IUSRS).

The login window opens but without the background or without text on the buttons:
- Check the BIN, NLS and FILES directories in BMD.ini and their permissions for the bmdcom-sa user.
A database connection error occurs when logging in:
- Check the ALIAS entry in BMD.ini
- Name resolution not possible (especially in the case of a web server in a DMZ)

Uploading the Databox or sharing documents is not possible:
- The service BMDNTCSSVC must be actively running and the document archive in BMD NTCS has to operate as “storage via service”.
- Name resolution not possible (especially in the case of a web server in a DMZ)

The browser displays a message stating “Possible DoS Attack...”
- The BMD web applications are equipped with protection against denial-of-service attacks. If more than 20 accesses occur within 5 minutes from one IP address, further accesses are blocked by the web application. You can change this value via a parameter in BMD.ini on the web server. This might be necessary if you are using a load balancer and it is therefore always the same IP which accesses the webserver.
- To do so, set the following entries in section [BMD\BMDWEB2]:
  - DOS_TIME_RANGE=5 (time in minutes)
  - DOS_ALLOWEDSESSIONS=100 (number of accesses by one IP address)

Detailansicht Technik3. Security recommendations

All servers should be running on the latest Windows updates and the patches provided by the manufacturers in order to eliminate various security gaps.
In general, it is advised to follow the corresponding instructions and recommendations by Microsoft in order to run the operating system and its components as securely as possible. For further information, please see: http://social.technet.microsoft.com/wiki/contents/articles/18931.security-hardening-tips-and-recommendations.aspx

Please also refer to our BMD NTCS hardening guide: BMD NTCS Hardening Guide

Section:

BMD installation guides

« Back

BMD Business Solutions s.r.o

Nám. 1. mája 7991/9
SK-81106 Bratislava - Staré Mesto
+421 220 861 990
bratislava@bmd.com

Služby

Impressum

Prohlášení o ochraně osobních údaj

Více informací

Technické informace a podpora

Všechny informace o firmě BMD

Follow us

Web application	Username
BMD Com	bmdcom-sa
BMD Web	bmdweb-sa
BMD online application	bmdweb-sa
BMD web service	bmdntcsws-sa

Web application	Folder structure
BMD Com	C:\Inetpub\bmdcom
BMD Web	C:\Inetpub\bmdweb
BMD online application	C:\Inetpub\bmdweb
BMD web service	C:\Inetpub\bmdntcsws

Web application	Extensions in BMD.ini
BMD Go	[BMD\BMDWEB2] HANDLEDREQUESTS=REST

Web application	Name of the application pool
BMD Com	bmdcom
BMD Web	bmdweb
BMD online application	bmdweb
BMD web service	bmdntcsws