Secure Server Connections

In this product, all server-server and server-client connections can be encrypted. This is done with appropriate certificates and configuration during installation in the Infrastructure Administrator (IA) tool. Additionally, we recommend using a dedicated network segment for servers. A firewall or router configuration between the server network and the client network should limit access to legitimate communication between the clients and the servers. The physical network connections of servers should be monitored with the same precautions as access to the actual server.

Infrastructure

System availability is achieved by building an acceptable level of redundancy with the High-Availability Controller (HAC), which is managed with the IA tool: instances of virtual units with the appropriate software packages are created on a reasonable number of physical servers.

Reserve a specific administration workstation in the server network for running IA with editing rights (HAC Administrator Users). The administration connection to HAC nodes can be configured to use ports other than the ones the HAC nodes use when communicating with other HAC nodes. This administration connection can also be secured.

Users with HAC View-only Administration User rights can also be located on the office network, especially when a separate administration port and a secured connection between IA and the HAC nodes are used.

Notice that optional user names and passwords for running Windows services are not encrypted in the IA tool.

To Acquire Maximum Safety:

  • Define a secure connection between HAC nodes.

  • Define a secure connection between HAC nodes and the administrative workstation where the Infrastructure Administrator (IA) tool is run.

  • Define Windows user accounts without any rights to be used as HAC Administration Users (both the ones with editing rights and view-only users).

  • Do not allow communication between HAC nodes (HAC-HAC communication) to be reached from outside the server network, and separate this communication from the administration communication (HAC-IA communication) by using different ports.

  • Define secure connections to databases. Configure them at both the operating system and the SQL server.
    Note:

    The cryptographic protocols TLS 1.1 and older are deprecated. TLS 1.2 is supported as of FP14, and for Email Sender and OII as of FP16.
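
One way to check a firewall rule export against the port-separation items in the list above. This is an added example, not part of the product or its documentation; the subnets, port numbers and rule format are constructed assumptions.

```python
import ipaddress

# All values below are constructed for illustration; they are not product defaults.
SERVER_NET = ipaddress.ip_network("10.10.0.0/24")   # dedicated server segment
HAC_HAC_PORT = 47001                                # hypothetical node-to-node port
HAC_IA_PORT = 47002                                 # hypothetical administration port

# Constructed allow rules: (source CIDR, destination CIDR, destination port)
RULES = [
    ("10.10.0.0/24", "10.10.0.0/24", 47001),  # node to node, inside the server network
    ("10.10.0.5/32", "10.10.0.0/24", 47002),  # administration workstation to nodes
    ("10.20.0.0/16", "10.10.0.0/24", 47002),  # office view-only users, admin port only
    ("10.20.0.0/16", "10.10.0.0/24", 47001),  # violation: office reaches HAC-HAC port
]


def audit(rules, server_net, hac_port, ia_port):
    """Return findings for rules that break the port-separation items."""
    findings = []
    if hac_port == ia_port:
        findings.append("HAC-HAC and HAC-IA communication share one port")
    for src, dst, port in rules:
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        # Only rules that open the node-to-node port on the server segment matter here.
        if port != hac_port or not dst_net.overlaps(server_net):
            continue
        # Any source outside the server segment must not reach the HAC-HAC port.
        if not src_net.subnet_of(server_net):
            findings.append(f"HAC-HAC port {port} reachable from {src}")
    return findings


if __name__ == "__main__":
    for finding in audit(RULES, SERVER_NET, HAC_HAC_PORT, HAC_IA_PORT):
        print(finding)
```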