Skip to content

Microsoft Internet Information Services (IIS)

When Easit GO is installed in a Windows environment "IIS" is used as a frontend for Easit GO. It is configured to handle incoming traffic on port 443 and redirect that traffic to the Tomcat service, running Easit GO.

IIS can also be configured to handle "SSO" if the user should be authenticated against Active Directory. If you chose this SSO-option, the IIS server will forward user identity in a header to the Tomcat service. Please note that securing the Tomcat service in this case is very imporrtant, so that no unauthorized services can send request to the Tomcat server.

Configuration

Each instance of Easit GO on the server have a application pool and site configured in IIS.

IIS-Overview

Application pool

When Easit GO is installed by an Easit employee the following PowerShell commands is used to setup the application pool. In our example below we are setting up IIS for a system with the following parameters:

  • Name = EasitGOProd
  • Easit root folder = E:\Easit
  • ISAPI folder for system = E:\Easit\ISAPI\[Name]
  • wwwroot folder for system = E:\Easit\wwwRoot\[Name]
$SiteName = 'EasitGOProd'
New-WebAppPool -Name "$SiteName"

Site

A site is created, connected to the application pool and create a virtual directory.

New-WebSite -Name "$SiteName" -Port 80 -ApplicationPool "$SiteName" -PhysicalPath "$WwwRoot"
New-WebVirtualDirectory -Site "$SiteName" -Name jakarta -PhysicalPath "$IsapiRoot\bin"

Since IIS normally can not execute Servlets and Java Server Pages (JSPs), it needs to be configuring to use the ISAPI redirector plugin and that will let IIS send servlet and JSP requests to Tomcat (and this way, serve them to clients).

  1. The ISAPI redirector is a Microsoft IIS plugin (filter + extension). IIS loads the redirector plugin and calls its filter function for each in-coming request.
  2. The filter then tests the request URL against a list of URI-paths held inside uriworkermap.properties. If the current request matches one of the entries in the list of URI-paths, the filter transfers the request to the extension.
  3. The extension collects the request parameters and forwards them to the appropriate worker using the defined protocol like ajp13.
  4. The extension collects the response from the worker and returns it to the browser.

In order to achieve this we expand the archive tomcat-connectors-x.x.x-windows-x86_64-iis.zip from Tomcat Connectors archive to the folder, relative to your Easit root folder, ISAPI/SiteName/. Withing that folder you can find the following files that is of interest:

  • bin/isapi_redirect.dll - The ISAPI redirector for Microsoft IIS plugin.
  • bin/isapi_redirect.properties - Configuration file for the ISAPI Redirector
  • conf/workers.properties - A file that describes the host(s) and port(s) used by the workers (Tomcat processes). A sample workers.properties can be found under the conf directory.
  • conf/uriworkermap.properties - A file that maps URL-Path patterns to workers. A sample uriworkermap.properties can be found under the conf directory as well.

With all that in place we do the following:

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/isapiCgiRestriction" -name "." -value @{path="$isapiRoot\bin\isapi_redirect.dll";allowed='True';description="$SiteName"}
Set-WebConfiguration //System.webServer/isapiFilters -metadata overrideMode -value Allow -PSPath IIS:/

Please visit the docs for Tomcat Connector - ISAPI redirector for Micrsoft IIS HowTo for further reading, configurations and more details.

SSO

"SSO" via Active Directory is achieved by activating Windows Authentication for the site handling incoming requests for Easit GO in IIS.

Please use Microsofts official docs for, Windows Authentication, to activate Windows Authentication.