Mesh server installation - MeshCentral


Nov 2, 2013






© 2011 Intel Corporation. All Rights Reserved.

Meshcentral.com

Meshcentral Server Installation Guide

Installing a true web based management system

Version 0.0.10
Monday, June 25, 2012
Ylian Saint-Hilaire


Meshcentral Server Installation Guide
MeshCentral.com

Legal Notices and Disclaimers

Disclaimers

INTEL CORPORATION MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. INTEL CORPORATION ASSUMES NO RESPONSIBILITY FOR ANY ERRORS THAT MAY APPEAR IN THIS DOCUMENT. INTEL CORPORATION MAKES NO COMMITMENT TO UPDATE NOR TO KEEP CURRENT THE INFORMATION CONTAINED IN THIS DOCUMENT.

THIS SPECIFICATION IS COPYRIGHTED BY AND SHALL REMAIN THE PROPERTY OF INTEL CORPORATION. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED HEREIN.

INTEL DISCLAIMS ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PROPRIETARY RIGHTS, RELATING TO IMPLEMENTATION OF INFORMATION IN THIS SPECIFICATION. INTEL DOES NOT WARRANT OR REPRESENT THAT SUCH IMPLEMENTATIONS WILL NOT INFRINGE SUCH RIGHTS.

NO PART OF THIS DOCUMENT MAY BE COPIED OR REPRODUCED IN ANY FORM OR BY ANY MEANS WITHOUT PRIOR WRITTEN CONSENT OF INTEL CORPORATION.

INTEL CORPORATION RETAINS THE RIGHT TO MAKE CHANGES TO THESE SPECIFICATIONS AT ANY TIME, WITHOUT NOTICE.

Legal Notices

Intel software products are copyrighted by and shall remain the property of Intel Corporation. Use, duplication or disclosure is subject to restrictions stated in Intel's Software License Agreement, or in the case of software delivered to the government, in accordance with the software license agreement as defined in FAR 52.227-7013.

The Intel logo is a registered trademark of Intel Corporation.

Other brands and names are the property of their respective owners.



Table of Contents

Legal Notices and Disclaimers ........ i
  Disclaimers ........ i
  Legal Notices ........ i
1. Abstract ........ 1
2. Introduction ........ 1
3. Software Inventory ........ 1
4. Microsoft Messaging Queuing ........ 2
5. Mesh Swarm Server ........ 4
  5.1 Swarm Server Settings ........ 5
  5.2 Swarm Server Agent Store ........ 6
  5.3 Installing the Swarm Server Service ........ 8
6. Mesh AJAX Server ........ 8
  6.1 Mesh AJAX Server Settings ........ 9
  6.2 Installing the AJAX Server Service ........ 11
7. Server Redundancy ........ 14
8. Load-Balancing & SSL offload ........ 16
9. Setting up agents ........ 18
10. ASP.net Server Setup ........ 24
  10.1 ASP.net load balancing ........ 28
11. Notes ........ 29



Document Changes

June 11, 2012 - 0.0.10 - Grammatical corrections, netsh command-line tool details added and added some comments/suggestions.
April 24, 2012 - 0.0.9 - Updated settings.txt description with new values.
January 3, 2012 - 0.0.8 - Added ASP.net installation instructions.
December 19, 2011 - 0.0.7 - Added AJAX load-balancing settings.
December 6, 2011 - 0.0.6 - Added load-balancing and SSL offload section. Added “adminportlocal” settings when going load-balancing.
December 5, 2011 - 0.0.5 - Added server redundancy section.
December 2, 2011 - 0.0.4 - Added section on setting a mesh agent for custom server & updated screen shots.
November 30, 2011 - 0.0.3 - Minor fixes to settings in both AJAX and swarm servers.
November 29, 2011 - 0.0.2 - Added swarm server and AJAX server details.
November 17, 2011 - 0.0.1 - Initial version




1. Abstract

This document reviews how to install a Meshcentral server complete with all of the components needed to handle mesh agents, web users and other management tools. It is intended only for someone who wants to set up the back-end server, which is not the typical case.

Readers of this document should be fully familiar with Meshcentral’s architecture. Other overview and architecture documents are available.


2. Introduction

The Meshcentral server is a set of multiple applications that are not all required to run on the same computer. Communication between the components is configured using a setup file and done using TCP sockets, Microsoft Message Queuing (MSMQ) or Microsoft SQL Server. To review, these are the major components. In general, the Social Server is completely optional but all other components are probably desirable.

Let’s start by setting up the operating system required to host any or all of these components.

3. Software Inventory

First, let’s determine a general inventory of what will be needed to set up a Meshcentral server.

- Computer. A computer or virtual machine with sufficient capability for the expected traffic. Currently the external Meshcentral.com runs on a DELL PowerEdge 710 with 2 Xeon processors, 16 threads, 24G RAM, 1TB mirrored. We found that this configuration should have no problem handling over 20k connections.




- Operating System. Any good version of Microsoft Windows should be able to host the server, but we run Microsoft Windows Server 2008r2 64 bit.

- Database. We need to install Microsoft SQL Server 2008r2 64 bit. The database may run on a separate computer in the network or co-located with the rest of the software.

- MSMQ. Microsoft Message Queuing needs to be enabled on all computers that run Meshcentral software. The only exception is the database server. This component is built into Microsoft Windows.

- Web Server. We need Internet Information Server (IIS) enabled with ASP.net using .NET Framework 4.0. Use the latest IIS7.

- Domain Name. A domain name should point to the server’s IP address.

- TLS Certificate. It’s recommended to have a trusted TLS certificate for the domain name. We can run without, but for production use this should be a requirement.

- Meshcentral database schema. We have a database schema that includes tables and stored procedures. This will be used to set up the database to use with Meshcentral’s software.

- .NET Framework 4.0. All of the Meshcentral software is built in C# and requires the Microsoft .NET Framework 4.0.

- Meshcentral software. The ASP.net application, AJAX server, Swarm Server and Social Server are of course all required. The C# applications come as both Windows Services and Windows Applications. The Windows Applications version of the servers can be used to test installations.

- Firewall. We recommend firewall software in order to make sure that only authorized ports are available for connection. The firewall software built into Windows can perform this task.

In addition, a few incoming ports are needed. Firewall rules must be set accordingly.

- Domain ports 80, 443, 8084 and 8085. All of these ports are used by the ASP.net & AJAX server. Port 80 is simply used to redirect the user to port 443, which hosts the IIS ASP.net application. The AJAX server will share port 443 with IIS and use 8084 for dynamic HTTP and 8085 for web sockets. All of these ports should be available on an IP address with a trusted, certificate-validated domain name.

- TCP port 8080. This is the SwarmServer port. It’s used for MeshAgents and other console tools to connect to. It runs using a different certificate and can have its own separate domain name.

- TCP port 8088. This is the SwarmServer administrator port. Only other internal components must be allowed to connect to this port.


4. Microsoft Messaging Queuing

First, get a Microsoft Server 2008r2 ready and perform all updates. It’s recommended to run it on mirrored drives for better reliability.

Make sure the updates include .NET Framework 4.0. Then, go in the Windows Add/Remove features or Server Console and add support for IIS along with ASP.net.




Also, add support for Microsoft Message Queuing. We recommend installing Multicasting Support as a sub-option to MSMQ since we may use this.

At this point the server software installation is complete.

We now need to install Microsoft SQL Server 2008r2 along with the SQL Server Management Studio console. This will allow us to set up the database. The database can be installed on a different computer; as long as we know the database connection string, we should be fine.



5. Mesh Swarm Server

The swarm server is the central and most critical piece of software of the entire system. It’s a server that listens on a few ports and speaks only binary. Both mesh agents and mesh consoles can connect to it, and the swarm server performs bookkeeping, message relay and traffic tunneling. The swarm server will often maintain 1000’s of idle TLS connections to mesh agents. It’s also possible to run multiple swarm servers with a central database and Microsoft Message Queuing used for coordination.

These are the executable files of the Swarm Server:

- ManageabilityStack.dll
- ManageabilityControls.dll
- MeshCommon.dll
- MeshInterface.dll
- MeshSwarmServer.exe
- MeshSwarmService.exe

The swarm server comes with two executables. MeshSwarmServer.exe runs as an application with a regular Windows user interface; it’s used a lot for debugging and small deployments. MeshSwarmService.exe is a Windows Service executable and is the one used for production environments. MeshSwarmService.exe makes reference to MeshSwarmServer.exe, so both executables are required for production use, even if only running as a Windows service. All four other DLLs are dependencies. All executables and assemblies are written in C# for the .NET Framework 4.0.

The following picture is the Mesh Swarm Server running in application mode. It lists current mesh agents on the top and various events on the bottom.





5.1 Swarm Server Settings

When launching the swarm server (either application or service), the file “settings.txt” will be loaded and parsed. Here is an example of the settings.txt file:

    swarmid=1
    certfile=sfr.cps.intel.com.pfx
    certpass=sfr.cps.intel.com
    port=8080
    adminport=8088
    adminportlocal=0
    db=Initial Catalog=MeshCentral;Data Source=localhost;Async=true;
    httproutekey=11112222333344445555666677778888…
    msmq_queue=.\Private$\MeshSwarmServer01
    msmq_queue_mcast=234.1.2.5:16970
    msmq_send=FORMATNAME:MULTICAST=234.1.2.5:16970
    agentwhitelist=LM-Keystore.txt
    agentdefaultban=1
    agentdefaultbantime=86400
    agenttrustedroot=1111222233334444,OID:1.2.840.113741.1.5.1.101.1.6
    swarmserver1=127.0.0.1:8088
    swarmserver2=10.232.58.27:8088
    logfilepath=D:\Logs

The “swarmid” value is the swarm server’s unique number. If many swarm servers are running at the same time, this number must be unique for each server.

The “certfile” and “certpass” values point to the certificate used by the swarm server. This is not the TLS certificate used by the web site; instead it’s generally a self-signed certificate. It will be used by the mesh agents and mesh consoles to authenticate the swarm server.

The “port” value is the main TCP port the server will listen on. All connections will start with a TLS handshake.

The “adminport” value is for a secondary administrator port. It’s similar to the main port except that there is no TLS and all connections are assumed to come from a trusted source. This port is used by the AJAX server to perform routing without the need for TLS. Also, traffic on this port has TCP delays removed and is intended for fast operations between private components. The firewall must prevent any unauthorized access to this port. This value can be set to 0 to disable the administrator port.

The “adminportlocal” value must be set to “0” or “1” and indicates if the administrator port should be bound to the local loopback interface only. For simple servers where the AJAX server is running on the same computer as the Swarm Server, this value should be 1. If omitted, the default value is 1.

The “db” value is the connection string to the database with the Meshcentral schema already loaded. In this example we use a database on the localhost, but having the database on a different computer works as well.



The “httproutekey” is a pre-shared secret; it is used to authenticate users that request traffic routing. This value should be the same between swarm server, AJAX server and ASP.net application.

The “msmq_queue” value indicates the name of the message queue that will be created for this Swarm Server instance. Generally this would be of the form “\Private$\MeshSwarmServer01”, with the last number being the swarm server identifier.

The “msmq_queue_mcast” value is optional and used if the message queue for this server should subscribe to a multicast address and port. For production environments it’s likely preferable to not use this option and to use unicast messages only.

The “msmq_send” enumerates all of the other message queues that messages should be sent to. This may include other swarm servers, AJAX servers and a social server. We can send messages to many queues at once using a multicast:

    msmq_send=FORMATNAME:MULTICAST=234.1.2.5:16970

Or we can specify queues for unicast:

    msmq_send=FORMATNAME:DIRECT=TCP:localhost\\Private$\\MeshAjaxServer01

Or specify many queues using the pipe as separator:

    msmq_send=FORMATNAME:MULTICAST=234.1.1.2:16979|FORMATNAME:DIRECT=TCP:localhost\\Private$\\MeshAjaxServer01

The “debugmode” flag indicates whether the application should run in debug mode: 1=debug mode, 0=release mode.

The “agentwhitelist”, “agentdefaultban”, “agentdefaultbantime” and “agenttrustedroot” settings control which agents can connect to the server and which cannot. The first setting, “agentwhitelist”, specifies a text file with a list of known good node id’s. Each line of this text file must start with a SHA256 hash of the public key portion of the node’s certificate in hexadecimal. “agentdefaultban” must be set to 1 if the default behavior is to ban a node that is not on the whitelist. “agentdefaultbantime” sets the amount of time a banned node should wait before attempting to re-connect; banned nodes may not always follow this. Lastly, “agenttrustedroot” specifies the hash of a trusted certificate along with a node OID that is acceptable for agent connections.
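The whitelist and ban rules just described, as an added example in Python (not from this guide or the Mesh server). The whitelist lines, the key bytes and the clock are constructed; the treatment of a non-whitelisted node when agentdefaultban is 0 (refused without a timed ban) is an assumption, since the guide does not spell out that case.

```python
import hashlib
import time


def node_id(public_key_der):
    """Node id as the guide defines it: hex SHA-256 of the public-key portion of
    the node certificate (the bytes used here are constructed, not a real cert)."""
    return hashlib.sha256(public_key_der).hexdigest()


# Constructed key material for two pretend agents.
KNOWN_GOOD_KEY = b"constructed public key bytes for node A"
UNKNOWN_KEY = b"constructed public key bytes for node B"

# Constructed whitelist in the shape the guide describes (LM-Keystore.txt style):
# each line starts with the node's SHA-256 hex; anything after it is assumed to be
# a free-form label and is ignored by this example.
WHITELIST_TEXT = f"""\
# lab agents allowed to connect
{node_id(KNOWN_GOOD_KEY)} lab-node-A
"""

_HEX = set("0123456789abcdef")


def load_whitelist(text):
    ids = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0].lower()
        # A SHA-256 digest is exactly 64 hex characters; refuse anything else so a
        # truncated or mis-pasted entry cannot silently admit the wrong node.
        if len(first) != 64 or not set(first) <= _HEX:
            raise ValueError(f"whitelist line {lineno}: not a SHA-256 hex digest")
        ids.add(first)
    return ids


class AgentGate:
    """Admission decision for agentwhitelist / agentdefaultban / agentdefaultbantime."""

    def __init__(self, whitelist, default_ban=1, ban_time=86400, clock=time.time):
        self.whitelist = whitelist
        self.default_ban = default_ban      # 1: ban nodes missing from the whitelist
        self.ban_time = ban_time            # seconds a banned node should wait
        self.clock = clock                  # injectable for tests
        self.banned_until = {}              # node id -> expiry timestamp

    def decide(self, public_key_der):
        """Return 'accept', 'banned' (existing ban still running), 'ban' (new ban
        recorded now) or 'refuse' (default_ban=0: assumed to mean drop the
        connection without a timed ban)."""
        nid = node_id(public_key_der)
        now = self.clock()
        until = self.banned_until.get(nid)
        if until is not None:
            if now < until:
                # Guide: banned nodes may not always honour the wait, so the
                # server has to keep enforcing it itself.
                return "banned"
            del self.banned_until[nid]      # ban expired; re-evaluate from scratch
        if nid in self.whitelist:
            return "accept"
        if self.default_ban == 1:
            self.banned_until[nid] = now + self.ban_time
            return "ban"
        return "refuse"


if __name__ == "__main__":
    gate = AgentGate(load_whitelist(WHITELIST_TEXT))
    print(gate.decide(KNOWN_GOOD_KEY), gate.decide(UNKNOWN_KEY))
```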


The “swarmserver” followed by a number specifies the administrative IP address and port of another swarm server in the group. This setting allows a swarm server to communicate with other swarm servers that are part of a load-balanced group. Communication between the servers will be both TCP and UDP. Servers will ignore their own number and only consider the IP address and port of other servers. So a server with “swarmid=2” will ignore “swarmserver2=xxx” and will take into account “swarmserver1=xx” and “swarmserver3=xx”.

The “logfilepath” setting specifies where the log files must be written. If not set, the server’s executable path is the default.

5.2 Swarm Server Agent Store

The swarm server has one sub-directory called “AgentStore” that is used to keep all the mesh agents. When the swarm server first loads, it goes through all of the mesh agents in the agent store sub-directory and checks signatures. The swarm server keeps an internal list of all the mesh agents that are available in the store and will automatically update agents in the field if needed.

The following picture is an example of the content of the “AgentStore” folder. It contains signed mesh agents for many different computer architectures (Windows, Linux, OS X, Android…).

When a new mesh agent is detected in the wild, the server may automatically download it and check the signature. If it’s valid, it is stored in the agent store for future use.

When first installing the swarm server, this folder can be left empty. Slowly, the swarm server will fill it up as needed. If a new agent is added to this folder, the swarm server will not pick it up until it re-scans the agent store folder.

As a curiosity, here is a list of the currently assigned architecture numbers. Each mesh agent’s file name will have a version number and an architecture number. Only a new version of an agent with the same architecture number can update a previous one.

    0  - Reserved (Can’t be updated)
    1  - Win32-Console (Debug)
    2  - Win64-Console (Debug)
    3  - Win32-Service
    4  - Win64-Service
    5  - Linux/x86
    6  - Linux/x86-64
    7  - MIPS
    8  - Linux-Xen-x86
    9  - Android/ARM
    10 - Linux/ARM
    11 - Apple MAC OS X
    12 - Android/x86


Architecture number 0 is reserved for custom agents that can’t be updated. The agent signature also includes the version and architecture number, so the agent’s filename is not authoritative.


5.3 Installing the Swarm Server Service

The swarm server service is installed using “InstallUtil.exe”. This is a Microsoft tool for installing C# Windows Services. To install the service, simply run:

    installutil meshswarmserver.exe

To uninstall, run:

    installutil /u meshswarmserver.exe

After installation, start the service using the Windows service manager. It’s recommended to start the application version of the swarm server first to see if the settings.txt file is OK and there are no problems. Then, close the application and launch the service.

Since both application and service will attempt to bind the same TCP ports and use the same message queues, they can’t both run at the same time.


6. Mesh AJAX Server

The AJAX server provides interactive HTTP services to Meshcentral; this is the server that makes web pages “real time”, allowing two-way communication between the web browser and the rest of the infrastructure.

The AJAX server is built on top of Microsoft Internet Information Server (IIS) in that it uses the IIS HTTP handling capabilities. As a result, it’s important to first set up IIS correctly before setting up the AJAX server.

These are the executable files of the AJAX Server:

- ManageabilityStack.dll
- MeshInterface.dll
- MeshAjaxServer.exe
- MeshAjaxService.exe

Just like the swarm server, the AJAX server comes with two executables, and the service executable depends on the application executable, so both have to be present. The two other DLLs are dependencies. The two DLLs are the same as the Swarm Server DLLs, but they should not be mixed, so that the swarm server and AJAX server can be updated separately; mixing the DLLs could cause version issues. Just keep the separate servers with their own separate DLLs.

The following picture is the application version of the AJAX server with a single user holding an interactive session.





6.1 Mesh AJAX Server Settings

When launching the AJAX server (either application or service), the file “settings.txt” will be loaded and parsed. Here is an example of the settings.txt file:

    serverid=1
    certfile=Meshcert.p12
    certpass=MeshcertPassword
    webcertfile=HttpsDomainCert.pfx
    webcertpass=HttpsDomainCertPass
    port=8088
    ajaxport=8084
    wsport=8085
    wsportsec=1
    db=Initial Catalog=MeshCentral;Data Source=localhost;Integrated Security=SSPI;Async=true;
    httproutekey=11112222333344445555666677778888
    msmq_queue=.\Private$\MeshAjaxServer01
    msmq_queue_mcast=234.1.2.5:16970
    msmq_send=FORMATNAME:MULTICAST=234.1.2.5:16970
    ajaxprefix=/ajax/
    ajaxswapfile=ajaxswap.txt
    bind=https://+:8084/
    bind=https://+/ajax/
    httpheader_Access-Control-Allow-Headers=Content-Type
    swarmserver1=127.0.0.1:8088
    ajaxserver2=http://192.168.1.105:8084
    domainauth=1
    logfilepath=D:\Logs

The “serverid” value is the AJAX server’s unique number. If many AJAX servers are running at the same time, this number must be unique for each server.

The “certfile” and “certpass” values point to the certificate used by the swarm server. This is not the TLS certificate used by the web site; instead it’s generally a self-signed certificate. It will be used by the mesh agents and mesh consoles to authenticate the swarm server.

The “webcertfile” and “webcertpass” values point to the HTTP TLS certificate used by this server for web access. This is generally a signed and trusted certificate with the correct domain name for this server. This certificate will be used to perform TLS authentication on web sockets.

The “port” value is the administrator port of the SwarmServer. This setting will change in the future; it should be 8080 for now.

The “ajaxport” is the main HTTP AJAX port for this server. This port should also have a “bind” setting like “bind=https://+:8084/”.

The “wsport” is the web socket port. The AJAX server will handle this port on its own without using an IIS binding. IIS 8.0 will support web sockets natively, and so this will change in the future.

The “wsportsec” is 1 if the web socket port is secured using TLS. 0 is the default. For web socket security to be enabled, the “webcertfile” and “webcertpass” must be set and valid.

The “db” value is the connection string to the database with the Meshcentral schema already loaded. In this example we use a database on the localhost, but having the database on a different computer works.

The “httproutekey” is an AES pre-shared secret; it is used to authenticate users that request traffic routing. This value should be the same between swarm server, AJAX server and ASP.net application.

The “AjaxPrefix” value should always be set to “/ajax/”. It is used as an alternative way to access the AJAX server on port 80 or 443; AJAX calls made on port 80 or 443 are more compatible with foreign proxies.

The “AjaxSwapFile” value points to a file that has HTML substitutions. It should not be used.

The “Bind” value can appear one or more times and specifies the IIS bindings this AJAX server will make on startup. Generally these values should stay:

    bind=https://+:8084/
    bind=https://+/ajax/

The “msmq_queue” value indicates the name of the message queue that will be created for this server instance. Generally this would be of the form “\Private$\MeshAjaxServer01”, with the last number being the server identifier.



The “msmq_queue_mcast” value is optional and used if the message queue for this server should subscribe to a multicast address and port. For production environments it’s likely preferable to not use this option and to use unicast messages only.

The “msmq_send” enumerates all of the other message queues that messages should be sent to. This may include swarm servers, other AJAX servers and a social server. We can send messages to many queues at once using a multicast:

    msmq_send=FORMATNAME:MULTICAST=234.1.2.5:16970

Or we can specify queues for unicast:

    msmq_send=FORMATNAME:DIRECT=TCP:localhost\\Private$\\MeshAjaxServer01

Or specify many queues using the pipe as separator:

    msmq_send=FORMATNAME:MULTICAST=234.1.1.2:16979|FORMATNAME:DIRECT=TCP:localhost\\Private$\\MeshAjaxServer01

The “httpheader_xxx” value can appear many times and specifies added headers to put in all AJAX HTTP replies.

The “swarmserver1=127.0.0.1:8088” indicates the administrator IP address and port of the swarm server with identifier number 1. One or more of these lines can be in the settings file, one for each swarm server administrator port. The AJAX server will use this address to communicate directly with a swarm server without authentication or TLS. Traffic on this connection is without TCP delay and intended to be within a private network.

The “ajaxserverX=http://192.168.1.105:8084” indicates the URL of the dedicated AJAX port of each peer AJAX server. This is used when load balancing is in use and an AJAX server receives a request it can’t handle. In this case, it will re-route the request to the correct AJAX server.

The “domainauth=1” indicates that Microsoft Domain authentication should be used. Except for intranet servers, this value should be omitted.

The “logfilepath” setting specifies where the log files must be written. If not set, the server’s executable path is the default.


6.2 Installing the AJAX Server Service

The AJAX server service is a little trickier to install. It’s recommended to run the application version of the AJAX server first and make sure the settings file is read correctly before starting to install and run the service. The application version of the AJAX server is easy to run, but the service version requires extra bindings.

If you are running https, you need to bind the SSL certificate to the application identifier of the AJAX server. Run this line, with “xxx” being the MD5 hash of the HTTPS certificate, in a command window (run as administrator):

    netsh http add sslcert ipport=0.0.0.0:8084 certhash=xxx appid={8bf83834-1594-4051-b4a7-5693561b257a} clientcertnegotiation=enable

This adds a new SSL server certificate binding and corresponding client certificate policies for an IP address and port.

Syntax

    add sslcert [ipport=]IPAddress:port [certhash=]CertHash [appid=]GUID
        [[certstorename=]CertStoreName
         [verifyclientcertrevocation=]enable|disable
         [verifyrevocationwithcachedclientcertonly=]enable|disable
         [usagecheck=]enable|disable
         [revocationfreshnesstime=]U-Int
         [urlretrievaltimeout=]U-Int
         [sslctlidentifier=]SSLCTIdentifier
         [sslctlstorename=]SSLCtStoreName
         [dsmapperusage=]enable|disable
         [clientcertnegotiation=]enable|disable]

Parameters

ipport=<ip address of the server>:<port number>
    Required. Specifies the IP address and port for the binding. A colon character (:) is used as a delimiter between the IP address and the port number. Instructs the tool to set the certificate to the port specified on the computer. Optionally, the four zeroes that precede the number can also be replaced by the actual IP address of the computer.

certhash=<hash code of the certificate>
    Required. Specifies the SHA hash of the certificate. This hash is 20 bytes long and is specified as a hexadecimal string. Specifies the thumbprint of the certificate. This hash code can be obtained by running the Mesh server application, selecting the ‘File/Certificate Hashs..’ menu option and copying the ‘SHA256 Hash:’ value.

appid=<application ID>
    Required. Specifies the GUID to identify the owning application. It can be obtained by …

certstorename
    Optional. Specifies the store name for the certificate. Defaults to MY. Certificate must be stored in the local machine context.

verifyclientcertrevocation
    Optional. Turns on/off verification of revocation of client certificates.

verifyrevocationwithcachedclientcertonly
    Optional. Specifies whether the usage of only cached client certificates for revocation checking is enabled or disabled.

usagecheck
    Optional. Specifies whether the usage check is enabled or disabled. Default is enabled.

revocationfreshnesstime
    Optional. Specifies the time interval, in seconds, to check for an updated certificate revocation list (CRL). If this value is zero, then the new CRL is updated only if the previous one expires.

urlretrievaltimeout
    Optional. Specifies the timeout interval (in milliseconds) after the attempt to retrieve the certificate revocation list for the remote URL.


sslctlidentifier
    Optional. Specifies the list of the certificate issuers that can be trusted. This list can be a subset of the certificate issuers that are trusted by the computer.

sslctlstorename
    Optional. Specifies the certificate store name under LOCAL_MACHINE where SslCtlIdentifier is stored.

dsmapperusage
    Optional. Specifies whether DS mappers are enabled or disabled. Default is disabled.

clientcertnegotiation=<enable>|<disable>
    Optional. Specifies whether the negotiation of certificate is enabled or disabled. Default is disabled.



To delete this binding do this:


netsh http delete sslcert ipport=0.0.0.0:8084


To show the SSL bindings, do this:


netsh http show sslcert


After setting up the SSL
binding, you will need to authorize the AJAX server local service account
to bind to HTTP paths.


If running secure sockets:


netsh http add urlacl url="https://+:8084/" user="Local Service"

netsh http add urlacl url="https://+:443/ajax/" user="Local Servi
ce"


Otherwise:


netsh http add urlacl url="http://+:8084/" user="Local Service"

netsh h
ttp add urlacl url="http://+:80
/ajax/" user="Local Service"


Adds a Uniform Resource Locator (URL) reservation entry. This command reserves the URL for
non-administrator users and accounts. The DACL can be specified by using an NT account name
with the listen and delegate parameters or by using an SDDL string.

Syntax

add urlacl [url=]URL [[user=]User [[listen=]yes|no [delegate=]yes|no] | [sddl=]SDDL]

Parameters

url="<URL>:<port number>" (1)

Required. Specifies the fully qualified Uniform Resource Locator (URL).

user="<user or group name>"

Required. Specifies the user or user-group name.

listen


Optional. Specifies one of the following values:
yes: Allow the user to register URLs. This is the default value.
no: Deny the user from registering URLs.

delegate

Optional. Specifies one of the following values:
yes: Allow the user to delegate URLs.
no: Deny the user from delegating URLs. This is the default value.

sddl

Optional. Specifies an SDDL string that describes the DACL.



To show the current URL reservations:


netsh http show urlacl
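As an added check after the reservations above (example code written for this edit, not part of the MeshCentral guide or its tools), the following Python parses the text that "netsh http show urlacl" prints and confirms that every URL the AJAX server needs is reserved for the Local Service account with Listen enabled. The sample output embedded in it is constructed; the URL list and account name assume the secure-sockets variant of the commands above, and the "--live" switch, which runs netsh itself, is this example's own.

```python
# Added example: verify the URL reservations the AJAX server needs.
# Not MeshCentral code. The sample netsh output below is constructed.
import re
import subprocess
import sys

# Constructed sample of "netsh http show urlacl" output: one URL is reserved
# for the wrong account on purpose, so the check has something to report.
SAMPLE_OUTPUT = """
URL Reservations:
-----------------

    Reserved URL            : https://+:8084/
        User: NT AUTHORITY\\LOCAL SERVICE
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;LS)

    Reserved URL            : https://+:443/ajax/
        User: BUILTIN\\Administrators
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;BA)

    Reserved URL            : http://+:80/Temporary_Listen_Addresses/
        User: \\Everyone
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;WD)
"""

# What the guide's add urlacl lines (secure-sockets variant) should produce.
REQUIRED_URLS = ("https://+:8084/", "https://+:443/ajax/")
LOCAL_SERVICE = "NT AUTHORITY\\LOCAL SERVICE"  # how netsh shows "Local Service"


def parse_urlacl(text):
    """Return {url: [{"user": ..., "listen": bool}, ...]} from netsh's output."""
    reservations = {}
    url = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Reserved URL\s*:\s*(\S+)", line)
        if m:
            url = m.group(1).lower()
            reservations.setdefault(url, [])
            continue
        m = re.match(r"User:\s*(.+)$", line)
        if m and url is not None:
            reservations[url].append({"user": m.group(1).strip(), "listen": None})
            continue
        m = re.match(r"Listen:\s*(Yes|No)", line)
        if m and url is not None and reservations[url]:
            reservations[url][-1]["listen"] = m.group(1) == "Yes"
    return reservations


def missing_reservations(text, required=REQUIRED_URLS, account=LOCAL_SERVICE):
    """List the required URLs that are not reserved for `account` with Listen: Yes."""
    found = parse_urlacl(text)
    missing = []
    for url in required:
        entries = found.get(url.lower(), [])
        ok = any(e["user"].lower() == account.lower() and e["listen"] for e in entries)
        if not ok:
            missing.append(url)
    return missing


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        # On the real server: run netsh and check its actual output.
        text = subprocess.run(["netsh", "http", "show", "urlacl"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_OUTPUT
    for url in missing_reservations(text):
        print("missing or reserved for another account:", url)
```

Run it without arguments to see the check against the constructed sample; on the server, run it with "--live" from an elevated prompt so that netsh can list the reservations.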


Installing the AJAX service itself is done the same way as for the swarm server, using
"InstallUtil.exe". To install the service, simply run:

installutil meshajaxserver.exe

To uninstall, run:

installutil /u meshajaxserver.exe

After installation, start the service using the Windows service manager.

If two AJAX server instances are run at the same time on the same computer, their HTTP
bindings will fail.


7. Server Redundancy

Both the AJAX server and swarm server are designed to run with multiple instances. They can be
run in a load-balancing fashion, or by having one or more active and one or more hot spares.
Each instance of a server must have its own "settings.txt" file.

In this first scenario, we will assume that an outside router performs the load balancing on both
the agent side and the HTTP side. On the HTTP side, the router can also perform SSL-offload
operations, but not on the swarm server side (the swarm server needs to authenticate the
agents).

Let's look at the two settings.txt files for both swarm servers.



Swarm Server #1

swarmid=1
certfile=cert.p12
certpass=certpass
port=8080
adminport=8088
adminportlocal=0
db=Initial Catalog=MeshCentral;Data Source=localhost\SQLEXPRESS
httproutekey=000000000000000000000000000000001
msmq_queue=.\Private$\MeshSwarmServer01
msmq_queue_mcast=234.1.2.5:16970
msmq_send=FORMATNAME:MULTICAST=234.1.2.5:16970
swarmserver1=192.168.0.100:8088
swarmserver2=192.168.0.101:8088

Swarm Server #2

swarmid=2
certfile=cert.p12
certpass=certpass
port=8080
adminport=8088
adminportlocal=0
db=Initial Catalog=MeshCentral;Data Source=localhost\SQLEXPRESS
httproutekey=000000000000000000000000000000001
msmq_queue=.\Private$\MeshSwarmServer02
msmq_queue_mcast=234.1.2.5:16970
msmq_send=FORMATNAME:MULTICAST=234.1.2.5:16970
swarmserver1=192.168.0.100:8088
swarmserver2=192.168.0.101:8088


It's very important that each swarm service instance has its own identifier, starting at number 1.
In this example, the "msmq_queue" is different for each server; this change is optional. Most other
values, like the HTTP routing key, must be identical.

We have to make sure the administrator port of each swarm server is no longer bound only to
localhost: the line "adminportlocal=0" will accept connections from any address. It's important that
the administrator port only be reachable from the AJAX servers or other trusted servers. External users
MUST NOT have access to the swarm server administrator port, so restrict it with a host firewall rule
or a network ACL that admits only the AJAX and swarm server addresses.

Also, we specify the administration IP address and port of the other swarm servers in each
configuration using the "swarmserverX=" setting.

Now let's look at the AJAX server settings.txt files.


AJAX Server #1

serverid=1
certfile=cert.p12
certpass=certpass
port=8080
db=Initial Catalog=MeshCentral;Data Source=localhost\SQLEXPRESS


httproutekey=000000000000000000000000000000001
ajaxprefix=/ajax/
ajaxswapfile=ajaxswap.txt
ajaxport=8084
wsport=8085
bind=http://+:80/ajax/
bind=http://+:8084/
msmq_queue=.\Private$\MeshAjaxServer01
msmq_queue_mcast=234.1.2.5:16970
msmq_send=FORMATNAME:MULTICAST=234.1.2.5:16970
httpheader_Access-Control-Allow-Headers=Content-Type
swarmserver1=192.168.0.100:8088
swarmserver2=192.168.0.101:8088


AJAX Server #2

serverid=2
certfile=cert.p12
certpass=certpass
port=8080
db=Initial Catalog=MeshCentral;Data Source=localhost\SQLEXPRESS
httproutekey=000000000000000000000000000000001
ajaxprefix=/ajax/
ajaxswapfile=ajaxswap.txt
ajaxport=8084
wsport=8085
bind=http://+:80/ajax/
bind=http://+:8084/
msmq_queue=.\Private$\MeshAjaxServer02
msmq_queue_mcast=234.1.2.5:16970
msmq_send=FORMATNAME:MULTICAST=234.1.2.5:16970
httpheader_Access-Control-Allow-Headers=Content-Type
swarmserver1=192.168.0.100:8088
swarmserver2=192.168.0.101:8088


Again, it's very important that each server has its own identifier number, starting at 1.
In this example, each server has a different "msmq_queue" name, but this is not required. It's important
to correctly put the swarm server address and administrator port: "swarmserver1" must point to
swarm server #1 and "swarmserver2" to swarm server #2. Values must be correct.
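The rules in this section (unique identifiers starting at 1, identical routing key, matching swarmserverN entries, admin port open to the other servers) are easy to get wrong when settings.txt files are copied between machines. The following Python is an added example, not MeshCentral code: it parses a set of settings.txt files for the swarm and AJAX instances and reports the inconsistencies described above. The four configurations embedded in it are constructed from the example values shown earlier; the checks are this example's own reading of the rules and assume only the keys that appear in those examples.

```python
# Added example: checks the settings.txt files of redundant swarm/AJAX
# instances for the mistakes the guide warns about. Not MeshCentral code.
import re

# Constructed from the guide's example values (the second instance of each
# kind is derived from the first by changing only the identifier and queue name).
SWARM1 = """swarmid=1
certfile=cert.p12
adminport=8088
adminportlocal=0
httproutekey=000000000000000000000000000000001
msmq_queue=.\\Private$\\MeshSwarmServer01
msmq_send=FORMATNAME:MULTICAST=234.1.2.5:16970
swarmserver1=192.168.0.100:8088
swarmserver2=192.168.0.101:8088
"""
SWARM2 = SWARM1.replace("swarmid=1", "swarmid=2").replace("Server01", "Server02")
AJAX1 = """serverid=1
certfile=cert.p12
httproutekey=000000000000000000000000000000001
bind=http://+:80/ajax/
bind=http://+:8084/
msmq_queue=.\\Private$\\MeshAjaxServer01
msmq_send=FORMATNAME:MULTICAST=234.1.2.5:16970
swarmserver1=192.168.0.100:8088
swarmserver2=192.168.0.101:8088
"""
AJAX2 = AJAX1.replace("serverid=1", "serverid=2").replace("Server01", "Server02")


def parse_settings(text):
    """key -> list of values; repeated keys such as bind= are kept in order."""
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(key.strip().lower(), []).append(value.strip())
    return settings


def first(settings, key, default=""):
    return settings.get(key, [default])[0]


def check_cluster(swarm_texts, ajax_texts):
    """Return a list of problems; an empty list means the set is consistent."""
    problems = []
    swarms = [parse_settings(t) for t in swarm_texts]
    ajaxes = [parse_settings(t) for t in ajax_texts]
    everything = swarms + ajaxes

    # Identifiers must be unique, start at 1 and be contiguous.
    for kind, group, key in (("swarm", swarms, "swarmid"), ("ajax", ajaxes, "serverid")):
        ids = sorted(int(first(s, key, "0")) for s in group)
        if ids != list(range(1, len(group) + 1)):
            problems.append(f"{kind} {key} values must be 1..{len(group)}, got {ids}")

    # Values that every instance must share.
    for key in ("httproutekey", "msmq_send", "certfile"):
        if len({first(s, key) for s in everything}) != 1:
            problems.append(f"{key} differs between instances")
    if not re.fullmatch(r"[0-9a-fA-F]+", first(everything[0], "httproutekey")):
        problems.append("httproutekey must be a hex string")

    # Every instance must list the same swarmserverN admin endpoint per swarm id.
    expected = {f"swarmserver{i}" for i in range(1, len(swarms) + 1)}
    endpoints = {}
    for s in everything:
        mine = {k: v[0] for k, v in s.items() if re.fullmatch(r"swarmserver\d+", k)}
        if set(mine) != expected:
            problems.append(f"expected keys {sorted(expected)}, found {sorted(mine)}")
        for k, v in mine.items():
            if not re.fullmatch(r"[^:\s]+:\d+", v):
                problems.append(f"{k}={v} is not host:port")
            endpoints.setdefault(k, set()).add(v)
    agreed = {}
    for k, values in endpoints.items():
        if len(values) != 1:
            problems.append(f"{k} disagrees between instances: {sorted(values)}")
        else:
            agreed[k] = values.pop()
    if len(set(agreed.values())) != len(agreed):
        problems.append("two swarmserverN keys point at the same address")

    # Swarm admin ports: reachable by the AJAX servers, and matching swarmserverN.
    for s in swarms:
        sid = first(s, "swarmid", "?")
        if len(swarms) > 1 and first(s, "adminportlocal", "1") != "0":
            problems.append(f"swarm {sid}: adminportlocal must be 0 for redundancy")
        if first(s, f"swarmserver{sid}").rsplit(":", 1)[-1] != first(s, "adminport"):
            problems.append(f"swarm {sid}: adminport does not match swarmserver{sid}")
    return problems


if __name__ == "__main__":
    print(check_cluster([SWARM1, SWARM2], [AJAX1, AJAX2]) or "consistent")
    # The copy/paste mistake the guide warns about: swarmserver2 pointing at server 1.
    bad = SWARM2.replace("swarmserver2=192.168.0.101", "swarmserver2=192.168.0.100")
    print(check_cluster([SWARM1, bad], [AJAX1, AJAX2]))
```

To use it on real files, read each settings.txt into a string and pass the swarm and AJAX sets to check_cluster; anything it prints should be fixed before the services are started, because a wrong swarmserverN entry or a duplicated identifier will only show up later as servers that cannot find each other.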


8. Load-Balancing & SSL offload

This section looks at situations where load balancers and/or SSL offloading hardware are
expected to be installed on the server side. First, let's look at what the servers look like in the
minimal situation.






Here, we have the AJAX server and swarm server handling incoming HTTPS and TLS
connections. The servers perform all of the authentication and encryption.

Now, let's look at adding SSL offloading hardware.

Here the SSL offloading is added to the picture. Note that only the HTTPS connections are
offloaded; the resulting connection is passed along to the AJAX server on ports 80, 8084 and
8085. The SSL offloader must support HTML5 web sockets on port 8085.

The swarm server's connections are not SSL offloaded because the swarm server performs
mutual-authentication TLS: authentication happens in both directions, and an offloader that
terminated the TLS session would take the agent's certificate out of the swarm server's view.





In this picture, the swarm service is load balanced. Here again, no SSL offload is performed
between the agents and swarm server. The connections are simply routed to the least loaded
server.

In this last picture, we have SSL offload and load balancing in front of all servers. Again, the swarm
servers don't get SSL offload.


9. Setting up agents

If the Swarm Server is set up, it's now time to set up mesh agents. Normally, users use the
ASP.net application to create a policy file, download the agent and install it on a computer. In this
section, we use a different approach and use the "Mesh Controller" tool.



On a Windows client computer, download and install the latest "Mesh Manageability Tools" at:
http://opentools.homeip.net/mesh

Then, launch the Mesh Controller tool. It should look like this:

Here, mesh agents were found on the local network and listed. But if no agents are running
on the local network, nothing will show up; that's ok. Go to the File menu and select "Create New
Mesh…".





Type in a mesh name and a strong password. Next, select the server you want the agents to
connect to. If you are using a custom server not in the list, select "(No Web Service)" for now; we
will edit the policy later.





Next, the mesh agent will be installed on the local computer with this new policy. You can use the
next wizard steps to save the mesh administrative state and save a mesh agent installer for use on
other computers. You can do this if you want, or just exit out. Now, a computer should show up
with your new mesh.

Now we are going to edit the mesh policy. Right click on the computer and select "Show Trusted
Policy…" and click "Edit Policy…". You are now in the policy editor.





In the first tab, you can change the policy name and change the mesh password, but we will
leave this as-is. No need to type anything in this screen. Go to the "Web Service" tab.




For a custom server, select "(Custom Web Service)", then type in the server address, port and
the SHA256 hash of the service certificate. You can get this value easily by going to the Swarm
Server's File menu, selecting "Certificate hashes…" and copying the SHA256 hash. The agents use
this hash to authenticate the server, so the policy has to be updated if the swarm server
certificate is ever replaced.

In the "Web Permissions" tab, you can set what actions the web service is allowed to perform on
computers with this agent & policy. Select them all for now.

Now, click OK. Within a few seconds, the local mesh agent will connect to the remote server. You
should see computers connecting to the Swarm Server.





That's it. You have your first computer connected. Mesh agents will automatically update each
other's policies, so if you have many agents on a local network, you only need to update the
policy once.

At any time, you can go to the Mesh Controller "File" menu and select "Create Mesh Installer…" to create
an installer with the latest mesh policy. Also note that the "meshagent.msh" policy file is valid for
all agent architectures, so it will work on Windows, Linux, OS X, Android…


10. ASP.net Server Setup

Once both the AJAX server and Swarm server are set up, it's time to focus on installing the
ASP.net server. This is the user-facing interface and so, often, the portion most easily
associated with the mesh technology. Since one of the most interesting aspects of this

technology is that remote interactions are all web based, the ASP.net server is the portal to all of
the interesting features.


To get the server set up, create a web site in IIS and copy the ASP.net files into it. You may use
the default IIS web site.




Then, go into the IIS control panel so we can continue the configuration. At this point, you may
want to add IIS bindings and configure TLS on the web site.




The first task is to go into "Connection Strings" and set up the proper connection string for the
database. This will be used by ASP.net for user memberships. In the case of a development
machine, we use a simple "localhost" connection string.




Then, go back and select "Application Settings"; this is where most of the configuration of the
ASP.net application takes place. Here is an example of the settings on a development machine.





Let's look at each setting individually.

AgentStorePath

The path where the mesh agent executables are stored. Ideally, this is the same path that the
Swarm Server uses to store mesh agents. When the swarm server obtains a new version of an agent,
it will be stored in this location and the ASP.net server can take advantage of it right away. This
path is used to allow users to download the mesh agents from the web site for initial installation.
The ASP.net server will always attempt to get the latest version of the agent at this location.

AjaxServerHost

The host name of the AJAX server. If omitted, the AJAX server is assumed to be located on the
same server as the ASP.net server.


AjaxServerPort



The AJAX server dedicated port number. Often set to 8084.


AjaxServerScheme

"http" or "https" values allowed; if omitted, "http" is used. This indicates whether the AJAX
dedicated port (often 8084) was set up with or without TLS security.


AjaxServerWSPort



The AJAX server dedicated web socket port. Often set to 8085.


AjaxServerWSScheme

"ws" or "wss" values allowed; if omitted, "ws" is used. This indicates whether the dedicated
web socket port (often 8085) has TLS in use.


ConnectionString



The database connection string for the mesh database. This is often the
same as the ASP.net connection string configured earlier.


msmq_send

This line indicates how to send a message on the Microsoft Message Queue for mesh. This
is used by the ASP.net application to send messages to the AJAX & Swarm servers.
A typical value is:

FORMATNAME:MULTICAST=234.1.2.5:16970

This will multicast the message on a given IP address and port. An alternative is to send
messages directly to MSMQ queues like this:

FORMATNAME:DIRECT=TCP:myserver\\Private$\\MeshSwarmServer01



In the second case, all of the message targets have to be listed, separated by the "|" pipe character.

SwarmServerCertHash

The MD5 hash of the swarm server certificate. This is used by the ASP.net server to create new
mesh policies. This value can be found by running the Swarm Server in interactive mode and
selecting "Certificate Hashes" in the File menu.


SwarmServerHost

The host name of the swarm server. If omitted, the swarm service is assumed to be running on
the same computer as the ASP.net server.

SwarmServerLongHash

The SHA256 hash of the swarm server certificate. This is used by the ASP.net server to create new
mesh policies. This value can be found by running the Swarm Server in interactive mode and
selecting "Certificate Hashes" in the File menu.


SwarmServerPort



The port of the swarm server, this is typically “8080”.


TrafficRoutingKey

The routing cookie pre-shared secret. This is the same secret that is configured with the
AJAX server and Swarm server; it's a 96 character long hex string.

10.1 ASP.net load balancing

The ASP.net application is easy to set up with a load balancer. Just configure one server and,
once it's working, copy everything to an identical server. Since all the settings are part of the
"web.config" file, copying that file over to the other servers will also copy the settings over. Note
that web.config then carries the database connection strings and the TrafficRoutingKey secret,
so copy it over a secure channel and keep its file permissions restricted on every server.


11. Notes

For flexibility and ease of use, the HTTP Server API supports four different ways to specify hosts.
The four host-specifier categories are listed below in order of precedence:

Strong wildcard (Plus Sign)

When the host element of a UrlPrefix consists of a single plus sign (+), the UrlPrefix
matches all possible host names in the context of its scheme, port and relativeURI
elements, and falls into the strong wildcard category.

A strong wildcard is useful when an application needs to serve requests addressed to
one or more relativeURIs, regardless of how those requests arrive on the machine or
what site they specify in their Host headers. Use of a strong wildcard in this situation
avoids the need to specify an exhaustive list of host and/or IP addresses.

Explicit

An explicit host name such as a fully qualified domain name in the host element places a
UrlPrefix in the explicit category. This kind of host element is matched directly against the
Host headers of incoming requests.

Explicit host specifications are useful for multi-site applications such as Web servers that
deliver different content depending on the site to which the request was directed.

IP-bound weak wildcard

When an IP address appears as the host element, then the UrlPrefix falls into the IP-bound
weak wildcard category. This kind of UrlPrefix matches any host name for the
specified IP interface with the specified scheme, port and relativeURI, and that has not
already been matched by a strong-wildcard or explicit UrlPrefix. The IP address takes
one of two forms in the host element:

IPv4 Literal String

An IPv4 literal consists of four dotted decimal numbers, each in the range 0-255, such as
192.168.0.0.

IPv6 Literal String

An IPv6 literal string is enclosed in square brackets and contains hex numbers separated
by colons; for example: [::1] or [3ffe:ffff::6ECB:0101].

IP-bound weak-wildcard host specifiers are intended for applications that vary the content
they serve based on the route taken by incoming requests. Do not rely on IP-bound
weak-wildcard host specifiers to enforce security.

Weak wildcard (asterisk)

When an asterisk (*) appears as the host element, then the UrlPrefix falls into the weak
wildcard category. This kind of UrlPrefix matches any host name associated with the
specified scheme, port and relativeURI that has not already been matched by a
strong-wildcard, explicit, or IP-bound weak-wildcard UrlPrefix.

This host specification can be used as a default catch-all in some circumstances, or can be used
to specify a large section of URL namespace without having to use many UrlPrefixes.
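The precedence rules above decide which reservation receives a request when several share a port, and that is exactly the situation the guide's "http://+:80/ajax/" binding creates on a server that also hosts an IIS site on port 80. The following Python is an added example, not part of the MeshCentral guide or of HTTP.sys: it models the four host categories and picks the winning UrlPrefix for a request, so you can see why the strong wildcard captures every "/ajax/" request regardless of Host header, and why an IP-bound weak wildcard cannot be relied on for security. The registrations and requests are constructed for the example (the "mesh.example.com" site and the IP-bound and catch-all entries are hypothetical), and the model only covers host, scheme, port and path; it does not model which process owns each registration.

```python
# Added example: which UrlPrefix receives a request under the HTTP Server
# API host precedence rules. Not MeshCentral code and not HTTP.sys itself.
from dataclasses import dataclass

STRONG, EXPLICIT, IP_BOUND, WEAK = 0, 1, 2, 3  # lower number = higher precedence


@dataclass(frozen=True)
class UrlPrefix:
    scheme: str
    host: str
    port: int
    path: str  # relativeURI, always ending in "/"

    @property
    def category(self):
        if self.host == "+":
            return STRONG
        if self.host == "*":
            return WEAK
        if self.host.startswith("[") or self.host.replace(".", "").isdigit():
            return IP_BOUND  # IPv6 literal in brackets, or dotted IPv4
        return EXPLICIT


def parse_prefix(text):
    """Parse 'scheme://host:port/relativeURI/' as used by netsh http add urlacl."""
    scheme, rest = text.split("://", 1)
    hostport, _, path = rest.partition("/")
    if hostport.startswith("["):            # IPv6 literal such as [::1]:80
        host, _, port = hostport.rpartition("]:")
        host += "]"
    else:
        host, _, port = hostport.rpartition(":")
    return UrlPrefix(scheme.lower(), host.lower(), int(port), "/" + path.lower())


def resolve(prefixes, scheme, host_header, local_ip, port, path):
    """Return the UrlPrefix that would receive this request, or None.

    Candidates must match scheme and port and be a path prefix at a "/"
    boundary; explicit entries must also match the Host header and IP-bound
    entries the local address. The best category wins, then the longest path.
    """
    path = path.lower()
    best = None
    for p in prefixes:
        if p.scheme != scheme.lower() or p.port != port:
            continue
        if not (path == p.path.rstrip("/") or path.startswith(p.path)):
            continue
        if p.category == EXPLICIT and p.host != host_header.lower():
            continue
        if p.category == IP_BOUND and p.host != local_ip.lower():
            continue
        key = (p.category, -len(p.path))
        if best is None or key < best[0]:
            best = (key, p)
    return best[1] if best else None


if __name__ == "__main__":
    prefixes = [parse_prefix(u) for u in (
        "http://+:80/ajax/",             # the guide's AJAX reservation
        "http://mesh.example.com:80/",   # hypothetical explicit site on the same port
        "http://192.168.0.100:80/",      # hypothetical IP-bound reservation
        "http://*:80/",                  # hypothetical catch-all
    )]
    requests = (("mesh.example.com", "192.168.0.100", "/ajax/status"),
                ("mesh.example.com", "192.168.0.100", "/"),
                ("other.example.com", "192.168.0.100", "/"),
                ("other.example.com", "192.168.0.101", "/"))
    for host, ip, p in requests:
        winner = resolve(prefixes, "http", host, ip, 80, p)
        print(f"Host: {host} via {ip} {p} -> {winner.host}{winner.path}")
```

The first request shows the point that matters for this guide: a request for "/ajax/status" addressed to the IIS site's own host name still goes to the strong-wildcard AJAX reservation, because "+" outranks the explicit host. The last two show that an IP-bound entry only applies on its own interface, and that anything else falls through to the "*" catch-all, which is why the text says not to use IP-bound weak wildcards as a security control.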