Server

This section identifies hardware and software requirements for Usercube's server.

License Key

The server requires a license key provided by NETWRIX.

Software

The server is a .NET application.

Running the server requires installing the ASP.Net hosting bundle in version 8.0.

Hosting

The server can be run as:

• an Internet Information Services (IIS) website from the minimal version IIS 10.0 (recommended);
• a Windows service;
• a stand-alone executable for tests or debugging purposes.

It is recommended to enable the following Internet Information Services (IIS) features to host Usercube:

• Windows Authentication;
• Anonymous Authentication.

Service Accounts

The installation of the server as part of an Active Directory domain requires the use of an account with sufficient privileges to create a service account on the domain.

The server should be assigned a custom Windows service account.

The IIS built-in application pool identity should not be used, because it will prevent the custom account from connecting to a distant SQL Server. Hence NETWRIX recommends using a domain account.

Working directory permissions

The agent's service account needs specific permissions on the working directory:

• Read and List folder contents on the working directory;
• Read & Execute and List folder contents on the Runtime directory, usually C:/identitymanager<Organization>/Runtime, in order to run the agent executable;
• Read and List folder contents on the directory for provisioning orders, whose path depends on the Work folder's path;
• Read, List folder contents, and Write on the directory for data collection, whose path depends on the Work folder's path.

Other permissions should be denied.

FAQ: How to set up directory permissions in Windows Server?

Database permissions

If Windows' authentication is used for SQL Server, then the server should be able to authenticate to SQL Server with its assigned service account. It means that the server's service account needs to be assigned an SQL Server login with the relevant roles, including necessarily either sysadmin or securityadmin.

For more information, see the server installation procedure.

Hostname and DNS

In the case of an on-premises installation, the server needs to be assigned a hostname within the organization's domain. Agents must be able to resolve the server's hostname.

The associated DNS zone needs to be updated accordingly.

The DNS alias should be written in lowercase in order to comply with as many security rules as possible.

SSL Certificate

The server requires the use of an SSL certificate in order to perform HTTPS communication with end-users' browsers.

Usercube SaaS offering comes with an SSL certificate signed by a trusted certificate authority for the *.usercube.com domains. This certificate allows end-users to access the server through the Internet without any further configuration. Using another domain name for the SaaS installation requires providing NETWRIX with the corresponding SSL certificate signed by a trusted certificate Authority.

Usercube on-premises offering requires the use of an SSL certificate trusted by all the target end-users' browsers. Standard practices use a certificate signed by the target organization's Public Key Infrastructure (PKI) root certificate authority. The on-premise SSL certificate must be set up in IIS.

Emails

The server needs access to an SMTP server to send email notifications.

Encryption and Identity Server Key Pairs

An RSA-2048 encryption key pair is required for:

• Usercube's server in order to perform various encryption operations, such as source, configuration, or log file encryptions;
• Usercube's Identity Server for end-user authentication purposes.

Such a certificate does not need to be integrated into the target organization's Public Key Infrastructure and does not require an expiration date. They are only relevant to internal and temporary Usercube data and can be changed at any time.

An RSA key pair, as in an X.509 public key certificate and a private key, can be stored either:

• As a PKCS #12 archive (also called Personal Information Exchange file or .pfx file) stored in the server's host file system. The archive contains both the public key certificate and the private key.
• As a certificate from a Windows' certificate store identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains both the public key certificate and the private key. This is the recommended method.

The key pair can be generated with tools such as OpenSSL or Microsoft's New-SelfSignedCertificateandpvk2pfx tool.

What's Next?

Let's move on to Usercube's agent requirements.