Configure external accessibility

Introduction

There are many ways to expose part of an application to the public internet. This is a brief description of the best practice for opening up the Anywhere365 WebChat to the outside world, without having to worry that all call detail data becomes publicly accessible as well.


Important note:

This doesn't work if the 2 machines are in different forests.


Supported combinations of the two machines (Machine A = UCC server, Machine B = web server):

                          MACHINE B
    MACHINE A      FOREST A        FOREST B        WORKGROUP
    FOREST A       WORKS           DOES NOT WORK   WORKS
    FOREST B       DOES NOT WORK   WORKS           WORKS
    WORKGROUP      WORKS           WORKS           WORKS


Configure external accessibility

The Anywhere365 WebChat consists of two web services:

  1. WebChat - This is the front-end which the customer uses to initiate a chat conversation with the employee.
  2. ChatHub - This is the back-end, which takes care of the communication with the UCC (Unified Contact Center) service (e.g. for presence information).

Best practice offers two ways to implement these web services:

  1. (Default) The web services are installed on the Anywhere365 Application Server and made available to the outside world through a reverse proxy (similar to the dial-in web page of Skype for Business).
  2. Host both web services on a web server in a DMZ. That way the UCC application server is not directly accessible from outside the network.

The ChatHub and the UCC communicate via so-called MSMQs (Microsoft Message Queues). This is a Windows feature (service) that can exchange encrypted messages. The advantage of this method is that it also supports remote access: a queue can be read from and written to from another server. In this particular case we use this to allow communication from the web server (in the DMZ) to the UCC server (internal network).

Not much is needed to get this working. Both servers need the Windows Message Queuing feature installed, and the following firewall ports must be opened (from the web server to the UCC server and vice versa):

  • TCP: 1801
  • RPC: 135, 2101, 2103, 2105
  • UDP: 3527, 1801
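As an added example (not part of the Anywhere365 documentation), the following PowerShell script creates inbound Windows Firewall rules for exactly the ports listed above, restricted to the address of the peer server so the MSMQ ports are not open to the whole network, and then checks reachability of the TCP ports from this side. The peer address and rule names are assumed placeholders; run it once on the web server (with the UCC server's address) and once on the UCC server (with the web server's address).

```powershell
# Added example: scope the MSMQ firewall openings to the single peer server.
$PeerAddress = '10.0.0.20'   # constructed placeholder: address of the other server

$rules = @(
    @{ Name = 'MSMQ TCP 1801';           Protocol = 'TCP'; Port = 1801 },
    @{ Name = 'MSMQ RPC 135';            Protocol = 'TCP'; Port = 135 },
    @{ Name = 'MSMQ RPC 2101,2103,2105'; Protocol = 'TCP'; Port = @(2101, 2103, 2105) },
    @{ Name = 'MSMQ UDP 1801,3527';      Protocol = 'UDP'; Port = @(1801, 3527) }
)

foreach ($r in $rules) {
    $displayName = "Anywhere365 WebChat - $($r.Name)"
    # Idempotent: skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $displayName `
        -Direction Inbound -Action Allow -Profile Domain,Private `
        -Protocol $r.Protocol -LocalPort $r.Port `
        -RemoteAddress $PeerAddress | Out-Null
}

# Verify from this side: the MSMQ listener (1801) and the RPC endpoint mapper (135)
# on the peer must be reachable before the ChatHub endpoints are changed.
foreach ($port in 1801, 135) {
    $result = Test-NetConnection -ComputerName $PeerAddress -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable: {2}' -f $PeerAddress, $port, $result.TcpTestSucceeded
}
```

Run it from an elevated Windows PowerShell prompt; UDP reachability cannot be tested this way, so the UDP rules are only created, not verified.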

After installing the WebChat and ChatHub web services on the web server, configure the ChatHub so that it uses the correct MSMQs.

With a default installation of the WebChat, the following is configured in the appsettings.config of the ChatHub (which by default resides on the UCC server):

<add key="WebChatInputEndpoint" value="msmq://<message queue name>@localhost" />

<add key="WebChatUccEndpoint" value="msmq://<message queue name>@localhost" />

When the ChatHub runs on another server, this should be changed to either:

<add key="WebChatInputEndpoint" value="FormatName:DIRECT=OS:<ucc application server FQDN>\private$\<message queue name>" />

<add key="WebChatUccEndpoint" value="FormatName:DIRECT=OS:<ucc application server FQDN>\private$\<message queue name>" />

or (using the IP address instead of the FQDN):

<add key="WebChatInputEndpoint" value="FormatName:DIRECT=TCP:<ucc application server IP>\private$\<message queue name>" />

<add key="WebChatUccEndpoint" value="FormatName:DIRECT=TCP:<ucc application server IP>\private$\<message queue name>" />

Of course you should also pay attention to the IIS configuration; this too can be done in many ways.

We suggest using Microsoft TMG (or any other proxy server) to determine which traffic is allowed (and which is not).


Create the local service accounts

  1. On the UCC server, go to Computer Management.

  2. Now go to Local Users and Groups.

  3. Create a new local user and give it a username and password.

  4. Now go to Groups and add this user to the local Administrators group.

  5. Now go to the machine where the web services will be installed and repeat steps 1 to 4 there.

Warning: Make sure to use the EXACT SAME USERNAME AND PASSWORD for both local accounts.

This doesn't work if the 2 machines are in different forests.


Configure IIS

  1. Open IIS and go to Application Pools.

  2. Now select Add Application Pool.

  3. Fill in an Application Pool name (in this example we went for Webservices) and select OK.

  4. Select the pool and select Advanced Settings.

  5. Modify the Identity: choose Custom account, select Set and enter the local account created before.


Configure the Message Queues

  1. First, install the Message Queuing service on the web server as well.

    1. Do this via Control Panel or with the following PowerShell command:

    Enable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server

  2. Then, on the UCC server, open Computer Management and go to the Private Queues section.

  3. Grant 'Send Message' permission to 'ANONYMOUS LOGON'.

  4. Give the local account created before 'Full Control' permissions. In this example the account name is ucc_support.

  5. You are now finished configuring the external web services.


The following PowerShell scripts can be used instead (they give Full Control permissions to the accounts, for all private queues on the machine):

# Grant ANONYMOUS LOGON Full Control on every private queue on this machine
$account = "ANONYMOUS LOGON"

[Reflection.Assembly]::LoadWithPartialName("System.Messaging")

[System.Messaging.MessageQueue]::GetPrivateQueuesByMachine(".") |% { $_.SetPermissions($account, [System.Messaging.MessageQueueAccessRights]::FullControl,[System.Messaging.AccessControlEntryType]::Set) }

# Grant the local service account Full Control on every private queue on this machine
# (replace local\account with the account created before, e.g. <machine name>\ucc_support)
$account = "local\account"

[Reflection.Assembly]::LoadWithPartialName("System.Messaging")

[System.Messaging.MessageQueue]::GetPrivateQueuesByMachine(".") |% { $_.SetPermissions($account, [System.Messaging.MessageQueueAccessRights]::FullControl,[System.Messaging.AccessControlEntryType]::Set) }
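As an added example (not part of the Anywhere365 documentation), the script below applies the permissions from steps 3 and 4 above to every private queue on the UCC server, but with least privilege: ANONYMOUS LOGON only receives 'Send Message' (MessageQueueAccessRights.WriteMessage) rather than Full Control, while the local service account receives Full Control. The account name ucc_support is the one used in the steps above; adjust it to your own.

```powershell
# Added example: least-privilege queue permissions for the DMZ web server scenario.
Add-Type -AssemblyName System.Messaging

$serviceAccount = "$env:COMPUTERNAME\ucc_support"   # local account from the steps above
$anonymous      = 'ANONYMOUS LOGON'                 # trustee used by the remote (unauthenticated) sender

$queues = [System.Messaging.MessageQueue]::GetPrivateQueuesByMachine('.')
if (-not $queues) { throw 'No private queues found on this machine.' }

foreach ($queue in $queues) {
    # AccessControlEntryType.Set replaces any existing entry for that trustee
    # instead of adding to it, so re-running the script yields the same ACL.
    $queue.SetPermissions($anonymous,
        [System.Messaging.MessageQueueAccessRights]::WriteMessage,
        [System.Messaging.AccessControlEntryType]::Set)

    $queue.SetPermissions($serviceAccount,
        [System.Messaging.MessageQueueAccessRights]::FullControl,
        [System.Messaging.AccessControlEntryType]::Set)

    '{0}: {1} -> WriteMessage, {2} -> FullControl' -f $queue.QueueName, $anonymous, $serviceAccount
}
```

Run it in an elevated Windows PowerShell session on the UCC server; the System.Messaging assembly is not available in PowerShell 7.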