Configure external accessibility


There are many ways to open up part of a system to the world wide web. This is a brief description of the best practice for opening up the Anywhere365 WebChat to the outside world without having to worry that all call detail data will become publicly accessible as well.



The Anywhere365 WebChat consists of two web services:

  1. WebChat - This is the front-end which the customer can use to initiate a chat conversation with the employee.

  2. ChatHub - This is the back-end and takes care of the communication with the UCC service (e.g. for presence information). UCC stands for Unified Contact Center and consists of a queue that can be handled by Agents. Each UCC has its own settings, interactive voice response questions and Agents with specific skills. Agents can be a member of, or sign up to, one or more UCCs.

Best practice offers two ways to implement these web services.


Method 1. (Default) Use a reverse proxy

The web services are installed on the Anywhere365 Application Server and made available to the outside world by using a reverse proxy (similar to the dial-in web page of Skype for Business). Skype for Business is enterprise software from Microsoft that provides users with instant messaging, online meetings, availability information, and audio and video calling. It requires a Skype for Business Server. The Anywhere365 application server is added to the Skype for Business Topology as a Trusted Application Server.

This needs to be done for both the WebChat and the ChatHub URL.


Method 2. Host both web services on a web server in a DMZ.


Before you start: this method only works in the following scenarios:




















WebChat also needs to be already installed on the Application server.


By hosting the web services on a web server in a DMZ, the UCC application server is not directly accessible from outside the network.

The communication between the ChatHub and the UCC takes place via so-called MSMQs (Message Queues). This is a Windows (service) feature which is able to exchange encrypted messages. The advantage of this method is that it also allows 'remote' control, so the queues can be read from and written to remotely. This is even possible from each server. In this particular case we use it to allow communication from the web server (in the DMZ) to the UCC server (inner network).

Not much is needed to get this working. Both servers need to have the Windows Message Queue feature installed. The following firewall ports should be opened (from the web server to the UCC server and vice versa):

  • TCP: 1801

  • RPC: 135, 2101, 2103, 2105

  • UDP: 3527, 1801
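
The port list above can be opened for the other server only, rather than for any source. This is an added example, not part of the Anywhere365 documentation; `$PeerAddress` is a placeholder for the other machine's IP, the rule names are made up here, and the RPC ports are treated as TCP.

```powershell
# Added example: open the MSMQ ports listed on this page, but only for one peer.
# Run on the UCC server with the web server's IP, and on the web server with the
# UCC server's IP. 192.0.2.10 is a documentation placeholder, not a real host.
param(
    [string]$PeerAddress = '192.0.2.10'
)

# Ports exactly as listed above; the RPC ports are TCP.
$rules = @(
    @{ Name = 'MSMQ TCP'; Protocol = 'TCP'; Ports = @(1801) },
    @{ Name = 'MSMQ RPC'; Protocol = 'TCP'; Ports = @(135, 2101, 2103, 2105) },
    @{ Name = 'MSMQ UDP'; Protocol = 'UDP'; Ports = @(3527, 1801) }
)

foreach ($r in $rules) {
    $displayName = "Anywhere365 $($r.Name) from $PeerAddress"
    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue) { continue }
    # -RemoteAddress limits the rule to the peer instead of every source address.
    New-NetFirewallRule -DisplayName $displayName -Direction Inbound -Action Allow `
        -Protocol $r.Protocol -LocalPort $r.Ports -RemoteAddress $PeerAddress | Out-Null
}

# Check from this machine that the peer answers on the TCP ports.
$tcpPorts = 1801, 135, 2101, 2103, 2105
$results = foreach ($port in $tcpPorts) {
    $t = Test-NetConnection -ComputerName $PeerAddress -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; Reachable = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize
```

The same source restriction belongs on the perimeter firewall between the DMZ and the inner network.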

After installing the WebChat and ChatHub web services on the web server, you should configure the ChatHub so that it uses the correct MSMQs.

With a default installation of the WebChat, the following is configured in the appsettings.config of the ChatHub (by default on the UCC server, that is):

<add key="WebChatInputEndpoint" value="msmq://<message queue name>@localhost" />

<add key="WebChatUccEndpoint" value="msmq://<message queue name>@localhost" />

When the ChatHub is on another server, this should be changed to either:

<add key="WebChatInputEndpoint" value="FormatName:DIRECT=OS:<ucc application server FQDN>\private$\<message queue name>" />

<add key="WebChatUccEndpoint" value="FormatName:DIRECT=OS:<ucc application server FQDN>\private$\<message queue name>" />

or:

<add key="WebChatInputEndpoint" value="FormatName:DIRECT=TCP:<ucc application server IP>\private$\<message queue name>" />

<add key="WebChatUccEndpoint" value="FormatName:DIRECT=TCP:<ucc application server IP>\private$\<message queue name>" />
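
A quick way to check the two endpoint keys on the DMZ web server before starting the ChatHub. This is an added example, not Anywhere365 code; the XML is a constructed sample, and the host, IP and queue names in it are placeholders.

```powershell
# Added example: validate the ChatHub endpoint values described above.
# Constructed sample; replace with (Get-Content <path to appsettings.config>) in practice.
$sample = @'
<appSettings>
  <add key="WebChatInputEndpoint" value="FormatName:DIRECT=OS:ucc01.example.internal\private$\sample_input_queue" />
  <add key="WebChatUccEndpoint" value=" FormatName:DIRECT=TCP:192.0.2.10\private$\sample_ucc_queue" />
</appSettings>
'@

function Test-ChatHubEndpoint {
    param([xml]$Config)
    $pattern = '^FormatName:DIRECT=(OS|TCP):([^\\]+)\\private\$\\[^\\]+$'
    foreach ($key in 'WebChatInputEndpoint', 'WebChatUccEndpoint') {
        $node = $Config.SelectSingleNode("//add[@key='$key']")
        $value = $null
        $problem = $null
        if ($null -eq $node) {
            $problem = 'key missing'
        } else {
            $value = $node.GetAttribute('value')
            if ($value -ne $value.Trim()) {
                # A stray space in front of "FormatName:" is an easy copy/paste mistake.
                $problem = 'leading or trailing whitespace in value'
            } elseif ($value -match '@localhost$') {
                $problem = 'still points at a queue on the local machine'
            } elseif ($value -notmatch $pattern) {
                $problem = 'not a DIRECT=OS or DIRECT=TCP private queue format name'
            } elseif ($Matches[1] -eq 'TCP') {
                # DIRECT=TCP takes an IP address, DIRECT=OS takes a host name.
                $ip = $null
                if (-not [System.Net.IPAddress]::TryParse($Matches[2], [ref]$ip)) {
                    $problem = 'DIRECT=TCP needs an IP address, use DIRECT=OS for a name'
                }
            }
        }
        [pscustomobject]@{ Key = $key; Value = $value; Problem = $problem }
    }
}

Test-ChatHubEndpoint -Config ([xml]$sample) | Format-List
```

With the sample above, the first key reports no problem and the second is flagged for the space in front of `FormatName:`.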

Of course, you should also pay attention to the IIS configuration. This can also be done in many ways.

We suggest using Microsoft TMG (or any other proxy server) to determine which traffic needs to be allowed (and which not).


Create the local service accounts

  1. On the UCC server. Go to Computer Management

  2. Now go to Local Users and Groups

  3. Create a new local user and give it a username and password

  4. Now go to Groups and add this user to the local administrators group

  5. Now, go to the machine where the web services will be installed and repeat steps 1 to 4.

    Warning: Make sure to use the EXACT SAME USERNAME AND PASSWORD for both the local accounts.

    This doesn't work if the 2 machines are in different forests.


Configure IIS

  1. Open IIS and go to Application Pools.

  2. Now select: Add Application Pool

  3. Fill in an Application Pool name (in this example we went for Webservices) and select OK.

  4. Select the pool and select Advanced Settings

  5. Modify the Identity, choose Custom account and select Set.
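
The local account steps and the application pool steps above can also be scripted. This is an added example, not part of the Anywhere365 documentation; the account name `ucc_support` and pool name `Webservices` are the example names used on this page, and the `-WebServer` switch is made up here to separate the two machines.

```powershell
# Added example: create the matching local account and the application pool.
# Run without switches on the UCC server, and with -WebServer on the web server.
param(
    [string]$AccountName = 'ucc_support',   # example name from this page
    [string]$PoolName    = 'Webservices',   # example name from this page
    [switch]$WebServer
)

# Type the same password on both machines; it is never written to disk here.
$password = Read-Host -Prompt "Password for $AccountName" -AsSecureString

# Local account (both machines).
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AccountName -Password $password `
        -Description 'Anywhere365 WebChat MSMQ account' | Out-Null
}

# S-1-5-32-544 is the built-in local Administrators group on any language version.
$adminSid = 'S-1-5-32-544'
$member = Get-LocalGroupMember -SID $adminSid |
    Where-Object { $_.Name -like "*\$AccountName" }
if (-not $member) { Add-LocalGroupMember -SID $adminSid -Member $AccountName }

# Application pool with a custom identity (web server only).
if ($WebServer) {
    Import-Module WebAdministration
    if (-not (Test-Path "IIS:\AppPools\$PoolName")) {
        New-WebAppPool -Name $PoolName | Out-Null
    }
    # IIS stores the credential itself, so the plain text is needed for this one call.
    $plain = [System.Net.NetworkCredential]::new('', $password).Password
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel `
        -Value @{ userName = $AccountName; password = $plain; identityType = 3 }  # 3 = SpecificUser
    Remove-Variable plain

    # Show which identity the pool now runs as.
    (Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel).userName
}
```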


Configure the Message Queues

  1. First, install the Message Queuing service on the web server as well.

    Do this via Control Panel or with the following PowerShell command:

    Enable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server

  2. Then, on the UCC server, open Computer Management and go to the Private Queues section:

  3. Provide ‘Send Message’ permissions to ‘ANONYMOUS LOGON’ to the following queues:




  4. Give the local account (created before) ‘Full Control’ permissions. In this example the account's name is ucc_support.




  5. You are now finished with configuring the external web services.