Install Server Components

In this section, we'll detail how to install and configure required server components. Consider your network and determine where you would like which components of Privileged Identity to be installed. Then follow the steps below for each installation, including the components required to fulfill the server's purpose.

Note: To enable Remote COM access, please follow the instructions below as well as Further Steps to Enable Remote COM Access.

Use PowerShell to Install Required Server Components on Windows Server 2016 or 2012

To enable Remote IIS Management using the PowerShell command line interface, enter the following line:

Install-WindowsFeature Web-Mgmt-Console

In the command above, Web-Mgmt-Console is the IIS Management Console feature required to manage IIS on Windows Server.

To enable Remote COM Access using PowerShell, enter:

Install-WindowsFeature AS-Ent-Services

To enable Web App Hosting using PowerShell, enter:

Install-WindowsFeature Web-Default-Doc,Web-Http-Errors,Web-Static-Content,Web-Http-Redirect,Web-Http-Logging,Web-Stat-Compression,Web-Windows-Auth,Web-Asp-Net45,Web-Net-Ext45,Web-ASP,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Mgmt-Console

In the command above, Web-Windows-Auth is an optional parameter which enables the web service to support Integrated Windows Authentication.

To enable Web Service Hosting using PowerShell, enter:

Install-WindowsFeature AS-Http-Activation,Web-Windows-Auth

In the command above, Web-Windows-Auth is an optional parameter which enables the web service to support Integrated Windows Authentication.

Note: If you want more than one feature on the same system, you may combine the parameters in one line. For example:

Install-WindowsFeature Web-Mgmt-Console,AS-Ent-Services,AS-Http-Activation,Web-Windows-Auth

Use the GUI to Install Required Server Components on Windows Server 2016 or 2012

To install server requirements using the user interface:

Server Manager Dashboard

  1. On each host server, open Server Manager.
  2. From the dashboard, click Add roles and features.

Before You Begin

  1. On Before You Begin, click Next.

Select Installation Type

  1. On Installation Type, select Role-based or feature-based installation. Click Next.

Select Destination Server

  1. On Server Selection, select your host server (or remote host server if managing a core installation) and click Next.

Select Server Roles

  1. On Server Roles, select components to install based on how this server will be used.
    1. To enable Remote IIS Management and/or Web App Hosting, select Web Server (IIS).
    2. To enable Remote COM Access and/or Web Service Hosting, select Application Server.

Note: If any of the above selections prompts you to add required features or services, do so.

  1. Click Next.
  2. On Features, click Next.
  3. On Web Server Role (IIS), click Next.
  4. On Role Services, select components to install based on how this server will be used.
    • For Remote IIS Management, select Management Tools > IIS Management Console to manage IIS.
    • For Web Service Hosting, select Web Server > Security > Windows Authentication to support Integrated Windows Authentication.
    • For Web App Hosting, select:
      • Common HTTP Features
        • Default Document
        • HTTP Errors
        • Static Content
        • HTTP Redirection
      • Health and Diagnostics > HTTP Logging - (Optional) Used for troubleshooting
      • Performance > Static Content Compression
      • Security - Items are optional unless needed for your use case
        • Request Filtering - Allows you to restrict clients from making certain requests of the web server, such as limiting the size of requests or prohibiting access to certain URLs.
        • Client Certificate Mapping Authentication - Install if users are provisioned user certificates via Active Directory and if user-certificate-based authentication is required. This requires additional IIS configuration.

          For more information, see Configure SSL on IIS.

        • IIS Client Certificate Mapping Authentication - Install if users are provisioned user certificates and if mapping and certificate authentication should be performed in IIS rather than Active Directory. This requires additional IIS configuration.

          For more information, see Configure SSL on IIS.

        • IP and Domain Restrictions - Allows you to restrict source IP addresses and domain names from making requests of the web server.
        • URL Authorization - Allows you to restrict URLs and HTTP methods. This can increase security when used in conjunction with Integrated Windows Authentication.
        • Windows Authentication - Allows you to use Integrated Windows Authentication. This may require additional IIS configuration.
      • Application Development
        • .NET Extensibility 4.5
        • ASP
        • ASP.NET 4.5
        • ISAPI Extensions
        • ISAPI Filters
      • Management Tools > IIS Management Console

      Note: If any of the above selections prompts you to add required features or services, do so.

  5. Click Next.
  6. On Application Server, click Next.
  7. On Role Services, select components to install based on how this server will be used.
    1. For Remote COM Access, select COM Network Access.
    2. For Web Service Hosting, select Windows Process Activation Service Support > HTTP Activation.

      Note: If any of the above selections prompts you to add required features or services, do so.

  8. Click Next.
  9. On Confirmation, validate your selections, and optionally check Restart the destination server automatically if required.
  10. Click Install.
  11. After installation, you must restart any management consoles, deferred processors, and/or zone processors which were running when this process began. In Server Manager, also restart any stopped services.
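The PowerShell commands earlier in this section and the GUI walkthrough above install the same feature set, one purpose at a time. The following added script (written for this page, not part of the product or its documentation) groups the page's feature names by server purpose, installs only what is missing, and then verifies that every requested feature reports as installed. The function name and the $RoleFeatures mapping are assumptions introduced here; the feature names are the ones given in this section. Run it in an elevated PowerShell session on the host server.

```powershell
# Added example, not from the product documentation: install the server
# components listed in this section by purpose, then verify the result.
# Run elevated on Windows Server 2012/2016.
Import-Module ServerManager

# Map each server purpose to the Windows features this section lists for it.
$RoleFeatures = @{
    'RemoteIisManagement' = @('Web-Mgmt-Console')
    'RemoteComAccess'     = @('AS-Ent-Services')
    'WebAppHosting'       = @('Web-Default-Doc', 'Web-Http-Errors', 'Web-Static-Content',
                              'Web-Http-Redirect', 'Web-Http-Logging', 'Web-Stat-Compression',
                              'Web-Windows-Auth', 'Web-Asp-Net45', 'Web-Net-Ext45', 'Web-ASP',
                              'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Mgmt-Console')
    'WebServiceHosting'   = @('AS-Http-Activation', 'Web-Windows-Auth')
}

function Install-PiServerComponents {
    param(
        # One or more keys of $RoleFeatures, for example 'WebAppHosting','RemoteComAccess'.
        [Parameter(Mandatory)][string[]]$Purpose,
        # Web-Windows-Auth is optional; omit it when Integrated Windows Authentication is not used.
        [switch]$SkipWindowsAuth
    )
    foreach ($p in $Purpose) {
        if (-not $RoleFeatures.ContainsKey($p)) { throw "Unknown purpose '$p'" }
    }

    # Build a de-duplicated feature list (Web-Mgmt-Console and Web-Windows-Auth
    # appear under more than one purpose).
    $features = $Purpose | ForEach-Object { $RoleFeatures[$_] } | Sort-Object -Unique
    if ($SkipWindowsAuth) { $features = @($features | Where-Object { $_ -ne 'Web-Windows-Auth' }) }

    # Install only what is missing; Install-WindowsFeature adds required sub-features itself.
    $missing = @(Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed })
    if ($missing.Count -gt 0) {
        $result = Install-WindowsFeature -Name $missing.Name -IncludeManagementTools
        if ($result.RestartNeeded -eq 'Yes') {
            Write-Warning 'A restart is required to complete the installation.'
        }
    }

    # Verify: fail loudly if any requested feature is still not installed.
    $stillMissing = @(Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed })
    if ($stillMissing.Count -gt 0) {
        throw "Features not installed: $($stillMissing.Name -join ', ')"
    }
    Write-Output "All features installed: $($features -join ', ')"
}

# Usage: a host that serves the web app and is managed over Remote COM.
Install-PiServerComponents -Purpose 'WebAppHosting', 'RemoteComAccess'
```

Because the script reads the feature state before and after installing, it can be re-run safely on a host that was already configured through the GUI, and the final check catches the case where Server Manager reports success but a feature was left pending a restart.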

Further Steps to Enable Remote COM Access

Privileged Identity requires Remote COM to discover and manage COM applications on remote systems, as well as to push the web app and the web service to remote systems.

In each of these cases, if Remote COM access is disabled on the target system, Privileged Identity will fail to perform the requested function and will log an error message.

In addition to enabling Remote COM access, you must ensure that your firewall permits the required traffic from the management console host system and zone processor host systems, or a similar error will occur.

Rule                Program to Allow                        Local Address  Remote Address  Protocol  Local Port       Remote Port
COM In              %systemroot%\system32\dllhost.exe       Any            Host IP         Any       Any              Any
COM Port Mapper In  Any                                     Any            Host IP         TCP       135              Any
IIS In              %windir%\system32\inetsrv\inetinfo.exe  Any            Host IP         Any       Ephemeral Ports  Any
COM Port Mapper In  Any                                     Any            Host IP         TCP       135              Any

Unless otherwise configured, communication begins on port 135 (RPC Port Mapper), which then negotiates a target ephemeral port through which Privileged Identity performs the requested work. Ephemeral port ranges are initially determined by Microsoft and are specific to the target Windows system. However, administrators may change these ports.
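The table above lists the inbound rules as "Any" remote address. The following added example (written for this page, not part of the product or its documentation) creates the same rules with New-NetFirewallRule but scopes them to the management console and zone processor host addresses, and reads the target system's current dynamic (ephemeral) TCP port range so the IIS rule covers only those ports. The function name, the rule display names and the addresses in $ManagementHosts are assumptions introduced here; replace the addresses with your own. The page's IIS row allows any protocol; the example narrows it to TCP because the ephemeral ports are negotiated over TCP after the port-mapper exchange. Run elevated on the target server.

```powershell
# Added example, not from the product documentation: create the inbound
# firewall rules from the table above, restricted to known source hosts.
# Constructed sample addresses for the management console and zone processor hosts.
$ManagementHosts = @('10.0.0.10', '10.0.0.11')

function Get-DynamicTcpPortRange {
    # Returns the current ephemeral TCP range as "start-end", as configured on this system
    # (administrators may have changed it from the Windows default).
    $tcp = Get-NetTCPSetting | Select-Object -First 1
    $start = $tcp.DynamicPortRangeStartPort
    $end   = $start + $tcp.DynamicPortRangeNumberOfPorts - 1
    return "$start-$end"
}

function Add-PiRemoteComFirewallRules {
    param(
        # Source addresses allowed to reach COM and IIS on this host.
        [Parameter(Mandatory)][string[]]$RemoteAddress,
        [ValidateSet('Domain', 'Private', 'Public', 'Any')][string]$FirewallProfile = 'Domain'
    )
    # Settings shared by all three rules.
    $common = @{
        Direction     = 'Inbound'
        Action        = 'Allow'
        Profile       = $FirewallProfile
        RemoteAddress = $RemoteAddress
    }

    # COM In: dllhost.exe hosts the COM+ application; any protocol and port, limited by source address.
    New-NetFirewallRule -DisplayName 'PI COM In' `
        -Program "$env:SystemRoot\system32\dllhost.exe" @common

    # COM Port Mapper In: the RPC endpoint mapper on TCP 135, where each DCOM exchange begins.
    New-NetFirewallRule -DisplayName 'PI COM Port Mapper In' `
        -Protocol TCP -LocalPort 135 @common

    # IIS In: inetinfo.exe on the ephemeral ports negotiated through the port mapper.
    New-NetFirewallRule -DisplayName 'PI IIS In' `
        -Program "$env:windir\system32\inetsrv\inetinfo.exe" `
        -Protocol TCP -LocalPort (Get-DynamicTcpPortRange) @common
}

# Usage: create the rules, then list them with their address filters for review.
Add-PiRemoteComFirewallRules -RemoteAddress $ManagementHosts | Out-Null
Get-NetFirewallRule -DisplayName 'PI *' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    "{0}: remote {1}" -f $_.DisplayName, ($addr.RemoteAddress -join ', ')
}
```

Restricting RemoteAddress to the hosts that actually run the management console and zone processors keeps the port-mapper and ephemeral-port exposure limited to those systems, which is the only traffic the text above says is required. If the dynamic port range is later changed on the target, re-run the script so the IIS rule follows it.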

Note: While the sections above detail how to enable Remote COM access using PowerShell or the GUI, you may also enable Remote COM by modifying the registry:

  1. Run regedit.exe.
  2. Select the subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3.
  3. Right-click the DWORD value Remote Access Enabled, and then select Modify.
  4. In the Edit DWORD Value dialog, type 1, and then click OK.
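The registry steps above can also be scripted and, more usefully, audited. The following added example (written for this page, not part of the product or its documentation) reads the COM3 value, enables it only if it is not already set, and cross-checks it against the AS-Ent-Services feature installed in the PowerShell section. The function names are assumptions introduced here; the registry value the steps above call "Remote Access Enabled" is stored under the name RemoteAccessEnabled. Run elevated.

```powershell
# Added example, not from the product documentation: check and enable the
# Remote COM access registry value described in the steps above.
$Com3Key   = 'HKLM:\SOFTWARE\Microsoft\COM3'
$ValueName = 'RemoteAccessEnabled'   # the "Remote Access Enabled" DWORD in the steps above

function Get-RemoteComAccess {
    # Returns $true when Remote COM access is enabled; a missing value counts as disabled.
    $v = Get-ItemProperty -Path $Com3Key -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.$ValueName -eq 1)
}

function Enable-RemoteComAccess {
    if (Get-RemoteComAccess) {
        Write-Output 'Remote COM access is already enabled.'
        return
    }
    # Same effect as the Edit DWORD Value dialog: create or overwrite the DWORD with 1.
    New-ItemProperty -Path $Com3Key -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output 'Remote COM access enabled; restart management consoles and zone processors that were running.'
}

function Test-RemoteComConfiguration {
    # Report both halves of the configuration so a mismatch is visible:
    # the registry value and the COM+ Network Access role service (AS-Ent-Services).
    $feature = Get-WindowsFeature -Name 'AS-Ent-Services'
    [pscustomobject]@{
        RegistryEnabled       = Get-RemoteComAccess
        ComNetworkAccessRole  = [bool]$feature.Installed
    }
}

Enable-RemoteComAccess
Test-RemoteComConfiguration
```

Running Test-RemoteComConfiguration on each target before a discovery or push job gives a quick way to tell a firewall problem from a disabled-Remote-COM problem when Privileged Identity logs the error described above.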