PART 1

1. Copy the rSTS folder from the main Password Manager server to the DMZ server, into a folder that is not part of the installed PMSelfService site, such as C:\rsts.
2. Navigate to C:\rsts.
3. Delete rsts.config.bin.
4. Edit rsts.exe.config with Notepad:
   • Search for <source type= and ensure that the key reads:
     <source type="SlaveConfigProvider">
     This ensures that the configuration matches the originally configured providers.
   • Next, look for:
     <slaveConfigProvider backingConfigProviderType="FileConfigProvider" masterUrl
     Fill in the masterUrl key so that it points to the internal Password Manager rSTS server, such as:
     masterUrl="https://<internalPMhost-resolvable.fqdn>:20000"
5. Save the file and close Notepad.
6. Open a Command Prompt as Administrator and navigate to C:\rsts.
7. Execute: rsts.exe /install
8. Open IIS.
9. Create a binding on the default site for HTTPS on port 20000, using a valid certificate that matches the DMZ host's FQDN.
10. Restart the server.
PART 2

1. On the internal PMAdmin site, create the appropriate forwarder range to make sure that external hosts use the DMZ rSTS service.
   Forwarding can be verified by selecting popup mode (not iframe) and comparing the redirect address, as shown here:
2. Ensure the rSTS settings match the firewall rules from the DMZ host to the internal network.
   Required communication includes:
   - Password Manager server access from PMSelfService in the DMZ (port 8081 by default, but refer to the PMAdmin site's reinitialization page for confirmation)
   - DNS (port 53) to the domain
   - SSL communication to the Domain Controller, destination ports 636 and 3269
   - If Kerberos is selected in the provider configuration, also allow destination port 88 to the Domain Controller
   - If no specific DC is selected, leave the servers list empty and allow the communication listed above to all Domain Controllers.
Example:
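As an added post-install check that is not part of the article, the following PowerShell script verifies the Part 1 configuration (rsts.config.bin removed, SlaveConfigProvider and an HTTPS masterUrl on port 20000 in rsts.exe.config, an HTTPS binding on 20000 whose certificate covers the DMZ FQDN) and the Part 2 reachability requirements from the DMZ host. The host names, the C:\rsts path, the $UseKerberos flag and the assumption that rsts.exe.config is plain XML without a default namespace are placeholders and assumptions, not values from the article.

```powershell
# Placeholders (assumptions, replace with real values):
$RstsDir     = 'C:\rsts'
$DmzFqdn     = 'pm-dmz.example.com'        # FQDN the DMZ certificate must cover
$PmHost      = 'pm-internal.example.com'   # internal Password Manager / rSTS server
$DcHost      = 'dc01.example.com'          # a Domain Controller the DMZ host must reach
$UseKerberos = $true                       # set according to the provider configuration
$Problems    = New-Object System.Collections.Generic.List[string]

# Part 1, step 3: rsts.config.bin must have been deleted from the copied folder.
if (Test-Path (Join-Path $RstsDir 'rsts.config.bin')) {
    $Problems.Add("rsts.config.bin still present in $RstsDir")
}

# Part 1, step 4: SlaveConfigProvider plus an https masterUrl on port 20000 (plain XML assumed).
[xml]$Cfg = Get-Content (Join-Path $RstsDir 'rsts.exe.config')
if (-not $Cfg.SelectSingleNode('//source[@type="SlaveConfigProvider"]')) {
    $Problems.Add('<source type="SlaveConfigProvider"> not found in rsts.exe.config')
}
$Slave = $Cfg.SelectSingleNode('//slaveConfigProvider')
if (-not $Slave) {
    $Problems.Add('<slaveConfigProvider> element not found in rsts.exe.config')
} elseif ($Slave.GetAttribute('masterUrl') -notmatch '^https://[^/:]+:20000/?$') {
    $Problems.Add('masterUrl must be https://<internal rSTS host>:20000, got: ' + $Slave.GetAttribute('masterUrl'))
}

# Part 1, step 9: HTTPS binding on 20000 whose certificate covers the DMZ FQDN and is still valid.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 20000)) {
    $Problems.Add('Default Web Site has no HTTPS binding on port 20000')
} else {
    $Ssl  = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 20000 }
    $Cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Ssl.Thumbprint }
    if (-not $Cert -or $Cert.DnsNameList.Unicode -notcontains $DmzFqdn -or $Cert.NotAfter -lt (Get-Date)) {
        $Problems.Add("Certificate bound to port 20000 does not cover $DmzFqdn or has expired")
    }
}

# Part 2, step 2: required outbound paths from the DMZ host. Only TCP reachability is probed;
# DNS (port 53) is checked by resolving the internal host rather than by testing UDP.
$Targets = @(@{Host=$PmHost; Port=8081}, @{Host=$DcHost; Port=636}, @{Host=$DcHost; Port=3269})
if ($UseKerberos) { $Targets += @{Host=$DcHost; Port=88} }
if (-not (Resolve-DnsName -Name $PmHost -ErrorAction SilentlyContinue)) {
    $Problems.Add("DNS resolution of $PmHost failed (check port 53 to the domain)")
}
foreach ($t in $Targets) {
    if (-not (Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue).TcpTestSucceeded) {
        $Problems.Add("TCP $($t.Host):$($t.Port) is unreachable from the DMZ host")
    }
}
if ($Problems.Count -eq 0) { 'rSTS DMZ checks passed' } else { $Problems | ForEach-Object { "FAIL: $_" } }
```

Run it in an elevated PowerShell session on the DMZ host after step 10; a non-empty FAIL list points at the step of Part 1 or the firewall rule of Part 2 that still needs attention.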