Manually Configuring Forms in a DMZ
This document provides the details necessary to manually configure Forms servers for use in perimeter networks or DMZ arrangements.
Notes:
- If all your servers are within the same domain, then no changes to security modes are required. Changing the security mode is only required when there are servers in a DMZ. Keep in mind what the change means: a netTcpBinding with security mode None carries neither transport encryption nor Windows authentication on that WCF channel, so the firewall rules for the net.tcp ports listed below should allow only the DMZ Forms server and the internal Forms server to reach each other (see Firewall Considerations).
- For configurations that use two Forms servers, the emails that communicate user task notifications by default will link to tasks on the internal Forms server. If you want your email notifications to link to the Forms server in the DMZ, you should manually alter the value of FormsHostEmailOverride in the cf_options table in the Forms database. Set the value of this option to http://DMZFormsServer/Forms/ to ensure that links in email notifications lead to the public-facing Forms server.
Standard DMZ Configuration: Two Forms Servers, One SQL Server
To configure the DMZ Forms server
In these instructions, you will configure the DMZ Forms server to point to the various servers in the internal network and disable the DMZ Forms server's routing service. Before carrying out these instructions, configure the internal Forms server according to the usual instructions.
Where applicable, the instructions will indicate steps that apply to only one method of authentication.
- Open the Forms configuration site on the DMZ Forms server.
- On the Database tab, configure the DMZ Forms server to connect to your internal Forms server's SQL database.
- On the Forms Server tab, verify that the configuration matches the Forms Server tab configuration of the internal server.
Note: The Forms configuration site will not be able to validate these settings if the firewall is not configured to allow traffic between the DMZ Forms server and the internal network. See Firewall Considerations for more information.
- Find the EndpointUtility.exe program in the Forms installation folder. By default it is in C:\Program Files\Laserfiche\Laserfiche Forms\Forms\bin. Open EndpointUtility.exe, and configure the endpoints as follows:
- Enter the Forms installation path. By default, this is C:\Program Files\Laserfiche\Laserfiche Forms.
- For Laserfiche Directory Server Address, enter the fully qualified domain name for the Laserfiche Directory Server.
- Select Use Alternative Service. Select Certificate as the security mode. From the list of certificates presented, choose the certificate that belongs to the Laserfiche Directory Server.
- Click Save to update all related configuration files.
- Browse to the DMZ Forms server installation folder and open the Web.config file for the Forms configuration site. By default, the file path is C:\Program Files\Laserfiche\Laserfiche Forms\Config\Web.config
- Locate the WCF client configuration block. For the lfrouting endpoint, change the localhost reference to point to your internal Forms server. In the following sample, replace localhost in the address attribute with the internal Forms server's name:
<endpoint address="net.tcp://localhost:8168/lfrouting"
binding="netTcpBinding" bindingConfiguration="timeoutBinding"
contract="Laserfiche.Forms.Routing.IRoutingEngineService" name="" />
- Locate the <netTcpBinding> configuration block. Change the security mode from Transport to None, as in the following sample:
<netTcpBinding>
<binding name="timeoutBinding" receiveTimeout="00:20:00"
sendTimeout="00:20:00" openTimeout="00:20:00"
closeTimeout="00:20:00">
<security mode="None" />
</binding>
</netTcpBinding>
- Browse to the DMZ Forms server installation folder and open the Web.config file for Forms. By default, the file path is: C:\Program Files\Laserfiche\Laserfiche Forms\Forms\Web.config. Then modify this file according to the following steps.
- Locate the WCF client configuration block. For the lfrouting, lfpushnotification, lfautotrigger, lfformexport, attachmentTransfer, and lfinstance endpoints, change the localhost references to point to your internal Forms server. In the following sample, replace localhost in each address attribute with the internal Forms server's name:
<endpoint
address="net.tcp://localhost:8168/lfrouting"
binding="netTcpBinding"
bindingConfiguration="timeoutBinding"
contract="Laserfiche.Forms.Routing.IRoutingEngineService"
name="" />
<endpoint
address="net.tcp://localhost:8268/lfpushnotification"
binding="netTcpBinding"
bindingConfiguration="timeoutBinding"
contract="Laserfiche.PushNotificationService.SharedContracts.IPushNotificationService"
name="" />
<endpoint
address="net.tcp://localhost:8732/lfautotrigger"
binding="netTcpBinding"
bindingConfiguration="timeoutBinding"
contract="FormsModel.SharedContracts.IAutoTrigger"
name="" />
<endpoint
address="net.tcp://localhost:8736/lfformexport"
binding="netTcpBinding"
bindingConfiguration="timeoutBinding"
contract="FormsModel.SharedContracts.IFormExportService"
name="" />
<endpoint
address="net.tcp://localhost:8170/attachmentTransfer"
binding="netTcpBinding"
bindingConfiguration="timeoutBindingStreamed"
contract="FormsModel.SharedContracts.IAttachmentTransferService"
name="" />
<endpoint
address="net.tcp://localhost:8176/lfinstance"
binding="netTcpBinding"
bindingConfiguration="timeoutBinding"
contract="Laserfiche.Forms.Routing.IInstanceProcessing"
name="" />
- If you are using the Laserfiche Directory Server STS:
- Locate the wsFederation node. It should begin with the string <wsFederation persistentCookiesOnPassiveRedirects=.
- In the wsFederation node, change the realm and reply attributes to the address of the DMZ Forms server.
- In the same node, change the issuer attribute to the address of the Laserfiche Directory Server STS in the internal network.
- Locate the netTcpBinding "timeoutBinding" configuration block. Change the security mode from Transport to None, as in the following sample:
<netTcpBinding>
<binding name="timeoutBinding" receiveTimeout="00:59:00"
sendTimeout="00:59:00" openTimeout="00:59:00"
closeTimeout="00:59:00">
<security mode="None" />
</binding>
</netTcpBinding>
- Locate the <appSettings> configuration block. To use a file storage volume for attachments, change the EnableAttachmentTransfer flag to true, as in the following sample:
<appSettings>
<add key="EnableAttachmentTransfer" value="true" />
</appSettings>
- Locate the netTcpBinding "timeoutBindingStreamed" configuration block. Change the security mode from Transport to None, as in the following sample:
<netTcpBinding>
<binding name="timeoutBindingStreamed"
transferMode="Streamed" closeTimeout="00:59:00"
openTimeout="00:59:00" receiveTimeout="00:59:00"
sendTimeout="00:59:00"
maxReceivedMessageSize="2147483647">
<security mode="None" />
</binding>
</netTcpBinding>
- Optional: If desired, the DMZ Forms server can be configured to use the internal routing service for executing lookup rules. To enable this feature, make the following two additional changes in the WCF client configuration and app settings:
- WCF client configuration: Change the localhost reference for the lookup endpoint to point to the internal Forms server. In the following sample, replace localhost in the address attribute with the internal Forms server's name:
<endpoint address="net.tcp://localhost:8174/lookup"
binding="netTcpBinding" bindingConfiguration="timeoutBinding"
contract="FormsModel.SharedContracts.IRoutingLookupService" name=""
/>
- <appSettings> configuration block: Change the EnableRoutingLookupProxy flag to true, as in the following sample:
<appSettings>
<add key="EnableRoutingLookupProxy" value="true" />
</appSettings>
- Open the Windows Services Microsoft Management Console (MMC) snap-in.
- View the properties of the Laserfiche Forms Routing Service to Stop the service and change the startup type to Disabled.
- View the properties of the Laserfiche Notification Hub Service to Stop the service and change the startup type to Disabled.
- View the properties of the Laserfiche Notification Master Service to Stop the service and change the startup type to Disabled.
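The DMZ-side edits above, carried out as an added PowerShell example. This is not Laserfiche's own tooling and is not from the original page: it rewrites the localhost net.tcp endpoint addresses and switches the named netTcpBinding security modes to None in one config file, keeps a backup, and then stops and disables the three local services. The install paths, endpoint names and binding names are the defaults from this page; INTERNAL-FORMS is a placeholder host name, and the service display names are assumed to match the names used in the steps above. The wsFederation and EnableAttachmentTransfer edits are still made by hand.

```powershell
# Added example (not Laserfiche's own tooling): apply the DMZ-side config edits above.
# Assumptions: default install paths from this page; INTERNAL-FORMS is a placeholder
# host name; the service display names match the names used in the steps above.

function Set-FormsDmzConfig {
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,
        [Parameter(Mandatory)] [string] $InternalServer,
        # net.tcp endpoint paths whose address must leave localhost for the internal server
        [string[]] $Endpoints = @('lfrouting', 'lfpushnotification', 'lfautotrigger',
                                  'lfformexport', 'attachmentTransfer', 'lfinstance'),
        # netTcpBinding names whose <security mode> is switched from Transport to None
        [string[]] $Bindings  = @('timeoutBinding', 'timeoutBindingStreamed')
    )
    # Keep a timestamped backup so the edit can be reverted
    $backup = "${ConfigPath}.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -Path $ConfigPath -Destination $backup

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true      # keep the file's original layout
    $xml.Load($ConfigPath)
    $changed = 0

    # <system.serviceModel><client><endpoint address="net.tcp://localhost:PORT/PATH" .../>
    foreach ($ep in $xml.SelectNodes('//client/endpoint')) {
        $addr = $ep.GetAttribute('address')
        if ($addr -match '^net\.tcp://localhost:(?<port>\d+)/(?<path>[^/]+)$' -and
            $Endpoints -contains $Matches.path) {
            $ep.SetAttribute('address', "net.tcp://${InternalServer}:$($Matches.port)/$($Matches.path)")
            $changed++
        }
    }

    # <bindings><netTcpBinding><binding name="..."><security mode="..."/>
    foreach ($b in $xml.SelectNodes('//bindings/netTcpBinding/binding')) {
        if ($Bindings -notcontains $b.GetAttribute('name')) { continue }
        $sec = $b.SelectSingleNode('security')
        if (-not $sec) { $sec = $b.AppendChild($xml.CreateElement('security')) }
        if ($sec.GetAttribute('mode') -ne 'None') {
            $sec.SetAttribute('mode', 'None')
            $changed++
        }
    }

    $xml.Save($ConfigPath)
    Write-Host "$ConfigPath : $changed element(s) changed (backup: $backup)"
}

function Disable-FormsDmzServices {
    # The DMZ server must not run its own routing or notification services
    param([string[]] $DisplayNames = @('Laserfiche Forms Routing Service',
                                       'Laserfiche Notification Hub Service',
                                       'Laserfiche Notification Master Service'))
    foreach ($name in $DisplayNames) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "Service '$name' not found"; continue }
        Stop-Service -InputObject $svc -Force
        Set-Service  -InputObject $svc -StartupType Disabled
    }
}

$root = 'C:\Program Files\Laserfiche\Laserfiche Forms'
# Configuration site: only lfrouting and timeoutBinding live in this file
Set-FormsDmzConfig -ConfigPath "$root\Config\Web.config" -InternalServer 'INTERNAL-FORMS' `
                   -Endpoints @('lfrouting') -Bindings @('timeoutBinding')
# Forms site: all six endpoints and both bindings
Set-FormsDmzConfig -ConfigPath "$root\Forms\Web.config" -InternalServer 'INTERNAL-FORMS'
Disable-FormsDmzServices
```

Run it from an elevated PowerShell session on the DMZ Forms server. Matching endpoints by their path segment rather than by a blanket localhost replacement keeps any other localhost endpoint in the file untouched, and the backup file makes a rollback a single Copy-Item.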
To configure the internal Forms server
- Browse to the internal Forms server installation folder and open the Web.config file. By default, the file path is: C:\Program Files\Laserfiche\Laserfiche Forms\Forms\Web.config
- Locate the netTcpBinding "timeoutBinding" configuration block. Change the security mode from Transport to None, as in the following sample:
<netTcpBinding>
<binding name="timeoutBinding" receiveTimeout="00:59:00" sendTimeout="00:59:00" openTimeout="00:59:00" closeTimeout="00:59:00">
<security mode="None" />
</binding>
</netTcpBinding>
- Browse to the internal Forms server installation folder and open the RoutingEngineServiceHost.exe.config file. By default, the file path is: C:\Program Files\Laserfiche\Laserfiche Forms\Forms\bin\RoutingEngineServiceHost.exe.config
- Locate the netTcpBinding configuration block. For both timeoutBinding and timeoutBindingStreamed, change the security mode from Transport to None, as in the following sample:
<netTcpBinding>
<binding name="timeoutBinding" receiveTimeout="00:59:00" sendTimeout="00:59:00" openTimeout="00:59:00" closeTimeout="00:59:00" maxReceivedMessageSize="200000000">
<security mode="None" />
</binding>
<binding name="timeoutBindingStreamed" transferMode="Streamed" closeTimeout="00:59:00" openTimeout="00:59:00" receiveTimeout="00:59:00" sendTimeout="00:59:00" maxReceivedMessageSize="2147483647">
<security mode="None" />
</binding>
</netTcpBinding>
Note: Verify that the security mode for userSyncClient (C:\Program Files\Laserfiche\Laserfiche Forms\Forms\bin\UserSyncClient.exe.config) and the routing engine (RoutingEngineServiceHost.exe.config) use the same mode when configuring the DMZ and internal Forms servers. A client binding and the service binding it talks to must agree; if one side is left at Transport while the other is None, the net.tcp connection fails.
- Browse to the Web.config file for the Forms configuration site. By default, the file path is: C:\Program Files\Laserfiche\Laserfiche Forms\Config\Web.config
- Locate the netTcpBinding "timeoutBinding" configuration block. Change the security mode from Transport to None, as in the following sample:
<netTcpBinding>
<binding name="timeoutBinding" receiveTimeout="00:20:00" sendTimeout="00:20:00" openTimeout="00:20:00" closeTimeout="00:20:00">
<security mode="None" />
</binding>
</netTcpBinding>
- Browse to the Laserfiche.PushNotificationService.Master.Host.exe.config file for the internal Notification service. By default, the file path is: C:\Program Files (x86)\Laserfiche\Laserfiche Notification\Service\Laserfiche.PushNotificationService.Master.Host.exe.config
- Locate the netTcpBinding "timeoutBinding" configuration block. Change the security mode from Transport to None, as in the following sample:
<netTcpBinding>
<binding name="timeoutBinding" receiveTimeout="00:20:00" sendTimeout="00:59:00" openTimeout="00:59:00" closeTimeout="00:59:00" maxReceivedMessageSize="200000000">
<security mode="None" />
</binding>
</netTcpBinding>
- If you configure Laserfiche Audit Trail auditing on the internal Forms server after performing the above steps, you will need to recycle the FormsAppPool on the DMZ machine to make the auditing configuration take effect.
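A check for the note above about keeping the security modes on the two servers in step, as an added PowerShell example (not from the page and not Laserfiche's own tooling). It reads every config file this section touches on the local machine and, through the administrative share, on the other Forms server, reports each netTcpBinding's security mode, flags any binding name whose mode differs between the two machines, and warns if the DMZ server still has a localhost endpoint. The paths are the page's defaults; INTERNAL-FORMS and the C$ share are assumptions, as is that the account running the script can read the remote share.

```powershell
# Added example (not from the Laserfiche documentation): list the netTcpBinding security
# modes in every Forms config file this section touches, locally and on the other server
# via its administrative share, and flag bindings whose modes differ between the two.
# Assumptions: default install paths from this page; INTERNAL-FORMS and the C$ share are
# placeholders; the account running this can read the remote share.

function Get-FormsBindingModes {
    param(
        [string] $Root = 'C:',          # e.g. '\\INTERNAL-FORMS\C$' for the other server
        [switch] $WarnOnLocalhost       # set for the DMZ server, where no localhost endpoint should remain
    )
    $files = @(
        "$Root\Program Files\Laserfiche\Laserfiche Forms\Forms\Web.config",
        "$Root\Program Files\Laserfiche\Laserfiche Forms\Config\Web.config",
        "$Root\Program Files\Laserfiche\Laserfiche Forms\Forms\bin\RoutingEngineServiceHost.exe.config",
        "$Root\Program Files\Laserfiche\Laserfiche Forms\Forms\bin\UserSyncClient.exe.config",
        "$Root\Program Files (x86)\Laserfiche\Laserfiche Notification\Service\Laserfiche.PushNotificationService.Master.Host.exe.config"
    )
    foreach ($f in $files) {
        # The Notification service config exists only where that service is installed
        if (-not (Test-Path -LiteralPath $f)) { continue }
        [xml] $xml = Get-Content -LiteralPath $f -Raw
        foreach ($b in $xml.SelectNodes('//bindings/netTcpBinding/binding')) {
            $sec  = $b.SelectSingleNode('security')
            # WCF defaults netTcpBinding to Transport when <security> is omitted
            $mode = if ($sec) { $sec.GetAttribute('mode') } else { 'Transport (default)' }
            [pscustomobject]@{ Root = $Root; File = $f; Binding = $b.GetAttribute('name'); Mode = $mode }
        }
        if ($WarnOnLocalhost) {
            # A localhost endpoint left on the DMZ server would call its own (disabled) service
            foreach ($ep in $xml.SelectNodes('//client/endpoint')) {
                $addr = $ep.GetAttribute('address')
                if ($addr -like 'net.tcp://localhost:*') { Write-Warning "$f still has a localhost endpoint: $addr" }
            }
        }
    }
}

function Compare-FormsBindingModes {
    param([Parameter(Mandatory)] [string] $OtherRoot)
    $all = @(Get-FormsBindingModes -WarnOnLocalhost) + @(Get-FormsBindingModes -Root $OtherRoot)
    # A binding name that carries different modes across the files will not connect
    $all | Group-Object Binding |
        Where-Object { @($_.Group.Mode | Select-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            $modes = ($_.Group.Mode | Select-Object -Unique) -join ', '
            Write-Warning "Binding '$($_.Name)' has mixed security modes: $modes"
        }
    $all
}

# Run on the DMZ Forms server; the other server is read over its admin share
Compare-FormsBindingModes -OtherRoot '\\INTERNAL-FORMS\C$' |
    Sort-Object Binding, Root, File |
    Format-Table Binding, Mode, Root, File -AutoSize
```

A clean result lists every timeoutBinding and timeoutBindingStreamed with mode None on both roots and prints no warnings. Files the script cannot find are skipped silently, so check that the list of files printed covers the five the procedure edits.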
Two Forms Servers with Two STS Instances
This configuration works only if you are using Laserfiche Directory Server. It is identical to the standard configuration, except that the DMZ Forms server authenticates to an STS instance in the DMZ, while there is a separate STS instance in the internal network for the primary Forms server to authenticate to. To accommodate having an STS instance on a different computer from the Directory Server computer, you must change the endpoints in the DMZ Forms server.
Note: For the STS instance in the DMZ to authenticate to the Directory Server in the internal network, the DMZ server must have a valid SSL certificate.
Before carrying out these instructions, configure the internal Forms server according to the usual instructions.
To configure the DMZ Forms server
- Configure the internal Forms server using the default configuration instructions.
- Configure the firewall to open ports between the DMZ Forms server and the following internal servers: Laserfiche Directory Server, the internal Forms server, and the Forms SQL Server. See Firewall Considerations for more information.
- Give FormsAppPool full control permission to the private key in the certificate used by the Forms site.
- Open Microsoft Management Console (MMC). If the snap-in for Certificates is not installed, install it by going to File, selecting Add/Remove Snap-in, and selecting the Certificates snap-in. Choose to add this snap-in for the Local Computer.
- Once the snap-in is added, click on Certificates in the left pane, and within this, on Personal.
- If you have created a certificate for the Forms site and saved it to the Personal node, there will be a sub-folder in this node labeled Certificates. Expand this.
- Right-click on the certificate for the Forms site. Select All Tasks, then Manage private keys.
- Select Add… under the “Group or user names” section. In the ensuing dialog box, enter the object names to be added. Choose the location to be the local computer. Then check for the object name IIS AppPool\FormsAppPool. After the object is found, click OK.
- Back in the permissions for private keys dialog box, select FormsAppPool in the “Group or user names” section. In the “Permissions for FormsAppPool” section, ensure that Allow is checked for the option Full control. Click OK to save this setting.
- Find the EndpointUtility.exe program in the Forms installation folder (by default, it is in C:\Program Files\Laserfiche\Laserfiche Forms\Forms\bin). Open EndpointUtility.exe, and configure the endpoints as follows:
- Enter the Forms installation path. By default, this is C:\Program Files\Laserfiche\Laserfiche Forms.
- For Laserfiche Directory Server Address, enter the fully qualified domain name for the Laserfiche Directory Server.
- Select Use Alternative Service. Select Certificate as the security mode. From the list of certificates presented, choose the certificate that belongs to the Laserfiche Directory Server.
- Click Save to update all related configuration files.
- Open the Forms configuration site on the DMZ Forms server.
- On the Database tab, configure the DMZ Forms server to connect to your internal Forms server's SQL database.
- Browse to the DMZ Forms server installation folder and open the Web.config file for the Forms configuration site. By default, the file path is: C:\Program Files\Laserfiche\Laserfiche Forms\Config\Web.config
- Locate the WCF client configuration block. For the lfrouting endpoint, change the localhost reference to point to your internal Forms server. In the following sample, replace localhost in the address attribute with the internal Forms server's name:
<endpoint address="net.tcp://localhost:8168/lfrouting" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.Forms.Routing.IRoutingEngineService" name="" />
- Locate the netTcpBinding "timeoutBinding" configuration block. Change the security mode from Transport to None, as in the following sample:
<netTcpBinding>
<binding name="timeoutBinding" receiveTimeout="00:20:00" sendTimeout="00:20:00" openTimeout="00:20:00" closeTimeout="00:20:00">
<security mode="None" />
</binding>
</netTcpBinding>
- Browse to the DMZ Forms server installation folder and open the Web.config file for Forms. By default, the file path is: C:\Program Files\Laserfiche\Laserfiche Forms\Forms\Web.config
- Locate the WCF client configuration block. For the lfrouting, lfpushnotification, lfautotrigger, lfformexport, attachmentTransfer, and lfinstance endpoints, change the localhost references to point to your internal Forms server. In the following sample, replace localhost in each address attribute with the internal Forms server's name:
<endpoint address="net.tcp://localhost:8168/lfrouting" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.Forms.Routing.IRoutingEngineService" name="" />
<endpoint address="net.tcp://localhost:8732/lfautotrigger" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="FormsModel.SharedContracts.IAutoTrigger" name="" />
<endpoint address="net.tcp://localhost:8268/lfpushnotification" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.PushNotificationService.SharedContracts.IPushNotificationService" name="" />
<endpoint address="net.tcp://localhost:8736/lfformexport" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="FormsModel.SharedContracts.IFormExportService" name="" />
<endpoint address="net.tcp://localhost:8170/attachmentTransfer" binding="netTcpBinding" bindingConfiguration="timeoutBindingStreamed" contract="FormsModel.SharedContracts.IAttachmentTransferService" name="" />
<endpoint address="net.tcp://localhost:8176/lfinstance" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.Forms.Routing.IInstanceProcessing" name="" />
- Locate the wsFederation node. It should begin with the string <wsFederation persistentCookiesOnPassiveRedirects=.
- In the wsFederation node, change the realm and reply attributes to the address of the DMZ Forms server.
- In the same node, change the issuer attribute to the address of the Laserfiche Directory Server STS in the DMZ.
- Locate the netTcpBinding "timeoutBinding" configuration block. Change the security mode from Transport to None, as in the following sample:
<netTcpBinding>
<binding name="timeoutBinding" receiveTimeout="00:20:00" sendTimeout="00:20:00" openTimeout="00:20:00" closeTimeout="00:20:00">
<security mode="None" />
</binding>
</netTcpBinding>
- Locate the <appSettings> configuration block. To use a file storage volume for attachments, change the EnableAttachmentTransfer flag to true, as in the following sample:
<appSettings>
<add key="EnableAttachmentTransfer" value="true" />
</appSettings>
- Locate the netTcpBinding "timeoutBindingStreamed" configuration block. Change the security mode from Transport to None, as in the following sample:
<netTcpBinding>
<binding name="timeoutBindingStreamed" transferMode="Streamed" closeTimeout="00:59:00" openTimeout="00:59:00" receiveTimeout="00:59:00" sendTimeout="00:59:00" maxReceivedMessageSize="2147483647">
<security mode="None" />
</binding>
</netTcpBinding>
- Optional: If desired, the DMZ Forms server can be configured to use the internal routing service for executing lookup rules. To enable this feature, make the following two additional changes in the WCF client configuration and app settings:
- WCF client configuration: Change the localhost reference for the lookup endpoint to point to the internal Forms server. In the following sample, replace localhost in the address attribute with the internal Forms server's name:
<endpoint address="net.tcp://localhost:8174/lookup"
binding="netTcpBinding" bindingConfiguration="timeoutBinding"
contract="FormsModel.SharedContracts.IRoutingLookupService" name=""
/>
- <appSettings> configuration block: Change the EnableRoutingLookupProxy flag to true, as in the following sample:
<appSettings>
<add key="EnableRoutingLookupProxy" value="true" />
</appSettings>
- Open the Microsoft Management Console (MMC). Add the Services snap-in if it does not already exist. This can be done by clicking on File, then choosing Add/Remove Snap-in. Once you have the snap-in, perform the following steps:
- Select Services in the left pane.
- In the list of services, right-click on Laserfiche Forms Routing Service and select Properties. Choose to Stop the service, then change the Startup type to Disabled.
- In the list of services, right-click on Laserfiche Notification Hub Service. Choose to Stop the service, then change the Startup type to Disabled.
- In the list of services, right-click on Laserfiche Notification Master Service. Choose to Stop the service, then change the Startup type to Disabled.
- If you configure Laserfiche Audit Trail auditing on the internal Forms server after performing the above steps, you will need to recycle the FormsAppPool on the DMZ machine to make the auditing configuration take effect.
To configure the internal Forms server
- Browse to the internal Forms server installation folder and open the Web.config file. By default, the file path is: C:\Program Files\Laserfiche\Laserfiche Forms\Forms\Web.config
- Locate the <netTcpBinding> "timeoutBinding" configuration block. Change the security mode from Transport to None, as in the following sample:
<netTcpBinding>
<binding name="timeoutBinding" receiveTimeout="00:59:00" sendTimeout="00:59:00" openTimeout="00:59:00" closeTimeout="00:59:00">
<security mode="None" />
</binding>
</netTcpBinding>
- Browse to the internal Forms server installation folder and open the RoutingEngineServiceHost.exe.config file. By default, the file path is: C:\Program Files\Laserfiche\Laserfiche Forms\Forms\bin\RoutingEngineServiceHost.exe.config
- Locate the <netTcpBinding> configuration block. Change the security mode from Transport to None for timeoutBinding and timeoutBindingStreamed, as in the following sample:
<netTcpBinding>
<binding name="timeoutBinding" receiveTimeout="00:59:00" sendTimeout="00:59:00" openTimeout="00:59:00" closeTimeout="00:59:00" maxReceivedMessageSize="200000000">
<security mode="None" />
</binding>
<binding name="timeoutBindingStreamed" transferMode="Streamed" closeTimeout="00:59:00" openTimeout="00:59:00" receiveTimeout="00:59:00" sendTimeout="00:59:00" maxReceivedMessageSize="2147483647">
<security mode="None" />
</binding>
</netTcpBinding>
Note: Verify that the security mode for userSyncClient (C:\Program Files\Laserfiche\Laserfiche Forms\Forms\bin\UserSyncClient.exe.config) and the routing engine (RoutingEngineServiceHost.exe.config) use the same mode when configuring the DMZ and internal Forms servers.
- Browse to the Web.config file for the Forms configuration site. By default, the file path is: C:\Program Files\Laserfiche\Laserfiche Forms\Config\Web.config
- Locate the <netTcpBinding> "timeoutBinding" configuration block. Change the security mode from Transport to None, as in the following sample:
<netTcpBinding>
<binding name="timeoutBinding" receiveTimeout="00:20:00" sendTimeout="00:20:00" openTimeout="00:20:00" closeTimeout="00:20:00">
<security mode="None" />
</binding>
</netTcpBinding>
- Browse to the Laserfiche.PushNotificationService.Master.Host.exe.config file for the internal Notification service. By default, the file path is: C:\Program Files (x86)\Laserfiche\Laserfiche Notification\Service\Laserfiche.PushNotificationService.Master.Host.exe.config
- Locate the <netTcpBinding> "timeoutBinding" configuration block. Change the security mode from Transport to None, as in the following sample:
<netTcpBinding>
<binding name="timeoutBinding" receiveTimeout="00:20:00" sendTimeout="00:59:00" openTimeout="00:59:00" closeTimeout="00:59:00" maxReceivedMessageSize="200000000">
<security mode="None" />
</binding>
</netTcpBinding>
High-Security Variation: Two Forms Servers, Two SQL Servers
To configure the DMZ Forms server
In these instructions, you will configure the DMZ Forms server to connect to the appropriate servers in the DMZ and the internal network. You will also set up the DMZ SQL database and purge the relevant information from it and the DMZ Forms server. Finally, you will turn off the DMZ Forms server’s routing service.
Before carrying out these instructions, configure the internal Forms server according to the usual instructions.
- Create the DMZ Forms SQL database as follows.
- Make a copy of the internal Forms SQL database.
- Clear the cf_bp_data table in the copied database. This table stores data from the fields in submitted forms, and you will want to make sure that no information is leaked even if the DMZ is compromised.
- Move the copied database to the DMZ machine.
- On the Forms configuration site for the DMZ Forms server, configure the DMZ Forms server to connect to the DMZ SQL database.
- Modify all Forms process diagrams in the DMZ Forms server to have only a message start event and an end event. This way, the structure of tasks will not be revealed even if the DMZ is compromised. This action also deletes all tasks in the Forms inbox.
- Close any open SQL connections going through the internal firewall.
- Open the Forms configuration site on the DMZ Forms server.
- On the Forms Server tab, specify the internal Forms server URL.
- If you are using Laserfiche Server for authentication: on the User Authentication tab, select Use Laserfiche Server authentication and specify the internal Laserfiche Server host name. If Laserfiche Server is not running on port 80, include the port in the host name in the format ServerName:PortNumber.
- If you are using Laserfiche Directory Server for authentication: on the User Authentication tab, select Use a Laserfiche Directory Server for Single Sign-On authentication and specify the fully qualified domain name of the Laserfiche Directory Server STS in the internal network, in the format //DirectoryServer/LFDSSTS. Specify the internal Directory Server’s database.
- On the Email Settings tab, specify your SMTP server for draft notifications. If the SMTP email server is on the internal network, you will have to allow the DMZ Forms server to communicate with your email server. If the DMZ Forms server cannot access the email server, users can still save drafts, but they will not receive email notifications of the drafts.
- Find the EndpointUtility.exe program in the Forms installation folder (by default, it is in C:\Program Files\Laserfiche\Laserfiche Forms\Forms\bin). Open EndpointUtility.exe, and configure the endpoints as follows:
- Enter the Forms installation path. By default, this is C:\Program Files\Laserfiche\Laserfiche Forms.
- For Laserfiche Directory Server Address, enter the fully qualified domain name for the Laserfiche Directory Server.
- Select Use Alternative Service. Select Certificate as the security mode. From the list of certificates presented, choose the certificate that belongs to the Laserfiche Directory Server.
- Click Save to update all related configuration files.
- Browse to the DMZ Forms server installation folder and open the Web.config file for the Forms configuration site. By default, the file path is: C:\Program Files\Laserfiche\Laserfiche Forms\Config\Web.config
- Locate the WCF client configuration block. For the lfrouting endpoint, change the localhost references to point to your internal Forms server. In the following example, you would replace the bold text in the following sample with the internal Forms server’s name.<endpoint address="net.tcp://localhost:8168/lfrouting" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.Forms.Routing.IRoutingEngineService" name="" />
- Locate the <netTcpBinding> "timeoutBinding" configuration block. Change the security mode from Transport to None. See the bold text in the following sample.<netTcpBinding>
<binding name="timeoutBinding" receiveTimeout="00:20:00" sendTimeout="00:20:00" openTimeout="00:20:00" closeTimeout="00:20:00">
<security mode="None" />
</binding>
</netTcpBinding> - Browse to the DMZ Forms server installation folder and open the Web.config file for Forms. By default, the file path is: C:\Program Files\Laserfiche\Laserfiche Forms\Forms\Web.config
- Locate the WCF client configuration block. For the lfrouting, lfpushnotification, lfautotrigger, lfformexport, attachmentTransfer, and lfinstance endpoints, change the localhost references to point to your internal Forms server. In the following example, you would replace the bold sections in the following sample with the internal Forms server’s name.<endpoint address="net.tcp://localhost:8168/lfrouting" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.Forms.Routing.IRoutingEngineService" name="" />
<endpoint address="net.tcp://localhost:8268/lfpushnotification" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.PushNotificationService.SharedContracts.IPushNotificationService" name="" />
<endpoint address="net.tcp://localhost:8732/lfautotrigger" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="FormsModel.SharedContracts.IAutoTrigger" name="" />
<endpoint address="net.tcp://localhost:8736/lfformexport" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="FormsModel.SharedContracts.IFormExportService" name="" />
<endpoint address="net.tcp://localhost:8170/attachmentTransfer" binding="netTcpBinding" bindingConfiguration="timeoutBindingStreamed" contract="FormsModel.SharedContracts.IAttachmentTransferService" name="" />
<endpoint address="net.tcp://localhost:8176/lfinstance" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.Forms.Routing.IInstanceProcessing" name="" /> - If you are using the Laserfiche Directory Server STS:
- Locate the wsFederation node. It should begin with the string <wsFederation persistentCookiesOnPassiveRedirects=.
- In the wsFederation node, change the realm and reply attributes to the address of the DMZ Forms server.
- In the same node, change the issuer variable to the location of the Laserfiche Directory Server STS in the internal network.
- Optional: If desired, the DMZ Forms Server can be configured to use the internal routing service for executing lookup rules. Make the following two additional changes in WCF client configuration and app settings to enable:
- WCF client configuration: Change the lookup endpoints localhost references to point to the internal Forms server. For example, replace the bold section with internal Forms server's name.<endpoint address="net.tcp://localhost:8174/lookup" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="FormsModel.SharedContracts.IRoutingLookupService" name="" />
- <app settings> configuration block: Change the EnableRoutingLookupProxy flag to true. See the bold text in the following sample.<appSettings>
<add key="EnableRoutingLookupProxy" value="true" />
</appSettings>
- WCF client configuration: Change the lookup endpoints localhost references to point to the internal Forms server. For example, replace the bold section with internal Forms server's name.
- Locate the <appSettings> configuration block. To use a file storage volume for attachments or to auto-sync attachments in database storage, change the EnableAttachmentTransfer flag to true. See the bold text in the following sample.<appSettings>
<add key="EnableAttachmentTransfer" value="true" />
</appSettings> - Locate the <netTcpBinding> configuration block. Change the security mode from Transport to None for both timeoutBinding and timeoutBindingStreamed. See the bold text in the following sample.<netTcpBinding>
<binding name="timeoutBindingStreamed" transferMode="Streamed" closeTimeout="00:59:00" openTimeout="00:59:00" receiveTimeout="00:59:00" sendTimeout="00:59:00" maxReceivedMessageSize="2147483647">
<security mode="None" />
</binding>
<binding name="timeoutBinding" receiveTimeout="00:59:00" sendTimeout="00:59:00" openTimeout="00:59:00" closeTimeout="00:59:00">
<security mode="None" />
</binding>
</netTcpBinding>
- Open the Windows Services Microsoft Management Console (MMC) snap-in.
- View the properties of the Laserfiche Forms Routing Service to Stop the service and change the Startup type to Disabled.
- View the properties of the Laserfiche Notification Hub Service to Stop the service and change the Startup type to Disabled.
- View the properties of the Laserfiche Notification Master Service to Stop the service and change the Startup type to Disabled.
- If you configure auditing for the internal Forms server after you perform the above steps, you will need to copy the auditing configuration from the cf_options table in the internal database to the cf_options table in the DMZ database. The options you need to synchronize are FormsAuditingEnabled, AuditTrailURL, AuditZeroMQConfig, and AuditEventTypeSettings. You will also need to recycle the FormsAppPool on the DMZ machine for the auditing configuration to take effect.
To configure the internal Forms server
- Browse to the internal Forms server installation folder and open the Web.config file. By default, the file path is: C:\Program Files\Laserfiche\Laserfiche Forms\Forms\Web.config.
- Locate the <netTcpBinding> "timeoutBinding" configuration block. Change the security mode from Transport to None, as in the following sample.
<netTcpBinding>
<binding name="timeoutBinding" receiveTimeout="00:59:00" sendTimeout="00:59:00" openTimeout="00:59:00" closeTimeout="00:59:00">
<security mode="None" />
</binding>
</netTcpBinding>
- Browse to the internal Forms server installation folder and open the RoutingEngineServiceHost.exe.config file. By default, the file path is: C:\Program Files\Laserfiche\Laserfiche Forms\Forms\bin\RoutingEngineServiceHost.exe.config.
- Locate the <netTcpBinding> configuration block. Change the security mode from Transport to None for both timeoutBinding and timeoutBindingStreamed, as in the following sample.
<netTcpBinding>
<binding name="timeoutBinding" receiveTimeout="00:59:00" sendTimeout="00:59:00" openTimeout="00:59:00" closeTimeout="00:59:00" maxReceivedMessageSize="200000000">
<security mode="None" />
</binding>
<binding name="timeoutBindingStreamed" transferMode="Streamed" closeTimeout="00:59:00" openTimeout="00:59:00" receiveTimeout="00:59:00" sendTimeout="00:59:00" maxReceivedMessageSize="2147483647">
<security mode="None" />
</binding>
</netTcpBinding>
Note: Verify that userSyncClient (C:\Program Files\Laserfiche\Laserfiche Forms\Forms\bin\UserSyncClient.exe.config) and the routing engine (RoutingEngineServiceHost.exe.config) use the same security mode when configuring the DMZ and internal Forms servers.
- Browse to the Web.config file for the Forms Configuration site. By default, the file path is: C:\Program Files\Laserfiche\Laserfiche Forms\Config\Web.config.
- Locate the <netTcpBinding> "timeoutBinding" configuration block. Change the security mode from Transport to None, as in the following sample.
<netTcpBinding>
<binding name="timeoutBinding" receiveTimeout="00:20:00" sendTimeout="00:20:00" openTimeout="00:20:00" closeTimeout="00:20:00">
<security mode="None" />
</binding>
</netTcpBinding>
- Browse to the Laserfiche.PushNotificationService.Master.Host.exe.config file for the internal Notification service. By default, the file path is: C:\Program Files (x86)\Laserfiche\Laserfiche Notification\Service\Laserfiche.PushNotificationService.Master.Host.exe.config
- Locate the <netTcpBinding> "timeoutBinding" configuration block. Change the security mode from Transport to None, as in the following sample.
<netTcpBinding>
<binding name="timeoutBinding" receiveTimeout="00:20:00" sendTimeout="00:59:00" openTimeout="00:59:00" closeTimeout="00:59:00" maxReceivedMessageSize="200000000">
<security mode="None" />
</binding>
</netTcpBinding>
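The DMZ-server steps above (security mode, app settings, lookup endpoint, services) and the internal-server steps are mechanical edits to a handful of XML files. The following PowerShell script, an added example and not Laserfiche's own tooling, applies them and includes the consistency check from the note on UserSyncClient.exe.config. It assumes the default installation paths quoted on this page and a placeholder internal Forms server name (forms-internal.corp.example), and it makes a timestamped backup of every file it touches. Run it in an elevated session on the server being configured.

```powershell
# Added example, not Laserfiche's own tooling. Run in an elevated PowerShell session on
# the server being configured. Assumptions: the default install paths from this page and
# the placeholder internal Forms server name below.
$ErrorActionPreference = 'Stop'
$InternalFormsServer = 'forms-internal.corp.example'   # assumption: your internal Forms host name
$FormsRoot  = 'C:\Program Files\Laserfiche\Laserfiche Forms'
$NotifyRoot = 'C:\Program Files (x86)\Laserfiche\Laserfiche Notification\Service'

function Backup-ConfigFile {
    # Keep a timestamped copy so the Transport-mode configuration can be restored.
    param([string]$Path)
    Copy-Item -Path $Path -Destination ('{0}.{1:yyyyMMdd-HHmmss}.bak' -f $Path, (Get-Date))
}

function Set-NetTcpSecurityMode {
    # Sets <security mode="..."/> on the named <netTcpBinding> bindings in one config file.
    param(
        [string]$Path,
        [string[]]$BindingNames,
        [ValidateSet('Transport', 'None')][string]$Mode
    )
    Backup-ConfigFile -Path $Path
    [xml]$cfg = Get-Content -Path $Path -Raw
    foreach ($binding in $cfg.SelectNodes('//netTcpBinding/binding')) {
        if ($BindingNames -notcontains $binding.GetAttribute('name')) { continue }
        $security = $binding.SelectSingleNode('security')
        if ($null -eq $security) { $security = $binding.AppendChild($cfg.CreateElement('security')) }
        $security.SetAttribute('mode', $Mode)
        Write-Host ('{0}: binding {1} -> mode={2}' -f $Path, $binding.GetAttribute('name'), $Mode)
    }
    $cfg.Save($Path)
}

function Set-AppSetting {
    # Creates or updates <add key="..." value="..."/> under <appSettings>.
    param([xml]$Cfg, [string]$Key, [string]$Value)
    $add = $Cfg.SelectSingleNode("//appSettings/add[@key='$Key']")
    if ($null -eq $add) {
        $add = $Cfg.SelectSingleNode('//appSettings').AppendChild($Cfg.CreateElement('add'))
        $add.SetAttribute('key', $Key)
    }
    $add.SetAttribute('value', $Value)
}

function Disable-LfService {
    # Stops the service and sets its Startup type to Disabled, as the MMC steps above do.
    param([string]$DisplayName)
    $svc = Get-Service -DisplayName $DisplayName
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
    Set-Service -Name $svc.Name -StartupType Disabled
}

function Set-DmzFormsServerConfig {
    param([switch]$UseInternalLookupRouting)   # the optional lookup-proxy step
    $web = Join-Path $FormsRoot 'Forms\Web.config'
    Set-NetTcpSecurityMode -Path $web -BindingNames 'timeoutBinding', 'timeoutBindingStreamed' -Mode None
    [xml]$cfg = Get-Content -Path $web -Raw
    Set-AppSetting -Cfg $cfg -Key 'EnableAttachmentTransfer' -Value 'true'
    if ($UseInternalLookupRouting) {
        Set-AppSetting -Cfg $cfg -Key 'EnableRoutingLookupProxy' -Value 'true'
        # Point the lookup client endpoint(s) at the internal Forms server instead of localhost.
        $lookupXPath = "//client/endpoint[@contract='FormsModel.SharedContracts.IRoutingLookupService']"
        foreach ($ep in $cfg.SelectNodes($lookupXPath)) {
            $ep.SetAttribute('address', $ep.GetAttribute('address').Replace('localhost', $InternalFormsServer))
        }
    }
    $cfg.Save($web)
    'Laserfiche Forms Routing Service', 'Laserfiche Notification Hub Service', 'Laserfiche Notification Master Service' |
        ForEach-Object { Disable-LfService -DisplayName $_ }
}

function Set-InternalFormsServerConfig {
    Set-NetTcpSecurityMode -Path (Join-Path $FormsRoot 'Forms\Web.config') -BindingNames 'timeoutBinding' -Mode None
    Set-NetTcpSecurityMode -Path (Join-Path $FormsRoot 'Forms\bin\RoutingEngineServiceHost.exe.config') `
        -BindingNames 'timeoutBinding', 'timeoutBindingStreamed' -Mode None
    Set-NetTcpSecurityMode -Path (Join-Path $FormsRoot 'Config\Web.config') -BindingNames 'timeoutBinding' -Mode None
    Set-NetTcpSecurityMode -Path (Join-Path $NotifyRoot 'Laserfiche.PushNotificationService.Master.Host.exe.config') `
        -BindingNames 'timeoutBinding' -Mode None
}

function Test-SecurityModeConsistency {
    # The note above requires UserSyncClient.exe.config and RoutingEngineServiceHost.exe.config
    # to use the same mode; this lists every binding's mode so a mismatch is obvious.
    # A binding with no <security> element uses WCF's netTcpBinding default, Transport.
    $files = 'Forms\Web.config', 'Forms\bin\RoutingEngineServiceHost.exe.config',
             'Forms\bin\UserSyncClient.exe.config', 'Config\Web.config'
    foreach ($rel in $files) {
        $path = Join-Path $FormsRoot $rel
        if (-not (Test-Path $path)) { continue }
        [xml]$cfg = Get-Content -Path $path -Raw
        foreach ($b in $cfg.SelectNodes('//netTcpBinding/binding')) {
            $sec  = $b.SelectSingleNode('security')
            $mode = if ($null -eq $sec) { 'Transport (default)' } else { $sec.GetAttribute('mode') }
            [pscustomobject]@{ File = $rel; Binding = $b.GetAttribute('name'); Mode = $mode }
        }
    }
}

# Usage on the DMZ server:      Set-DmzFormsServerConfig -UseInternalLookupRouting
# Usage on the internal server: Set-InternalFormsServerConfig; Test-SecurityModeConsistency | Format-Table
```

Setting mode="None" removes WCF's transport-level authentication and encryption from these net.tcp endpoints, which is why the script keeps a backup of every file so Transport mode can be restored, and why the host firewall rules under Firewall Considerations, admitting only the DMZ Forms server to the endpoint ports, must be in place before the services are exposed.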
Note: In this configuration, the submitted form is not displayed on the “Thank You” page, which protects the submitted data: the “Thank You” page retrieves its data only after the routing engine finishes submitting the form, and that data cannot be accessed here. Direct users to your own custom “Thank You” page instead.
Note: Because the intermediate steps in processes have been purged on the DMZ Forms server, only changes in the start event in the DMZ Forms server’s process modeler will affect the actual process. Any changes made in the DMZ Forms server to events after the start event will have no effect on the internal Forms server.
Note: Timer start events will work only on the internal Forms server.
Note: If your processes do not change, your DMZ SQL Server does not need to be updated with data from the internal servers. If you update existing processes or add new processes in the internal Forms server, you can push these out to the DMZ SQL Server using the following method: Copy the internal SQL Server to the DMZ again, following step 1 in To configure the DMZ Forms server. This method must be used if the process file storage location has changed to use a new volume.
Note: With the High-Security variation, users may still save drafts, but drafts cannot be submitted from the DMZ Forms server.
One Forms Server in DMZ
To configure the DMZ Forms server
In these instructions, you will configure the DMZ Forms server to connect to the relevant servers in the DMZ and the internal network. You will then configure the DMZ Forms server to authenticate to the Laserfiche Directory Server STS in the DMZ.
- Configure the firewall to open the appropriate ports between the DMZ Forms server and the following servers in the internal network: Laserfiche Directory Server, Laserfiche Server, and SQL Server.
- Carry out Steps 3-4 in the earlier instructions for configuring the DMZ Forms server when there are two STS instances.
- Open the Forms configuration site on the DMZ Forms server.
- On the Database tab, configure the DMZ Forms server to connect to the Forms SQL database.
- On the User Authentication tab, select Use a Laserfiche Directory Server for Single Sign-On authentication and set Directory Server STS URL to the address of the Laserfiche Directory Server STS in the DMZ.
Firewall Considerations
The DMZ Forms server must be able to communicate with the internal computers hosting the following services:
- The internal Forms server if you are using one of the configurations with two Forms servers.
- The Microsoft SQL Server instance hosting the Forms SQL database.
- Either the Laserfiche Server or Directory Server, depending on your Forms authentication method.
When opening ports in the firewall, make sure to only allow connections from the DMZ Forms server.
Internal Forms Server
When modifying the DMZ Forms server Web.config files, take note of the port values specified for the various endpoints. The DMZ Forms server must be able to communicate with the internal Forms server on these ports.
SQL Server
Forms must also be able to communicate with the appropriate SQL Server. Make sure that the appropriate SQL Server port (the default port is 1433) is open to traffic from the appropriate Forms server.
If the DMZ Forms server is configured to use Laserfiche Server authentication
The DMZ Forms server must be able to communicate with your internal Laserfiche Server. By default, Laserfiche Server uses port 80 for unsecured traffic, port 443 for secure traffic, and port 5051 for Laserfiche Server notifications.
If the DMZ Forms server is configured to use Laserfiche Directory Server authentication
The DMZ Forms server must be able to communicate with Laserfiche Directory Server. By default, Directory Server uses port 5048 for unsecured traffic and port 5049 for secure traffic. This information is embedded in the Forms license file. By default, the Forms license file is located at: C:\Program Data\Laserfiche Forms\License\lf.licx
Open the file and locate the LicenseServerListeningPort value.
Email Server
If the SMTP email server is on the internal network, you will have to allow the DMZ Forms server to communicate with your SMTP email server. If the DMZ Forms server cannot access the SMTP email server, users can still save drafts from DMZ Forms server, but they will not receive email notifications of the drafts.
Laserfiche Audit Trail
To send audit events to Laserfiche Audit Trail, the Forms configuration server needs to be able to connect to the Laserfiche Audit Trail configuration site, by default over port 443 for HTTPS or port 80 for HTTP. These ports are customizable in the IIS Manager bindings.
The Forms server/routing service sends audit log activities to Laserfiche Audit Trail directly and individually, which requires a connection to the Audit Trail Event Hub Service over port 10256 by default. This is customizable in the AuditEventHub.json configuration file on the Audit Trail server. See the Laserfiche Audit Trail documentation for more information.
Network Ports for Laserfiche Products
Product | Ports |
---|---|
Laserfiche Forms 12 | 80 (HTTP), 443 (HTTPS), 8168 (lfrouting), 8268 (lfpushnotification), 8170 (attachmentTransfer), 8181 (Notification Hub Service), 8732 (lfautotrigger), 8736 (lfformexport), 8174 (lookup), 8176 (lfinstance) |
Directory Server 12 | 5048 (HTTP), 5049 (HTTPS) |
Laserfiche Server 12 | 80 (HTTP), 443 (HTTPS), 5051 (notifications) |
Microsoft SQL Server | 1433 (default instance) |
SMTP Server | 25 (default SMTP port) |
Laserfiche Audit Trail | 10256 (receiving audit logs) |
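The port table above and the requirement to allow connections only from the DMZ Forms server translate into host firewall rules on each internal server. The following PowerShell, an added example rather than Laserfiche documentation, creates one inbound rule per server role scoped to the DMZ Forms server's address, and reports any enabled inbound allow rule on the same ports whose remote scope is Any. The address 192.0.2.10, the role names, and the Domain profile are assumptions; the ports are the defaults from the table.

```powershell
# Added example, not Laserfiche's own tooling. Run elevated on each INTERNAL host the DMZ
# Forms server must reach. It creates one inbound allow rule scoped to that single remote
# address, which is the "only allow connections from the DMZ Forms server" requirement.
# Assumptions: the DMZ address and role names below; ports are this page's defaults.
$ErrorActionPreference = 'Stop'
$DmzFormsServer = '192.0.2.10'   # assumption: the DMZ Forms server's address (RFC 5737 documentation range)

# Default ports from the table above. Adjust if you changed IIS bindings or endpoint ports.
$RolePorts = @{
    FormsServer      = 80, 443, 8168, 8268, 8170, 8181, 8732, 8736, 8174, 8176
    SqlServer        = 1433
    DirectoryServer  = 5048, 5049
    LaserficheServer = 80, 443, 5051
    SmtpServer       = 25
    AuditTrail       = 80, 443, 10256
}

function New-DmzFormsInboundRule {
    param(
        [ValidateSet('FormsServer', 'SqlServer', 'DirectoryServer', 'LaserficheServer', 'SmtpServer', 'AuditTrail')]
        [string]$Role
    )
    $ports = @($RolePorts[$Role] | ForEach-Object { [string]$_ })
    $name  = "Laserfiche Forms DMZ to $Role"
    # Replace any earlier copy so re-running the script does not stack duplicate rules.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    # -Profile Domain assumes the internal server's NIC is on the domain profile (assumption).
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $ports -RemoteAddress $DmzFormsServer -Profile Domain `
        -Description "Inbound from the DMZ Forms server only (ports: $($ports -join ', '))"
}

function Find-OverbroadRule {
    # Flags enabled inbound allow rules on this role's ports whose remote scope is 'Any';
    # such a rule would let any host, not just the DMZ Forms server, reach the service.
    param([string]$Role)
    $wanted = @($RolePorts[$Role] | ForEach-Object { [string]$_ })
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $addr = $rule | Get-NetFirewallAddressFilter
        $port = $rule | Get-NetFirewallPortFilter
        if ($addr.RemoteAddress -ne 'Any') { continue }
        # LocalPort is 'Any', a single port, or an array of ports/ranges. Ranges such as
        # "8168-8176" are not expanded here, so review them by hand.
        $hits = @($port.LocalPort | Where-Object { $_ -eq 'Any' -or $wanted -contains $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Rule      = $rule.DisplayName
                Profile   = $rule.Profile
                LocalPort = ($port.LocalPort -join ',')
            }
        }
    }
}

# Usage on the internal Forms server:
#   New-DmzFormsInboundRule -Role FormsServer
#   Find-OverbroadRule -Role FormsServer | Format-Table
```

These are host firewall rules on the internal servers; the perimeter firewall between the DMZ and the internal network should carry the same source restriction, since once the net.tcp bindings run with security mode None the source address is the only thing standing between the internal routing, lookup and notification endpoints and any other host that can reach those ports.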