Configuring WCF Encryption for Forms in a DMZ
This document provides the details necessary to manually configure WCF encryption for Forms in perimeter network or DMZ arrangements.
Internal Forms server
- Generate and download a Certificate Authority (CA) Root Certificate from the internal Forms server to import to the DMZ Forms server.
- If the Forms App Pool or routing service does not run as a system user, grant the account it runs as permission to manage the certificate's private key.
- Browse to the internal Forms server installation folder and open the RoutingEngineServiceHost.exe.config file. By default the path is: C:\Program Files\Laserfiche\Laserfiche Forms\Forms\bin\RoutingEngineServiceHost.exe.config.
- In the <netTcpBinding> node, update each <security> node to use a clientCredentialType of Certificate for Transport security by changing:
<security mode="Transport" />
To:
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
For example:
<binding name="timeoutBinding" receiveTimeout="00:59:00" sendTimeout="00:59:00" openTimeout="00:59:00" closeTimeout="00:59:00" maxReceivedMessageSize="200000000">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
<binding name="timeoutBindingStreamed" transferMode="Streamed" receiveTimeout="00:59:00" sendTimeout="00:59:00" openTimeout="00:59:00" closeTimeout="00:59:00" maxReceivedMessageSize="2147483647">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
- In the <serviceBehaviors> node, add the following configuration to specify the service certificate created in step one:
<serviceCredentials>
<serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" findValue="07c44123eac690d3a9b29af5860e117e887b7fdb" />
</serviceCredentials>
Note: Set the findValue to the thumbprint of the internal certificate.
- In the <endpointBehaviors> node, update the <clientCertificate> node under the <behavior> node named extraEndpointBehavior to specify the service certificate created in step one by changing:
<clientCertificate storeLocation="LocalMachine" x509FindType="FindByThumbprint"/>
To:
<clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" findValue="07c44123eac690d3a9b29af5860e117e887b7fdb" />
Note: Set the findValue to the thumbprint of the internal certificate.
- In the <client> node, update the <endpoint> nodes for lfinstance, lfrouting, lfpushnotification, lfautotrigger, and lfformexport to use the host name matching the service certificate created in step one, and the configured endpoint behavior in the <extraEndpointBehavior> node. For example:
<client>
<endpoint address="net.tcp://certificateHostName:8176/lfinstance" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.Forms.Routing.IInstanceProcessing" name="" behaviorConfiguration="extraEndpointBehavior" />
<endpoint address="net.tcp://certificateHostName:8168/lfrouting" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.Forms.Routing.IRoutingEngineService" name="" behaviorConfiguration="extraEndpointBehavior" />
<endpoint address="net.tcp://certificateHostName:8268/lfpushnotification" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.PushNotificationService.SharedContracts.IPushNotificationService" name="" behaviorConfiguration="extraEndpointBehavior" />
<endpoint address="net.tcp://certificateHostName:8732/lfautotrigger" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="FormsModel.SharedContracts.IAutoTrigger" name="" behaviorConfiguration="extraEndpointBehavior" />
<endpoint address="net.tcp://certificateHostName:8736/lfformexport" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="FormsModel.SharedContracts.IFormExportService" name="" behaviorConfiguration="extraEndpointBehavior" />
</client>
Note: Replace each instance of certificateHostName above with the fully qualified domain name for the certificate created in step one.
- Update \Forms\Web.config
- In the <netTcpBinding> node, update each <security> node to use a clientCredentialType of Certificate for Transport security by changing:
<security mode="Transport" />
To:
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
For example:
<binding name="timeoutBinding" receiveTimeout="00:59:00" sendTimeout="00:59:00" openTimeout="00:59:00" closeTimeout="00:59:00" maxReceivedMessageSize="200000000">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
<binding name="timeoutBindingStreamed" transferMode="Streamed" receiveTimeout="00:59:00" sendTimeout="00:59:00" openTimeout="00:59:00" closeTimeout="00:59:00" maxReceivedMessageSize="2147483647">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
- In the <endpointBehaviors> node, update the <clientCertificate> node under the <behavior> node named extraEndpointBehavior to specify the service certificate created in step one by changing:
<clientCertificate storeLocation="LocalMachine" x509FindType="FindByThumbprint"/>
To:
<clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" findValue="07c44123eac690d3a9b29af5860e117e887b7fdb" />
Note: Set the findValue to the thumbprint of the internal certificate.
- In the <client> node, update the <endpoint> nodes for the lfinstance, lfrouting, lfpushnotification, lfautotrigger, and lfformexport endpoints to use the host name matching the service certificate created in step one, and the configured endpoint behavior in the <extraEndpointBehavior> node. For example:
<client>
<endpoint address="net.tcp://certificateHostName:8176/lfinstance" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.Forms.Routing.IInstanceProcessing" name="" behaviorConfiguration="extraEndpointBehavior" />
<endpoint address="net.tcp://certificateHostName:8168/lfrouting" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.Forms.Routing.IRoutingEngineService" name="" behaviorConfiguration="extraEndpointBehavior" />
<endpoint address="net.tcp://certificateHostName:8268/lfpushnotification" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.PushNotificationService.SharedContracts.IPushNotificationService" name="" behaviorConfiguration="extraEndpointBehavior" />
<endpoint address="net.tcp://certificateHostName:8732/lfautotrigger" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="FormsModel.SharedContracts.IAutoTrigger" name="" behaviorConfiguration="extraEndpointBehavior" />
<endpoint address="net.tcp://certificateHostName:8736/lfformexport" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="FormsModel.SharedContracts.IFormExportService" name="" behaviorConfiguration="extraEndpointBehavior" />
<endpoint address="net.tcp://localhost:8170/attachmentTransfer" binding="netTcpBinding" bindingConfiguration="timeoutBindingStreamed" contract="FormsModel.SharedContracts.IAttachmentTransferService" name="" />
<endpoint address="net.tcp://localhost:8174/lookup" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="FormsModel.SharedContracts.IRoutingLookupService" name="" />
</client>
Note: Replace each instance of certificateHostName above with the fully qualified domain name for the certificate created in step one.
- Update \Config\Web.config
- In the <netTcpBinding> node, update each <security> node as follows to use a clientCredentialType of Certificate for Transport security by changing:
<security mode="Transport" />
To:
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
For example:
<binding name="timeoutBinding" receiveTimeout="00:20:00" sendTimeout="00:20:00" openTimeout="00:20:00" closeTimeout="00:20:00">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
- In the <endpointBehaviors> node, update the <clientCertificate> node under the <behavior> node named extraEndpointBehavior to specify the service certificate created in step one by changing:
<clientCertificate storeLocation="LocalMachine" x509FindType="FindByThumbprint"/>
To:
<clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" findValue="07c44123eac690d3a9b29af5860e117e887b7fdb" />
Note: Set the findValue to the thumbprint of the internal certificate.
- In the <client> node, update the <endpoint> node of the lfrouting endpoint to use the host name matching the service certificate created in step one, and the configured endpoint behavior in the <extraEndpointBehavior> node. For example:
<client>
<endpoint address="net.tcp://certificateHostName:8168/lfrouting" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.Forms.Routing.IRoutingEngineService" name="" behaviorConfiguration="extraEndpointBehavior" />
<endpoint address="http://localhost:5048/LicenseManager/service" binding="ws2007HttpBinding" bindingConfiguration="WS2007HttpBinding_ILicenseManager" contract="LicenseManagerService.ILicenseManager" name="LicenseManagerService">
<identity />
</endpoint>
<endpoint address="http://localhost:5048/LicenseManager/service" binding="ws2007HttpBinding" bindingConfiguration="WS2007HttpBinding_ILicenseManager" contract="LicenseManagerService.ILicenseManager2" name="LicenseManagerService2">
<identity />
</endpoint>
<endpoint address="http://localhost:5048/LicenseManager/sts" binding="ws2007HttpBinding" bindingConfiguration="WS2007HttpBinding_ILFSecurityTokenService" contract="LicenseManagerSTS.ILFSecurityTokenService" name="LicenseManagerSTS">
<identity />
</endpoint>
</client>
Note: Replace the instance of certificateHostName above with the fully qualified domain name for the certificate created in step one.
- Update Laserfiche.PushNotificationService.Master.Host.exe.config. By default the path is: C:\Program Files (x86)\Laserfiche\Laserfiche Notification\Service\Laserfiche.PushNotificationService.Master.Host.exe.config.
- In the <netTcpBinding> node, update each <security> node as follows to use a clientCredentialType of Certificate for Transport security by changing:
<security mode="Transport" />
To:
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
For example:
<binding name="timeoutBinding" receiveTimeout="00:20:00" sendTimeout="00:59:00" openTimeout="00:59:00" closeTimeout="00:59:00" maxReceivedMessageSize="200000000">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
- In the <serviceBehaviors> node, add the following configuration to specify the service certificate created in step one:
<serviceCredentials>
<serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" findValue="07c44123eac690d3a9b29af5860e117e887b7fdb" />
</serviceCredentials>
Note: Set the findValue to the thumbprint of the internal certificate.
- Restart the Forms routing service, Forms App Pool, and the Notification master service on the internal Forms server to make the above configuration active.
DMZ Forms server
- Generate and download a Certificate Authority (CA) Root Certificate from the DMZ Forms server to import to the internal Forms server.
- If the Forms App Pool or routing service does not run as a system user, grant the account it runs as permission to manage the certificate's private key.
- Browse to the DMZ Forms server's installation folder and open the \Forms\Web.config file. By default the path is: C:\Program Files\Laserfiche\Laserfiche Forms\Forms\Web.config.
- In the <netTcpBinding> node, update each <security> node as follows to use a clientCredentialType of Certificate for Transport security by changing:
<security mode="Transport" />
To:
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
For example:
<binding name="timeoutBinding" receiveTimeout="00:59:00" sendTimeout="00:59:00" openTimeout="00:59:00" closeTimeout="00:59:00" maxReceivedMessageSize="200000000">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
<binding name="timeoutBindingStreamed" transferMode="Streamed" receiveTimeout="00:59:00" sendTimeout="00:59:00" openTimeout="00:59:00" closeTimeout="00:59:00" maxReceivedMessageSize="2147483647">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
- In the <endpointBehaviors> node, update the <clientCertificate> node under the <behavior> node named extraEndpointBehavior to specify the DMZ server certificate created in step one of this section by changing:
<clientCertificate storeLocation="LocalMachine" x509FindType="FindByThumbprint"/>
To:
<clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" findValue="8546bf3ceb126b5706071158cbd290a333ce5a56" />
Note: Set the findValue to the thumbprint of the DMZ server certificate.
- In the <client> node, update the <endpoint> nodes for lfinstance, lfrouting, lfpushnotification, lfautotrigger, and lfformexport to use the host name matching the service certificate created in step one for the internal Forms server, and the configured endpoint behavior in the <extraEndpointBehavior> node. For example:
<client>
<endpoint address="net.tcp://certificateHostName:8176/lfinstance" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.Forms.Routing.IInstanceProcessing" name="" behaviorConfiguration="extraEndpointBehavior" />
<endpoint address="net.tcp://certificateHostName:8168/lfrouting" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.Forms.Routing.IRoutingEngineService" name="" behaviorConfiguration="extraEndpointBehavior" />
<endpoint address="net.tcp://certificateHostName:8268/lfpushnotification" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.PushNotificationService.SharedContracts.IPushNotificationService" name="" behaviorConfiguration="extraEndpointBehavior" />
<endpoint address="net.tcp://certificateHostName:8732/lfautotrigger" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="FormsModel.SharedContracts.IAutoTrigger" name="" behaviorConfiguration="extraEndpointBehavior" />
<endpoint address="net.tcp://certificateHostName:8736/lfformexport" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="FormsModel.SharedContracts.IFormExportService" name="" behaviorConfiguration="extraEndpointBehavior" />
<endpoint address="http://localhost:5048/LicenseManager/service" binding="ws2007HttpBinding" bindingConfiguration="WS2007HttpBinding_ILicenseManager" contract="LicenseManagerService.ILicenseManager" name="LicenseManagerService">
<identity />
</endpoint>
<endpoint address="http://localhost:5048/LicenseManager/service" binding="ws2007HttpBinding" bindingConfiguration="WS2007HttpBinding_ILicenseManager" contract="LicenseManagerService.ILicenseManager2" name="LicenseManagerService2">
<identity />
</endpoint>
<endpoint address="http://localhost:5048/LicenseManager/sts" binding="ws2007HttpBinding" bindingConfiguration="WS2007HttpBinding_ILFSecurityTokenService" contract="LicenseManagerSTS.ILFSecurityTokenService" name="LicenseManagerSTS">
<identity />
</endpoint>
<endpoint address="net.tcp://certificateHostName:8170/attachmentTransfer" binding="netTcpBinding" bindingConfiguration="timeoutBindingStreamed" contract="FormsModel.SharedContracts.IAttachmentTransferService" name="" behaviorConfiguration="extraEndpointBehavior" />
<endpoint address="net.tcp://certificateHostName:8174/lookup" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="FormsModel.SharedContracts.IRoutingLookupService" name="" behaviorConfiguration="extraEndpointBehavior" />
</client>
Note: Replace each instance of certificateHostName above with the fully qualified domain name for the internal server certificate created in step one.
- Update \Config\Web.config
- In the <netTcpBinding> node, update each <security> node as follows to use a clientCredentialType of Certificate for Transport security by changing:
<security mode="Transport" />
To:
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
For example:
<binding name="timeoutBinding" receiveTimeout="00:20:00" sendTimeout="00:20:00" openTimeout="00:20:00" closeTimeout="00:20:00">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
- In the <endpointBehaviors> node, update the <clientCertificate> node under the <behavior> node named extraEndpointBehavior to specify the DMZ server certificate created in step one of this section by changing:
<clientCertificate storeLocation="LocalMachine" x509FindType="FindByThumbprint"/>
To:
<clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" findValue="8546bf3ceb126b5706071158cbd290a333ce5a56" />
Note: Set the findValue to the thumbprint of the DMZ server certificate.
- In the <client> node, update the <endpoint> node of the lfrouting endpoint to use the host name matching the service certificate created in step one for the internal Forms server, and the configured endpoint behavior in the <extraEndpointBehavior> node. For example:
<client>
<endpoint address="net.tcp://certificateHostName:8168/lfrouting" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.Forms.Routing.IRoutingEngineService" name="" behaviorConfiguration="extraEndpointBehavior" />
<endpoint address="http://localhost:5048/LicenseManager/service" binding="ws2007HttpBinding" bindingConfiguration="WS2007HttpBinding_ILicenseManager" contract="LicenseManagerService.ILicenseManager" name="LicenseManagerService">
<identity />
</endpoint>
<endpoint address="http://localhost:5048/LicenseManager/service" binding="ws2007HttpBinding" bindingConfiguration="WS2007HttpBinding_ILicenseManager" contract="LicenseManagerService.ILicenseManager2" name="LicenseManagerService2">
<identity />
</endpoint>
<endpoint address="http://localhost:5048/LicenseManager/sts" binding="ws2007HttpBinding" bindingConfiguration="WS2007HttpBinding_ILFSecurityTokenService" contract="LicenseManagerSTS.ILFSecurityTokenService" name="LicenseManagerSTS">
<identity />
</endpoint>
</client>
Note: Replace the instance of certificateHostName above with the fully qualified domain name for the internal server certificate created in step one.
- Restart the Forms App Pool on the DMZ Forms server to make the above configuration active.
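The steps in both sections above depend on two things that are easy to get wrong silently: the service account must be able to read the private key of the certificate named by findValue, and every config file must be edited consistently (Transport security with a Certificate client credential, a findValue that is exactly the thumbprint, and client endpoints addressed to the host name in the certificate). The following PowerShell script is an added example for checking both before restarting the services; it is not part of the Laserfiche documentation or product. The function names, the sample service account, the FQDN and the invocation at the bottom are assumptions to replace with your own values; the thumbprint and default paths are the ones used on this page.

```powershell
# Added example, not part of the Laserfiche documentation. Pre-flight checks for the
# certificate-based net.tcp transport security configured above; run it on the internal
# server with the internal thumbprint and on the DMZ server with the DMZ thumbprint.
# Requires Windows PowerShell 5.1 (or later) running elevated. RSA keys only.

function Test-FormsServiceCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,      # the findValue from the config files
        [Parameter(Mandatory)] [string] $ServiceAccount   # e.g. 'IIS APPPOOL\FormsAppPool' (assumed name)
    )
    $ok = $true
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($tp.Length -ne 40) { Write-Warning "Thumbprint '$Thumbprint' is not 40 hex characters"; return $false }

    # The config points WCF at storeLocation=LocalMachine, storeName=My, so look only there.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) { Write-Warning "No certificate with thumbprint $tp in LocalMachine\My"; return $false }
    if (-not $cert.HasPrivateKey) { Write-Warning "Certificate $tp has no private key"; return $false }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate $tp expired on $($cert.NotAfter)"; $ok = $false }

    # Locate the key file so the service account's access to it can be checked.
    $keyPath = $null
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    if (-not $keyPath -or -not (Test-Path -LiteralPath $keyPath)) { Write-Warning "Could not locate the private key file for $tp"; return $false }

    # WCF only needs to read the key, so Read is the least privilege worth granting.
    $readRight = [System.Security.AccessControl.FileSystemRights]::Read
    $hasRead = (Get-Acl -LiteralPath $keyPath).Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readRight) -eq $readRight)
    }
    if (-not $hasRead) {
        Write-Warning "$ServiceAccount cannot read the private key of $tp. Grant it with: icacls `"$keyPath`" /grant `"${ServiceAccount}:R`""
        $ok = $false
    }
    return $ok
}

function Test-FormsWcfConfig {
    param(
        [Parameter(Mandatory)] [string] $Path,                # a Web.config or .exe.config edited above
        [Parameter(Mandatory)] [string] $Thumbprint,          # thumbprint expected in every findValue
        [Parameter(Mandatory)] [string] $CertificateHostName  # the FQDN that replaced certificateHostName
    )
    $ok = $true
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    [xml] $cfg = Get-Content -LiteralPath $Path -Raw

    # 1. Every netTcpBinding must require a client certificate at the transport level.
    foreach ($binding in $cfg.SelectNodes('//netTcpBinding/binding')) {
        $t = $binding.SelectSingleNode('security[@mode="Transport"]/transport[@clientCredentialType="Certificate"]')
        if (-not $t) { Write-Warning "$Path binding '$($binding.GetAttribute('name'))' is not Transport/Certificate"; $ok = $false }
    }

    # 2. Every serviceCertificate and clientCertificate must carry the expected thumbprint as findValue,
    #    with no whitespace or line break inside the attribute (a common copy-and-paste error).
    foreach ($c in $cfg.SelectNodes('//serviceCertificate[@findValue] | //clientCertificate[@findValue]')) {
        $fv = $c.GetAttribute('findValue')
        if ($fv.ToUpperInvariant() -ne $tp) { Write-Warning "$Path <$($c.LocalName)> findValue '$fv' does not match $tp"; $ok = $false }
    }

    # 3. Client endpoints that present the client certificate must address the host named in the
    #    service certificate, not localhost or an IP, or the certificate identity check fails.
    foreach ($ep in $cfg.SelectNodes('//client/endpoint[@behaviorConfiguration="extraEndpointBehavior"]')) {
        $uri = [uri] ($ep.GetAttribute('address'))
        if ($uri.Host -ne $CertificateHostName) { Write-Warning "$Path endpoint $($uri) does not address $CertificateHostName"; $ok = $false }
    }
    return $ok
}

# Example invocation for the internal Forms server (account and FQDN are placeholders).
$thumb   = '07c44123eac690d3a9b29af5860e117e887b7fdb'
$account = 'IIS APPPOOL\FormsAppPool'
$fqdn    = 'forms-internal.example.com'
$results = @(
    Test-FormsServiceCertificate -Thumbprint $thumb -ServiceAccount $account
    Test-FormsWcfConfig -Path 'C:\Program Files\Laserfiche\Laserfiche Forms\Forms\bin\RoutingEngineServiceHost.exe.config' -Thumbprint $thumb -CertificateHostName $fqdn
    Test-FormsWcfConfig -Path 'C:\Program Files\Laserfiche\Laserfiche Forms\Forms\Web.config' -Thumbprint $thumb -CertificateHostName $fqdn
)
if ($results -contains $false) { Write-Host 'Fix the warnings above before restarting the Forms services.' }
else { Write-Host 'All certificate and WCF configuration checks passed.' }
```

On the DMZ server, call the same functions with the DMZ thumbprint (8546bf3ceb126b5706071158cbd290a333ce5a56 on this page) and the internal server's FQDN, since the DMZ client endpoints address the internal service certificate's host. Check 3 deliberately ignores endpoints without behaviorConfiguration="extraEndpointBehavior", which on the internal \Forms\Web.config legitimately remain on localhost.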