9.3 Multiple servers with a web server in a DMZ

You may want to configure your system to have a web server in a separate domain. This web server can serve as a bridge between the outside world and the protected network that hosts the MyID application server and database.

To configure this, you must set up local users on your application and web servers, and configure the firewall to allow communication between the servers.

  1. On both the application server and web server in the separate domain, create the following user accounts, and add them to the Distributed COM Users group:

    • LocalWeb – this is the local account for running the MyID website.
    • LocalMWS – this is the local account for running the MyID web services.

    Note: These are suggested names for the local accounts. You can use your own names, as long as you use them consistently across both servers.

  2. On the application server, in Component Services, under My Computer > COM+ Applications, expand the tree for the MyID component to view the Roles option, then add the appropriate LocalWeb and LocalMWS users to the MyID roles for each MyID component – these roles are:

    • App_Role
    • Web_Role

    Add the appropriate local users to each role that contains the existing domain users. That is, if the role has the MyID web domain user, add the local web user; if the role has the MyID web service domain user, add the local MWS user.

  3. On the web server, install the MyID Web Server using the main MyID installation program.

    When you install the web server and web service components, specify the local users you created above. Prefix each user name with the local machine name (not a domain name); for example:

    MYSERVER01\LocalWeb

  4. Set up the Windows firewall between the web and application servers to allow the following:

    • 135/TCP – RPC Endpoint Manager.
    • 5000-5099/TCP – DCOM.
    • 49152-65535/TCP – RPC for LSA, SAM, Netlogon.

  5. On the application server, copy the proxy MSI files for each of the MyID components.

    The proxy MSI files are located by default in the following folder:

    C:\Program Files\Intercede\MyID\Components\Export\

  6. Copy the proxy MSI files to the web server in the separate domain and install them.
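The account and firewall parts of the procedure above (steps 1 and 4) can be scripted so they are applied identically on both servers. The following is an added PowerShell example and is not part of Intercede's documentation or installer: it creates the two suggested local accounts, adds them to the Distributed COM Users group, and creates inbound rules for the three listed port ranges, restricted to the address of the peer server so the RPC/DCOM ports are not reachable from the rest of the DMZ. The peer address is a placeholder, and the COM+ role assignment from step 2 is still done in Component Services as described. Run it in an elevated PowerShell on each server.

```powershell
# Added example, not Intercede's own script.
# Creates the suggested local service accounts, grants DCOM group membership,
# and opens the ports from the procedure only towards the peer server.
# Assumptions (placeholders): $PeerServer is the address of the other server;
# account names match the suggested names used in the MyID installer.

$Accounts   = @('LocalWeb', 'LocalMWS')   # suggested names from the procedure
$PeerServer = '192.0.2.10'                # placeholder: address of the other server

foreach ($name in $Accounts) {
    if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
        # Prompt for each password so it is never stored in the script.
        $pw = Read-Host -Prompt "Password for $name" -AsSecureString
        New-LocalUser -Name $name -Password $pw -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
    }
    # Step 1: membership of Distributed COM Users is required for DCOM activation.
    if (-not (Get-LocalGroupMember -Group 'Distributed COM Users' -Member $name -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Distributed COM Users' -Member $name
    }
}

# Step 4: inbound TCP rules for the listed ports, scoped to the peer server only.
$Rules = @(
    @{ Name = 'MyID RPC Endpoint Mapper';             Port = '135' },
    @{ Name = 'MyID DCOM';                            Port = '5000-5099' },
    @{ Name = 'MyID RPC dynamic (LSA, SAM, Netlogon)'; Port = '49152-65535' }
)
foreach ($r in $Rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
            -LocalPort $r.Port -RemoteAddress $PeerServer -Action Allow | Out-Null
    }
}

# Verify the result: group membership and the port filters of the new rules.
Get-LocalGroupMember -Group 'Distributed COM Users' | Where-Object Name -match ($Accounts -join '|')
Get-NetFirewallRule -DisplayName 'MyID *' | Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort
```

Scoping the rules with -RemoteAddress is the part worth keeping even if you create the rules by hand: the dynamic RPC range (49152-65535) is wide, and an unscoped allow rule on it exposes every RPC endpoint on the application server to any host that can reach the DMZ. Use the same passwords on both servers for each account, since the web server in the separate domain authenticates to the application server by matching local account name and password.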

9.3.1 Known issues