Switches
High-speed, full-duplex network switches are recommended. A dual-switch layout can be used to provide network redundancy, although this may require additional configuration by the network team (master/slave device roles, routing, etc.).
Load Balancers
If using a load balancer or a pair of load balancers, the device(s) should be able to balance traffic based on different patterns, and preferably also support multiple virtual IP addresses with individual rule sets. For example, Authoring requires sticky session management on the LB, while Reportal, being written entirely in .NET, supports sessions across servers using SQL Server, ASP state or Redis session control. Forsta Plus surveys are completely session-less and require no session tracking on the LB device.
Load balancers should preferably also support health checks using URL patterns or HTTP HEAD requests to verify the actual availability of servers in the real server pool, so that maintenance can be performed on servers in the load-balanced pool without interrupting the service as a whole.
Network Load Balancing (NLB) in the Windows Server platform may also be used, but its support for sticky sessions for Authoring servers has not been tested by Forsta and therefore cannot be recommended in a production environment.
Note on Load balancer configurations:
By default, the following should be set for each endpoint above.
- Sessionless (round robin or least connections)
- HTTPS with SSL offloading (also known as SSL/TLS acceleration) is recommended. SSL offloading means hosting the SSL certificate on the load balancer (rather than on the server) so that SSL traffic terminates there and is forwarded to the server on another port (for example, port 81). This reduces CPU load on the web servers and makes it easier to manage SSL certificates in a central location on the LB.
- Health check using a static file on the server (for example isalive.htm in the webroot of the server). The load balancer monitors for the existence of this file to decide whether the server is ‘live’. The benefit of this method is that a rolling deployment of Platform Plus does not interrupt site usability (as one server per role can be updated at a time), and it is simple to take a server out of ‘production’ in order to perform maintenance (Windows updates, rebooting, etc.) by renaming the file.
- OPTIONAL – Enable the X-Forwarded-For header. This forwards the original client's IP address to the server (rather than the load balancer's virtual IP). This can help with identifying traffic from a specific respondent/user when troubleshooting and following IIS, application and service logs.
The resulting flow is: HTTPS 443 -> Load balancer (SSL offload) -> HTTP 81 -> Web server
HTTPS/SSL certificates will need to be created or purchased for the HTTPS endpoints.
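The load balancer defaults above, expressed as an added HAProxy (2.2 or later) configuration example; this is not Forsta configuration, and the hostnames, backend IP addresses, certificate path and backend names are placeholders.

```haproxy
# Added example: HAProxy applying the LB defaults described above (not Forsta's own config).
# Hostnames, IPs, certificate path and backend names are assumed placeholders.
global
    log /dev/log local0

defaults
    mode    http
    log     global
    option  httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# HTTPS 443 terminates here (SSL offload); traffic goes to the servers as plain HTTP on 81,
# so the LB-to-server segment must be a trusted internal network.
frontend fe_https
    bind *:443 ssl crt /etc/haproxy/certs/forsta-plus.pem
    # Set (not append) X-Forwarded-For so only the LB-observed client IP reaches the server logs.
    http-request set-header X-Forwarded-For %[src]
    # One virtual host per endpoint, each with its own backend rule set.
    use_backend be_authoring if { req.hdr(host) -i authoring.example.com }
    use_backend be_reportal  if { req.hdr(host) -i reportal.example.com }
    default_backend be_surveys

# Surveys are session-less: least connections, no stickiness.
# Health check is an HTTP HEAD for /isalive.htm on port 81; renaming the file
# makes the check fail and takes the server out of the pool without touching the LB.
backend be_surveys
    balance leastconn
    option httpchk
    http-check send meth HEAD uri /isalive.htm hdr Host surveys.example.com
    http-check expect status 200
    server web1 10.0.1.11:81 check inter 5s fall 2 rise 2
    server web2 10.0.1.12:81 check inter 5s fall 2 rise 2

# Authoring requires sticky sessions: an LB-inserted cookie pins a client to one server.
backend be_authoring
    balance roundrobin
    option httpchk
    http-check send meth HEAD uri /isalive.htm hdr Host authoring.example.com
    http-check expect status 200
    cookie SRV insert indirect nocache
    server auth1 10.0.2.11:81 check inter 5s fall 2 rise 2 cookie auth1
    server auth2 10.0.2.12:81 check inter 5s fall 2 rise 2 cookie auth2

# Reportal keeps session state out of process (SQL Server, ASP state or Redis): no LB stickiness.
backend be_reportal
    balance leastconn
    option httpchk
    http-check send meth HEAD uri /isalive.htm hdr Host reportal.example.com
    http-check expect status 200
    server rep1 10.0.3.11:81 check inter 5s fall 2 rise 2
    server rep2 10.0.3.12:81 check inter 5s fall 2 rise 2
```

With `fall 2` and `inter 5s`, a server leaves the pool about ten seconds after isalive.htm is renamed, and returns after two successful checks once the file is restored.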
Firewalls/IDS
There are no specific requirements in terms of firewall hardware. However, it is strongly recommended that firewalls from reputable vendors are deployed to protect inbound connections to the web servers and minimize the attack surface.
Network Traffic Requirements to/from the Forsta Plus Site
| From | To | Service | Ports | Protocol |
|---|---|---|---|---|
| Users | Deployment servers | HTTP / HTTPS | 80, 443 (customizable) | TCP |
| Users | Authoring servers | HTTP / HTTPS | 80, 443 (customizable) | TCP |
| Users | Webservice servers | HTTP / HTTPS | 80, 443 (customizable) | TCP |
| Users | REST API servers | HTTP / HTTPS | 80, 443 (customizable) | TCP |
| Users | Reportal servers | HTTP / HTTPS | 80, 443 (customizable) | TCP |
| All Forsta servers | Remote mail servers | SMTP | 25 | TCP |
| *Users* | *Server holding shared data / FTP data* | *FTP / SFTP / SSH / FTPS* | *20, 21, 22, 990 or custom* | *TCP* |
| Octopus Server | Artifactory Feed | HTTPS | 443 | TCP |
The rule marked in italics is only required when the FTP add-on is enabled. Most FTP, SFTP, FTPS and SSH servers can be configured to run on custom ports if you wish to use ports other than the defaults.
Forsta web servers can also be set up to listen on non-standard ports if required.
Network Traffic Requirements Between Servers Internally Within the Site
It is recommended to run servers in the same network segment. However, if network access control between servers is required, the services required by Forsta Plus are listed below:
| From | To | Service | Ports | Protocol |
|---|---|---|---|---|
| Octopus server | All Forsta web servers | Octopus Tentacle | 10933 | TCP |
| Octopus server | SQL Database server | SQL connection | 1433 | TCP |
| All Forsta Plus servers | SQL Database server(s) | SQL connection | 1433 (customizable) | TCP |
| All Forsta Plus servers | Metadata REST API server | Web | 80 | TCP |
| Authoring servers, Task System servers | All Forsta servers (also database servers if Archiving is enabled) | File system access over SMB/CIFS | 445 | TCP |
| Authoring servers | Searching service | Searching service | 9731 | TCP |
| Authoring, Task System and Metadata REST API servers | Server(s) running RabbitMQ | RabbitMQ | 5672 | TCP |
| Reportal servers | Server running 'Forsta Caching Service' | Forsta Caching Service | 8282 | TCP |
| All Forsta Plus servers | Servers running 'Forsta BitStream Service' | Forsta BitStream Service | 8285 (customizable) | TCP |
| (Optional) All Forsta Plus servers | Logstash | Logging | 9998 (configurable) | TCP¹ |
| Task System servers | Forsta Authoring URL | Web | 80 / 443 | TCP |
| Deployment servers | Forsta Services accessed in Custom Code Libraries | Web | 80 / 443 | TCP |
| Reportal servers | Forsta Authoring URL | Web | 80 / 443 | TCP |
| Forsta Translator servers | Forsta Authoring URL | Web | 80 / 443 | TCP |
| Forsta CATI servers² | Forsta Webservices | Web | 80 / 443 | TCP |
| Forsta CATI servers² | Forsta Authoring URL | Web | 80 / 443 | TCP |
| Forsta CATI servers² | Forsta Deployment URL | Web | 80 / 443 | TCP |

¹ This rule is optional.
² If applicable.