System Requirements for Web Services

Updated: 2013-03-19

This topic lists supported platforms and requirements for the Services Manager web services.

Group Policy requirements

If you are installing a web service on a domain controller, grant the CortexWSUsers group the log on locally permission. Additionally, Proxy Users need the log on locally permission if you install the Directory Web Service on the domain controller.

BlackBerry

The following table lists the supported BlackBerry and Microsoft Exchange versions. If your environment includes BlackBerry 4, complete the following requirements before installing the Services Manager BlackBerry service. If your environment comprises only BlackBerry 5, you do not need to install a Services Manager BlackBerry service after completing the following requirements.
Version          | Exchange 2003 | Exchange 2007 | Exchange 2010 | Exchange 2010 Hosting
BlackBerry 4     | X             | X             | X             |
BlackBerry 5 SP1 |               | X             | X             |
BlackBerry 5 SP2 |               |               | X             | X

Configure your environment according to the BlackBerry installation guidelines. The following requirements assume you have installed the BlackBerry Enterprise Server software, the latest security updates, and the appropriate service pack for your deployment.

Requirements for all BlackBerry deployments (all supported versions):
  • The Services Manager requires the credentials that are used to run the BlackBerry service, in order to access the BlackBerry Server MAPI profile. This account must be a member of the Exchange View Only Administrators group. Additionally, the BlackBerry service account (or the Exchange View Only Administrators group) must have Open Address List permission on the Default Global Address List.
Requirements for BlackBerry 4 (in addition to requirements for all deployments):
  • Enable the following IIS 7+ roles:
    • Web Server > Application Development > ASP.NET
    • Management Tools > IIS Management Console
    • Management Tools > IIS Management Scripts and Tools
    • Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility
  • Install Microsoft .NET Framework 4.0
  • Install the BlackBerry Enterprise Server Resource Kit. When you install the Services Manager BlackBerry web service, you will need the credentials created for the resource kit.

Citrix XenApp for Windows

Supported XenApp versions:
  • Citrix Presentation Server 4.5 for Windows Server 2003
  • Citrix XenApp 5.0 for Windows Server 2008
  • Citrix XenApp 6.0 for Windows Server 2008 R2
  • Citrix XenApp 6.5 for Windows Server 2008 R2
Requirements:
  • Operating system: supported platforms for the XenApp version. Install all recommended operating system patches.
  • Enable Remote Desktop Services.
  • Install .NET Framework 4.0.
  • Installation requires that the Cortex Domain Logon account and the Domain\CortexWSUsers account have full administration rights on the XenApp farm.
  • For Presentation Server 4.5 for Windows Server 2003:
    • Apply SP2 to the Windows Server 2003.
    • From Add or Remove Programs, select Add/Remove Windows Components. Then select Application Server and click Details. Ensure that ASP.NET is enabled, that Internet Information Services (IIS) is enabled, and that the default settings are accepted.
  • For XenApp 5 for Windows Server 2008, XenApp 6, and XenApp 6.5:
    • Disable UAC.
    • Enable the following roles:
      • Web Server > Application Development > ASP.NET
      • Web Server > Security > Windows Authentication
      • Management Tools > IIS Management Console
      • Management Tools > IIS Management Scripts and Tools
      • Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility
  • The Citrix web service uses port 8095 by default.

CRM 2011

Ensure that the CRM 2011 installation is configured with claims-based authentication and an Internet-facing deployment. For help configuring an Internet Facing Domain (IFD) CRM 2011 environment, see http://www.youtube.com/watch?v=T9jZIxDTsBw.

For authentication to succeed, give the ADFS service user account (which is usually the Network Service) read access to the customer's OU.

Exchange

The following table lists the supported platforms and Microsoft Exchange versions.
Version                        | Windows Server 2003 R2 | Windows Server 2008 | Windows Server 2008 R2 SP1
Exchange 2003                  | X                      |                     |
Exchange 2007 SP2              |                        | X                   |
Exchange 2010 SP1 - Enterprise |                        |                     | X
Exchange 2010 SP1 - /Hosting   |                        |                     | X
Exchange 2010 SP2              |                        |                     | X
Note: Although Exchange 2010 SP1 is included as a supported version in this release of Services Manager, Citrix recommends service providers use Exchange 2010 SP2 instead for new Services Manager deployments. Exchange 2010 SP2 includes improvements that enable service providers to offer a richer feature set to their customers. For more information and guidance about SP2, refer to the article, "Multi-Tenant Support" on the Microsoft TechNet Web site.

For environments that already include Exchange 2010 SP1 in a hosting mode (i.e., using the /hosting switch), ensure it is installed in a separate domain forest from any other Exchange implementation. Exchange 2010 SP1 installed in a hosting mode sets different permissions on the organization's OUs.

Follow the guidance in the Microsoft documentation for preparing and installing Exchange. The information in this section assumes you have installed the Exchange software.

Requirements:
  • Install all recommended operating system patches.
  • Enable Remote Desktop Services.
  • Disable UAC.
  • Enable the following IIS 6 and 7+ roles:
    • Web Server > Application Development > ASP.NET
    • Management Tools > IIS Management Console
    • Management Tools > IIS Management Scripts and Tools
    • Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility
  • Install .NET Framework 4.0.
  • If you are using Exchange 2010, install Microsoft Exchange 2010 SP1 Management Tools.
  • Services Manager service installation requires that the Cortex Domain Logon account have full administration rights to Microsoft Exchange.
  • Exchange User Level Packages are used as templates for Exchange mailboxes. Packages define which protocols are enabled, plus mailbox limits and data storage. The installation process creates one package, which is used to test the installation. This package specifies the mail databases to use (Server / Storage Group). One or more storage groups are created when Exchange is installed; select one to use for the installation test.
  • By default, the Exchange web service uses port 8095 to communicate with the Provisioning and Web servers.

Configuring Permissions for Exchange 2007 and Exchange 2010

Use the following steps to configure permissions in an environment that includes only an Exchange 2007 SP2 or Exchange 2010 SP1 deployment. These steps are not required for Exchange 2010 SP2 or mixed Exchange deployments.
  1. Launch ADSIEdit.msc on a server in the domain.
  2. Right-click ADSI Edit, select Connect to, and then select the Configuration naming context.
  3. Expand CN=Configuration,DC=CustomerDomainPrefix,DC=CustomerDomainSuffix.
  4. Enable the List Object permission in the directory.
    1. Expand CN=Services > CN=Windows NT.
    2. Right-click CN=Directory Service and select Properties.
    3. Set the dsHeuristics attribute to 001.
  5. Disable the Default Email-Address policy. (By default, this policy applies to all users and gives all users the primary email address alias@exchangedomain.)
    1. Expand CN=Services > CN=Microsoft Exchange > CN=ExchangeOrganization > CN=Recipient Policies.
    2. From the middle pane, right-click CN=Default Policy and select Properties.
    3. Edit the following properties:
      • msExchLastAppliedRecipientFilter: Alias -eq 'NoSuchEmail'
      • msExchPurportedSearchUI: Microsoft.PropertyWell_QueryString=(mailNickname=NoSuchEmail) (replace current entry)
      • msExchQueryFilter: Alias -eq 'NoSuchEmail'
      • purportedSearch: (&(objectclass=PublicFolder)(!(extensionAttribute15=*)))
  6. Lock down default global address lists.
    1. Expand CN=Services > CN=Microsoft Exchange > CN=ExchangeOrganization > CN=Address Lists Container > CN=All Global Address Lists.
    2. Right-click CN=Default Global Address List and select Properties.
    3. On the Security tab, click Advanced.
    4. Clear the Include inheritable permissions from this object's parent check box, and then click Add.
    5. Click Apply and then click Yes for each warning that appears.
    6. Sort the permissions by name and remove the entries for Authenticated Users except the Deny entry that applies to msExchAvailabilityAddressSpace objects. Click OK to close the dialog box.
    7. On the Security tab, select the Everyone group and click Remove. Click OK to close the dialog box.
  7. Lock down address lists.
    1. Expand CN=Services > CN=Microsoft Exchange > CN=ExchangeOrganization > CN=Address Lists Container > All Address Lists.
    2. Right-click CN=All Users and select Properties.
    3. On the Security tab, click Advanced. Clear the Include inheritable permissions from this object's parent check box and then click Add.
    4. Click OK and then click Yes for each warning that appears.
    5. Remove the Everyone and Authenticated Users groups.
    6. Add the Proxy USERS group and deny the Read permission. (If the Services Manager roles have not yet been installed, or if this group does not exist, create a domain local group in Active Directory called Proxy USERS.)
    7. Repeat Steps 2-6 for the All Contacts, All Groups, All Rooms, and Public Folders containers.
  8. Lock down the All Address Lists container.
    1. Expand CN=Services > CN=Microsoft Exchange > CN=ExchangeOrganization > CN=Address Lists Container.
    2. Right-click CN=All Address Lists and select Properties.
    3. On the Security tab, click Advanced and then add the Proxy USERS group with the following settings:
      • Apply to: This object only
      • List Contents: Deny
      • List Object: Allow
  9. Delete the default offline address list.
    1. Expand CN=Services > CN=Microsoft Exchange > CN=ExchangeOrganization > CN=Address Lists Container > CN=Offline Address Lists.
    2. In Offline Address Lists, delete CN=Default Offline Address List.
  10. Set permissions at the Exchange organization level.
    1. Expand CN=Services > CN=Microsoft Exchange.
    2. Right-click CN=ExchangeOrganization and select Properties.
    3. On the Security tab, add the group Proxy USERS and allow the Read permission.
    4. Click Advanced and select the Proxy USERS group. Click Edit and configure the following settings:
      • Apply to: This object only
      • List contents: Allow
      • List object: Allow
      • Read all properties: Allow
      • Read permissions: Allow

Configuring Services Manager for a Mixed Exchange 2010 Environment

When using Exchange 2010 Enterprise with Exchange 2007 or 2003, to ensure correct operations, copy the globalAddressList attribute into the globalAddressList2 attribute.

globalAddressList2 attribute

The globalAddressList2 attribute was introduced in Windows Server 2008 R2. In an environment that includes Exchange 2010, an address list must be populated into the attribute to ensure correct operation. Exchange 2010 manages the globalAddressList2 attribute automatically, but Exchange 2007 and 2003 do not.

To populate globalAddressList2 with all entries from globalAddressList, run the following PowerShell script.

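# Run from the Exchange Management Shell (Get-GlobalAddressList is an Exchange cmdlet).
$configroot = ([adsi]"LDAP://rootdse").ConfigurationNamingContext
$MSEXOU = [adsi]("LDAP://CN=Microsoft Exchange,CN=Services,$configroot")
# Collect the distinguished name of every global address list as a string.
[array]$gal = @(Get-GlobalAddressList | ForEach-Object { [string]$_.DistinguishedName })
# 2 = ADS_PROPERTY_UPDATE: replace the attribute's values with the supplied array.
# The array is passed directly rather than rebuilt with Invoke-Expression,
# so text inside a distinguished name is never evaluated as PowerShell code.
$MSEXOU.PutEx(2, 'globalAddressList2', $gal)
$MSEXOU.SetInfo()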

After running this script, any systems that interact with globalAddressList must now use globalAddressList2; otherwise, Exchange will not detect them.

Lync Enterprise and Lync 2010 for Hosting

The following assumes you have deployed the Lync Enterprise 2010 topology.

Requirements
  • Install .NET Framework 4.0.
  • Install Lync Server Management Shell.
  • Add or enable the following roles and features:
    • IIS 6.0 (minimum)
    • Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools
    • PowerShell 2.0

MySQL

Requirements:
  • Install MySQL version 5.0 or 5.1.
  • Run MySQL on the default port 3306.
  • On the MySQL server:
    • Allow local and remote connections
    • Open the firewall to allow connections to the MySQL server on port 3306.
    • Open port 8095.
  • The Services Manager requires login access to administer databases and users. If you are using multiple SQL servers, use the same account for all of them (suggested name: CortexMySQLHosting). This account must have DBA (grant all) global privileges.

SharePoint

The following table lists the SharePoint and IIS version support.
Version                    | IIS 6 | IIS 7 | IIS 7.5
SharePoint 3               | X     | X     |
SharePoint Enterprise 2010 |       | X     | X
SharePoint Foundation 2010 |       | X     | X

Follow the guidance in the Microsoft documentation for hosting SharePoint. The following assumes you have installed the SharePoint software.

Requirements for SharePoint 2010 Services deployments:
  • Operating system: Windows Server 2008 (minimum), with all recommended operating system patches.
  • Enable Remote Desktop.
  • Disable UAC.
  • Add the service account used for the Services Manager SharePoint 2010 web service deployment and configurations to the farm. Use the Get-SPShellAdmin cmdlet to look up the account name.
  • Set the SharePoint 2010 web service to the same application pool identity as the SharePoint Central Administration site.
  • Identify the application (front-end) server in the farm where the SharePoint 2010 web service is to be deployed.
  • Install and configure Services Manager IIS Web Service (used for Windows Web Hosting Services) on the same SharePoint 2010 server used for managing the site host headers.
  • Install the Services Manager DNS Service to use the full functionality of SharePoint 2010 site DNS management.
  • Open ports 8095-8098 and 5985 from the server hosting the SharePoint 2010 and IIS web services to the Services Manager Web Server and provisioning server.
  • Enable the following roles:
    • Web Server > Application Development > ASP.NET
    • Web Server > Security > Windows Authentication
    • Management Tools > IIS Management Console
    • Management Tools > IIS Management Scripts and Tools
  • Make the SharePoint 2010 service account a member of the local administrators group on the server hosting the SharePoint 2010 web service and the CortexAdmins group in Active Directory.
  • Configure the following local policies:
    • Enable the Allow CredSSP Authentication option under Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service.
    • Enable the Allow CredSSP Authentication option under Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client.
    • Enable the Allow Fresh Credentials with NTLM-only Server Authentication option under Computer Configuration\Administrative Templates\System\Credentials Delegation. Verify that it is enabled and configured with an SPN appropriate for the target computer (select Show next to Add servers to the list). For example, for a target computer name "myserver.domain.com" the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com.
    • Enable the Allow Delegating Fresh Credentials option under Computer Configuration\Administrative Templates\System\Credentials Delegation\Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer (click Show next to Add servers to the list). For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com.
  • Disable loopback check:
    1. From the Registry Editor, select the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    2. Right-click Lsa, point to New, and select DWORD Value.
    3. Type DisableLoopbackCheck.
    4. Right-click DisableLoopbackCheck, then select Modify.
    5. In the Value field, type 1.
    6. Restart the server.
  • Allow WinRM to listen for requests:
    1. Run the following command at the command prompt on the SharePoint 2010 server: winrm e winrm/config/listener
    2. If the command prompt does not show anything, run the following command: winrm quickconfig
    3. At the prompt “Make these changes?”, type y.

      For more information, refer to http://msdn.microsoft.com/en-us/library/aa384372%28VS.85%29.aspx.

  • Increase the memory allocated for PowerShell by running the command: Set-item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000.
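
The following read-only PowerShell audit is an added example, not part of the original Citrix documentation. It reports the state of the settings that the SharePoint 2010 requirements above change (UAC, the loopback check, CredSSP, credential delegation targets, and WinRM) so they can be reviewed and recorded after installation. It assumes the standard Windows registry locations for these policies and an elevated session on the SharePoint 2010 server; the function names are illustrative.

```powershell
# Added example: read-only audit of the settings listed in the SharePoint 2010
# requirements. Run elevated on the SharePoint server. Nothing is modified.

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Get-DelegationTarget([string]$PolicyName) {
    # Group Policy stores each "Add servers to the list" entry as a string
    # value under a subkey named after the policy.
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\$PolicyName"
    if (-not (Test-Path $key)) { return }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) { [string]$regKey.GetValue($name) }
}

function New-Finding([string]$Setting, $Value, [string]$Note) {
    New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; Note = $Note } |
        Select-Object Setting, Value, Note
}

$findings = @()

$lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
$findings += New-Finding 'UAC (EnableLUA)' $lua '0 = UAC disabled'

$loop = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'DisableLoopbackCheck'
$findings += New-Finding 'DisableLoopbackCheck' $loop '1 = loopback check disabled'

foreach ($side in 'Service', 'Client') {
    $v = Get-RegValue "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\$side" 'AllowCredSSP'
    $findings += New-Finding "WinRM $side AllowCredSSP" $v '1 = CredSSP allowed by policy'
}

# List every SPN that fresh credentials may be delegated to. A wildcard entry
# such as WSMAN/*.domain.com covers every host matching the pattern, so it is
# reported separately from single-host entries.
foreach ($policy in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
    $targets = @(Get-DelegationTarget $policy)
    if ($targets.Count -eq 0) {
        $findings += New-Finding $policy $null 'policy not configured'
        continue
    }
    foreach ($spn in $targets) {
        $note = 'single host'
        if ($spn.Contains('*')) { $note = 'wildcard: every matching host is a delegation target' }
        $findings += New-Finding $policy $spn $note
    }
}

# The WSMan: drive is only readable when the WinRM service is running.
try {
    $mem = (Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -ErrorAction Stop).Value
    $listeners = @(Get-ChildItem WSMan:\localhost\Listener -ErrorAction Stop).Count
} catch {
    $mem = 'unavailable'
    $listeners = 'unavailable'
}
$findings += New-Finding 'MaxMemoryPerShellMB' $mem 'this page sets 1000'
$findings += New-Finding 'WinRM listeners' $listeners '0 = WinRM is not listening for requests'

$findings | Format-Table -AutoSize -Wrap
```
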
Requirements for SharePoint 3 Services deployments:
  • Operating system: Windows Server 2003 Service Pack 2 (minimum)
  • Enable Remote Desktop.
  • Set the SharePoint 3 web service to the same application pool identity as the SharePoint Central Administration site. This should be the service account used by Services Manager for SharePoint 3 web service provisioning.
  • Identify the application (front-end) server in the farm where the SharePoint 3 web service is to be deployed.
  • Make sure the SharePoint 3 web service farm is installed using Domain Account Mode instead of Active Directory Account Creation Mode.
  • Install and configure Services Manager IIS Web Service (used for Windows Web Hosting Services) on the same SharePoint 3 server used for managing the site host headers.
  • Open ports 8095-8098 from the server hosting the SharePoint 3 web service and IIS web services to the Services Manager Web Server and provisioning server.
  • If the application server is on Windows 2008, enable the following roles:
    • Web Server > Application Development > ASP.NET
    • Web Server > Security > Windows Authentication
    • Management Tools > IIS Management Console
    • Management Tools > IIS Management Scripts and Tools
  • Make the SharePoint 3 web service account a member of the local administrators group on the server hosting the SharePoint 3 web service and the CortexAdmins group in Active Directory.

Virtual Machine

Supported:
  • System Center Virtual Machine Manager 2008 R2 SP1
  • Hyper-V Server 2008 R2
Requirements:
  • Enable the following roles:
    • Web Server > Application Development > ASP.NET
    • Web Server > Security > Windows Authentication
  • Install Microsoft .NET 4.0.
  • System Center Virtual Machine Manager 2008 R2 Administrator Console
  • For each Hyper-V host, use SCVMM to set up network access:
    • Configure network adaptors.
    • Configure VLAN ranges for VLAN trunking.

      Hyper-V hosts can be stand-alone or clustered. Services Manager supports Cluster Shared Volumes for provisioning highly available VMs.

    • For each Hyper-V host Services Manager is to manage, refer to Steps Required to Add a New Hyper-V Host.
  • Open inbound TCP port 8095 in the Windows firewall.
  • Open the following firewall ports, by role:
    Role                           | Port         | Description
    SCVMM servers                  | 8100         | VMM - Administrator Console to VMM server
                                   | As installed | RDP - self-service portal website port
    If using a remote VMM database | 1433         | TDS - SQL Server
    Virtual server                 | 5900         | VMRC - VMRC connection to virtual server host
    Hyper-V hosts                  | 80           | WinRM - VMM server to VMM agent on Windows Server-based host (control)
                                   | 443          | BITS - Library server > hosts
                                   | 445          | SMB - VMM server to VMM agent on Windows Server-based host (data)
                                   | 2179         | RDP - VMConnect to Hyper-V hosts
                                   | 5900         | VMRC - connection to virtual server host
    Virtual machines               | 3389         | RDP - Remote desktop to VMs
  • An Active Directory security group is added to Hyper-V servers to enable remote connections. Your environment must allow security groups to be added to the host from the domain containing the Services Manager components.
  • Remove the following folders or executables from real-time scanning by security software:
    • The default virtual machine configuration folder (for example, C:\ProgramData\Microsoft\Windows\Hyper-V) and any custom virtual machine configuration folders
    • The default virtual machine hard disk drive folder (for example, C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks) and any custom virtual machine hard disk drive folders
    • Snapshot folders
    • VMMS.EXE - Virtual Machine Management Service
    • VMWP.EXE - Virtual Machine Worker Process
    • If you use Hyper-V Live Migration with Cluster Shared Volumes, remove the Cluster Storage folder (for example, C:\Clusterstorage) and all subfolders.

Windows Web Hosting

The following table lists the supported Internet Information Services (IIS) versions and platforms.
Version | Windows Server 2003 R2 | Windows Server 2008 | Windows Server 2008 R2 SP1 | Windows Server 2008 R2 SP1 Web Edition
IIS 6   | X                      |                     |                            |
IIS 7   |                        | X                   |                            |
IIS 7.5 |                        |                     | X                          | X
Requirements
  • Hardware:
    • Processors: server class, one or more 2.0 GHz (minimum)
    • Memory: 2 GB (minimum) recommended
    • Disk space: 10 GB (minimum) free space
  • Install all recommended operating system patches.
  • Enable the following roles:
    • File Service > File Server
    • IIS > Application Development > ASP.NET
    • IIS > Application Development > .NET Extensibility
    • IIS > Application Development > CGI (required only if PHP support is required)
    • IIS > Application Development > ISAPI Extensions
    • IIS > Application Development > ISAPI Filters
    • IIS > Security > Basic Authentication
    • IIS > Security > Windows Authentication
    • IIS > Management Tools > IIS Management Console
    • IIS > Management Tools > IIS Management Scripts and Tools
    • IIS > Management Tools > Management Service
  • Ensure that the IIS FTP Server Role is not enabled.
  • For IIS 7.0 and higher: Set up the web server with any server certificates needed for secure site browsing and with a network file share to store site files and documents (typically, C:\WebHosting).
  • Install .NET Framework 4.0.
  • Configure the Web Management Service (WMSvc) to run automatically at startup. By default, it is set to Manual.
  • Enable Remote Desktop Services.
  • The Network Service account must be able to read the configuration files in the directory C:\Windows\System32\inetsrv\config.
  • When provisioning the customer site, the Services Manager sets permissions for the customer's Active Directory groups on the site/folder. Additionally, the AppPool identity for the site is also a domain account under that customer's OU. Therefore, the web hosting server must either be a member of the domain or have a trust relationship with that domain, so that groups and accounts are accessible and have rights on the server.

Other Services

Service                     | Requirement/Supported Version
Domain Name System (DNS)    | BIND version 9.x DNS Server
File Sharing Manager        | Supported on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2
Hosted Apps and Desktops    | Citrix App Studio 1.0
Office Communication Server | Microsoft Office Communications Server 2007 R2

For information about the Directory Web Service, see System Requirements for Server Roles.
