QPR Knowledge Base 2023.1

Common Microsoft Internet Information Services Configuration

In order for QPR Portal and QPR Web Services Foundation to work properly, handlers for the CGI binary/ISAPI DLL and the .svc extension need to be able to use both GET and POST methods (verbs).

 

 

Using QPR Portal with Internet Information Services 7.0 / 7.5

The following things need to be done if you are using QPR Portal with Microsoft Internet Information Services (IIS) 7.0 in Windows Server 2008 or IIS 7.5 in Windows 7 and Windows Server 2008 R2.

 

IIS Setup

In addition to the default selections, the following extra modules need to be installed for IIS 7.0 / 7.5:

•Common HTTP Features -> Static Content

•Common HTTP Features -> HTTP Redirection

•Common HTTP Features -> HTTP Errors

•World Wide Web Services -> Application Development Features -> .NET Extensibility

•World Wide Web Services -> Application Development Features -> ASP.NET (for QPR Web Services Foundation)

•World Wide Web Services -> Application Development Features -> ISAPI Extensions

•World Wide Web Services -> Application Development Features -> ISAPI Filters

•Web Management Tools -> IIS Management Console (if not already installed)

•Web Management Tools -> IIS Management Scripts and Tools

 

In addition to the default selections, the following role services need to be installed for IIS 7.0 on Windows Server 2008:

•Application Development -> ASP.NET (for QPR Web Services Foundation)

•Application Development -> .NET Extensibility

•Application Development -> ISAPI Extensions

•Application Development -> ISAPI Filters

 

On Windows 7 these selections can be made in the "Turn Windows features on or off" section in the Control Panel. On Windows Server 2008 the selection is available at Server Manager -> Roles -> Web Server (IIS) -> Add Role Services.

 

Do the following to allow qpr.isapi.dll (for QPR Portal) to be executed:

 

1.Go to Start Menu -> Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager.

2.Expand the Server name and open the ISAPI and CGI Restrictions section.

3.Select Add.

4.Browse the path to the QPR.isapi.dll (using qpr.cgi.exe with IIS 7 is not supported. Note that you'll need to verify that also QPR Web Application Server is configured to use the qpr.isapi.dll) into the ISAPI or CGI Path field.

5.Input a description for the extension and check the "Allow extension path to execute" checkbox.

6.Click the OK button.

 

 

The following MIME type mappings are created automatically for the Portal virtual directory under the QPR2023-1 application in IIS, but in the case there are issues with Silverlight or SVG views, verify that the following mappings exist:

•Extension: .svg, MIME type image/svg+xml

•Extension: .xaml, MIME type application/xaml+xml

•Extension: .xap, MIME type application/x-silverlight-app

•Extension: .xbap, MIME type application/x-ms-xbap

 

To define these mappings, do the following:

 

1.Go to Start Menu -> Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager.

2.Select Default Web Site.

3.Open the MIME Types section.

4.If the extension is not listed, select Add and input the extension and the correct MIME type.

5.Click OK and restart the website

 

 

Application pool configuration

The application pool created by QPR installation is typically configured properly and the settings don't have to be touched. However, if you are reconfiguring the IIS application and/or application pool manually or the installation has not succeeded in the configuration, note that for configuring the application pool so that qpr.isapi.dll can be run, the "Enable 32-bit Applications" flag needs to be set to false when running 64-bit servers (and the system is naturally 64-bit as well).

 

 

Configuring Internet Information Services 8 / 8.5 / 10 for QPR Suite

The following things need to be done if you are using QPR Portal and/or QPR Web Services Foundation with Microsoft Internet Information Services (IIS) 8.0 in Windows 8 and Windows Server 2012, Microsoft Internet Information Services (IIS) 8.5 in Windows 8.1 and Windows Server 2012 R2, or Microsoft Internet Information Services (IIS) 10.0 in Windows 10 or Windows Server 2016.

 

IIS Setup

In addition to the default selections, the following extra modules and their dependencies need to be installed for IIS 8.0 / 8.5 / 10.

•Common HTTP Features -> Static Content

•Common HTTP Features -> HTTP Redirection

•Common HTTP Features -> HTTP Errors

•World Wide Web Services -> Application Development Features -> ASP.NET 4.7 (for QPR Web Services Foundation)

•World Wide Web Services -> Application Development Features -> ISAPI Extensions

•World Wide Web Services -> Application Development Features -> ISAPI Filters

•Web Management Tools -> IIS Management Console (if not already installed)

•Web Management Tools -> IIS Management Scripts and Tools

 

In addition to the default selections, the following role services need to be installed for IIS 8.0 / 8.5 on Windows Server 2012 / 2012 R2:

•Web Server -> Application Development -> ASP.NET 4.7 (for QPR Web Services Foundation)

•Web Server -> Application Development -> ISAPI Extensions

•Web Server -> Application Development -> ISAPI Filters

 

On Windows 8 / 8.1 / 10 these selections can be made in the "Turn Windows features on or off" section in the Control Panel. On Windows Server 2012, 2012 R2, and 2016 the selection is available at Server Manager -> IIS -> select "Add Roles and Features" from the Tasks drop-down menu in the Roles and Features section.

 

Do the following to allow qpr.isapi.dll (for QPR Portal) to be executed:

 

1.Go to Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager.

2.Expand the Server name and open the ISAPI and CGI Restrictions section.

3.Select Add.

4.Browse the path to the QPR.isapi.dll (using qpr.cgi.exe with IIS 7 and newer is not supported. Note that you'll need to verify that also QPR Web Application Server is configured to use the qpr.isapi.dll) into the ISAPI or CGI Path field.

5.Input a description for the extension and check the "Allow extension path to execute" checkbox.

6.Click the OK button.

 

 

The following MIME type mappings are created automatically for the Portal virtual directory under the QPR2023-1 application in IIS, but in the case there are issues with Silverlight or SVG views, verify that the following mappings exist:

•Extension: .svg, MIME type image/svg+xml

•Extension: .xaml, MIME type application/xaml+xml

•Extension: .xap, MIME type application/x-silverlight-app

•Extension: .xbap, MIME type application/x-ms-xbap

 

To define these mappings, do the following:

 

1.Go to Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager.

2.Select Default Web Site.

3.Open the MIME Types section.

4.If the extension is not listed, select Add and input the extension and the correct MIME type.

5.Click OK and restart the website

 

 

Application pool configuration

The application pool created by QPR installation is typically configured properly and the settings don't have to be touched. However, if you are reconfiguring the IIS application and/or application pool manually or the installation has not succeeded in the configuration, note that for configuring the application pool so that qpr.isapi.dll can be run, the "Enable 32-bit Applications" flag needs to be set to false when running 64-bit servers (and the system is naturally 64-bit as well).

 

 

Configuring Web Site Manually

QPR installation creates the QPR2023-1 application under the default web site in IIS. If you want to use a different site, the application and its virtual directories should be created manually. The following changes are needed to the default configuration:

 

1.See the "Application pool configuration" section above for information about proper application pool configuration.

2.Create the MIME type mappings as instructed above.

3.If QPR Web Service Foundation is used, remove the following mappings from the QPR2023-1 application:

•.svc

•.aspx

•.axd

•WebResource.axd

•ScriptResource.axd

 

 

Web Server Hardening

The website's security posture can be enhanced by defining several HTTP headers designed for improving end user security:

 

1.Go to Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager.

2.Select the server.

3.Open the HTTP Response Headers section.

4.If present, Remove the X-Powered-By header.

5.Select Add to add the following response headers and values:

•Strict-Transport-Security: max-age=86400; includeSubDomains

•Referrer-Policy: strict-origin

•X-Frame-Options: SAMEORIGIN (Note that, if you are routing QPR UI via IIS, using this setting will make the QPR UI mobile app not able to access QPR UI.)

•X-XSS-Protection: 1; mode=block

•X-Content-Type-Options: nosniff

•Content-Security-Policy: default-src 'none'; frame-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'

 

In addition, after using the servicetester.aspx to test that your QPR Web Services is properly configured, the servicetester.aspx should be disabled as follows:

1.    Make a backup copy of the servicetester.aspx file located in the C:\Program Files\QPR Software Plc\QPR 2023.1 Servers\WebServices folder to some other location.

2.    Create an empty file named servicetester.aspx.

3.    Paste the following content into the created servicetester.aspx file:

 

<%@ Page Language="C#" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd>

<html xmlns=http://www.w3.org/1999/xhtml>

</html>

 

4.    Copy the created servicetester.aspx file over the original one in the C:\Program Files\QPR Software Plc\QPR 2023.1 Servers\WebServices folder.