Deployment architecture

If you have questions or if you want to share your opinion about Aware IM post your message on this forum
ddumas
Posts: 389
Joined: Tue Apr 23, 2013 11:17 pm

Deployment architecture

Post by ddumas »

Soon, I will be looking to deploy my first AwareIM app.

I am thinking of using an Amazon Web Services (AWS) server. I think one advantage of that, as I understand it, is that it's elastic and can be expanded (CPUs, memory, etc.) as the application needs to scale up due to higher volume.

Since I am most familiar with Windows (and maybe that's bad reasoning to decide), it will be a Windows server.

Since I will need access to that server to install software at will (on demand), I think it needs to be an "unmanaged" server.

I will need to install SQLExpress. I do not believe that SQL Server Standard Edition is free.
When I deploy the AWAREIM app, I think it installs all components, including Tomcat. I am not familiar with the java executable / Tomcat "run settings" to allocate memory, etc, so that application performance is best achieved. So, the default java / Tomcat run settings may not be best.

For the application, I am thinking that this will best execute as a link from a "Main" Website domain (with all the pretty stuff) to the AwareIM app. In that scenario the app will be on a separate domain, correct? Otherwise I would have to run in a frame in the Main website, and I am guessing that is sub-optimal. Maybe the two approaches do not necessitate 2 separate domains?

Does this above sound like a reasonable architecture? I am probably missing some things.

Dave
UnionSystems
Posts: 197
Joined: Fri Jun 17, 2016 7:10 am
Location: Brisbane Australia

Re: Deployment architecture

Post by UnionSystems »

We use AWS, but you should restrict RDP access to the server or it will get hacked.

Refer https://docs.aws.amazon.com/AWSEC2/late ... tance.html
AWS Linux, Windows Server, AIM 8.4 & 8.6
ddumas
Posts: 389
Joined: Tue Apr 23, 2013 11:17 pm

Re: Deployment architecture

Post by ddumas »

Wow. Great tip. I will be sure to take note, and make sure security is setup to handle that.

May I ask if your architecture setup is similar to the one I am describing? I basically know how to spell AWS, but that's it :)

Dave
customaware
Posts: 2391
Joined: Mon Jul 02, 2012 12:24 am
Location: Ulaanbaatar, Mongolia

Re: Deployment architecture

Post by customaware »

I have now migrated 7 of my 8 servers away from AWS and into Upcloud.

Much Simpler
Nearly twice as fast + basically 1/2 the cost.
And allows you to back up an entire server in the blink of an eye (I actually had to test it to believe it!!)

You are welcome to use this referral code...

https://upcloud.com/signup/?promo=F7YB75

Additionally....
Have moved all DB except 1 from MySQL to MariaDB

I agree about RDP..... Change port and user and crazy long strong password.... and install IPBan. Made a huge difference.

There are a few other gotchas (such as SSL certs and all the changes after an Aware IM update, landing pages, Font Awesome, etc. etc.), but let me know when you get there and I will give you a hand and point you in the right direction for resources.
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0 , MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
intra
Posts: 279
Joined: Thu Oct 11, 2012 1:30 pm
Location: Australia

Re: Deployment architecture

Post by intra »

I agree with pretty much everything said here, however port numbers and long password strings alone will not protect you from all attempts.

Classic example is 'bluekeep' vulnerability.
https://www.bleepingcomputer.com/news/s ... ndows-pcs/

Security is like an onion.. layers!

I would consider the following.

1. Keep on-top of vulnerabilities by having latest updates (in your case windows updates).
2. Change the port from 3389 to something else .
3. Long password.
4. Restrict access to RDP port via firewall
5. Consider a VPN server (if you're really paranoid) as you'll need another method to authenticate.
6. Consider a 2FA service when it comes to logging into said server as an administrator.
7. Geoblock / reverse proxy requests as much as possible.
8. USE SSL and have up to date ciphers.
9. Run AwareIM under a restricted user.

General rule of thumb is to keep a bare minimum of ports open and layer on the security from there.

I personally use Linux (shell) on AWS infrastructure with a raft of other applications/customisations to hide AwareIM from the exposed internet as much as possible.
Avid Linux user....
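The RDP items from the list above (2, 4, 9, plus the "restrict RDP" advice in the earlier reply), carried out in one script. This is an added example, not code from any poster or from Aware IM itself. It assumes a Windows Server EC2 host with Tomcat on TCP 8080 behind a TLS front end on 443; the admin address range, the new RDP port and the service account name are placeholders named in the header comment and must be replaced.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the forum thread): harden RDP on a Windows EC2 host.
# ASSUMPTIONS: $AdminCidr is the admin's public address range (RFC 5737 documentation
# range here), $RdpPort is an unused high port, $SvcUser is the account Tomcat/AwareIM
# will run under. Run this from the EC2 console/Session Manager, not over RDP itself:
# the final service restart drops every RDP session.

$AdminCidr = '203.0.113.0/24'   # placeholder; replace with your own range(s)
$RdpPort   = 33890              # placeholder new RDP port
$SvcUser   = 'awareim-svc'      # placeholder restricted service account

# 2. Move RDP off 3389. The listener reads PortNumber from this key on service start.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name 'PortNumber' -Value $RdpPort -Type DWord

# Require Network Level Authentication: the client must authenticate before the
# session host processes the connection, which is Microsoft's listed mitigation for
# the BlueKeep (pre-authentication) bug mentioned above. Still apply the patch.
Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord

# 4. Firewall: the built-in "Remote Desktop" group allows 3389 from anywhere, so turn
# it off and allow only the new port, only from the admin range.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName "RDP $RdpPort from admin range" -Direction Inbound `
    -Protocol TCP -LocalPort $RdpPort -RemoteAddress $AdminCidr -Action Allow -Profile Any

# Public side is HTTPS only; Tomcat's 8080 is reached through the local reverse proxy
# and gets no inbound rule. Mirror this in the EC2 security group as well (443 from
# anywhere, $RdpPort from $AdminCidr, nothing else) so there are two layers.
New-NetFirewallRule -DisplayName 'HTTPS 443' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow -Profile Any

# 9. Restricted local account for the AwareIM/Tomcat service (not an Administrator).
# Afterwards point the Tomcat service at it (services.msc or sc.exe), grant it
# "Log on as a service", and give it write access only to AwareIM's data directories.
$pw = Read-Host -AsSecureString -Prompt "Password for $SvcUser"
New-LocalUser -Name $SvcUser -Password $pw -PasswordNeverExpires `
    -UserMayNotChangePassword | Out-Null

# Apply the port change, then confirm 3389 is gone and only the expected ports listen.
Restart-Service -Name TermService -Force
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in @($RdpPort, 3389, 8080, 443) } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The port move (item 2) buys little by itself, since scanners find any listening RDP port within minutes; the firewall scoping to `$AdminCidr` and NLA are the parts that actually keep unauthenticated traffic away from the RDP service, and the items the script does not cover (updates, a long password, 2FA, a VPN) still apply on top of it.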
ddumas
Posts: 389
Joined: Tue Apr 23, 2013 11:17 pm

Re: Deployment architecture

Post by ddumas »

Thanks, I will look through those and make sure they are implemented on the AWS install. I will have to hire someone to do all this, as I have no experience in server setup and admin.
Dave