Cloud Server: Deployment and Security
Product line: Standard | Expert
Operating mode: CLOUD ABO | ON-PREMISES
Modules: Services & CRM, Budget & Phases, Purchases, Resource Planning, Business Intelligence
The Cloud app, the Web App, the Phone App and the Outlook app are Cloud Clients. Here the business logic runs on the server, the user interface is also prepared on the server, and the Cloud Clients only display it and receive the user input. The Vertec Cloud Server is responsible for providing this.
Usually, the Vertec Cloud Server is already installed by Setup. If you want to install the service manually, for example on a different server, proceed as described below. The Vertec Cloud Server is usually installed on the Vertec server machine (the machine on which the Vertec installation directory and the database server are located). It can also be operated on a separate machine as long as that machine has access to the database server. If installed on a separate server, a Vertec program directory must be created manually and the files from the Vertec installation directory must be copied into it; if installed on the Vertec server machine, this directory is already present.
In order for the Vertec Cloud Server to run as a Windows service, it must be registered with Windows. This is done from the command line with the command:
Vertec.CloudServer.exe /install
The service is started via the Services control panel or from the command line:
net start Vertec.CloudServer
You can also run several different Vertec Cloud Server services on one machine. For the exact procedure, see the article on Multiple Cloud Server Instances.
For testing purposes, it may be useful to start the Vertec Cloud Server as a normal application instead of as a Windows service. This can be done by calling Vertec.CloudServer.exe with the command line parameter /noservice:
Vertec.CloudServer.exe /noservice
The connection to the Vertec Cloud Server can be secured via TLS (formerly SSL).
With an encrypted connection, the server is required to identify itself to ensure that the client (Cloud app, Web app, Phone app, and Outlook app) is communicating with the real server. An “identification” for the server is called a certificate and is usually issued by a publicly recognized certificate authority (CA) for a fee.
If Vertec is operated in the Cloud Suite, this is already guaranteed by Vertec.
If you put Vertec on the Internet yourself, follow these steps:
To obtain a certificate, you must be registered with a certificate authority. There you can purchase a certificate for a specific domain and a specific period of time.
In order to have the certificate issued, the following steps are necessary:
Then the certificate must be bound to a port:
In order for the certificate to be used on a specific port, it must be bound to that port. If the Vertec Cloud Server is executed as an administrator, this binding is completed automatically on startup. If something does not work (e.g. because of missing authorization), the Vertec Cloud Server reports an error.
Only if the Vertec Cloud Server is not run under a user with administrator rights (e.g. LocalSystem in the normal case) or a binding error has occurred does the certificate have to be bound manually once. To bind the certificate manually, run the Vertec Cloud Server with the command line parameter /certbind. The Cloud Server then tries to bind the certificate that you specified in the Vertec.ini file to the port specified in the same place. If this fails, the Vertec Cloud Server reports an error.
/certbind and /certunbind use netsh internally. To inspect the certificate bindings, use the command netsh http show sslcert [ipport=]IPaddress:port (see https://docs.microsoft.com/windows/desktop/Http/show-sslcert). Example:
netsh http show sslcert ipport=0.0.0.0:443
Valid only for encrypted operation. As a measure against man-in-the-middle attacks, HSTS support has been built into the Vertec Cloud Server. HSTS can be configured with the setting HSTS Max Age in the Vertec.ini configuration file.
Valid only for encrypted operation. To avoid having to type https:// in the browser address bar, all HTTP requests arriving on the Server port specified in Vertec.ini are redirected to HTTPS requests on the Secure server port.
Windows has a prioritized list of cipher suites that servers and clients on the machine take into account (the cipher suite priority list). This list is updated regularly by Microsoft with Windows updates, but for reasons of backward compatibility it usually still includes cipher suites that are no longer state of the art in terms of security.
Really problematic cipher suites, however, are removed by Microsoft with updates. Normally, relying on the Windows default should suffice.
Encryption uses Microsoft's SSL/TLS system, which in turn uses these cipher suites and updates them with Windows updates. For Windows backward compatibility reasons, cipher combinations are also supported that some SSL testing tools classify as insecure.
For installations with higher security requirements, e.g. to meet the (high) requirements of the usual SSL testing tools, it is possible to define your own priority list of cipher suites. This list then replaces the list maintained by Microsoft and must also be updated by yourself.
Defining your own cipher suite list is done in the Local Group Policy Editor (gpedit.msc).
The connection to the Cloud Server can also be operated unencrypted. However, this is only suitable for operation in the LAN or via VPN.
No certificate is required in unencrypted mode. If no value is set for the setting Secure server port in the Vertec.ini file (the default), the server starts unencrypted.
The Outlook app can only be operated with a genuine certificate.
In order to limit access to the resources of the local Cloud Server host via Cloud Clients, an option to restrict scripting was introduced in version 6.1.0.9 to prevent file access and the import of non-Vertec modules. See Restrict scripting for Cloud Sessions.
For the Cloud Server there is a management console, which runs on port 8082 by default (setting Management Port in the Vertec.ini file). It is called via localhost:8082. The caller must be logged on to the server and the call must be made via localhost. This is not possible from “outside”.
The Management Console looks like this:
Here you can see the idle sessions started in stock (see Process Pool Size in the Vertec.ini file) as well as all currently logged in clients.
The Management Console provides the following options:
The Cloud Server is currently in maintenance mode. Please try again after the maintenance work has been completed.
As of Vertec 6.3, there is an endpoint (URL) for monitoring the Cloud Server, which starts a new session as a test and returns the time required for it.
The endpoint responds to an HTTP GET request for /monitor_session_start and returns the measured response time in milliseconds.
For this to work, it must be turned on in the Vertec.ini file:
[CloudServer]
Monitoring = true
Now, if a monitoring tool calls the URL /monitor_session_start, it receives the start data as follows:
<Tool_http_custom_check>
  <status>OK</status>
  <response_time>2331.38</response_time>
</Tool_http_custom_check>
The response time is in milliseconds. To protect against denial-of-service attacks, a session can be started via this URL only every 10 minutes by default. This interval can also be set in the Vertec.ini file with Monitoring Ban Minutes, e.g. to 15 minutes:
[CloudServer]
Monitoring = True
Monitoring Ban Minutes = 15
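A monitoring-side consumer of this endpoint, as an added example (not Vertec code): it parses the XML body shown above, maps it to a monitoring state using an assumed response-time threshold, and honours the Monitoring Ban Minutes interval so the check itself never polls faster than the server allows.

```python
"""Evaluate a /monitor_session_start response from the Vertec Cloud Server.

Added example, not Vertec code. The sample body is constructed to match
the format documented for the endpoint; the warning threshold and the
'ERROR' status for unparsable bodies are our own conventions.
"""
import xml.etree.ElementTree as ET

# Constructed sample body, in the format the documentation shows.
SAMPLE_RESPONSE = (
    "<Tool_http_custom_check>"
    "<status>OK</status>"
    "<response_time>2331.38</response_time>"
    "</Tool_http_custom_check>"
)


def parse_monitor_response(body):
    """Return {'status': str, 'response_time_ms': float or None}.

    A body that is not well-formed XML, has the wrong root element or
    lacks a numeric response_time yields status 'ERROR' (our convention)."""
    failed = {"status": "ERROR", "response_time_ms": None}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return failed
    if root.tag != "Tool_http_custom_check":
        return failed
    status = (root.findtext("status") or "ERROR").strip()
    try:
        rt_ms = float(root.findtext("response_time"))
    except (TypeError, ValueError):
        rt_ms = None
    return {"status": status, "response_time_ms": rt_ms}


def evaluate(result, warn_ms=5000.0):
    """Map a parsed result to OK, WARNING or CRITICAL for a monitoring tool.
    warn_ms is an assumed threshold; tune it to your installation."""
    if result["status"] != "OK" or result["response_time_ms"] is None:
        return "CRITICAL"
    return "WARNING" if result["response_time_ms"] > warn_ms else "OK"


def may_poll(last_call_ts, now_ts, ban_minutes=10):
    """True once the ban interval (Monitoring Ban Minutes, default 10) has
    elapsed since the last call; timestamps are epoch seconds."""
    if last_call_ts is None:
        return True
    return now_ts - last_call_ts >= ban_minutes * 60
```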
If the Vertec Cloud Server is running as a service on an English Windows Server, the Cloud Clients for Swiss regions may display numbers in the wrong format despite the correct regional setting. The problem can be solved by running the Vertec Cloud Server service under a Windows user instead of the system account: