This article offers recommendations for the external web service that schools or districts deploy when they integrate their user database with School Loop using Directory Services.
Refer to the sections below for recommendations on each topic:
Deploy a DMZ (Demilitarized Zone), keep the Directory Services server in a secure zone, and carry all School Loop communication with the user web service over SSL (Secure Sockets Layer).
To do this, create a Keystore (if one does not already exist) on the User Web Service server. Optionally, you can also secure the communication between the web server and the Directory Services server over SSL by creating a Truststore.
For optimum security, the web server firewall should allow incoming traffic to the web service's IP address and port only when the traffic originates from School Loop (the School Loop IP address is listed in the documentation sent to district network engineers).
If you are using SSL to communicate between your web server and your AD server, make sure your web server can reach your AD server on port 636.
Redundancy and Restarting
Redundancy: It is highly recommended that an alternate web service be installed on an additional server (or servers) so that if one web server is down for maintenance or due to failure, your users' login authentication will not be interrupted.
School Loop’s Directory Services configuration allows any number of web-services to be running simultaneously, and will automatically try successive servers in case of connection failure.
Restarting: To prevent interruption of user authentication, School Loop recommends that the web service start command (the 'run' bat file) be set up to run automatically on restart. This can be accomplished by adding the run command to the list of scheduled tasks.
In Windows, follow these steps to configure it:
- Go to Start > Programs > Accessories > System Tools > Scheduled Tasks.
- Add the run command to the "When my computer starts" scheduled task.
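The three recommendations above (restricting the firewall to School Loop's address, confirming the AD server is reachable on port 636, and starting the web service at boot) as a single added PowerShell checklist; this is example code written for this article, not School Loop's own tooling, and the IP address, port, server name and batch-file path are placeholders to replace with your deployment's values.

```powershell
# Added example (not School Loop's own code). Run from an elevated PowerShell
# prompt on the user web service host. All values below are placeholders.
$SchoolLoopIp = '203.0.113.10'               # placeholder: School Loop source IP from the district documentation
$WebSvcPort   = 8443                         # placeholder: port the user web service listens on
$AdServer     = 'dc01.district.local'        # placeholder: Directory Services (AD) server
$RunBat       = 'C:\UserWebService\run.bat'  # placeholder: the web service's 'run' bat file

# 1. Firewall: allow the web service port only when traffic comes from School Loop.
#    Remove any earlier rule of the same name so the script can be re-run safely.
Get-NetFirewallRule -DisplayName 'School Loop User Web Service' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'School Loop User Web Service' `
    -Direction Inbound -Protocol TCP -LocalPort $WebSvcPort `
    -RemoteAddress $SchoolLoopIp -Action Allow -Profile Any | Out-Null

# 2. Confirm the web server can reach the AD server on TCP 636 before turning on SSL
#    to Directory Services; a failure here points at the firewall between the DMZ
#    and the secure zone, not at the Keystore/Truststore configuration.
$ldaps = Test-NetConnection -ComputerName $AdServer -Port 636 -WarningAction SilentlyContinue
if (-not $ldaps.TcpTestSucceeded) {
    throw "Cannot reach $AdServer on TCP 636; check the firewall between the DMZ and the secure zone."
}

# 3. Restarting: register the run command as a scheduled task that starts with the
#    computer, so authentication resumes after a reboot without an interactive logon.
#    SYSTEM is used here for simplicity; prefer a dedicated low-privilege service
#    account (/RU account /RP password) where your environment allows it.
schtasks.exe /Create /F /TN 'School Loop User Web Service' /SC ONSTART /RU 'SYSTEM' /TR "`"$RunBat`""
```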