Hello everyone.
We have installed LF on Azure.
Are there any special requirements or considerations for configuring the public portal on Azure?
Hi Chris,
Nothing Laserfiche/Azure specific for Forms Portal. I've uploaded a "Guidance for Laserfiche Deployments on Microsoft Azure" white paper you may find some generally useful info in.
The only specific note I'll make is that if you put Forms behind Azure WAF (via Azure Application Gateway or Front Door or Azure Firewall) be aware that you will almost certainly need to do some WAF tuning when using the default ruleset. Start out with the WAF in "detect mode" so it logs any rules that trip but doesn't block the traffic. Then test your processes and check the WAF logs. There are usually at least a few false positives for legitimate Forms traffic you'll need to put in exceptions for. This is true for putting Forms behind any WAF but thought I'd mention it here.
All other standard good system design and security practices applicable to any self-hosted Laserfiche system apply in Azure too.
Hi Samuel,
Is there any newer Azure Forms and Forms Portal reference material that Laserfiche can provide - specifically as regards Azure Front Door and Application Gateway etc? In particular I'm looking for any recommended set-up guide/diagram for Forms Portal in Azure using tools that would replace any need for a separate DMZ.
Alternatively - if a DMZ approach is still the preferred / best known method for Forms Portal in Azure, please let me know.
Thanks,
Duncan
What kind of guidance are you looking for? I recommend reverse proxies over DMZs for enabling public access to Forms in almost all circumstances.
For a Forms Portal setup, you're looking at a standard https:443 reverse proxy config. End to end TLS is strictly required. That means an https:443 frontend listener and an https:443 backend target (not http:80). The Microsoft docs cover that. See: Enabling end to end TLS on Azure Application Gateway and TLS encryption - Azure Front Door. Pay attention to the backend certificate requirements.
You need to configure the Forms instance to have the same Forms Host URL as the AppGw/Front Door listener. E.g., if users will connect to https://external.example.com/Forms/, that's what needs to go into the config. The TLS cert on the backend server needs to cover that name and ideally the actual server FQDN in its SAN field (avoids issues with other apps you might be running on the server). If the certificate is from a private certificate authority, you'll need to upload the public root certificate to the AppGw so it can validate the certificate chain.
Use path-based routing rules to restrict traffic. They pattern match in order, so you need to do something like:
# Routing rules processed in sequential order until match found
# block /FormsConfig access - must be first to take priority over /Forms* rule
1. if (host = external.example.com & path = /FormsConfig*) {return 404}
# allow /Forms traffic
2. if (host = external.example.com & path = /Forms*) {route to $webServerBackend}
# allow login page access if necessary (isn't for Forms Portal)
3. if (host = external.example.com & path = /LFDSSTS/*) {route to $webServerBackend}
# default/fallback rule
4. else {return 404}
Aside from those routing rules and the TLS certificate bits, nothing special about it.
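The ordering point in the rules above is easy to get wrong in a gateway console, so here is a small first-match simulator, written for this thread as an added example (not code from the post, Laserfiche, or Microsoft). It evaluates the four rules in the order given, shows what happens if the /FormsConfig block is placed after the /Forms* allow, and includes a check that flags any block rule shadowed by an earlier, broader route rule. Assumptions are labelled in comments: glob-style `*` matching as written in the rules, case-insensitive host and path comparison, and the placeholder backend name.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple
from urllib.parse import urlsplit

BACKEND = "route:webServerBackend"  # stands in for $webServerBackend in the rules above
BLOCK = "404"


@dataclass(frozen=True)
class Rule:
    host: str
    path_pattern: str  # glob as written in the rules, e.g. "/Forms*"
    action: str

    def matches(self, host: str, path: str) -> bool:
        # Assumption: host and path compared case-insensitively (IIS paths are
        # case-insensitive; confirm the behaviour of the gateway you actually use).
        return host.lower() == self.host.lower() and fnmatchcase(
            path.lower(), self.path_pattern.lower()
        )


# Rules 1-3 from the answer, in the order given; rule 4 is the default below.
RULES: List[Rule] = [
    Rule("external.example.com", "/FormsConfig*", BLOCK),
    Rule("external.example.com", "/Forms*", BACKEND),
    Rule("external.example.com", "/LFDSSTS/*", BACKEND),
]

# The same rules with the block placed after the allow: a common misconfiguration.
MISORDERED: List[Rule] = [RULES[1], RULES[0], RULES[2]]


def route(rules: List[Rule], url: str, default: str = BLOCK) -> str:
    """First-match evaluation, as a gateway processes ordered path-based rules."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"  # query string is not part of path matching
    for rule in rules:
        if rule.matches(host, path):
            return rule.action
    return default  # rule 4: fallback 404


def shadowed_blocks(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Return (block_rule, earlier_route_rule) pairs where the block never fires."""
    found = []
    for i, rule in enumerate(rules):
        if rule.action != BLOCK:
            continue
        probe = rule.path_pattern.rstrip("*") or "/"  # a path the block intends to cover
        for earlier in rules[:i]:
            if earlier.action != BLOCK and earlier.matches(rule.host, probe):
                found.append((rule, earlier))
    return found


if __name__ == "__main__":
    for url in (
        "https://external.example.com/Forms/login",
        "https://external.example.com/FormsConfig/",
        "https://external.example.com/LFDSSTS/Login.aspx",
        "https://external.example.com/",
    ):
        print(f"{url:55} correct={route(RULES, url):24} misordered={route(MISORDERED, url)}")
    print("shadowed block rules (correct order):", shadowed_blocks(RULES))
    print("shadowed block rules (misordered):   ", shadowed_blocks(MISORDERED))
```

Run it and the /FormsConfig/ line shows the difference: the correct order returns 404, the misordered list routes the request to the backend, and `shadowed_blocks` reports the /FormsConfig* rule as shadowed by /Forms*. Running the same check against an exported rule list is a cheap pre-deployment test for the ordering mistake the answer warns about.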
Thanks Samuel - much appreciated.