Documentation and help portal

regify provider technical information

Technical prerequisites

Running a regify provider requires the same capabilities that are needed to operate a public web server. This includes provisions to ensure availability and security.

In order to install a regify provider, the following prerequisites must be in place:

  1. Hosting and installation
    We deliver the regify-provider as a ready-to-go software appliance based on a hardened Linux system. It includes the Apache web server, PHP, a MySQL or MariaDB database and all tools and programs needed to run and administrate the regify-provider.
    We provide an ISO image to install and set up the system in virtualized environments. See the following page for an up-to-date reference of the key features:
    http://wiki.regify.com/index.php?title=Provider_appliance
    We do not support installation on custom operating systems (neither Linux nor Windows).

  2. Space and hardware requirements
    The power needed by your hardware/virtual machines depends heavily on the expected load. A single regify-provider on a light, up-to-date machine handles a few thousand users without problems. The system scales well and grows with your needs. Please refer to the following page for more information about the virtual hardware requirements: http://wiki.regify.com/index.php?title=Hardware

  3. Connectivity

    1. Available ports from the internet to your server (incoming)

      • 80, 443 for HTTP and HTTPS

      • 22 (for SSH, only from internal network – secured by built-in firewall)

    2. Availability for outgoing connections

      • Ideally, there are no restrictions.

      • At a minimum, the system needs:

        • HTTP(S) access. Proxy servers are supported.

        • DNS (UDP port 53)

        • SMTP / TLS (not needed if you are using a separate SMTP smarthost)

        • NTP (it is possible to use an internal NTP server)

  4. E-Mail account to send messages from your regify-provider

    1. In order to send messages, the portal acts as its own MTA. In this case, a reverse DNS entry is required for the sending domain. SPF records may be required too, depending on your existing setup.

    2. Alternatively, the portal can use an existing SMTP mail server (relay) as a smarthost. It does not support SMTP authentication for this, so the relay must be an in-house server that accepts mail from the appliance without authentication.

  5. Internet connection

    1. Internet connection with at least 2 Mbit/s upstream.

    2. At least one fixed public internet IP address.

    3. The administrator needs control over the firewall in use.

  6. Domain

    1. A suitable domain like regify.providername.com, including DNS and reverse DNS entries.

    2. Optional SPF entries (not needed if you are using an existing e-mail server as relay smarthost).

    3. SSL certificate

      • Do not use a self-signed certificate. Instead, please use the regify provider software appliance functionality to generate a certificate request (via SSH access).

      • The software appliance can generate a certificate and the corresponding certificate signing request out of the box.

      • When having the certificate signed, please ensure it is compatible with Apache mod_ssl.

      • Wildcard certificates are also usable and can be imported into the appliance.

      • Multi-domain certificates are not supported. Please use single-domain certificates or wildcard certificates only.

  7. Corporate identity (logo and design)

    1. In order to be able to adapt the e-mail templates and the appearance of your regify provider according to your corporate identity, you must be familiar with some HTML and CSS.

  8. Terms and Conditions

    1. The regify provider appliance delivers a template for terms and conditions in English, German and French. It covers the cases for the regify products. These are templates only, and you have to verify their usability and applicability for your specific environment and business model. Please contact us if you want to receive the templates in advance.

Solution architecture

[image: solution architecture diagram]

These are the key attributes of the regify Provider Software Appliance:

  1. Software appliance, based on a special Linux version (comes as an ISO image).

  2. Hardened for 24/7 internet availability and security

    1. Built-in firewall blocking all unused ports.

    2. Application based intrusion detection system (IDS) to be a second firewall against various attacks (XSS, SQL injection, header injection, Directory traversal, Remote File Execution, Local File Inclusion, DoS).

    3. All unused services, users and groups are stopped or removed.

    4. Continuously updated by "check for updates" function including all operating system and application components (Kernel, Apache, Database, OpenSSL etc).

    5. Appliance management is only available by SSH from internal IP address range or (optional) from dedicated external IP addresses.

  3. Supports database replication (Master-Slave, Cross-Master) for full redundancy and high availability setups.

  4. Offers easy SSL certificate generation and usage (menu guided).

  5. Fully supports all Subprovider features (handles multiple IP addresses, customizations etc).

  6. Included database (MariaDB, with MySQL as an alternative).

  7. Included Apache Webserver with PHP environment.

  8. Included MTA (Mail Transfer Agent), which is also usable as a relay to a company smarthost.

  9. Automatic time-synchronisation using NTP.

  10. Fully supports NAGIOS monitoring (more information below on this page).

  11. Supports external loadbalancers and SSL offloading.

  12. Can use any network SMB share for regibox storage (optional).

  13. Allows easy and automatic updates.

Setup process

The setup process is illustrated below (read from left to right):

[image: setup process, read from left to right]

The second step, "preparing prerequisites", makes sure that the regify software can be installed; see the "Technical prerequisites" chapter for details. Please use the installation check-list below to make sure that everything is in place. The timeline for setting up the solution is usually determined by the processes on the regify-provider's side and by the time required to set up the infrastructure (VM host, firewalls, routing, network).

regify informs the regify clearing immediately after the contract is signed. The clearing organisation needs to know the public IP address from which the regify-provider software appliance will contact it. The regify-provider then receives a regimail with the clearing ID and clearing password needed by the appliance setup process.

The installation can be done by the technical staff of the upcoming regify-provider, assisted remotely by regify staff. In addition, the new provider's system administrator(s) receive a short introduction to provider administration.

Please note that the regify-provider's technical contact must be a senior IT person. The installation will not be easy for someone without good knowledge of networking and servers.

If you want the installation and the initial training to take place on your premises, please contact regify sales for an offer of on-site installation support by one of our technicians.

FAQ

When asked to install a regify-provider, some questions may come up. Please find these questions addressed as follows:

Q: Can we use other operating systems, webservers, database-servers?

A: No. We only support the regify provider software appliance. The software is not delivered in separate parts.

Q: What kind of SSL certificate do I need for regify?

A: We recommend a separate single-domain certificate or a wildcard certificate for the appliance. Multi-domain certificates are not supported. We recommend creating the single-domain certificate request directly in the regify provider appliance. While ordering, please check Apache compatibility.

Please ensure that your SSL certificate is also usable on mobile devices.

Q: What do I need for backup?

A: If you can make backups of your virtual host while it is in operation, this is the optimal solution. If not, we recommend at least one daily backup of the system database and provider software using the built-in backup mechanism. It supports SMB storage and several intervals and storage options.

Q: Do we need to buy additional software licenses?

A: In the default configuration, the simple answer is no. The regify provider software appliance runs on a free Linux system using open-source components and uses the MariaDB Community version (recommended) or alternatively MySQL. The regify-provider software is provided by regify and included in your contract.

Q: Which ports and protocols are used in the regify system?

A: The following ports and protocols are used:

  • The connection between the regify clients and the regify-provider only uses standard port 443 with HTTPS protocol.

  • Web users reach the regify-provider on ports 80 (HTTP) and 443 (HTTPS).

  • The clearing connection only uses port 443. The clearing communication is always initiated by the regify provider.

  • The provider software appliance supports proxy servers for outgoing HTTP(S) communication. They are used for updates and some setup-dependent features.

  • The provider software appliance needs to make NTP and DNS requests.

Q: Does the software appliance support VLAN, interface bonding, proxy servers?

A: Yes, the appliance supports these techniques.

Q: Can I monitor the software with monitoring tools?

A: Yes, the system provides a special HTTP call, which can be used by common monitoring software. Upon complete loss of all clearing connections, the provider will change into maintenance mode automatically (customers will see "We are maintaining the system, please try again later"). Optionally, you can call a URL in case of automatic maintenance (for example, for sending an SMS to the administrators).

The system automatically reactivates itself as soon as at least one clearing-connection is available.

The regify provider software appliance also offers NAGIOS support by already providing the NAGIOS agent software.

Q: Are we allowed to add additional Linux users on the regify provider?

A: No, as additional Linux users may affect security of the system. Please use the two users provided by the appliance (root and regify).

Q: Are we allowed to install additional Linux components on the regify provider?

A: No. We do not allow you to activate rpm repositories other than the regify ones, and you are not allowed to install other software on the appliance.

The only exception is software needed for your virtualization environment or monitoring.

By doing this, you accept the following licence agreement for installing such software:

Installation of driver software and programs in the context of virtualisation technologies

regify provides support for customers who use the regify provider software appliance or the regigate software appliance on virtual servers (e.g. on VMWare or Microsoft Virtual PC) according to the maintenance agreement and in line with commercial practice. As virtualisation technologies emulate functions of physical computers, regify assumes that regify products work in virtual environments as they do in physical environments. Therefore, provisioning of the regify support is based on the assumption that a potential problem or error that is observed in a virtual environment can be replicated in a physical one.

A regify customer may install other software on a regify appliance if such software is critical for the operation of the virtual environment. The existing maintenance agreement between customer and regify also applies for such virtual setups. However, problems or errors that only occur on virtual systems or in combination with software that was installed by the customer are not covered by the maintenance agreement. In such cases, regify reserves the right to charge the customer for time and effort. Moreover, regify does not assume any liability for system failure or loss of data.

Installation check-list

In order to install and set up a regify provider appliance, you need to prepare the environment. The regify support team can help you answer open questions, but we cannot set up your environment for you.

Please clarify and prepare all positions before the installation date! Each position (Pos) below lists the prerequisites and a status box.

Pos 1: Prepare virtual machine(s)

  • Only regimail: 2 CPU cores, 4 GB RAM, 50 GB hard drive

  • Other regify products: 4 CPU cores, 8 GB RAM, 300 GB hard drive

  • If you want to offer regibox, prepare an SMB share

Status: ▢ Done

Pos 2: Prepare networking

  • Public IP address for the provider (and sub-providers, if applicable)

  • If it is installed inside a DMZ:

    • Route all incoming traffic on ports 80 and 443

    • Allow outgoing traffic on all ports to all destinations

  • By default, the appliance allows SSH access only from the local network range. From the appliance menu you can restrict SSH access to single IP addresses, IP ranges or subnets.

Status: ▢ Done

Pos 3: Do you need a proxy server to access the internet?

  • If your regify appliance will not be able to connect to the internet through the gateway, please prepare all information needed for using a proxy server.

  • Please note that the regify provider appliance only supports proxy servers that require neither authentication nor PAC files.

Status: ▢ Done

Pos 4: Send regify the outgoing IP address that will be used for internet access. The regify clearing service needs to white-list the IP address you are coming from, and the sooner we know it, the better.

Status: ▢ Done

Pos 5: Prepare your domain(s), like regify.yourCompany.com.

Please note that this cannot be changed later without every customer having to reset their regify client software. We suggest not naming a specific product in the domain, as you may want to offer other regify products on the same system later.

Status: ▢ Done

Pos 6: Prepare DNS for your domain(s) (see Pos 5)

  • DNS A record for normal internet access

  • Reverse DNS for the public IP address, if your regify provider appliance is also acting as an MTA (the default; not needed if you can use an existing smarthost).

Status: ▢ Done
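The DNS prerequisites from sections 4 and 6 above and from this position can be verified before the installation date. The following is an added example (not part of the regify documentation or the appliance) that checks the A record, the reverse DNS entry and an optional SPF record for a provider domain; the domain, addresses and zone data are constructed for the demo, and the three resolver callables can be replaced by a live DNS library for a real check.

```python
import ipaddress


def _spf_allows(spf, public_ip):
    """True if the SPF record's ip4:/ip6: mechanisms cover public_ip
    (a/mx/include terms would need further lookups and are not evaluated)."""
    ip = ipaddress.ip_address(public_ip)
    for term in spf.split()[1:]:                     # skip the "v=spf1" tag
        term = term.lstrip("+")                      # "+ip4:x" equals "ip4:x"
        if term.startswith(("ip4:", "ip6:")) and ip in ipaddress.ip_network(
                term.split(":", 1)[1], strict=False):
            return True
    return False


def check_provider_dns(domain, public_ip, resolve_a, resolve_ptr, resolve_txt,
                       acts_as_mta=True):
    """Return a list of findings; an empty list means the prerequisites hold.
    resolve_a(name) -> list of IPs, resolve_ptr(ip) -> hostname or None,
    resolve_txt(name) -> list of TXT strings. acts_as_mta=False models the
    smarthost setup, where reverse DNS and SPF are not required."""
    findings = []
    a_records = resolve_a(domain)
    if public_ip not in a_records:
        findings.append(f"A record for {domain} does not point to {public_ip} "
                        f"(got {a_records or 'none'})")
    if acts_as_mta:
        ptr = resolve_ptr(public_ip)
        if ptr is None:
            findings.append(f"no reverse DNS (PTR) for {public_ip}, required when the appliance is its own MTA")
        elif ptr.rstrip(".").lower() != domain.lower():
            findings.append(f"PTR for {public_ip} is {ptr}, expected {domain}")
        spf = [t for t in resolve_txt(domain) if t.lower().startswith("v=spf1")]
        if len(spf) > 1:
            findings.append("more than one SPF record published (receivers treat this as a permanent error)")
        elif spf and not _spf_allows(spf[0], public_ip):
            findings.append(f"SPF record does not authorise {public_ip}: {spf[0]}")
    return findings


# Constructed sample zone (documentation addresses, not real regify infrastructure).
SAMPLE_ZONE = {
    "A": {"regify.example-provider.com": ["203.0.113.10"]},
    "PTR": {"203.0.113.10": "regify.example-provider.com."},
    "TXT": {"regify.example-provider.com": ["v=spf1 ip4:203.0.113.0/24 -all"]},
}


def zone_resolvers(zone):
    """Three resolver callables (A, PTR, TXT) backed by a dict like SAMPLE_ZONE."""
    return (lambda n: zone["A"].get(n, []), lambda ip: zone["PTR"].get(ip),
            lambda n: zone["TXT"].get(n, []))
```

Running `check_provider_dns("regify.example-provider.com", "203.0.113.10", *zone_resolvers(SAMPLE_ZONE))` returns an empty list for the sample zone; remove the PTR entry and the call reports the missing reverse DNS that the MTA setup requires.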

Pos 7: Prepare the ISO image. Upon request, the regify technical support will send you the credentials for downloading the regify provider appliance ISO image. After downloading, you have to attach it to the virtual machine and temporarily allow booting from it.

Status: ▢ Done

IP addresses and routing information

Please note your planned or created setup here to make sure that there is no confusion and everybody knows the details.

At least if you run the system inside a DMZ with NAT or routing, the following table helps you keep track of the values.

(Sub)Provider | Domain | Public IP [1] | Internal IP (if in DMZ)

(one row per (sub)provider, to be filled in)

[1] Every sub-provider needs its own public IP address!