Best Practices

This topic includes suggestions and best practices regarding ISL Conference Proxy configuration and security.

Whenever you deploy ISL Conference Proxy to a server, no matter if it is a Linux or Windows machine, you should make sure it is as secure as possible.

Some of these steps are quite general (not ICP-specific, not OS-specific), but we listed them anyway for reference:

1. Reduce the possible attack surface, i.e. disable (or even better, uninstall if possible) everything you do not need on the server (ICP does not have any external dependencies such as web server, database etc., so you do not need those roles).
2. Keep the server (OS and installed programs) up to date at all times.
3. Allow access only to ports you need for ICP (check this manual topic for more information) and your access (SSH, RDP), drop/block the rest.
4. Use strong passwords for both the machine itself and for ICP administration login.
5. Add an exception to your antivirus / firewall for ISL Conference Proxy installation folder. Check this guide for default installation directory for different operating systems. 
6. Make sure you have configured the mail server and related settings so that you will receive error reports and notification emails from ICP:
   Configuration -> General -> Outgoing mail server (SMTP)
   Configuration -> General -> SMTP port
   Configuration -> General -> Default e-mail from address
   Configuration -> General -> System e-mail goes to
7. Enable SSL for ICP web pages - check this manual topic for more information.
8. Check the SSL protocols and cipher suite settings (sample values included below) and make sure they match your security and compatibility requirements. Default protocol and cipher suite settings should be a good starting point and in case you have no specific requirements you should leave them at their default values.
   Configuration -> General -> HTTPT SSL protocol: 0x0301-0x10000 
   Configuration -> General -> HTTPT SSL cipher suite: 0x1302 0x1301 0x1303 0xc02c 0xc02b 0xcca9 0xc030 0xc02f 0xcca8 0xc024 0xc023 0xc028 0xc027 0xc00a 0xc009 0xc014 0xc013 0x9d 0x9c 0x3d 0x3c 0x35 0x2f 0xa

Important: Before making any permanent changes to protocol or cipher suite settings we strongly suggest testing all your main use cases to make sure these changes will not break backward compatibility where this is not acceptable. Suggested further reading:

• https://en.wikipedia.org/wiki/Transport_Layer_Security#Applications_and_adoption [wikipedia.org]
• https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations [mozilla.org]

9. By default ICP administration is only possible from localhost - if you plan to access the ICP administration machine via RDP or through an SSH tunnel, you can keep this default setting. If you would like direct access to ICP administration from another machine, make sure you have an SSL certificate on your ICP and you force SSL for administration:
   Configuration -> Security -> Must use SSL for server administration: Yes
   Then you can set the trusted network address(es) and/or subnets that should have access to the ICP administration:
   Configuration -> Security -> Allowed IP addresses for server administration
10. Force SSL for all ICP user web pages, websockets and webapi:
    Configuration -> Security -> Redirect HTTP to HTTPS for all user web pages: Yes
    Configuration -> Security -> Require HTTPS for WebSockets when HTTP to HTTPS redirect is enabled: Yes
    Configuration -> Security -> Require HTTPS for WebAPI when HTTP to HTTPS redirect is enabled: Yes
    Configuration -> Security -> Require HTTPS for WebAPI2 when HTTP to HTTPS redirect is enabled: Yes
11. You might want to generate custom crypto keys (software signatures, client to server, client to client). For more information you can check this guide.

Important: Make sure you read the note on top. All old (already downloaded) programs will fail to connect if you generate new keys! In other words, if you want to do it, do it immediately, before putting the server into production. If you have existing machines with old keys, you will need to remove them from registry - remove the appropriate entry for your server from HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ISL Online\Grid and/or HKEY_CURRENT_USER\SOFTWARE\ISL Online\Grid, then download a new program and run it.

12. Create regular backups using our backup module - check this manual topic for more information on how to setup regular backups for your ISL Conference Proxy
13. Authenticode certificates that are provided by ISL Online have expiration dates. Authenticode certificate is part of .license file for your ISL Conference Proxy. When the expiration date of the currently active codesign certificate on your ISL Conference Proxy server is getting close, you will start receiving emails with "authenticode expiry warning ".
    If you take no action, then the signature past the reported date will no longer be valid for any executable (e.g. ISL Light Client) downloaded from your server, causing security warnings, issues or even blocks by security software when trying to run such executables. 
    In order to prevent such issues and make sure the downloaded executables from your server remain properly signed for you and your users, you should login to your ISL Online account, check that you have valid ESS (if not, purchase ESS), create a new packet, upload the resulting new license file to your server and restart your ISL Conference Proxy to apply it.
    You can check the following manual topic for more information about code signing on ISL Conference Proxy.
13. You can find a list of distinct paths (URLs) that ISL Conference Proxy uses here.