Some security-conscious administrators of ListManager may want to use a stripped-down version of the ListManager Web Server that can be used for action tracking only, not for administrator or discussion forum access. They may then make this web interface available outside their firewall, while having the complete version accessible inside for administrative purposes.
By stripping out these interfaces, the only interaction that an outside user can have is to get responses to tracking-type events, such as clickthroughs, clickstreams, Interest Tracking, and Purchase Tracking.
Check with your sales representative before you create a second webserver; most ListManager licenses are restricted to allowing one webserver to connect to a ListManager instance.
Installing and configuring the secondary Webserver
The secondary (secure) webserver can be run on the same machine as ListManager and the primary (admin) webserver, or set up on another machine. For the secondary webserver to run on the same machine as the primary webserver, each webserver's combination of IP address and port number must be unique. The best practice is to have two IP addresses on the machine and have each webserver bind to one of them. Access to each webserver can then be controlled at the corporate (or even machine) firewall.
Here are the steps for creating the secondary web server.
Secondary Web Server
1. Check with your sales representative before you create a second webserver; most ListManager licenses are restricted to allowing one webserver to connect to a ListManager instance.
2. If installing on a secondary machine, run the ListManager installer on the secondary machine. Provide bogus information for the database configuration, and skip over database creation.
3. Copy the whole tclweb directory structure to a new location (either on the same server or on another server).
4. Edit tclhttpd.rc to specify the IP address and port number for the server. You will need to edit the following entries:
   Config host
   Config https_host
   Config port
   Config ipaddr
   Config https_ipaddr
   Config tclport_ip (IP address of the server hosting ListManager)
5. If the webserver is installed on another server, you will need to specifically allow it to connect in ListManager's GUI security settings. In the left Navigation bar, click Utilities: Administration: Server: Server Settings: Security: GUI Hosts, and add the IP address of the webserver host to the TCLPORT hosts textbox.
Secondary Webserver Service
To install the secondary webserver as a Windows service on the same host as the primary server:
1. Copy tclweb\bin\reg.txt to reg2.txt.
2. In the two places ListManagerWeb appears, replace it with ListManagerWeb2.
3. Fix the directory path in these two variables:
   Application
   AppDirectory
4. Copy tclweb\bin\mksrv.bat to mksrv2.bat.
5. Where ListManagerWeb appears, replace it with ListManagerWeb2.
6. Where reg.txt appears, change it to reg2.txt.
7. Run mksrv2.bat to install the ListManagerWeb2 service, and make sure it runs.
Securing the secondary webserver
1. Open a command prompt.
2. Change directory to ~tclweb/htdocs/css.
3. Remove all files in the css directory except .tclaccess.
4. Change directory to ~tclweb/htdocs, and then remove all subdirectories EXCEPT css, libtml, img, scripts, subscribe, templates and utilities.
5. Change directory to ~tclweb/htdocs/utilities and remove everything except the directory path utilities/debug/logs (needed for web logs) and the file utilities/tclhttpd/notfound.html.
6. Change directory to ~tclweb/htdocs and remove all files with the pattern *.* except home.tcl, .tml and sitemap.tcl.
Following the above steps should leave you with the following in the htdocs directory:
Subdirectories:
css
img
libtml
scripts
subscribe
templates
utilities
Files (these files need to be present for the webserver to function):
.tml
home.tcl
sitemap.tcl
7. Change directory to ~tclweb/htdocs and replace the contents of sitemap.tcl with:
proc get_sitemap_data {} {
    return ""
}
set sitemap_proc get_sitemap_data
*Note: If a browser is pointed to the stripped-down web interface, a "URL not found" page will be displayed.
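To confirm that the stripped-down htdocs directory contains nothing beyond what the steps above keep, a check like the following can be run against it. This is an added example, not part of ListManager; the leftover file and directory names in the sample tree are hypothetical and constructed for the demonstration.

```python
import os
import tempfile

# Allowlist copied from the steps above; paths are relative to htdocs.
KEEP_DIRS = {"css", "img", "libtml", "scripts", "subscribe", "templates", "utilities"}
KEEP_FILES = {".tml", "home.tcl", "sitemap.tcl"}
KEEP_UTIL = {"debug", "debug/logs", "tclhttpd", "tclhttpd/notfound.html"}

def audit_htdocs(htdocs):
    """Return sorted htdocs-relative paths that the procedure says should be gone."""
    extra = []
    for name in os.listdir(htdocs):
        is_dir = os.path.isdir(os.path.join(htdocs, name))
        if name not in (KEEP_DIRS if is_dir else KEEP_FILES):
            extra.append(name + ("/" if is_dir else ""))
    css = os.path.join(htdocs, "css")
    if os.path.isdir(css):
        extra += ["css/" + n for n in os.listdir(css) if n != ".tclaccess"]
    util = os.path.join(htdocs, "utilities")
    for root, dirs, files in os.walk(util):
        for name in list(dirs) + files:
            rel = os.path.relpath(os.path.join(root, name), util).replace(os.sep, "/")
            if rel in KEEP_UTIL or rel.startswith("debug/logs/"):
                continue  # kept by step 5 (web logs and notfound.html)
            is_dir = name in dirs
            extra.append("utilities/" + rel + ("/" if is_dir else ""))
            if is_dir:
                dirs.remove(name)  # report the directory once, skip its contents
    return sorted(extra)

def build_sample(root):
    """Constructed sample tree: a stripped htdocs plus four leftovers."""
    files = ["home.tcl", ".tml", "sitemap.tcl", "css/.tclaccess",
             "utilities/tclhttpd/notfound.html", "utilities/debug/logs/web.log",
             # leftovers (hypothetical names)
             "login.tml", "css/site.css", "utilities/admin/tool.tml"]
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    os.makedirs(os.path.join(root, "reports"))  # hypothetical leftover directory
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path in audit_htdocs(build_sample(tmp)):
            print("unexpected:", path)
```

An empty result means the directory matches the listing above; the check does not look at the contents of sitemap.tcl.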
Once you've created a stripped-down web interface, you will need to redirect users to use this secure webserver instead of your administration web server. In the administrative web interface, go to Utilities: Administration: Sites: Edit Site: Essentials and add the URL for the secure webserver to URL to Web Interface. All future clickthroughs will be sent through that webserver.
Additional steps can be taken to lock down privileges in a manner that can be used in conjunction with the above steps, or instead of those steps.
ListManager allows you to lock down the IP addresses of users who are allowed to log in as certain roles. In the Server settings, you can go to Utilities: Administration: Server: Server Settings: Security: Web, and provide IP addresses and IP address ranges for allowing logins. Typically, you might have the following entries:
10.0.0.0-10.255.255.255
127.0.0.1
which would allow you to access the interface from the internal network only, and from the machine hosting the web server. You need to adjust the ranges for your network, and you can add IP addresses for people outside your network to log in as administrators as well.
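Before saving a list of allowed addresses, it helps to confirm that every administrator workstation falls inside it, so that nobody is locked out. The following added example (not part of ListManager) parses entries in the form shown above and reports which client addresses would be refused; it assumes one entry per line and inclusive start-end ranges, and the client addresses are constructed.

```python
import ipaddress

# Entries in the form shown above, one per line.
SAMPLE_ENTRIES = """10.0.0.0-10.255.255.255
127.0.0.1"""

def parse_entries(text):
    """Parse lines holding a single IPv4 address or 'start-end'; return (start, end) pairs."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        start_s, sep, end_s = line.partition("-")
        try:
            start = ipaddress.IPv4Address(start_s.strip())
            end = ipaddress.IPv4Address(end_s.strip()) if sep else start
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"line {lineno}: {line!r} is not a valid address or range") from exc
        if start > end:
            raise ValueError(f"line {lineno}: range start is above range end")
        ranges.append((start, end))
    return ranges

def locked_out(text, clients):
    """Return the client addresses that no entry in text admits."""
    ranges = parse_entries(text)
    return [c for c in clients
            if not any(lo <= ipaddress.IPv4Address(c) <= hi for lo, hi in ranges)]

if __name__ == "__main__":
    # Constructed administrator workstation addresses.
    admins = ["10.20.30.40", "127.0.0.1", "192.168.1.5", "172.16.0.9"]
    print("would be refused:", locked_out(SAMPLE_ENTRIES, admins))
```

With the sample entries, hosts on 192.168.x.x or 172.16.x.x networks are refused, which is why the ranges need adjusting to the local network.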