One HUB Install Guide
This document covers the installation and configuration of the ONE Hub Windows service. This service allows the ONE platform to securely read and write data to on-premises systems.
- A physical or virtualized Windows server installation
- Windows Server 2012 or later
- .NET Framework 4.7.1 (full Installation)
- A CPU with at least two cores
- 4 GB RAM
- 10 GB free disk space
The ONE Hub configuration settings and user credentials are stored in an encrypted SQL database. This requires a SQL Server instance (2008 or higher).
There are three connectivity modes for the Hub to connect to the ONE Cloud Platform.
- TCP Relay mode (Preferred): This mode provides the best performance but is not compatible with a web proxy configuration.
- HTTP Relay mode (uses Web sockets): This mode is required in organizations that use web proxies to connect to the Internet.
- HTTPS Queue mode: This mode should only be used when the previous two modes have failed in successfully connecting to the ONE Cloud platform. This mode is the least performant and is discouraged.
- West US (California)
- West Europe (Netherlands)
The ONE Hub service requires connectivity to the given backend systems it is expected to access.
This requires that customers use a dedicated Azure Service Bus namespace for each of their production Hub installations. This ensures that all of an organization's traffic is segregated, private and secured when communicating with the ONE cloud infrastructure. Your organization has two options in acquiring a dedicated Service Bus namespace.
This option provides the most control for organizations that already have an existing Azure subscription. To learn how to create and manage an Azure Service Bus namespace, see the following documentation.
It is recommended to select the location that is geographically closest to the customer's ONE Hub instance.
Shared Access Policy
The shared access policy required by the ONE Hub needs only the Send and Listen rights. Limeade recommends not granting Manage rights on the Service Bus access policy.
For organizations that do not have an existing Azure subscription or do not want the responsibility of managing their own Service Bus namespace, Limeade is happy to create and manage this for your organization. Just consult your customer success manager for details.
If your organization uses a web proxy for Internet access, a proxy configuration is required.
The proxy must be configured manually in the Hub's config file. By default, the config file is located at C:\Program Files\Sitrion\Sitrion ONE Service\Sitrion.One.Hub.Service.exe.config. It is a standard .NET application configuration file; configuring a proxy in such a file is covered in this article. A sample configuration is supplied in the installed configuration file.
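As an added example (not part of the Sitrion/Limeade installer or its sample file), the following PowerShell script inserts a standard .NET `<system.net><defaultProxy>` element into the Hub's .exe.config. The proxy address is a placeholder, the config path is the default given above, and the script assumes the service account can authenticate to the proxy with its Windows credentials, so no proxy password has to be stored in the file.

```powershell
# Added example: write a .NET defaultProxy section into the Hub's exe.config.
# $ConfigPath is the default install path from the guide; $ProxyAddress is a placeholder.
function Set-HubProxyConfig {
    param(
        [string]$ConfigPath   = 'C:\Program Files\Sitrion\Sitrion ONE Service\Sitrion.One.Hub.Service.exe.config',
        [string]$ProxyAddress = 'http://proxy.example.local:8080'   # placeholder, replace with your proxy
    )

    [xml]$config = Get-Content -LiteralPath $ConfigPath -Raw

    # Keep a timestamped backup before touching the file.
    $backup = '{0}.{1:yyyyMMddHHmmss}.bak' -f $ConfigPath, (Get-Date)
    Copy-Item -LiteralPath $ConfigPath -Destination $backup

    $root = $config.DocumentElement                      # <configuration>
    $systemNet = $root.SelectSingleNode('system.net')
    if (-not $systemNet) {
        $systemNet = $root.AppendChild($config.CreateElement('system.net'))
    }

    # Remove any existing defaultProxy so re-running the script is idempotent.
    $old = $systemNet.SelectSingleNode('defaultProxy')
    if ($old) { [void]$systemNet.RemoveChild($old) }

    $defaultProxy = $systemNet.AppendChild($config.CreateElement('defaultProxy'))
    $defaultProxy.SetAttribute('enabled', 'true')
    # useDefaultCredentials=true lets the service account authenticate to the proxy
    # with its Windows identity instead of a password stored in clear text here.
    $defaultProxy.SetAttribute('useDefaultCredentials', 'true')

    $proxyElem = $defaultProxy.AppendChild($config.CreateElement('proxy'))
    $proxyElem.SetAttribute('proxyaddress', $ProxyAddress)
    $proxyElem.SetAttribute('bypassonlocal', 'true')   # keep local (e.g. SQL) traffic off the proxy

    $config.Save($ConfigPath)
    return $defaultProxy.OuterXml                        # the fragment that was written
}

# Run from an elevated prompt, then restart the Hub service for the change to take effect.
Set-HubProxyConfig -ProxyAddress 'http://proxy.example.local:8080'
```

The script returns the XML fragment it wrote so the change can be reviewed; restart the Hub service afterwards, as a .NET service only reads its configuration file at start-up.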
After starting the installation file, the user will be presented with a welcome screen. Click Next to continue.
Choose the folder for the Hub Service to be installed in. Click Next to continue.
The Hub requires an encryption certificate to keep confidential information stored in the Hub secure. The certificate used for encryption is identified by its thumbprint. Once you know the certificate's thumbprint, enter it in the Certificate Thumbprint field. Either a self-signed certificate or a domain certificate can be used, whichever is preferred.
The account that the Hub runs under needs permission to access the private key of the certificate you specify. Here are instructions for modifying the private key permissions:
Self-signed certificates can be generated easily using PowerShell 4.0, which can be downloaded here:
In an elevated PowerShell window, once PowerShell 4.0 is installed, use this command to generate a self-signed certificate and print the thumbprint needed by the installer:
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=HubConfigEncryption" -FriendlyName "Encryption Certificate for Hub Config Settings" -NotAfter (Get-Date "2039-12-31") -KeyLength 2048 -KeySpec KeyExchange
$cert.Thumbprint
Note: the instructions above apply to Windows 10 or Windows 8.1.
For Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 or Windows Server 2012 R2 please refer to: https://technet.microsoft.com/en-ca/library/cc753127(v=ws.10).aspx
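The guide says the service account needs access to the certificate's private key but does not show how to grant it. The following PowerShell function is an added example (not Limeade's own instructions) that grants an account Read access to the key file behind a certificate in the machine store. It assumes the certificate is in Cert:\LocalMachine\My and that keys live under the standard %ProgramData%\Microsoft\Crypto folders; the thumbprint and account name are placeholders. It handles both the legacy CSP keys produced by the -KeySpec KeyExchange command above and CNG keys.

```powershell
# Added example: grant a service account Read access to a certificate's private key file.
# Thumbprint and account are placeholders; run from an elevated PowerShell window.
function Grant-HubCertificateKeyAccess {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Account   # e.g. 'CONTOSO\svc-onehub' or 'NT AUTHORITY\NETWORK SERVICE'
    )

    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in the machine store" }

    # Find the key container's unique file name. CSP keys (what -KeySpec KeyExchange creates)
    # expose it through PrivateKey; CNG keys must be opened through the RSACng wrapper.
    $keyName = $null
    try {
        if ($cert.PrivateKey) {
            $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        }
    } catch { }   # PrivateKey throws for CNG keys on .NET Framework; fall through
    if (-not $keyName) {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $keyName = $rsa.Key.UniqueName
    }

    # CSP keys live under Crypto\RSA\MachineKeys, CNG keys under Crypto\Keys; search both.
    $keyPath = Get-ChildItem -Path (Join-Path $env:ProgramData 'Microsoft\Crypto') -Recurse -File -Filter $keyName -ErrorAction SilentlyContinue |
        Select-Object -First 1 -ExpandProperty FullName
    if (-not $keyPath) { throw "Key file '$keyName' not found under $env:ProgramData\Microsoft\Crypto" }

    # Read is all the service needs in order to use the key; do not grant FullControl.
    $acl  = Get-Acl -LiteralPath $keyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyPath -AclObject $acl

    # Return the effective entries for the account so the change can be reviewed or logged.
    return (Get-Acl -LiteralPath $keyPath).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

Grant-HubCertificateKeyAccess -Thumbprint 'REPLACE_WITH_THUMBPRINT' -Account 'CONTOSO\svc-onehub'
```

If the service later runs as a different account (see the Log On tab in the Services console), re-run the function for the new account; the old account's entry can be removed from the same file's ACL.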
Click Next to continue.
Configure the account the Windows service runs under. If unchanged, the service is installed under the Local System account on the machine.
Note: If you choose a custom user, make sure that the user has the appropriate rights to run a Windows service.
Click Next to continue.
The Hub requires a SQL Server database. On this screen you connect to a SQL Server instance, configure the SQL user, and create the SQL Server database.
- When reinstalling the Hub during an upgrade, uncheck the "Check to create database / uncheck to update" checkbox. If you forget to uncheck it, no user data will be lost.
- To have the installer create the database, make sure that the user running the install has permission to create databases on the specified SQL Server.
Click Next to continue.
The Company Id and Shared Key are the identifiers of a tenant. The Company Id can be retrieved on .
The environment name should, by default, target https://one.sitrion.com.
US Connection Settings:
Configure the datacenter the Hub should connect to and provide all information (namespace, key name and access key) for the private Service Bus namespace. See for more details.
Limeade recommends that the TCP/IP Service Bus relay mode be used. If this mode does not work, please consult with Limeade before using the other protocols, as they have performance constraints that may affect the end users' experience. More information can be found in the Connectivity section of the prerequisites.
Click Install to start the installation of the Hub Service on the machine.
The Hub Service is now installed and the Windows service has automatically been started on the machine.
Note: To check if the Windows service has been started, go to Start > Control Panel > Administrative Tools > Services.
Click Finish to exit the setup.
To upgrade a ONE Hub service, run a newer installer, which will guide you through the upgrade process.
Multiple ONE Hub servers can be deployed to add fault tolerance to the on-premises ONE Hub service.
- A Microsoft SQL Server that is configured for high availability
- Two physical or virtualized Windows servers to run the Hub Windows service
- Two Azure service bus connections
- Install Hub 1 using the normal install instructions as outlined above using Server A and Service Bus Connection A.
- Install Hub 2 using the normal install instructions as outlined above using Server B and Service Bus Connection B.
Note: All Hub Services must share a single database on a High Availability SQL Server deployment.
The ONE Hub is a Windows service. To administer it, open the Windows Services management console, which allows you to do the following:
- Start service
- Stop service
- Restart service
- Set the user context (log on) for the service
- Set recovery settings for the service
If the Hub is offline, the following steps should be taken before contacting
- Ensure the on-premises ONE Hub service has started
- Restart the service and try again
- Review logs in the Event Viewer. ONE Hub event logs can be found in the following location:
  - Windows Event Viewer > Applications and Services > Sitrion HUB
- Ensure the user context set in the Log On tab of the service is a user that has the following permissions:
  - Run Windows services
  - SQL Server permissions to the Sitrion ONE Hub database
- Ensure the SQL Server hosting the Hub database is operational
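The checks above can be scripted. The following PowerShell function is an added example (not a Limeade tool) that reports the service state and Log On account, the last 24 hours of errors and warnings from the Hub's event log, and whether the Hub database can be opened. The service display-name pattern, event log name, SQL Server name and database name are assumptions or placeholders; the SQL check runs as the user invoking the script, so run it as the service account (or compare against the Log On account it prints) to test the same permissions the service has.

```powershell
# Added example: first-line health check for an offline Hub. Names are placeholders.
function Test-HubHealth {
    param(
        [string]$ServiceDisplayName = '*Sitrion*',      # assumed display-name pattern
        [string]$EventLogName       = 'Sitrion HUB',    # log shown under Applications and Services
        [string]$SqlServer          = 'sqlhost\instance', # placeholder
        [string]$Database           = 'SitrionOneHub'     # placeholder
    )
    $result = [ordered]@{}

    # 1. Is the service installed and running, and which account does it log on as?
    $svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue | Select-Object -First 1
    $result.ServiceFound  = [bool]$svc
    $result.ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'not found' }
    if ($svc) {
        $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
        $result.LogOnAccount = $wmi.StartName          # Local System or the custom account
    }

    # 2. Errors (Level 2) and warnings (Level 3) from the Hub log in the last 24 hours.
    $since  = (Get-Date).AddHours(-24)
    $events = Get-WinEvent -FilterHashtable @{ LogName = $EventLogName; Level = 2, 3; StartTime = $since } -ErrorAction SilentlyContinue
    $result.RecentErrorCount = @($events).Count
    $result.LastError = if ($events) { @($events)[0].Message.Split("`n")[0].Trim() } else { $null }

    # 3. Can the Hub database be opened with the current Windows identity?
    $cs = "Server=$SqlServer;Database=$Database;Integrated Security=True;Connect Timeout=5"
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
    try {
        $conn.Open()
        $result.SqlReachable = $true
    } catch {
        $result.SqlReachable = $false
        $result.SqlError = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }

    return [pscustomobject]$result
}

Test-HubHealth | Format-List
```

A service that is running but logging repeated errors with SqlReachable set to false usually points at the SQL Server permissions item in the list above; a stopped service with a custom Log On account points at the "run Windows services" right.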
For customers who block outgoing connections from the Hub server, the firewall will need to be configured to allow certain outgoing connections to the ONE infrastructure. The Hub service uses Azure Service Bus as the underlying technology for communication between https://one.sitrion.com and the on-premises Hub service.
There are three possible ways to configure a corporate firewall that will allow the Hub service to connect. None of these options require any port forwarding or opening the firewall to allow inbound traffic (aka poking a hole in the firewall).
- Allow the Hub service server(s) to connect to any IP for a given set of TCP ports
- Allow the Hub service server(s) to connect using DNS name for a given set of TCP ports
- Allow the Hub service server(s) to connect using a destination IP address for a given set of TCP ports.
This is the easiest option to configure.
Configure the firewall to accept outbound traffic from the Hub service server(s) for the given set of TCP ports:
- TCP port 80
- TCP port 443
- TCP port range 5671-5672
- TCP port range 9350-9354
This configuration is the most desirable when allowing all outbound traffic for a port range is not possible.
There are three DNS hostnames that will be referenced when creating firewall rules:
- https://one.sitrion.com: this is ONE's web service
- <yournamespace>.servicebus.windows.net: the hostname for the Service Bus connection itself
- The Azure Service Bus relay hostname: this is a Microsoft internal hostname of whichever internal Azure resource is hosting the service bus connection itself. This resource is the endpoint which receives and transmits information from the Hub to https://one.sitrion.com
In these steps <yournamespace>.servicebus.windows.net will be the service bus URL. You should replace the service bus URL with the one provided to you by Limeade.
- Open a Command Prompt window
- Enter the command
- nslookup <yournamespace>.servicebus.windows.net
- This command will output something like this:
The hostname in bold is the relay host for your service bus connection.
The above address is ONLY for demonstration purposes. The hostname and IP will be different for your service bus connection.
Once the Service Bus relay for the Service Bus namespace has been determined, the firewall can be configured.
The following ports will need to be opened for the Hub Service server(s):
- TCP Port 80 and 443 to one.sitrion.com
- TCP Port 80 and 443 to <yournamespace>.servicebus.windows.net
- TCP Port 80 and 443 to <Service Bus Relay DNS address>
- TCP Port 5671-5672 to <yournamespace>.servicebus.windows.net
- TCP Port 5671-5672 to <Service Bus Relay DNS address>
- TCP Port 9350-9354 to <yournamespace>.servicebus.windows.net
- TCP Port 9350-9354 to <Service Bus Relay DNS address>
The above firewall rules should always use DNS names: the underlying IPs used by the Service Bus connection and the relay change over time, so rules created with IP addresses will break.
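The relay lookup described in the nslookup steps and the DNS-based rule list above can be combined into one check run on the Hub server. The following PowerShell is an added example (not part of the Limeade documentation): it follows the CNAME chain from <yournamespace>.servicebus.windows.net to the relay host, builds the list of host/port pairs the rules must allow, and probes outbound TCP reachability for each. The namespace name is a placeholder. It assumes Windows Server 2012 R2 or later, where Resolve-DnsName and Test-NetConnection are available; a False result on a port means either the firewall blocks it or the remote host is not listening on that port, so read it against the rule list rather than as a definitive failure.

```powershell
# Added example: discover the Service Bus relay host and verify outbound reachability
# for the DNS-based firewall rules. 'yournamespace' is a placeholder.
function Get-HubFirewallTargets {
    param([Parameter(Mandatory)][string]$Namespace)   # e.g. 'contoso-onehub'
    $sbHost = "$Namespace.servicebus.windows.net"

    # Resolve-DnsName returns the CNAME chain followed by the A records, like nslookup does.
    # The last CNAME target is the Microsoft relay host that the rules must also cover.
    $answers = Resolve-DnsName -Name $sbHost -Type A -ErrorAction Stop
    $relay   = $answers | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -Last 1 -ExpandProperty NameHost

    # Port sets from the rule list above.
    $webPorts   = 80, 443
    $amqpPorts  = 5671, 5672
    $relayPorts = 9350..9354

    $targets = @()
    foreach ($p in $webPorts) {
        $targets += [pscustomobject]@{ Host = 'one.sitrion.com'; Port = $p }
    }
    foreach ($h in @($sbHost, $relay) | Where-Object { $_ }) {
        foreach ($p in ($webPorts + $amqpPorts + $relayPorts)) {
            $targets += [pscustomobject]@{ Host = $h; Port = $p }
        }
    }
    return $targets
}

function Test-HubOutbound {
    param([Parameter(Mandatory)][string]$Namespace)
    foreach ($t in Get-HubFirewallTargets -Namespace $Namespace) {
        # -InformationLevel Quiet returns a plain $true/$false instead of the full result object.
        $ok = Test-NetConnection -ComputerName $t.Host -Port $t.Port -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $t.Host; Port = $t.Port; Reachable = $ok }
    }
}

# Run on the Hub server so the DNS answers match the region the Hub actually uses.
Test-HubOutbound -Namespace 'yournamespace' | Format-Table -AutoSize
```

Because the relay hostname comes from DNS at run time, re-running the script after a firewall change shows whether the rules still match the current relay without hand-editing any addresses.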
This configuration is the least desirable configuration method. Anytime the underlying IP address changes, the firewall configuration will need to be updated to match the new values.
There are two IPs that will be referenced when creating firewall rules:
- https://one.sitrion.com: this is ONE’s web service. This IP can be determined by resolving the DNS entry for one.sitrion.com
- <yournamespace>.servicebus.windows.net: the hostname for the service bus connection itself. This IP can be determined by resolving the DNS entry for the service bus connection itself
When resolving IP addresses, it should be done from the Hub server itself. This will ensure the IP address is the correct one for a given service region.
The following ports will need to be opened for the Hub Service server(s).
- TCP Port 80 and 443 to one.sitrion.com (see Appendix B for the list of IPs)
- TCP Port 80 and 443 to Service Bus connection IP
- TCP Port 5671-5672 to Service Bus connection IP
- TCP Port 9350-9354 to Service Bus connection IP
Using IP addresses in the above firewall rules has a major disadvantage. Microsoft will change the Service Bus connection IP addresses over time breaking any firewall rules pointing to the old IPs.
Quoting Microsoft’s Documentation:
Q: How often and how much do these IPs change?
A: There is no contract on this, but our expectation is that between 10-20% of the IPs will change every month.
Limeade strongly recommends using DNS filtering to simplify proxy/firewall management.
Note: During service outages, additional IP addresses may be required. Once the underlying outage is resolved, an IP in the above set will be used.