KBA-01668: sfATC and Public IIS Servers


What is the best practice for setting up sfATC with a public IIS site?


Some pre-decision points:

  • How many IIS servers?
  • Will sfATC run on the same server as ICTool?

IIS Servers

sfPMS can run as a single IIS server, or many servers can be deployed in a farm configuration (see KBA-01567). A hybrid approach is to use two IIS servers: one with ICTool and sfATC, and a second for live users. This dual IIS server configuration avoids the complexity and overhead of a farm (no load balancer, for example), but improves OLTP (link) throughput by removing sfATC workload and overhead.

Co-locating sfATC and ICTool

It is also possible to move sfATC to another Windows server.  This configuration is not often used.  We recommend that sfATC be kept on the same server as ICTool.

sfATC and Web App Communication

sfATC must communicate with the sfPMS Web Application.  The default is to use the same URL as OLTP users, but this is not best practice when the site is publicly accessible.  sfATC traffic is best directed via a non-SSL, internal-only web address.

  1. In INETMGR, establish a site binding for which traffic only flows internally.
  2. Specify the hostname (and port) on the sfATC tab. (Do not include the application root.)
  3. On the sfATC Target IP Tab, review the two IP addresses.
    1. The Listen On IP is often if ATC is on the web server. Otherwise, use an internal IP and open ports 14491 and 14492.
    2. The Xmit IP is the Resolved IP if sfATC is on the same server as ICTool. Otherwise, specify the ATC IP. The sfPMS log should help: look for Rejected SFATC Credentials, and use the address specified.  Ideally, the address should be an internal IP4 or IP6 address, otherwise reread this section and establish an internal binding.

sfatc local site url

sfatc Target TP


Additional Comments:

Installation is fun!

KBA-01668; Last updated: September 20, 2017 at 8:51 am;