Changing HTTP connection defaults

By default, the installer sets up the HTTP port 54500 and HTTPS port 54501 connections. You can change the defaults for the ESI Service by using the following procedures:

       Setting up new IP ports with the default certificate

       Setting up default IP ports with a new domain certificate

       Setting up new IP ports with a new domain certificate

       Confirming HTTP connections

Note: All of these procedures require a Windows command prompt and not a PowerShell command prompt.

 

Setting up new IP ports with the default certificate

To set up new IP ports with the default certificate:

  1. On the ESI host machine, open a command prompt and type the following to delete the reserved URLs:

   netsh http delete urlacl "http://+:54500/esi/"

   netsh http delete urlacl "https://+:54501/esi/"

  1. Choose new IP port numbers. The industry standard is to choose an available port that is between port numbers 49152 and 65535. To get a list of used IP ports for your ESI Service or HA Extension, type the following command at a Windows command prompt on the ESI Service machine:

   netstat –an

  1. To reserve the new URLs, type the following, replacing <HttpPort> and <HttpsPort> with the new port numbers:

   netsh http add urlacl url="http://+:<HttpPort>/esi/" user="NT AUTHORITY\NETWORK SERVICE"

   netsh http add urlacl url="https://+:<HttpsPort>/esi/" user="NT AUTHORITY\NETWORK SERVICE"

For example:

   netsh http add urlacl url="http://+:56560/esi/" user="NT AUTHORITY\NETWORK SERVICE"

   netsh http add urlacl url="https://+:57570/esi/" user="NT AUTHORITY\NETWORK SERVICE"

  1. Delete the existing firewall rule for default ports:

   netsh advfirewall firewall delete rule name="ESI Service"

  1. To add the new firewall rule for the new ports, type the following replacing <HttpPort> and <HttpsPort> with the new port numbers:

netsh advfirewall firewall add rule name="ESI Service" dir=in action="allow" protocol="TCP" localport=<HttpPort>, <HttpsPort>

For example:

netsh advfirewall firewall add rule name="ESI Service" dir=in action="allow" protocol="TCP" localport=<56560>,<57570>

  1. Type the following to unbind the existing IP ports from the SSL certificate:

   netsh http delete sslcert ipport=0.0.0.0:54501

  1. To bind the ports with the SSL certificate, open Windows Internet Information Services (IIS) Manager and select the server name.

  2. Double-click ESIService-SSL, select Details, and copy the thumbprint. Remove any spaces between the thumbprint numbers and letters and use the thumbprint in place of <Thumbprint> in the following command. Keep appid the same and use the applicable port number in place of <HttpsPort>:

netsh http add sslcert ipport=0.0.0.0:<HttpsPort> certhash=<Thumbprint> appid="{4024FDC3-B30D-43CA-8707-A50940B4BD14}"

For example:

netsh http add sslcert ipport=0.0.0.0:57570 certhash=0794721c36f00902c6b9b6cb687f7a6b2997925d appid="{4024FDC3-B30D-43CA-8707-A50940B4BD14}"

  1. To set the registry keys and change the ports, navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\EMC\WSI\Service folder and change the value of the Port key to the new HTTP port number and the SSLPort value to the new HTTPS port number. For example:

   Port: 12345   SSLPort: 12346

  1. To restart the ESI Service, go to Services and restart the ESI Service. Or you can run these commands:

   net stop esiservice

   net start esiservice

  1. Confirm the HTTP connection provides details for confirming the port setup.

Setting up default IP ports with a new domain certificate

To set up default IP ports with a new domain default certificate:

  1. On the ESI host machine, create a new domain certificate.

  2. Refer to your Windows documentation for more information.

  3. Open a Windows command prompt and type the following to stop the ESI Service:

   net stop esiservice

  1. Type the following to unbind the existing IP ports from the ESI Service SSL certificate:

   netsh http delete sslcert ipport=0.0.0.0:54501

  1. To bind the ports with the new certificate, open Windows IIS Manager and select the server name.

  1. Double-click the new certificate, select Details, and copy the thumbprint. Remove any spaces between the thumbprint numbers and letters and use it in place of <Thumbprint> in the following command. Keep appid the same and replace <HttpsPort> with the applicable number:

   netsh http add sslcert ipport=0.0.0.0:54501 certhash=<Thumbprint> appid="{4024FDC3-B30D-43CA-8707-A50940B4BD14}"

For example:

   netsh http add sslcert ipport=0.0.0.0:54501 certhash=0794721c36f00902c6b9b6cb687f7a6b2997925d appid="{4024FDC3-B30D-43CA-8707-A50940B4BD14}"

  1. At the Windows command prompt, type the following to restart the ESI Service:

   net start esiservice

  1. Confirm the HTTP connection provides details for confirming the port setup.

Setting up new IP ports with a new domain certificate

To set up new IP ports with a new domain certificate:

  1. On the ESI host machine, open a Windows command prompt type the following to delete the reserved URLs:

   netsh http delete urlacl "http://+:54500/esi/"

   netsh http delete urlacl "https://+:54501/esi/"

  1. Choose new IP port numbers.

  2. The industry standard is to choose an available port that is between port numbers 49152 and 65535. To get a list of used IP ports for your ESI Service, type the following command at a Windows command prompt on the ESI Service machine:

   netstat –an

  1. To reserve the new URLs, type the following replacing <HttpPort> and <HttpsPort> with the new port numbers:

   netsh http add urlacl url="http://+:<HttpPort>/esi/" user="NT AUTHORITY\NETWORK SERVICE"

   netsh http add urlacl url="https://+:<HttpsPort>/esi/" user="NT AUTHORITY\NETWORK SERVICE"

For example:

   netsh http add urlacl url="http://+:12345/esi/" user="NT AUTHORITY\NETWORK SERVICE"

  1. Type the following to delete the existing firewall rule for default ports:

   netsh advfirewall firewall delete rule name="ESI Service"

  1. To add the new firewall rule for the new ports, type the following, replacing <HttpPort> and <HttpsPort> with the new port numbers:

   netsh advfirewall firewall add rule name="ESI Service" dir=in action="allow" protocol="TCP" localport=<HttpPort>, <HttpsPort>

For example:

   netsh advfirewall firewall add rule name="ESI Service" dir=in action="allow" protocol="TCP" localport=<56560>,<57570>

  1. Type the following to unbind the existing default IP ports from the SSL certificate:

   netsh http delete sslcert ipport=0.0.0.0:54501

  1. Create a new domain certificate. Refer to Windows documentation for more information.

  2. To bind the ports with the new certificate, open Windows IIS Manager and select the server name.

  3. Double-click the new certificate, select Details, and copy the thumbprint. Remove any spaces between the thumbprint numbers and letters and use the thumbprint in place of <Thumbprint> in the following command. Replace <HttpsPort> with the applicable port number and keep appid the same:

netsh http add sslcert ipport=0.0.0.0:<HttpsPort> certhash=<Thumbprint> appid="{4024FDC3-B30D-43CA-8707-A50940B4BD14}"

For example:

netsh http add sslcert ipport=0.0.0.0:57570 certhash=0794721c36f00902c6b9b6cb687f7a6b2997925d appid="{4024FDC3-B30D-43CA-8707-A50940B4BD14}"

  1. To set the registry keys and change the ports, navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\EMC\WSI\Service folder and change the value of the Port key to the new HTTP port number and the SSLPort value to the new HTTPS port number. For example:

   Port: 56560   SSLPort: 57570

  1. To restart the ESI Service, go to Services and restart the ESI Service. Or you can use this command:

   net stop esiservice

   net start esiservice

  1. Confirm the HTTP connection provides details for confirming the port setup.

Confirming HTTP connections

To confirm the HTTP connection is set up correctly:

  1. Open a web browser that supports Windows Authentication and browse to the ESI Service console with the applicable IP port numbers:

  1. In the Services applet on the ESI host system, confirm that the ESI Service is installed and started as a network service.

  2. On the ESI host system, confirm that the ESIService-SSL or your new domain certificate is listed in the \Personal\Certificates folder on the local computer. How to: View Certificates with the MMC Snap-in at http://msdn.microsoft.com/en-us/library/ms788967.aspx describes how to view certificates.

  3. On the host, open the Start menu and search for firewall to locate the Windows firewall.

  4. In the search results, select Windows Firewall with Advanced Security.

  5. Select Inbound rules, and confirm that ESI Service is listed and enabled as the new ESI Service firewall rule for the default 54500 and 54501 ports or your new port numbers.

 

Related links

 

 Setting up ESI Service

 ESI overview

 Publishing and unpublishing systems to the ESI Service

 Home window

 Changing the system refresh interval

 

 Viewing and setting up the security policy