Prerequisites

Before you install the Workspace Control Shield API, please make sure you are aware of the Known Issues and Limitations.

Shield API Installation Location

  • To ensure optimal security and system integrity, the Shield API should be installed on a server running IIS and that does not have other IWC components installed.

  • All machines running the Workspace Control Console and/or Agent must be able to communicate with the Shield API.

Active Directory Domain

All machines that have Workspace Control components (Console, Agent, Relay Server) installed, including the server that hosts the Shield API, should be joined to the same Active Directory domain.

Software Requirements

Shield API Server

IIS Server Configuration

Ensure that the server has the Web Server Role (IIS) installed with the following Role Services:

  • Web Server (IIS)

    • Web Server

      • Common HTTP features

        • Default Document

        • HTTP Errors

        • Static Content

      • Health and Diagnostics

        • HTTP Logging

      • Performance

        • Static Content Compression

      • Security

        • Request Filtering

        • Basic Authentication

        • Centralized SSL Certificate Support

        • Client Certificate Mapping Authentication

        • IIS Client Certificate Mapping Authentication

        • Windows Authentication

      • Application Development

        • .NET Extensibility 4.7 (or higher)

        • Application Initialization

        • ASP.NET 4.7 (or higher)

        • ISAPI Extensions

        • ISAPI Filters

        • Server Side Includes

        • WebSocket Protocol

    • Management Tools

      • IIS Management Console

The Microsoft Windows Server wizard 'Add Roles and Features' listing the required Roles

TLS Certificate Installation

  • Before installing the Workspace Control Shield API, a valid TLS certificate or a self-signed certificate must be installed in both the LocalMachine\Personal and LocalMachine\Trusted Root Certification Authorities folders on the server hosting the Shield API.

  • The TLS certificate must have the intended purpose set to Server Authentication.

  • Two TLS certificates will be required: one for the Primary Shield API server and another for the Secondary Shield API server. (Refer to the Active-Passive Shield API section for details.)

Ivanti strongly recommends using self-signed certificates only for testing purposes, not in a production environment.

Hardware Requirements

Ensure that the server meets or exceeds the below hardware configuration:

  • CPU: 16-32 cores

  • RAM: 64-128 GB

Database Driver

Same as for other Workspace Control components that connect directly to the Datastore, a database driver that is suitable for the type of database that holds your Datastore must be installed on the server that hosts the Shield API.
For the Shield API, the database driver must be the 64-bit version.