Beacon Deployment

The Beacon is installed via the Workflow Services installer, which you can obtain from the Breezy Dashboard.

 

You will be prompted for some initial binding information (this will change in future installer versions). For now, just enter a valid hostname that will resolve to this host, e.g. "host.local" or "breezy.somedomain.com".

Most likely, you will get one or more TLS warnings during the diagnostics (below). There are various discussions about this on the web, but in short you will need to run this PowerShell script (probably with elevated privileges). The script makes registry changes that enable TLS 1.2 (which is not configured out-of-the-box with .NET Framework 4.5) and disable SSL 2.0.

 

As an aside, there are several reasons why we are not more heavy-handed in the installer and do not force these kinds of configurations to run from the installer itself. One major reason (with respect to certificates) is that this host may not be allowed to import certificates at all: the load-balancer/reverse proxy may be terminating TLS/SSL traffic to this host, in which case the whole subject is moot (i.e. you can just ignore the warning). When the diagnostics start to support hyperlinks to our support articles, this kind of background information will be directly accessible to clients (or whoever is doing the installation).

Once the installation completes, we need to open IIS Manager and make some decisions about how traffic will reach this service.

If there are other Breezy Web Services that were installed (e.g. Buffer, Message Queue) you'll see those as virtual applications within the Breezy Web Services node (below). By default, the Beacon advertises the IPP service (via Bonjour) over the URL "<host>.local:8631/beacon/ipp/print" where <host> is just the local hostname.

The TLS/certificate issue was already discussed, i.e. if the client is load-balancing the traffic (most likely over port 80) just make sure the binding reflects that. In most cases, you can leave the hostname in the binding blank and bind to all traffic on a given port. Because the Beacon's mDNS/Bonjour is configured to advertise on the local link, you will probably need to:

1) Enable TLS by running this script: TLS PowerShell script

2) Create a self-signed cert in IIS and bind to it

 

 

 

Within the web.config file of the Beacon service, there are four additional parameters that can be configured as needed (these parameters will be moved to the Dashboard in subsequent versions).

<add key="Host"/>

This is only useful if you have a load-balancer on the local link (subnet). Normally you leave this blank.

<add key="Port"/>

Set this if you want to advertise IPP/AirPrint over some other port (not the default 8631). Just make sure that this matches the binding you've set up in IIS.

<add key="ForceHttps" value="true"/>

We force traffic over HTTPS because the Beacon cannot upgrade its connection (RFC 2817 is not supported natively in Windows). Recent iOS clients will not authenticate if the traffic is not running over TLS 1.2 or higher.

<add key="IppPath" value="beacon/ipp/print/"/>

The default configuration is to run Beacon as a virtual app under Breezy Web Services. If for whatever reason Beacon is configured to run as a root web site (same level as Breezy Web Service in the screenshot above), then Beacon will serve traffic on https://<host>.local:<port>/ipp/print instead of /beacon/ipp/print and this IppPath should be updated to reflect that.

 

 

Enabling TLS PowerShell script

 

# Enables TLS 1.2 on Windows Server 2008 R2 and Windows 7

# These keys do not exist so they need to be created prior to setting values.
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"

# Enable TLS 1.2 for client and server SCHANNEL communications
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "Enabled" -value 1 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "Enabled" -value 1 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "DisabledByDefault" -value 0 -PropertyType "DWord"

# Disable SSL 2.0 (PCI Compliance)
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" -name Enabled -value 0 -PropertyType "DWord"
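
To confirm the result, the following read-only audit compares the registry against the values the script above writes. It is an added example, not part of the Breezy installer or diagnostics; the function name Get-SchannelAudit is hypothetical, and it sticks to PowerShell 2.0 syntax because the script targets Windows Server 2008 R2 and Windows 7.

```powershell
# Added example: read-only audit of the SCHANNEL values written by the script above.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Values the script sets: subkey, value name, expected DWORD.
$checks = @(
    @{ Key = 'TLS 1.2\Server'; Name = 'Enabled';           Want = 1 },
    @{ Key = 'TLS 1.2\Server'; Name = 'DisabledByDefault'; Want = 0 },
    @{ Key = 'TLS 1.2\Client'; Name = 'Enabled';           Want = 1 },
    @{ Key = 'TLS 1.2\Client'; Name = 'DisabledByDefault'; Want = 0 },
    @{ Key = 'SSL 2.0\Server'; Name = 'Enabled';           Want = 0 }
)

# Hypothetical helper: returns one row per expected value with the actual state.
function Get-SchannelAudit {
    param([string]$Root, [object[]]$Checks)
    foreach ($c in $Checks) {
        $path   = Join-Path $Root $c.Key
        $actual = $null
        if (Test-Path $path) {
            # A missing value is not an error here; it is reported as not set.
            $prop = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
            if ($prop) { $actual = $prop.($c.Name) }
        }
        New-Object PSObject -Property @{
            Key    = $c.Key
            Name   = $c.Name
            Want   = $c.Want
            Actual = $(if ($null -eq $actual) { '<not set>' } else { $actual })
            Ok     = ($null -ne $actual) -and ($actual -eq $c.Want)
        }
    }
}

$report = @(Get-SchannelAudit -Root $root -Checks $checks)
$report | Format-Table Key, Name, Want, Actual, Ok -AutoSize
if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'SCHANNEL differs from what the script sets; run it elevated and restart the host.'
}
```

SCHANNEL reads these protocol settings at startup, so a host that passes the audit still needs a restart before the new settings are in effect.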


=====

Things to check:

  • Is Bonjour (>=3.0) installed?
  • Check bindings: 443, 631 (and maybe 8631 but probably deprecated)
  • Next step: visit localhost/beacon and enter Breezy creds
  • If it doesn't authenticate, make sure program files x86\breezy\beacon\app_data\settings is writeable
  • Open a command prompt and run:

    dns-sd -B _ipp._tcp local.
    ... and then confirm that the UQueue, at least, is listed

  • AdvertiseViaDnssd should be "true" in web.config
  • IppPath should be "beacon/ipp/print" in web.config
  • Restart WWW Publishing Service after config changes

 

NOTE: Every time you change anything in web.config, IIS will detect the change, invalidate the connection pool and restart, but it won't advertise via Bonjour again until a request has come through to the /beacon endpoint. (In other words, whenever you change something in web.config, ping localhost/beacon on the host.)
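
The web.config items in the checklist, and the rule that Port must match an IIS binding, can be checked together. The script below is an added example, not Breezy's own tooling: the function name Test-BeaconConfig is hypothetical, the web.config fragment and binding list are constructed samples, and the http scheme used when ForceHttps is not "true" is an assumption.

```powershell
# Constructed sample of the Beacon appSettings described above; on a real host use
#   [xml]$cfg = Get-Content '<path to Beacon>\web.config'
[xml]$cfg = @'
<configuration><appSettings>
  <add key="Host"/>
  <add key="Port"/>
  <add key="ForceHttps" value="true"/>
  <add key="IppPath" value="beacon/ipp/print/"/>
  <add key="AdvertiseViaDnssd" value="true"/>
</appSettings></configuration>
'@
# Constructed sample of IIS bindings as "protocol ip:port:hostname"; on a real host
# build these from the protocol and bindingInformation that Get-WebBinding returns.
$bindings = @('http *:80:', 'https *:8631:')

# Hypothetical helper: returns the URL the settings imply plus a list of problems.
function Test-BeaconConfig {
    param([xml]$Config, [string[]]$Bindings)
    $s = @{}
    foreach ($n in $Config.SelectNodes('/configuration/appSettings/add')) {
        $s[$n.GetAttribute('key')] = $n.GetAttribute('value')   # '' when value is absent
    }
    $port   = if ($s['Port']) { [int]$s['Port'] } else { 8631 }  # blank = default 8631
    $scheme = if ($s['ForceHttps'] -eq 'true') { 'https' } else { 'http' }  # assumption
    $path   = ([string]$s['IppPath']).Trim('/')
    $issues = @()
    if ($scheme -ne 'https') { $issues += 'ForceHttps is not "true"' }
    if ($s['AdvertiseViaDnssd'] -ne 'true') { $issues += 'AdvertiseViaDnssd is not "true"' }
    if (@('beacon/ipp/print', 'ipp/print') -notcontains $path) {
        $issues += "IppPath '$path' is neither the virtual-app nor the root-site path"
    }
    # The port is the second-to-last field, which also holds for bracketed IPv6 addresses.
    $hit = $Bindings | Where-Object {
        $proto, $info = $_ -split ' ', 2
        ($proto -eq $scheme) -and ([int](($info -split ':')[-2]) -eq $port)
    }
    if (-not $hit) { $issues += "No $scheme binding on port $port in IIS" }
    New-Object PSObject -Property @{
        Advertised = "${scheme}://<host>.local:$port/$path"
        Issues     = $issues
    }
}

$result = Test-BeaconConfig -Config $cfg -Bindings $bindings
$result.Advertised   # URL implied by the settings; <host> is the local hostname
$result.Issues       # empty for the constructed sample
```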
