Understanding the Web Access server privileges

When using Web Access with a default installation of Internet Information Services, updating thumbnails, synchronizing properties and other functionality may seem to fail without any direct cause. Users may also receive Access denied errors.

All Meridian Web Access users and the IIS service account require the following minimum privileges on the server running Internet Information Services, whether it is also the Meridian application server or another server:

• Read access to C:\Inetpub\AMM.
• Modify access to C:\Inetpub\AMM\AMTemp.
• Full access to C:\Inetpub\AMM\Profiles.
• Full access to the folder specified by the Windows TEMP system variable.
• Full access to the local workspace folder, C:\BC-Workspace by default.
• Read access to C:\Program Files\BC-Meridian\Program.
• In early versions of Internet Information Services, the Application Protection setting for the Web Access virtual directory of the Default website should be set to Low (IIS Process) instead of the default Medium (Pooled), which causes the Web Access application to run under the IWAM_<ComputerName> account. In later versions, the Web Access application should be assigned to the Classic .NET AppPool and a server administrator account set as the Application Pool Identity option of the Process Model setting.

If Web Access will only be used on your organization’s intranet, no additional configuration is necessary. Web Access is as secure as any other IIS website. But if you want to allow access from outside of the organization for remote users, contractors, vendors, or other business partners, you will need to:

• Create a separate domain in the demilitarized zone (DMZ). The DMZ is the zone between a first and second firewall. There you place computers that are accessible from the Internet (like DNS, SMTP, and IIS servers, and so on).
• Enable a one-way trust relationship between the DMZ domain and your corporate domain.

Note    We recommend that you use the Secure Sockets Layer (SSL) for connections to Web Access sites from the Internet because, depending on the authentication method used, IIS may need to forward passwords to the Meridian application server. If SSL is not used, the passwords will be in clear text between the Web Access clients and the IIS server.