Webhook Listener Site - WLS

We separate the Webhook listener from the Admin Portal because we need to open access from Microsoft via the internet. This Listener Server can be installed in the DMZ of the organization.

It is recommended to install the WLS on a separate site with a separate application pool. When the deployment is large (1000 user and more ) it is best to be done on a separate host

 Installation

• Enable IIS on target machine (all the checkboxes)

• Copy all the content from the package payload: C:\Agat\SphereShield.Setup\Payload\SphereShield.Listener into a new folder under Inetpub.

• Replace these files with the ones from AccessPortal folder:

  • SphereShield.CasbCommon.dll

  • SphereShield.CasbMessagingBL.dll

  • SkypeShield.Infrastructure.dll

  • SkypeShield.Cryptography.dll

  • SkypeShield.File.dll

  • SkypeShield.Ldap.dll

  • SkypeShield.Mdm.dll

  • SkypeShield.Messaging.dll

  • SkypeShield.ServiceManagement.dll

  • SkypeShield.Settings.dll

  • SkypeShield.Skype.dll

  • SkypeShield.Validation.dll

  • SphereShield.Common.dll

  • SkypeShield.Infrastructure.Entities.dll

  • CasbMsOfficeApplication.dll

• Create new site in the IIS manager and set the Physical path to new folder created.

• Make sure all options under IIS are selected for the server, especially the development ones which include ASP versions.

• Create an https URL for this site so that Microsoft can send events to the site. We should assign a hostname like “listener”.

• Set ConnectionString and IV / KEY .

• Set Webhook certificate in the Configuration folder, you can verify it in following page Production Key Vault and Certificate

• Change the C:\Agat\Listener_site\Configuration\Log4net.config file so the logs will write in this location: D:\Agat\Logs\ListenerSite

• Make sure the AWS instance has the Security group that leaves 443 open to all.

• Navigate to the site and you should see this Welcome page:

Open

In IIS Manager, open Application Pools

Open

open Advanced Settings of your portal

set “Load User Profile” to “True”

open Advanced Settings of your Listener

set “Load User Profile” to “True”

Heartbeat

Connection Check

• Url: /api/Heartbeat

• Method: GET

• Good Response: 200 “I am alive.... :-)“

• bad Response: 404

Admin Portal configuration

A new setting was added to the Cloud Service Integration section:

Need to Enter the URL of the Webhook site created.

In case that AP already gets Webhooks, You will need to turn off the CasbAdapter for 1 hour, for new Webhook Subscription to be created.

Note: When external site URL is left empty the Webhook will be set to the portal URL as before this change.

Slack

In order to get webhooks for Slack, need the followings:

• Update the bin folder with the latest dlls

• Add CasbSlackApplication version 1.2.0 on

• Settings table , add “Slack” to the value of CasbCloudServices (update this row)

• Update in Settings table where name is CasbSlackAccessBotToken with the encrypted bot token taken from Slack configuration

• Insert to settings table an empty value for SlackBotConfigurations, if no record is found for this name

• Update Slack with the new URL. Should look like https://listener-bgd15.agatdemo.com/rest/v1/casb/webhook/slack/inspect , convention is https://{your-domain}/rest/v1/casb/webhook/slack/inspect

• In applicationSettings.config of the listener add this line for the BusinessGPT address

<add key="BusinessGPTApiUrl" value="https://bgd15-firewall.agatdemo.com/firewallApi/v1/chat" />