Sitrion One Hub Install Guide
This document covers the installation and configuration of the Sitrion ONE Hub Windows service. This service allows the Sitrion ONE platform to securely read and write data to on-premises systems.
- Physical or virtualized Windows Server installation
- Windows Server 2012 or later.
- .NET Framework 4.7.1 (Full Installation)
- A CPU with at least two cores
- 4 GB RAM
- 10 GB free disk space
The Sitrion ONE HUB configuration settings and user credentials are stored in an encrypted SQL database. This requires a SQL Server instance (2008 or higher).
There are three connectivity modes for the Hub to connect to the Sitrion ONE Cloud Platform.
- TCP Relay mode (Preferred) – This mode provides the best performance but is not compatible with a web proxy configuration.
- HTTP Relay mode (uses WebSockets) – This mode is required in organizations that use web proxies to connect to the Internet.
- HTTPS Queue mode – This mode should only be used when the previous two modes have failed to connect successfully to the Sitrion ONE Cloud platform. This mode is the least performant and is discouraged.
- West US (California)
- West Europe (Netherlands)
The Sitrion ONE Hub service requires connectivity to the given backend systems it is expected to access.
Sitrion requires that customers use a dedicated Azure Service Bus namespace for each of their production Hub installations. This ensures that all of your organization's traffic is segregated, private and secured when communicating with the Sitrion ONE cloud infrastructure. Your organization has two options for acquiring a dedicated Service Bus namespace.
This option provides the most control for organizations that already have an existing Azure subscription. To learn how to create and manage your own Azure Service Bus namespace see the following documentation.
It is recommended that you select a location that is the geographically closest to your Sitrion ONE Hub instance.
For organizations that do not have an existing Azure subscription or do not want the responsibility of managing their own Service Bus namespace, Sitrion is happy to create and manage this for your organization. Just consult your customer success manager for details.
If your organization uses a web proxy for Internet access, a proxy configuration is required.
The proxy needs to be configured manually in the config file for the Hub. By default the config file is located at "C:\Program Files\Sitrion\Sitrion ONE Service\Sitrion.One.Hub.Service.exe.config". The configuration is a standard .NET application configuration file. The configuration of a proxy is covered in this article. A sample configuration is supplied in the installed configuration file.
After starting the installation file, you will be presented with a welcome screen. Click Next to continue.
Choose the folder for the Hub Service to be installed in.
Click Next to continue.
The hub requires an encryption certificate to keep confidential information stored in the Hub secure. The certificate to use for encryption is identified by the certificate's thumbprint. Once you know the thumbprint of the certificate, enter it in the Certificate Thumbprint field. You can use a self-signed certificate or a domain certificate, whichever is preferred.
The account the Hub will run under will need permissions to access the private key of the certificate you specify. Here are instructions for modifying the private key permissions:
Self-signed certificates can be generated easily using PowerShell 4.0. PowerShell 4.0 can be downloaded at the following:
In an Admin level PowerShell window, once PowerShell 4.0 is installed, use this command to generate a self-signed certificate:
$cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -Subject HubConfigEncryption -FriendlyName "Encryption Certificate for Hub Config Settings" -notAfter 2039-12-31 -KeyLength 2048 -KeySpec KeyExchange;
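The private key permission step mentioned above, as an added example that is not part of the Sitrion installer or documentation: it looks up the certificate created by the command above (subject HubConfigEncryption), prints the thumbprint the installer asks for, finds the key file on disk, and grants the Hub service account read access only. The service account name is a placeholder you must replace.

```powershell
# Added example, not Sitrion's own script. Run in an elevated PowerShell window
# on the Hub server after the New-SelfSignedCertificate command above.
$ServiceAccount = 'DOMAIN\svc-sitrion-hub'   # placeholder: the account the Hub service runs under

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=HubConfigEncryption' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Certificate HubConfigEncryption not found in LocalMachine\My' }
"Thumbprint to enter in the installer: $($cert.Thumbprint)"

# Locate the key container file. CNG keys (the default provider) expose
# Key.UniqueName; legacy CAPI keys expose CspKeyContainerInfo.UniqueKeyContainerName.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $uniqueName = $rsa.Key.UniqueName
} else {
    $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
# Machine keys live under ProgramData\Microsoft\Crypto (Keys for CNG, RSA\MachineKeys for CAPI).
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $uniqueName } | Select-Object -First 1
if (-not $keyFile) { throw "Private key file $uniqueName not found" }

# Read is all the Hub needs to decrypt its settings; do not grant Full Control.
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# Verify the resulting entry for the service account.
(Get-Acl -Path $keyFile.FullName).Access | Where-Object { $_.IdentityReference -eq $ServiceAccount }
```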
NOTE: the instructions above apply to Windows 10 or Windows 8.1.
For Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 or Windows Server 2012 R2 please refer to
Click Next to continue
Configure the user for the Windows Service. If not changed, it will install with the Local System account on the installed machine.
Note: If you choose a custom user please make sure that the user has the appropriate rights to run a Windows service.
Click Next to continue.
The Hub requires a SQL Server database. You can now connect to a SQL Server instance, configure your SQL user and create a SQL Server database.
Note: If you are reinstalling the Hub during an upgrade, uncheck the "Check to create database / uncheck to update" check box. If you do forget to uncheck the check box, no user data will be lost.
Note: If you want the setup to create the database, please make sure that the user which runs the install has permissions to create the databases on the specified SQL server.
Click Next to continue
Configure the datacenter that the Hub should use to connect and provide all information (Namespace, key and access key) for your private Service Bus namespace. See the Service Bus namespace section above for more details.
Sitrion recommends that the TCP/IP Service Bus relay mode be used. If this mode does not work, please consult with Sitrion before using the other protocols, as they have performance constraints that may affect your end user experience. More information about this can be found in the Connectivity section.
Click Install to start the installation of the Hub Service on your machine.
The Sitrion Hub Service is now installed and the Windows service has automatically been started on your machine.
Note: To check if the Windows service has been started, see Start > Control Panel > Administrative Tools > Services.
Click Finish to exit the setup.
To upgrade a Sitrion ONE Hub service, just use a newer installer and it will guide you through the upgrade process.
Multiple Sitrion ONE Hub Service servers can be deployed to add fault tolerance to the on-premises Sitrion ONE Hub Service.
- A Microsoft SQL Server that is configured for High Availability
- Two physical or virtualized Windows Servers to run the Hub Windows Service
- Two Azure Service Bus connections
- Install Hub 1 using the normal install instructions as outlined above using Server A and Service Bus connection A.
- Install Hub 2 using the normal install instructions as outlined above using Server B and Service Bus Connection B.
Note: All Hub Services must share a single database on a High Availability SQL Server deployment.
The Sitrion ONE Hub is a Windows service. To administer this service, navigate to the Windows service management console. This console allows you to do the following:
- start service
- stop service
- restart service
- set the user context (log on) for the service
- set recovery settings for the service
- Ensure the on-premises Sitrion ONE Hub service is started
- Restart the service and try again
- Review logs in the event viewer
- Sitrion ONE Hub event logs can be found in the following location:
- Windows Event Viewer -> Applications and Services -> Sitrion HUB
- Ensure the user context set in the logon tab of the service is a user that has the following permissions:
- Run Windows services
- SQL Server permissions to the "Sitrion One HUB" database.
- Ensure the SQL server hosting the Hub database is operational.
For those customers who block outgoing connections from the Hub Service, the firewall will need to be configured to allow certain outgoing connections to the Sitrion ONE infrastructure. The Hub Service uses Azure Service Bus as the underlying technology to communicate between one.sitrion.com and the on-premises Hub Service.
There are three possible ways to configure a corporate firewall that will allow the Hub Service to connect. None of these options require any port forwarding or opening the firewall to allow inbound traffic (aka poking a hole in the firewall).
- Allow the Hub Service server(s) to connect to any IP for a given set of TCP ports
- Allow the Hub Service server(s) to connect using DNS name for a given set of TCP ports
- Allow the Hub Service server(s) to connect using a destination IP address for a given set of TCP ports.
This is the easiest option to configure.
Configure the firewall to accept outbound traffic from the Hub Service server(s) for the given set of TCP ports.
- TCP port 80
- TCP port 443
- TCP port range 5671-5672
- TCP port range 9350-9354
This configuration is the most desirable when allowing all outbound traffic for a port range is not possible.
There are three DNS hostnames that will be referenced when creating firewall rules:
- One.sitrion.com - this is Sitrion’s web service
- <yournamespace>.servicebus.windows.net – the hostname for the Service Bus connection itself
- The Azure Service Bus relay hostname – this is a Microsoft internal hostname of whichever internal Azure resource is hosting the service bus connection itself. This resource is the endpoint which receives and transmits information from the Hub to one.sitrion.com
In these steps <yournamespace>.servicebus.windows.net will be the service bus URL. You should replace the service bus URL with the one provided to you by Sitrion.
- Open a Command Prompt window
- Enter the command
- nslookup <yournamespace>.servicebus.windows.net
- This command will output something like this:
The hostname in bold is the relay host for your service bus connection.
The above address is ONLY for demonstration purposes. The hostname and IP will be different for your service bus connection.
Once you have determined the Service Bus relay for your Service Bus namespace, your firewall can be configured.
The following ports will need to be opened for the Hub Service server(s).
- TCP Port 80 and 443 to one.sitrion.com
- TCP Port 80 and 443 to <yournamespace>.servicebus.windows.net
- TCP Port 80 and 443 to <Service Bus Relay DNS address>
- TCP Port 5671-5672 to <yournamespace>.servicebus.windows.net
- TCP Port 5671-5672 to <Service Bus Relay DNS address>
- TCP Port 9350-9354 to <yournamespace>.servicebus.windows.net
- TCP Port 9350-9354 to <Service Bus Relay DNS address>
The above firewall rules should always use DNS names. If the firewall rules are created using IP addresses, the underlying IPs used by the Service Bus connection and the relay will change over time.
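The relay lookup and the port list above, as an added verification script that is not part of the Sitrion documentation: run on the Hub server, it resolves the relay host behind your namespace (the same thing the nslookup step shows) and tests every host/port pair the rules require, so rows reported as closed point at the rule that is still missing. It assumes Windows Server 2012 R2 or later for Resolve-DnsName and Test-NetConnection; the namespace is a placeholder you must replace.

```powershell
# Added example, not Sitrion's own script. Run on the Hub server itself so that
# DNS answers match the region the Hub will actually use.
$Namespace = 'yournamespace'   # placeholder: the namespace Sitrion (or you) provisioned
$sbHost = "$Namespace.servicebus.windows.net"

# The relay host is the final canonical name in the CNAME chain behind the namespace;
# the default query returns the chain together with the A records.
$cnames = Resolve-DnsName -Name $sbHost -ErrorAction Stop | Where-Object { $_.QueryType -eq 'CNAME' }
$relayHost = if ($cnames) { ($cnames | Select-Object -Last 1).NameHost } else { $sbHost }
"Service Bus relay host: $relayHost"

# Host/port matrix taken from the DNS-name firewall rules in this section.
$sbPorts = 80, 443, 5671, 5672, 9350, 9351, 9352, 9353, 9354
$checks = @(
    @{ Host = 'one.sitrion.com'; Ports = 80, 443 },
    @{ Host = $sbHost;           Ports = $sbPorts },
    @{ Host = $relayHost;        Ports = $sbPorts }
)

$results = foreach ($c in $checks) {
    foreach ($p in $c.Ports) {
        $t = Test-NetConnection -ComputerName $c.Host -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $c.Host; Port = $p; Open = $t.TcpTestSucceeded }
    }
}
$results | Format-Table -AutoSize

# Anything still closed is a rule the firewall team needs to add (by DNS name, not IP).
$closed = $results | Where-Object { -not $_.Open }
if ($closed) { "Blocked endpoints:"; $closed | Format-Table -AutoSize } else { "All required outbound ports are reachable." }
```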
This configuration is the least desirable configuration method. Anytime the underlying IP address changes, the firewall configuration will need to be updated to match the new values.
There are two IPs that will be referenced when creating firewall rules:
- One.sitrion.com - this is Sitrion’s web service. This IP can be determined by resolving the DNS entry for one.sitrion.com
- <yournamespace>.servicebus.windows.net – the hostname for the service bus connection itself. This IP can be determined by resolving the DNS entry for the service bus connection itself
When resolving IP addresses, it should be done from the Hub server itself. This will ensure the IP address is the correct one for a given service region.
The following ports will need to be opened for the Hub Service server(s).
- TCP Port 80 and 443 to one.sitrion.com (see Appendix B for the list of IPs)
- TCP Port 80 and 443 to Service Bus connection IP
- TCP Port 5671-5672 to Service Bus connection IP
- TCP Port 9350-9354 to Service Bus connection IP
Using IP addresses in the above firewall rules has a major disadvantage. Microsoft will change the Service Bus connection IP addresses over time, breaking any firewall rules pointing to the old IPs.
Quoting Microsoft’s Documentation:
How often and how much do these IPs change?
There is no contract on this, but our expectation is that between 10-20% of the IPs will change every month.
We do strongly recommend using DNS filtering to simplify proxy/firewall management.
Note: During service outages, additional IP addresses may be required. Once the underlying outage is resolved, an IP in the above set will be used.