IPS Service Account

The service account is the Windows account that executes all of the IPS Server processes.

As prerequisites for installing IPS Server, a Windows account must be created as the service account, and ports should be registered to this account, as described below. (The ports should not be shared with other applications; the IPS default port assignments can be changed in case there is a clash.)

The IPS and Planning Space install programs perform some of the configurations necessary for the IPS service account. If any of these seem to be a problem, or you need to modify the service account details, see IPS Service configuration.

Creating an account in Windows

It is recommended that the service account be a Windows domain account with a registered UPN (User Principal Name). A registered UPN is required for version 16.5 Update 17 and later.

(The requirement for UPN registration is due to changes in Windows network security for inter-server communication; see ClusterEndpointIdentityType setting.)

For a single IPS server deployment, a locally-defined user account can be used. However, the use of the built-in Windows service accounts (such as LocalService) is not supported.

The account must have 'Log on as a service' user rights. (Use the program 'secpol.msc' to configure this, in the section 'Local Policies > User Rights Assignment > Log on as a service': right click and edit Properties to add the service account.)

Good security practice requires that this account should not be used for other purposes, and it should be given the minimal rights and permissions sufficient to run the IPS service.
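The following PowerShell check is an added example and is not part of the IPS documentation or product. It verifies, after the secpol.msc step above, that the service account actually holds the 'Log on as a service' right (SeServiceLogonRight) by exporting the local user-rights policy with secedit and looking the account up by SID. The account name is a placeholder; run it in an elevated PowerShell on the IPS server.

```powershell
# Added example (not IPS product code): confirm the service account has
# SeServiceLogonRight ('Log on as a service') on this machine.
# Assumption: DOMAIN\SERVICEACCOUNTUSER is a placeholder for your real account.

function Test-LogOnAsServiceRight {
    param([string]$Account = 'DOMAIN\SERVICEACCOUNTUSER')

    # secedit lists right holders mostly as '*SID' entries, so resolve the account to its SID first.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # Export only the USER_RIGHTS area of the local policy to a temporary .inf file.
    $cfg = Join-Path $env:TEMP ('ips-rights-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
        if (-not $line) { return $false }   # nobody has been granted the right explicitly

        # Right-hand side is a comma-separated list of '*SID' or account-name entries.
        $holders = ($line -split '=', 2)[1].Split(',') |
                   ForEach-Object { $_.Trim().TrimStart('*') }
        return ($holders -contains $sid) -or ($holders -icontains $Account)
    }
    finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Usage: returns $true when the right is held, $false when it still needs to be granted in secpol.msc.
if (Test-LogOnAsServiceRight -Account 'DOMAIN\SERVICEACCOUNTUSER') {
    Write-Host "Service account holds 'Log on as a service'."
} else {
    Write-Warning "Service account is missing 'Log on as a service'; grant it under Local Policies > User Rights Assignment."
}
```

The check reads the effective local policy rather than the GUI, so it also catches the case where a domain Group Policy later overrides the right you set locally. Note that membership of a group that holds the right is not detected by this simple string comparison; in that case the group's SID, not the account's, appears in the list.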

Register the web port (HTTP or HTTPS) to the service account

The web port (default 80, or 443 for HTTPS) must be registered (reserved) to the service account. To do this, run this command in an elevated (Administrator) command prompt or PowerShell, substituting the domain and username for your IPS service account:

netsh http add urlacl url=http://+:80/ user=DOMAIN\SERVICEACCOUNTUSER

or if port 443 is going to be used:

netsh http add urlacl url=https://+:443/ user=DOMAIN\SERVICEACCOUNTUSER

Substitute a different port number if you are not using the default number.

If the web port has previously been registered to a different service and/or account (in which case you may get the error 'file already exists'), you can check the existing reservations with the command:

netsh http show urlacl

You will need to un-register accounts on port 80 (or 443, etc.) before doing the registration above. Type the command:

netsh http delete urlacl url=http://+:80/

or the command:

netsh http delete urlacl url=https://+:443/

Important: The IPS Server web port should not be shared with other applications. You will need to disable any other services, or use different ports for the conflicting services.

Register the monitor port to the service account

An additional port is used as the IPS Monitor Port. Port 81 is the default number for this. To reserve this port for the service account, use the command:

netsh http add urlacl url=http://+:81/ user=DOMAIN\SERVICEACCOUNTUSER
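The following PowerShell script is an added example and is not part of the IPS documentation or product. It covers both the web port and monitor port registration steps above: it parses the output of 'netsh http show urlacl' (the same command the text uses to inspect reservations) and reports, for each IPS port, whether the reservation exists, whether it belongs to the service account, and whether any other principal also holds a reservation on that port, which is the sharing the text says must not happen. The account name and the port numbers are placeholders for your deployment; run it in an elevated PowerShell on the IPS server.

```powershell
# Added example (not IPS product code): audit HTTP.sys URL reservations for the IPS ports.
# Assumptions: DOMAIN\SERVICEACCOUNTUSER is a placeholder; 80 is the web port (use 443 for
# HTTPS) and 81 is the monitor port, matching the documentation's defaults.

function Get-UrlAclReservations {
    # Parse 'netsh http show urlacl' into objects with Url and Users properties.
    # Expected layout per entry:  "Reserved URL : http://+:80/" then one or more "User: ..." lines.
    $reservations = @()
    $current = $null
    foreach ($line in (netsh http show urlacl)) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            $current = [pscustomobject]@{ Url = $Matches[1]; Users = @() }
            $reservations += $current
        }
        elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.Users += $Matches[1]
        }
    }
    return $reservations
}

function Test-IpsPortReservations {
    param(
        [string]$Account = 'DOMAIN\SERVICEACCOUNTUSER',
        [int[]]$Ports = @(80, 81)
    )
    $all = Get-UrlAclReservations
    $ok = $true
    foreach ($port in $Ports) {
        # Any reservation whose URL ends in ":<port>/" claims this port, whatever the scheme or host.
        $onPort = @($all | Where-Object { $_.Url -match "://[^/]+:$port/" })
        if ($onPort.Count -eq 0) {
            Write-Warning "Port $port has no URL reservation; add one with: netsh http add urlacl url=http://+:$port/ user=$Account"
            $ok = $false
            continue
        }
        foreach ($r in $onPort) {
            foreach ($u in $r.Users) {
                if ($u -ieq $Account) {
                    Write-Host "OK   $($r.Url) is reserved to $u"
                } else {
                    # A different principal on an IPS port: the port would be shared, which is not supported.
                    Write-Warning "$($r.Url) is reserved to '$u', not the IPS service account; remove it with: netsh http delete urlacl url=$($r.Url)"
                    $ok = $false
                }
            }
        }
    }
    return $ok
}

# Usage: $true means every IPS port is reserved to the service account and to nobody else.
Test-IpsPortReservations -Account 'DOMAIN\SERVICEACCOUNTUSER' -Ports @(80, 81)
```

Run it once before the 'netsh http add urlacl' commands to find the conflicting reservations the 'file already exists' error refers to, and again afterwards to confirm only the service account remains. Remove the stale entries with the delete commands it prints rather than deleting by hand, so that you do not drop reservations on unrelated ports.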

Secure HTTP (HTTPS) configuration

If you are going to use HTTPS there are additional steps required to configure the service certificate. It isn't possible to initiate HTTPS without starting up IPS Server: you will need to begin with an HTTP connection, perform the certificate installation, and then switch the configuration to HTTPS. See Setting up HTTPS (secure HTTP) for IPS Server.