As part of your new iPaaS implementation, we’ll be installing CPHive to facilitate data transfer between Counterpoint and iPaaS. One of the requirements for installation is an IIS server configuration, and Red Rook has created a Suggested Network Configuration Diagram for CPHive. Note that this configuration is suggested, and is the typical one we see, but it is not required.

Please work with your IT provider to discuss IIS server configuration options and address the CPHive server action items and let us know if you have any questions. 

Install Server Application Requirements:

     CPHive Server Requirements: IIS and SSL 

Procure and apply SSL certificate to the IIS server website.

This SSL certificate will either be a Wildcard certificate in the form of * or it can be an SSL certificate for a specific subdomain such as

  • If this certificate is already owned, skip forward to the installation section. Otherwise, this certificate will need to be purchased from your domain name provider such as, or any other domain name provider.
    • A CSR will be required to request an SSL certificate for a specific subdomain. The process of applying for an SSL certificate and fulfilling the subsequent request can be found from the domain provider. Here is an example from
    • If a CSR is generated from this IIS server, the Certificate will be installed by default upon completing the CSR request using this IIS server. You can skip the next step.
  • Install the certificate onto the server using the IIS
    • Export the certificate .PFX file and maintain the private key during export. 
    • Place .PFX file onto the IIS server and double click to install the certificate into the "Personal" certificate store. It can also be installed to the "web hosting" store if that makes more sense for your organization. 
    • Verify the certificate is available in IIS by accessing the base server within IIS:
    • The certificate will be listed in the following window (if installed):
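
The same verification can be scripted. This is an added example, not Red Rook's tooling or part of the original instructions; it assumes an elevated PowerShell session on the IIS server with the WebAdministration module available, and `cphive.example.com` is a placeholder for your own subdomain.

```powershell
# Added example, not Red Rook's tooling. $HostName is a placeholder: set it to
# the subdomain chosen for the CPHive IIS site.
$HostName = 'cphive.example.com'

function Test-CertNameMatch {
    param([string]$Pattern, [string]$Name)
    if ($Pattern.StartsWith('*.')) {
        # A wildcard covers exactly one left-most label: *.example.com matches
        # cphive.example.com, but not a.b.example.com or example.com itself.
        $suffix = $Pattern.Substring(1)
        if (-not $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $label = $Name.Substring(0, $Name.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return ($Pattern -ieq $Name)
}

# IIS binds certificates from the Local Machine stores: "Personal" is My and
# "Web Hosting" is WebHosting. A certificate imported for Current User is not listed.
$found = foreach ($store in 'My', 'WebHosting') {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
        Where-Object { $_.DnsNameList | Where-Object { Test-CertNameMatch $_.Unicode $HostName } } |
        Select-Object @{ n = 'Store'; e = { $store } }, Thumbprint, Subject, NotBefore, NotAfter, HasPrivateKey
}
if (-not $found) { Write-Warning "No Local Machine certificate covers $HostName." }

$now = Get-Date
foreach ($c in $found) {
    $problems = @()
    if (-not $c.HasPrivateKey) { $problems += 'private key missing (re-export the .PFX with the key)' }
    if ($c.NotBefore -gt $now) { $problems += "not valid until $($c.NotBefore)" }
    if ($c.NotAfter -lt $now)  { $problems += "expired on $($c.NotAfter)" }
    $status = if ($problems) { $problems -join '; ' } else { 'OK' }
    '{0}  {1}  {2}: {3}' -f $c.Store, $c.Thumbprint, $c.Subject, $status
}

# Show which certificate each HTTPS binding actually presents.
Import-Module WebAdministration
Get-WebBinding -Protocol https | ForEach-Object {
    [pscustomobject]@{
        Binding    = $_.bindingInformation
        Store      = $_.certificateStoreName
        Thumbprint = $_.certificateHash
        CoversHost = @($found).Thumbprint -contains $_.certificateHash
    }
}
```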

Enable whitelisted traffic to reach the IIS server using HTTPS. 

The following configuration is done on your organization's edge router/firewall, and this section may require a member of your network management team.

  • Whitelist inbound traffic to the below IPs/domain for port 443 (default HTTPS port. If in use, please assign a new port and notify RR Team)
    •  (This is the priority address as it allows us to update DNS entries without requiring them to update their whitelisting policy)
      • The host name will automatically resolve to the new IP address ( if using DNS. If the host name can be used for the “allow” rules instead of the IP address, that would be preferable as it may prevent future firewall changes from being necessary as the host name should dynamically apply to any new IP addresses.
    • (Our current production Azure cluster address. It's the same as the above domain name but an IP address)
    •  (Our staging and development environments)
    • (Deprecated production Azure cluster address. ONLY share this IP to allow them to remove old whitelist entries. This Azure cluster has been shut down permanently.)
  • For firewall configuration, these can be configured as either direct port forwarding on a dedicated public IP address or as a NAT rule on any available public IP address.
  • Port forwarding requires that port 443 is available on a public IP address owned by your organization. If 443 is not available, use a NAT rule instead to translate the port traffic and send the new port to Red Rook.

Configure a Public DNS entry to resolve a new subdomain to the public IP address of the DNS IIS server (set in previous step)

  • A DNS entry may also be required to redirect this new subdomain to the proper server IP. This is also done within the management site for your domain provider. 
    • This entry will be added in the DNS management section of your organization's domain name provider website such as
    • This entry is suggested to be an "A record" that resolves the subdomain to an IP address such as:
      • resolves to (This IP address needs to match the firewall configuration that opens port 443 to the server that is hosting the CPHive IIS instance.) This will be a Public IP address that is provided by your internet service provider. 
      • Example:

Provide Red Rook with Permissions to access Counterpoint and DB:

  • Counterpoint version or greater
    • A Counterpoint User account within every Company that exists within the cp database. 

  • SQL 2008R2 or greater
    • A SQL Server account (using SQL database authentication) with DBOwner permissions to the Counterpoint Database. This limits access to that database instead of granting full rights to every DB on the server.
    • A Windows Domain account with Administrative rights on the SQL server would be required if you wish to use Windows Auth to provide SQL server access. This option provides full access to EVERY database on the SQL server. 
  • User Login to NCR Counterpoint 
    • User Login with db_owner permissions to Counterpoint Production database.
      • This permission needs to be set on the SQL server instance.

  • A Windows Domain user account with Administrative rights to the IIS Server and Counterpoint Application server. 
  • If required for remote access, a set of credentials that are permitted to log onto a VPN client to access the internal network remotely.
    • If a VPN is not available, we also offer GoToAssist remote access. This remote access application can be configured to allow us either monitored or unattended access if after-hours work is expected.