Application Center Web.config Settings
This page lists the customer-relevant settings of the Application Center Web.config file, which is located in the folder: <AMT environment>\AmtTools\ApplicationCenterCore\
Custom Headers
The settings of this section have been added to increase security of the AMT Web applications.
With the exception of HSTS (see below), it is not advised to change these settings before consulting with the Avanade Customer Support via the Avanade Service Portal.
HTTP Strict Transport Security (HSTS)
By default HSTS is not enabled in an AMT environment. To enable HSTS, the "Strict-Transport-Security" custom header should be uncommented near line 16 of the web.config, resulting in the following:
<add name="Content-Security-Policy" value="( ... )" />
<!-- Remove to enforce HSTS communication -->
<add name="Strict-Transport-Security" value="max-age=31536000" />
<add name="X-Frame-Options" value = "SAMEORIGIN"/>
( ... )
</customHeaders>
If uncommented in the Application Center web.config, the same section should also be uncommented in the Control Center web.config file.
Suppressing IIS server header
From IIS 10.0 onwards it is possible to suppress sending the HTTP server header to clients.
This can be achieved by uncommenting the <security> node near the bottom of the web.config, making the node look like this:
<security>
<requestFiltering removeServerHeader="true" />
</security>
Uncommenting the node when using an earlier version of IIS will result in an error upon loading the AMT Application Center.
Redirect HTTP to HTTPS
Besides HSTS (see above), the web.config also contains a section to forcibly redirect users from the HTTP to the HTTPS protocol. To enable this functionality, the IIS URL Rewrite module must be installed on the server hosting the AMT applications (e.g. Control Center, Application Center & Web Client application). The module can be downloaded from the Microsoft URL Rewrite website.
Once the IIS module is installed, the redirect functionality can be enabled by uncommenting the <rewrite> node near the bottom of the web.config, making the node look like this:
<rewrite>
<rules>
<rule name="Redirect HTTP to HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
</rules>
<outboundRules>
<rule name="Add the STS header in HTTPS responses">
<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" />
</conditions>
<action type="Rewrite" value="max-age=31536000" />
</rule>
</outboundRules>
</rewrite>
If uncommented in the Application Center web.config, the same section should also be uncommented in the Control Center web.config file.
Uncommenting the rewrite node when the URL Rewrite module is not installed will result in a server error upon loading the AMT Application Center.
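The following is an added example, not part of the original page or Avanade's code: it audits a web.config for the three optional settings described above and flags where the Application Center and Control Center files disagree on HSTS or the redirect. The two sample files are constructed, and the parent nodes system.webServer and httpProtocol are assumed from the standard IIS schema.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files (not the shipped AMT web.config); the parent nodes
# system.webServer and httpProtocol are assumed from the standard IIS schema.
APP_CENTER = """<configuration><system.webServer>
 <httpProtocol><customHeaders>
  <add name="Strict-Transport-Security" value="max-age=31536000" />
 </customHeaders></httpProtocol>
 <security><requestFiltering removeServerHeader="true" /></security>
 <rewrite><rules><rule name="Redirect HTTP to HTTPS" stopProcessing="true">
  <match url="(.*)" /><conditions><add input="{HTTPS}" pattern="off" /></conditions>
  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
 </rule></rules></rewrite>
</system.webServer></configuration>"""
CONTROL_CENTER = """<configuration><system.webServer>
 <httpProtocol><customHeaders>
  <!-- <add name="Strict-Transport-Security" value="max-age=31536000" /> -->
 </customHeaders></httpProtocol>
 <!-- <rewrite> ( ... ) </rewrite> -->
</system.webServer></configuration>"""

def audit(config_xml):
    """Report which optional hardening nodes are active in one web.config."""
    # The default parser drops XML comments, so a commented-out node
    # counts as disabled, which matches how IIS reads the file.
    root = ET.fromstring(config_xml)
    headers = {a.get("name", "").lower(): a.get("value", "")
               for a in root.iterfind(".//customHeaders/add")}
    hsts = headers.get("strict-transport-security")
    age = re.search(r"max-age\s*=\s*(\d+)", hsts or "", re.I)
    no_server = root.find(".//security/requestFiltering[@removeServerHeader='true']")
    redirect = any(
        a.get("type") == "Redirect" and a.get("url", "").lower().startswith("https://")
        for a in root.iterfind(".//rewrite/rules/rule/action"))
    return {
        "hsts_header": hsts is not None,
        "hsts_max_age": int(age.group(1)) if age else None,
        "server_header_removed": no_server is not None,
        "https_redirect": redirect,
    }

def mismatches(app_center_xml, control_center_xml):
    """Settings the page says must be enabled in both files or in neither."""
    a, c = audit(app_center_xml), audit(control_center_xml)
    return sorted(k for k in ("hsts_header", "https_redirect") if a[k] != c[k])

if __name__ == "__main__":
    print(audit(APP_CENTER), mismatches(APP_CENTER, CONTROL_CENTER))
```

The hsts_header result covers only the customHeaders entry; the outbound rewrite rule that also sets the header is not inspected.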