Control Center Web.Config Settings
This page lists settings of the Control Center Web.Config file that are relevant to the customer. The file can be located in the following directory: ..\<AMT_Environment>\AmtTools\ControlCenterCore.
All settings changed in the Web.Config file for the Control Center should also be changed for the Application Center.
Custom Headers
The settings of this section have been added to increase security of the AMT web applications.
With the exception of HSTS (see below), it is not advised to change these settings before consulting with our Customer Support via the Avanade Service Portal.
HTTP Strict Transport Security (HSTS)
HSTS is not enabled by default in an AMT environment. The "Strict-Transport-Security" custom header should be uncommented to enable HSTS, resulting in the following:
<customHeaders>
  <add name="Content-Security-Policy" value="( ... )" />
  <!-- Remove to enforce HSTS communication -->
  <add name="Strict-Transport-Security" value="max-age=31536000" />
  <add name="X-Content-Type-Options" value="nosniff" />
  ( ... )
</customHeaders>
Suppressing IIS server header
From IIS version 10.0 onwards, it is possible to suppress sending the HTTP Server header to clients.
This can be achieved by uncommenting the <security> node as demonstrated below:
<security>
<requestFiltering removeServerHeader="true" />
</security>
Uncommenting the node when using an earlier version of IIS will result in an error upon loading the AMT Control Center.
Redirect HTTP to HTTPS
Besides HSTS (see above), the Web.Config also contains a section to forcibly redirect users from the HTTP to the HTTPS protocol. To enable this functionality, the IIS URL Rewrite module must be installed on the server hosting the AMT applications (e.g. Control Center, Application Center & Web Client application). The module can be downloaded from the Microsoft URL Rewrite website.
Once the IIS module is installed, the redirect functionality can be enabled by uncommenting the <rewrite> node as demonstrated below:
<rewrite>
  <rules>
    <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" />
      </conditions>
      <!-- {R:1} is the path captured by the match pattern above -->
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>
  <outboundRules>
    <rule name="Add the STS header in HTTPS responses">
      <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
      <conditions>
        <add input="{HTTPS}" pattern="on" />
      </conditions>
      <action type="Rewrite" value="max-age=31536000" />
    </rule>
  </outboundRules>
</rewrite>
Uncommenting the rewrite node when the URL Rewrite module is not installed will result in a server error upon loading the AMT Control Center.
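An offline check of which of the three options described on this page (HSTS header, Server header suppression, HTTP to HTTPS redirect) are actually active in a given Web.Config. This is an added example, not part of the AMT product or its documentation. The function name `audit_web_config` is hypothetical, the sample configuration is constructed, and it assumes the standard IIS layout with these nodes under `<system.webServer>`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not the shipped AMT file: HSTS is enabled, while the
# <security> and <rewrite> nodes are still commented out.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000" />
        <add name="X-Content-Type-Options" value="nosniff" />
      </customHeaders>
    </httpProtocol>
    <!--
    <security><requestFiltering removeServerHeader="true" /></security>
    <rewrite>
      <rules>
        <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions><add input="{HTTPS}" pattern="off" /></conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
    -->
  </system.webServer>
</configuration>"""

def audit_web_config(xml_text):
    """Return which of the three hardening options are active."""
    # ElementTree drops XML comments, so commented-out nodes count as disabled.
    root = ET.fromstring(xml_text)
    headers = {a.get("name", "").lower(): a.get("value", "")
               for a in root.iterfind(".//customHeaders/add")}
    hsts = re.search(r"max-age\s*=\s*(\d+)",
                     headers.get("strict-transport-security", ""), re.I)
    filtering = root.find(".//security/requestFiltering")
    redirect = False
    for rule in root.iterfind(".//rewrite/rules/rule"):
        action = rule.find("action")
        inputs = [c.get("input") for c in rule.iterfind("conditions/add")]
        if (action is not None and action.get("type", "").lower() == "redirect"
                and action.get("url", "").lower().startswith("https://")
                and "{HTTPS}" in inputs):
            redirect = True
    return {"hsts": bool(hsts and int(hsts.group(1)) > 0),
            "server_header_removed": filtering is not None
            and filtering.get("removeServerHeader", "").lower() == "true",
            "https_redirect": redirect}
```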