Deploying Microix Modern Application on IIS Server

Creation date: 3/5/2026 9:20 PM    Updated: 3/6/2026 8:46 AM

📖 Overview

This article explains deployment options for hosting the Microix Modern Server application on Microsoft Internet Information Services (IIS). Because customer environments vary, the recommended deployment model depends on whether the application is intended for:

  • LAN access only
  • WAN access in addition to LAN access

This article also outlines infrastructure, security, authentication, SQL connectivity, and file storage considerations for each scenario.


🧭 Supported Deployment Scenarios

The Microix Modern application hosted on IIS can generally be deployed in one of the following ways:

1. IIS Server on the Internal LAN (No WAN Access)
The application is accessible only from within the internal network. The IIS application can be installed either on the existing MIP/Microix server or on a separate IIS server within the LAN.

2. IIS Server on the Internal LAN with WAN Access
External users access the application through the internet. This typically requires the firewall to allow inbound HTTPS traffic on port 443, along with a properly configured SSL certificate in IIS.
In this scenario, the application should be deployed on a separate IIS server and should not be installed on the MIP/Microix SQL Server.

3. IIS Server Located in a DMZ for WAN Access

In this configuration, the IIS server is placed in a DMZ (Demilitarized Zone) to isolate the web application from the internal network. External users connect to the IIS server in the DMZ, and controlled firewall rules allow the application to communicate with required internal services. Because DMZ servers often do not have access to Active Directory, the application will need to use a SQL authentication account instead of a domain account for database access.


⭐ General Recommendation

The preferred deployment model should align with the customer’s security policy, network architecture, and access requirements.

Best practice summary

  • For internal-only users, deploy the IIS service (web sockets enabled
  • For external/WAN access, there are two common options:
    • Host IIS on the LAN and publish it externally through the customer’s security infrastructure.
    • Host IIS on a DMZ server when network segmentation and security controls require isolation from the internal LAN.

šŸ–„ļø Scenario 1: LAN Access Only

Description

In this model, the application is deployed to a server located on the customer’s internal network (the MIP\Microix Server for a small deployment workload, or a separate IIS server). Users access the application only from within the LAN.

Recommended use case

  • All users are internal users
  • No internet-based access is required
  • The simplest and most secure deployment model

Best practices

  • Deploy IIS Service on a server within the LAN 
  • Limit application access to internal network users only
  • Use a non-administrative domain service account for the IIS application pool identity
  • Grant that account only the permissions required to:
    • Access the MIP\Microix SQL Server
    • Access the network file path used to store attachments

🌐 Scenario 2: WAN Access with IIS Hosted on the LAN

Description

In this model, the IIS server remains on the internal LAN, but the application is made available for WAN access through the customer’s existing perimeter security controls, such as firewall/NAT, reverse proxy, VPN, or other secure publishing methods.

Recommended use case

  • External users need access to the application
  • The customer prefers to keep the IIS server inside the LAN 
  • Internal infrastructure teams can securely publish the application for WAN access

Best practices

  • Keep the IIS server on the LAN and use a separate server from the MIP\Microix Server
  • Publish the application externally using the customer’s approved secure access method
  • Use HTTPS/TLS for all external traffic
  • Restrict inbound access to only required ports and sources
  • Use a non-administrative domain account for the IIS application pool identity
  • Grant that account only the permissions required to:
    • Connect to the MIP\Microix SQL Server
    • Access the network file share/path used for attachments

šŸ›”ļø Scenario 3: WAN Access with IIS Hosted in a DMZ

Description

In this model, the application is deployed to an IIS server located in a DMZ. This is typically used when the customer requires internet-facing services to be isolated from the internal LAN.

Recommended use case

  • The customer requires strict network segmentation
  • Security policy requires internet-facing web servers to reside in a DMZ
  • The customer does not permit direct WAN publishing to an IIS server on the LAN

Best practices

  • Deploy IIS to a DMZ server (with WebSocket Enabled)
  • Allow only the minimum required ports and network flows between the DMZ and internal resources
  • Use HTTPS/TLS for all external access
  • Use least-privilege service configuration
  • Avoid dependency on Active Directory if the DMZ server has no access to domain services
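
The best practices listed for the three scenarios above (application pool identity, WebSocket support, HTTPS) can be checked on the IIS server with a short PowerShell audit. This is an added example, not Microix's own tooling; the site name MicroixModern and pool name MicroixModernPool are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: audits an IIS host against the scenario best practices.
# Site and pool names are hypothetical defaults; pass the real ones.
param(
    [string]$SiteName = 'MicroixModern',
    [string]$PoolName = 'MicroixModernPool'
)
Import-Module WebAdministration
$findings = @()

# 1. App pool identity: should be a specific, non-administrative account.
$pm = Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel
if ($pm.identityType -eq 'LocalSystem') {
    $findings += 'App pool runs as LocalSystem; use a least-privilege account.'
}
elseif ($pm.identityType -eq 'SpecificUser') {
    # Compare by SID so DOMAIN\user and user@domain forms both match.
    $sid = ([System.Security.Principal.NTAccount]$pm.userName).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    # Direct members of BUILTIN\Administrators only; nested groups are not expanded.
    $adminSids = (Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value
    if ($adminSids -contains $sid) {
        $findings += "App pool account $($pm.userName) is a local administrator."
    }
}

# 2. WebSocket Protocol feature (Windows Server role service).
if (-not (Get-WindowsFeature -Name Web-WebSockets).Installed) {
    $findings += 'IIS WebSocket Protocol (Web-WebSockets) is not installed.'
}

# 3. HTTPS binding with a certificate that is present and not near expiry.
$https = @(Get-WebBinding -Name $SiteName -Protocol https)
if ($https.Count -eq 0) { $findings += "Site $SiteName has no HTTPS binding." }
foreach ($b in $https) {
    if (-not $b.certificateHash) {
        $findings += "Binding $($b.bindingInformation) has no certificate."
        continue
    }
    $path = "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)"
    $cert = Get-Item $path -ErrorAction SilentlyContinue
    if (-not $cert) { $findings += "Certificate $($b.certificateHash) not found in store." }
    elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings += "Certificate for $($b.bindingInformation) expires $($cert.NotAfter)."
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No findings.' }
```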

āš™ļø Deployment Requirements

Before deploying the web application on IIS, ensure the following requirements are met.

Database Requirements

  • Microsoft SQL Server 2017 or later is required.
  • The IIS server must be able to communicate with the SQL Server instance.
  • Ensure TCP port 1433 (or the configured SQL Server port) is open between the IIS server and the SQL Server.
  • The application requires appropriate database credentials (either an Active Directory domain account or SQL authentication, depending on the deployment model).

Network Access Requirements

  • The IIS server must have network connectivity to:

    • The SQL Server hosting the Microix and MIP databases
    • The network file share used for attachment storage
  • Ensure required firewall rules are configured between servers.

WAN Deployment Requirements (Mobile Approval / External Access)

  • If users need to access the application outside the internal network (for example, mobile approvals), the application must be accessible through WAN deployment.
  • This typically requires:
    • Firewall configuration allowing inbound HTTPS (TCP 443) traffic
    • Public DNS configuration or external access method approved by the organization

SSL Certificate (Recommended for WAN Deployment)

  • An SSL certificate should be installed on the IIS server when the application is accessible from the internet.
  • HTTPS ensures that all communication between users and the application is encrypted and secure.
  • SSL certificates may be obtained from:
    • A trusted public certificate authority
    • The organization’s internal certificate authority


šŸ› ļø Summary of Common Ports

Service          Protocol   Default Port   Purpose
HTTPS            TCP        443            External access to IIS
SQL Server       TCP        1433           Database communication
SMB File Share   TCP        445            Access to attachment storage
LDAP             TCP/UDP    389            Active Directory authentication
LDAPS            TCP        636            Secure LDAP
Kerberos         TCP/UDP    88             Domain authentication
DNS              TCP/UDP    53             Name resolution
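
The flows in this table can be verified from the IIS server before go-live, and a DMZ rule set can be checked for being wider than needed. This is an added example, not part of the original article; the host names are hypothetical placeholders, and the DMZ case assumes SQL authentication so that no Active Directory flows are required.

```powershell
# Added example: run on the IIS server. Host names are hypothetical placeholders.
param(
    [ValidateSet('LAN', 'DMZ')][string]$Scenario = 'LAN',
    [string]$SqlHost  = 'sql01.example.internal',
    [string]$FileHost = 'files01.example.internal',
    [string]$DcHost   = 'dc01.example.internal',
    [int]$SqlPort     = 1433   # or the configured SQL Server port
)

# Flows the application needs in every scenario.
$flows = @(
    [pscustomobject]@{ Name = 'SQL Server';     Target = $SqlHost;  Port = $SqlPort; Expect = $true }
    [pscustomobject]@{ Name = 'SMB file share'; Target = $FileHost; Port = 445;      Expect = $true }
)

# Active Directory flows. LAN: reported for information only, since the exact
# set depends on the domain. DMZ (assumption: SQL authentication in use):
# expected closed, so an open port means the firewall allows more than the minimum.
$adExpect = if ($Scenario -eq 'DMZ') { $false } else { $null }
foreach ($p in @{ Kerberos = 88; LDAP = 389; LDAPS = 636 }.GetEnumerator()) {
    $flows += [pscustomobject]@{ Name = $p.Key; Target = $DcHost; Port = $p.Value; Expect = $adExpect }
}

# Test-NetConnection probes TCP only; UDP variants in the table are not covered.
$results = foreach ($f in $flows) {
    $open = Test-NetConnection -ComputerName $f.Target -Port $f.Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    $status = if ($null -eq $f.Expect) { 'INFO' }
              elseif ($open -eq $f.Expect) { 'OK' }
              else { 'MISMATCH' }
    [pscustomobject]@{
        Flow     = $f.Name
        Target   = "$($f.Target):$($f.Port)"
        Open     = $open
        Expected = $f.Expect
        Status   = $status
    }
}

$results | Format-Table -AutoSize
# A non-zero exit code lets a deployment checklist or pipeline stop on a mismatch.
if ($results.Status -contains 'MISMATCH') { exit 1 }
```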