Stack Overflow for Teams: Enterprise System Requirements 

Stack Overflow Enterprise can be installed either on your premises, or hosted by us on Azure Cloud.

Architecture

Stack Overflow for Teams consists of the following components. Note that in a cloud-hosted scenario, we provide all but the blue components. In an On-Premises environment, you will need to provide hardware (or virtual machines) and licenses for all components.

  • One or more hosts running Stack Overflow for Teams, running on top of ASP.NET and IIS on Windows Server
  • One or more hosts running Redis - as a cache and pub/sub system (can be the same as the host running Stack Overflow for Teams)
  • One or more hosts running Elasticsearch - for search functionality (can be the same as the host running Stack Overflow for Teams)
  • Two SQL Server databases, running on a server or cluster provided by you (for On-Premises deployments) or us (for Cloud deployments)
  • An Authentication Provider/Directory Service (provided by you) for users to authenticate against
  • A place to store uploaded Images. This can be a network share that the Web Servers can read from/write to.
  • An SMTP Server for Stack Overflow for Teams to send emails through

System Requirements

On-Premises Server Requirements

Hardware Requirements

Exact hardware requirements will vary with the size, scope, and environment of your deployment.

The Stack Overflow Engine is highly scalable and can be ramped up on hardware as needed - for instance, the public StackOverflow.com site is one of the top 60 most visited sites in the world, and it can run (if necessary) on one very strong physical server.

You can see the detailed architecture of the public family of StackExchange sites via the following blog post: http://nickcraver.com/blog/2016/02/17/stack-overflow-the-architecture-2016-edition/.

Operating System Server Platform

  • Microsoft Windows Server 2016 or 2019 with Desktop Experience
  • English-language version required

Please be aware that Windows Server Core and Nano Server deployments are not supported.

Windows Server versions that Microsoft no longer supports are not supported either. Please refer to https://support.microsoft.com/en-us/lifecycle/search/ for support lifecycle information.

Operating System Components

  • Ability to run PowerShell scripts for installation and upgrades
  • .NET Framework 4.6.2 or newer
  • Latest Oracle Java 8 Java SE Runtime Environment (JRE) on Servers hosting Elasticsearch

Database Requirements

  • Microsoft SQL Server 2016 SP1+/2017/2019 Standard or Enterprise
  • You need to provide two empty databases - these can be named any way you prefer, however in all documentation we'll refer to them as SitesEE and StackOverflowEE
  • Collation should be SQL_Latin1_General_CP1_CI_AS at the Database Engine level
  • The User running the setup script will need db_owner permissions to create the necessary objects, and its default schema needs to be set to "dbo" for both databases.
  • The Service Account running the IIS Application Pool for Stack Overflow for Teams needs db_datareader and db_datawriter permission
  • SQL Server Authentication is supported, but Windows Authentication is recommended.

Hosting Requirements

  • Stack Overflow for Teams runs on top of the IIS Web Server and requires HTTPS
  • You are responsible for providing an HTTPS Certificate for the Hostname(s) that you want to use (e.g., "stackoverflow.example.com")

Firewall Requirements

  • Stack Overflow Enterprise redirects traffic from Port 80 to 443, and requires inbound firewall rules on the server for Port 443 (TCP Protocol) to allow access to the site.
  • (Optional) Allow inbound Port 80 (TCP Protocol) so users accidentally using an HTTP URL won't get a connection error.
  • (Optional) Having ACLs will prevent/impact the use of third-party integrations like Slack, Microsoft Teams, Jira and GitHub, since most of them require 2-way communication. For Slack, a reverse proxy can be used (refer to documentation for details).
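
The operating system, component and firewall requirements above can be checked on a candidate web server before installation. The following read-only preflight is an added example, not one of the vendor's installation scripts; `Test-SoePrerequisite` is a hypothetical name, and the check covers the local Windows Firewall only, not network firewalls or the Java requirement for Elasticsearch hosts.

```powershell
# Added example: read-only preflight for the on-premises requirements above.
# Test-SoePrerequisite is a hypothetical helper name, not a vendor script.
function Test-SoePrerequisite {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
        -ErrorAction SilentlyContinue

    # Enabled inbound allow rules that name TCP ports explicitly.
    # Rules written as port ranges or "Any" are not matched by this check.
    $tcpPorts = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' } |
        ForEach-Object { $_.LocalPort }

    $checks = [ordered]@{
        'Windows Server 2016 or 2019' = $os.Caption -match 'Windows Server (2016|2019)'
        # Desktop Experience reports "Server"; Server Core reports "Server Core"
        'Desktop Experience install' = $cv.InstallationType -eq 'Server'
        'English-language OS' = [cultureinfo]::InstalledUICulture.TwoLetterISOLanguageName -eq 'en'
        # Release 394802 is the lowest value Microsoft documents for 4.6.2
        '.NET Framework 4.6.2 or newer' = ($null -ne $ndp) -and ($ndp.Release -ge 394802)
        # AllSigned or RemoteSigned can still block scripts, depending on how they are signed
        'PowerShell scripts not Restricted' = (Get-ExecutionPolicy) -ne 'Restricted'
        'Inbound TCP 443 allowed' = $tcpPorts -contains '443'
        'Inbound TCP 80 allowed (optional)' = $tcpPorts -contains '80'
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Requirement = $name; Met = $checks[$name] }
    }
}

Test-SoePrerequisite | Format-Table -AutoSize
```

Run it in an elevated PowerShell session; the firewall cmdlets need administrative rights to enumerate all rules.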

High Availability / Load-Balanced Environments

Stack Overflow for Teams can support High Availability/Load Balanced Environments. Please contact your sales representative about licensing requirements.

Please see the section about support for HA/Load Balanced Environments below.

Authentication Requirements

Stack Overflow for Teams requires users to log in and create an account in order to view content and participate on the site.

Stack Overflow for Teams requires an existing directory service that handles authentication.

We support these protocols:

  • SAML 2.0, either IDP or SP initiated
  • Active Directory

Please see the section about setting up Authentication below.

Other Requirements

The application requires the details of an SMTP Server that the application can send email through. We support SSL and authentication.

The application supports uploading of images (e.g., Profile Pictures or images in Questions/Answers). There are several storage options:

  • A file system, either local or on a network share. In a load-balanced environment, you need to make sure it is stored on a location that all servers can reach.
  • Azure Cloud Blob Storage if you have your own Azure Storage Service
  • Storing Images in SQL Server directly. Images will be stored in the StackOverflowEE database, in a table called "Images"

Cloud-Hosted Server Requirements

In a Cloud-Hosted environment, Stack Overflow will provide the databases and server hosting components.

Hosting Requirements

Stack Overflow for Teams provides a default URL for your site, but you may choose your own domain name for your site.

Stack Overflow for Teams requires HTTPS.

If you would like to use your own custom URL, you are responsible for providing an HTTPS Certificate for the Hostname(s) that you want to use (e.g., "stackoverflow.example.com").

Authentication Requirements

Stack Overflow for Teams requires users to log in and create an account in order to view content and participate on the site.

Stack Overflow for Teams requires an existing directory service that handles authentication.

For Cloud-hosted deployments, we support these protocols:

  • SAML 2.0, either IDP or SP initiated

Please see the section about setting up Authentication below.

Security Requirements

Please contact us about possible security options (e.g., VPN Setup, IP Whitelisting).

Client Requirements

We support the latest versions of all common browsers: https://browsers.stackoverflow.design

Desktop Browser Support

  • Google Chrome
  • Mozilla Firefox
  • Apple Safari (macOS only)
  • Microsoft Edge (Windows 10 only)
  • Opera browser

Mobile Browser Support

We support the latest versions of these mobile browsers:

  • Apple Safari (iOS)
  • Google Chrome (Android)

Please be aware that in case of SAML 2.0 authentication, you are responsible for making sure the Identity Provider is compatible with the mobile platform.

HTTPS Support

If you use an internal CA to create the HTTPS certificate, you are responsible for making sure that clients trust it; otherwise, users will see security warnings. In our Azure Hosted environment, all connections must be over TLS 1.2 (the latest versions of all browsers listed above are compliant).

Authentication Setup

SAML 2.0

Please see here for detailed setup instructions: https://support.stackenterprise.co/solution/articles/22000215170-saml-authentication-configuration

Application Requirements for Configuration of SAML 2.0 SSO:

  • Assertion Consumer Service URL, e.g. https://stackoverflow.your-org.com/auth/saml2/post
  • Public x509 certificate string so we can validate the signature of the SAML Response sent by the Identity Provider
  • Issuer ID passed by the Identity Provider in the SAML Response
  • Identity Provider URL so that the Stack Overflow for Teams application knows where to redirect login requests to

We require the following attributes to be sent by the Identity Provider in the SAML Response:

  • Some unique identifier (e.g. employee id), preferably not the email address
  • Email Address
  • Full Name or Displayed Name
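
Before the configuration meeting, an identity team can check that a captured test response carries everything listed above. The following is an added example, not the product's own validation code: `Test-SamlResponseShape` is a hypothetical helper, the attribute names and issuer value are assumptions to be replaced with your Identity Provider's, and it inspects structure only, assuming an unencrypted assertion, without verifying the signature cryptographically.

```powershell
# Added example. Constructed response, not from a real IdP; the attribute
# names (employeeId, email, displayName) and the issuer are assumptions.
$sample = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://stackoverflow.your-org.com/auth/saml2/post">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="employeeId">
        <saml:AttributeValue>E12345</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email">
        <saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@

function Test-SamlResponseShape {   # hypothetical helper name
    param([string]$Xml, [string]$AcsUrl, [string]$IssuerId, [string[]]$RequiredAttributes)
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null        # never fetch external DTDs or entities
    $doc.LoadXml($Xml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $resp = $doc.SelectSingleNode('/samlp:Response', $ns)
    if ($null -eq $resp) { return 'Root element is not samlp:Response' }
    if ($resp.GetAttribute('Destination') -ne $AcsUrl) {
        'Destination does not match the Assertion Consumer Service URL'
    }
    $issuer = $resp.SelectSingleNode('saml:Assertion/saml:Issuer', $ns)
    if ($null -eq $issuer -or $issuer.InnerText.Trim() -ne $IssuerId) {
        'Assertion Issuer does not match the configured Issuer ID'
    }
    if ($null -eq $resp.SelectSingleNode('.//ds:Signature', $ns)) {
        'No ds:Signature element: response is unsigned'
    }
    foreach ($name in $RequiredAttributes) {
        $value = $resp.SelectSingleNode(".//saml:Attribute[@Name='$name']/saml:AttributeValue", $ns)
        if ($null -eq $value -or -not $value.InnerText.Trim()) { "Missing or empty attribute: $name" }
    }
}

Test-SamlResponseShape -Xml $sample -AcsUrl 'https://stackoverflow.your-org.com/auth/saml2/post' `
    -IssuerId 'https://idp.example.com/metadata' -RequiredAttributes employeeId, email, displayName
```

The function emits one string per problem found and nothing when the response has the expected shape; the constructed sample deliberately omits the signature and the display name.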

(Optional) IDP-initiated SAML 2.0

  • Option to disallow SP-initiated SAML 2.0 login, which prevents the app from sending Authentication Requests to your Identity Provider
  • Option to set the IDP-initiated URL from which to log in and access the site

Signed SAML Authentication Requests

  • Option to enable signed SAML AuthN Requests to the Identity Provider
  • Option to upload your own or a self-signed x509 certificate and private key to sign the Authentication Request

Encrypted XML/Assertion in the SAML Response

  • Option to enable decryption of encrypted XML/Assertion in the SAML Response
  • Option to upload or generate the private key to decrypt the XML/Assertion

Active Directory (On-Premises only)

  • We support basic authentication with Active Directory on a Windows Server 2008 or higher domain controller.
  • We do not officially support LDAP or Lightweight Directory Services, but they can work with our AD configuration

Provided

On-Premises

You provide the following:

  • One or more Windows 2016 Servers, along with a Windows and Network Administrator
  • Admin access to two empty databases on a SQL 2016 SP1+/2017 Server
  • Authentication configuration information
  • Details of an SMTP Server that the application can use

We provide a zip file with the application and a set of PowerShell scripts that handle the following:

  • Installation of the server roles and features on the Windows Server
  • Installation of the ElasticSearch dependency on the Windows Server
  • Installation of the Redis dependency on the Windows Server
  • Creation of the two database schemas that the application requires
  • Installation or upgrade of the application on the Windows Server
  • Configuration of the application in IIS

Azure Cloud Hosted

You provide the following:

  • Provide a Brand Kit so that our design team can apply a customized theme for your site
  • Determine the Domain (Host) Name of your site
  • SAML 2.0 Configuration Details from your Directory or Identity Services Team
  • (Optional) Details of an SMTP Server, or you may use the Sendgrid SMTP Service that we configure by default.

Once we get the brand kit and determine the domain name of your site we do the following:

  • Provision the infrastructure for your site in our Azure Subscription and deploy the application.
  • Coordinate a meeting with your Directory or Identity Services team to configure and validate the SAML 2.0 Configuration
  • Once the first user has logged in, we will hand off to our Customer Success Team for Product Training and Community Building

Components

The Stack Overflow Enterprise product is comprised of the following components:

  • Application / IIS
  • SQL
  • Redis
  • ElasticSearch
  • Storage
  • Email

Below is a brief description of each component.

Application / IIS

The application is deployed as a site in Internet Information Services (IIS) on the provisioned Windows Server. The application can only serve the site over HTTPS. Users connect to the site via a JavaScript-enabled browser. The application is configured to talk to a Redis server, an ElasticSearch server, a SQL Server, and an email server.

SQL Databases

The application requires the creation of two empty databases with db_owner privileges along with the connection strings to these two databases. The databases should be named a variant of SitesEE and StackOverflowEE. The default schema for the user needs to be set to "dbo" for both databases. These two databases store the data for the site, and the logs and exceptions from the application. We currently require SQL Server 2016 SP1+/2017 Standard Edition or Enterprise Edition or Azure SQL Database Services. The SQL Server may reside on a VM in the Cloud. You may also use AWS RDS SQL Server 2016/2017, but we do not officially provide support for it.

Redis

Redis is used by the application to cache values in order to minimize queries and expensive computations performed in the SQL databases. Redis is also used as a publish and subscribe mechanism where one Redis server can publish a message and all other subscribers receive it - including downstream clients on Redis slaves. We currently ship version 2.8.2402 for Windows. For Load Balanced setups, we support running Redis in a master-slave configuration on CentOS 7 servers.

Elasticsearch

Elasticsearch is used by the application to index data in order to perform searches on the site, calculate related questions, and provide suggestions when asking a question. Up to version 2.0.3826, we ship Elasticsearch 1.7.1 for Windows. Starting with version 2018.1.x, we ship Elasticsearch 5.6 for Windows. For Load Balanced setups, we support running Elasticsearch in a 3-node cluster on a set of CentOS 7 servers.

Storage

The application supports image uploads for question/answer posts and user profile images. For a single-node setup, you may use a folder on the local web server. We also support Azure Storage Service via the use of an access key. For a load-balanced setup, you will need to use a UNC path to a network share, or a locally mounted network drive on each web server.

Email

The application can send notifications and subscription emails if you provide the details of an SMTP Server. The application supports SSL and authentication.

Load Balanced and High Availability Setups

Azure Hosted

The Azure Hosted service is configured by default, in one region, load-balanced over two web servers. You may upgrade to a multi-region HA setup, along with additional web servers for an additional cost.

On-Premises

We do not provide support for a load-balanced setup for installs with fewer than 1000 users. Instead, the application, Redis, and Elasticsearch are installed on a single Windows Server.

We provide support for a load-balanced (HA) setup for installs with at least 1000 users. This includes:

  • Support for multiple web servers running IIS
  • Support for a 2 or 3-node Elasticsearch cluster running on Windows 2016 or CentOS 7
  • Support for 2 Redis servers running Windows 2016 or CentOS 7 in a master-slave configuration
  • You may use SQL Server Availability Groups, but we do not provide technical support for this feature.