www6 Staging Server is Now Available

by Wilson Wong

Numerous websites and applications have been deployed on the Central IIS production Web Server, namely the www6.cityu.edu.hk. Without proper User Acceptance Testing (UAT), site owners cannot guarantee the new sites are delivering the expected quality or the new applications may even cause undesirable effects on the hosting servers, worse still affecting other websites hosted on the same server. To ensure quality of websites and stability of the production server, a proper environment for UAT and user training is now provided through a staging www6 server.  This staging server allows site administrators to test their new websites thoroughly before deploying them to the production server.

Development guidelines

With the www6 staging server in place, website administrators/developers are required to follow the development, staging, and production cycle for website development as described below:


This is a working environment for developers.  It may be the developer’s local workstation for a single developer, or a department’s/vendor’s local server for a development team.  Developers should test and complete the development of their websites on their local servers before uploading them to the staging server for UAT.
This is a centrally provided environment, which has system architecture identical to the production server. Site administrators should carry out UAT and user training on the staging server and make sure the website and corresponding web application, if any, are working properly and security vulnerability free before deploying them to the production server.
NO testing, development, and user training should be done on www6.cityu.edu.hk, i.e. the production server.
How to access the staging servers cluster?
When your website is ready for UAT or user training, please submit an online Computing Services Centre (CSC) Work Request and state the required period for the staging account. The CSC will then create the requested account on the staging servers cluster and email the account details to you.
Tips for site administrators on website revamp (with the help of vendors/external developers)
  • It is recommended to include and request for the followings in the tender specifications for website development. If technical advices are needed, you may invite the CSC to meet with your vendor by submitting an online CSC Work Request:
    • a full documentation on maintaining and updating your website;
    • a detailed procedure for changing the database password if your website is associated with a MS SQL database;
    • a full documentation on the website and database design, complete source code of web applications, raw graphics files in Adobe Photoshop format (if any), raw Adobe Flash files (if any),  etc., which are useful for future developments.
  • Ask if your vendor will use any third-party software. If so, make sure those software are compatible with the Central IIS servers cluster environment and are properly licensed.
  • Ask the vendor to complete the development on their own server.
  • When the new website is ready for UAT, submit an online CSC Work Request for creating the staging account. If your website is associated with a MS SQL database, ask your vendor for a fixed IP. The CSC will grant direct access to your vendor for connecting to the Central MS SQL staging server through the provided IP.
  • Pass the account information to your vendor and ask them to upload the completed website to the staging servers cluster for UAT.
  • After UAT (or the first round of UAT), ask the CSC to perform a web application security scan on the new website by submitting an online CSC Work Request. After the scan, the CSC will send you a scan report and you should ask the vendor to fix all vulnerabilities found, if any.
  • When the website is ready to go live, ask your vendor to deploy the website to the production server on-site.
Changing passwords regularly
For security reasons, site administrators should change the passwords of the web and database accounts regularly.  Although changing the database account password involves modifying the program code or settings of your web application, it is still highly recommended to change it regularly to reduce security risk.
If your website is associated with a database and was developed by student helpers or external vendors, you should ask your developer to document the detailed procedure for changing the database password which involves modifying program code or settings, and you should change the account password once the partnership with your developer terminates so that any unauthorized access can be avoided.
More tips and best practices on web development
Please refer to the article on “Technical best practices for Web development on the CityU Web” in this issue of Network Computing.