Virtual Happy Hour this month, Jun 28, we'll be getting a sneak preview at our soon to launch SaaS CMS!

Try our conversational search powered by Generative AI!

ARCHIVED This content is retired and no longer maintained. See the latest version here.

Recommended reading 

This document provides an introduction to the deployment of EPiServer Commerce solutions. It is recommended to also study the Deployment section in the EPiServer CMS Developer Guide, to get a general understanding of how to deploy EPiServer solutions.

Commerce-specific deployment checklist

In the following you will find a deployment checklist that can be followed and used to mark off different tasks that need to be verified for a successful deployment.


Ensure that you have reliable, scheduled backups for the EPiServer Commerce Application as well as the database using SQL backup jobs.

Deployment tools

There are different tools available to deploy your EPiServer Commerce site. If you are pushing changes made on a development and test/QA environment, then it is a matter of copying web files to the production server and ensuring that each config file is pointing to the correct servers. For example, an easy method for copying web files over to a new server is Richcopy, a powerful GUI wrapper for Robocopy, the standard file duplication command-line utility included with Windows and Windows Server. There are numerous copy utilities available to users; if you currently use a utility that suits your need, then it should be a capable deployment tool.

Syncing files from development to live site

Deploying files

When deploying .NET sites on the production server, all you need is the non-compiled files, for example *.asax; *.aspx; *.ascx; *.asmx; *.gif; *.jpg; *.html; *.js; *.xml; *.png; *.css and so on. You do not need the *.cs and *.resx files. You also need to transfer all of the files in the /bin directory. This is where the compiled code is. You do not need the *.pdb files (debug files) in this directory. Also, do not forget any updated configuration files as well.

Deploying ECF directories

The built-in ECF directories are all needed. Remember that these directories only need to be deployed once, unless you make any changes to them. However, changing the built-in directories is not recommended, since they get updated if you upgrade the ECF application later.

Updating DLLs only

When updating an ECF site later on and you have only made changes to the server-side code, only the custom dlls in the bin catalog need to be deployed on the production server. If you make any changes to the aspx/ascx files, you will also have to deploy those files.

When the site has been recompiled, transfer the updated dlls. When the HTML code is changed, transfer the updated *.aspx or *.ascx files. If changes have been made to both dlls and HTML, transfer both.

Deployment security and access

Once your site is deployed, protecting and securing your deployment becomes a high priority. Here are some high-level security checks you can do to ensure that Commerce Manager is restricted to only authorized users.

  • Change the default password after a fresh installation.
  • Enable a firewall to restrict remote access to Commerce Manager.
  • Keep Commerce Manager available only within your internal network--not publicly accessible. If you need remote access to Commerce Manager, a VPN solution is highly recommended.
  • Setup roles and permissions for users that do have access to Commerce Manager. Refer to the User Guide for more information.
  • Limit database access by enabling SQL or Windows authentication.
  • Enable SSL on your public site.
  • Set appropriate file and folder permissions.

Setting up automatic updates and disabling automatic restart

It is important to update Windows regularly to keep it secure and prevent attacks. Make sure that automatic restart is disabled so that the server does not go down unexpectedly after updates are installed. Restart and maintain the server during scheduled downtime. Also utilize a staging and version control system to deploy updates. In addition:

  • Create an app_offline.htm file so customers will see a user-friendly downtime message.
  • Set up an error logging system.

Configuring e-mail notifications and alerts

Setup e-mail notifications and alerts to be immediately notified if there are problems with the site.

Setting up Secure Socket Layer (SSL) security

Every website that handles personal data in one form of another should have SSL security to encrypt traffic and secure customer information. This is especially important when customers are checking out and purchasing items directly from the site.

  • Purchase an SSL certificate and install it on your website.
  • Configure SSL after installation.
  • Sync up Files.

Other things to check


  • Turn ON caching. Make sure <cache enabled="true"> is set to true in relevant config files.
  • Turn OFF debug mode. Make sure <compilation debug="false"> is actually set to false in application config files.
  • Turn OFF tracing. Make sure that <trace enabled="false"/> is false in applicable config files.

SEO/Web analytics

  • Set up and configure Web Analytics to track site traffic, visitors, and increase conversion.
  • Use an XML sitemap so that search engines can crawl your site more intelligently.
  • Learn the difference between 301 and 302 redirects: it is not the same for search engines!
  • Set up a robots.txt file.

Internet Information Services (IIS)

  • Create a new Application Pool for your website to increase its reliability.
  • Set the memory limit for your Application Pool. Specify the memory time limit instead of using the default. It is recommended that you configure the memory recycling feature in IIS.
  • Enable GZIP in IIS (reduces size of pages/css/javascript).
  • Double-check IIS permissions.

See also

  • Deployment in the EPiServer CMS Developer Guide
Do you find this information helpful? Please log in to provide feedback.

Last updated: Oct 21, 2014

Recommended reading