Implementing SSL security on AppliDis Servers running under Windows 2008 Server R2
Sheet IS00265 - Version 1.00
Limited distribution: Systancia, members of the AppliDis Partners program, and clients or prospects of Systancia or of members of the AppliDis Partners program.
Table of Contents
1 Introduction
2 Settings
2.1 Self-Signed Certificate creation
2.2 Adding a new binding
2.3 Require SSL to connect to the user web portal and to the AppliDis Administration Console
1 Introduction
This technical sheet presents the process to follow to set up SSL security on an AppliDis Administration Server or AppliDis Presentation Server running under Microsoft Windows 2008 Server R2.
In this document, a self-signed certificate will be used to secure IIS. In an enterprise environment, the SSL certificate needs to be issued by a public certification authority, or by the Active Directory services.
2 Settings
2.1 Self-Signed Certificate creation
In order to implement an SSL certificate on IIS, follow the steps below:
1. On the AppliDis server on which the SSL security must be implemented, open the IIS management console by clicking on "Start", then "Run", and entering "InetMgr.exe".
2. Once the IIS management console is opened, select the AppliDis server’s hostname in the left pane, and click on "Server Certificates" in the IIS functionalities displayed in the right pane.
Figure 1 - Server Certificates entry within IIS management console
3. In the "Server Certificates" menu, right-click in the tab, and select the entry
Figure 2 - Self-Signed Certificate creation
4. Enter a friendly name for this self-signed certificate and click "OK".
2.2 Adding a new binding
To allow IIS to accept connections on a port other than "80" (the default HTTP port), a new binding needs to be added.
1. In the IIS management console, select the default web site in the left pane, and then click on "Bindings" in the right pane:
Figure 4 - Adding a new binding – Step 1
2. Click on "Add".
Figure 5 - Adding a new binding – Step 2
3. Select "HTTPS" in the drop down list "Type", and select the SSL certificate you want to use for this new binding.
Figure 6 - Adding a new binding – Step 3
4. After this new binding has been added, the IIS server must be reachable over HTTPS.
Figure 7 - IIS server reachable using HTTPS
The IIS server now accepts HTTPS connections. However, it still accepts HTTP connections.
2.3 Require SSL to connect to the user web portal and to the AppliDis Administration Console
Because a new binding has been added for the default web site in IIS, the server accepts both HTTP and HTTPS connections. In order to force the use of HTTPS to access the virtual directory "AppliDis", follow the steps below:
1. In the IIS management console, select the virtual directory "AppliDis" in the left pane, and double click on "SSL Settings" in the middle pane:
Figure 8 - Require SSL - Step 1
2. Check the box "Require SSL" in the middle pane, and click "Apply" in the right pane.
Note:
• After this modification has been applied, the IIS server no longer accepts HTTP connections on the virtual directory "AppliDis".
• The SSL connection must only be required for the virtual directory "AppliDis". If it is applied to the other virtual directories, communication issues can be encountered with the other AppliDis Servers.
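The binding and "Require SSL" steps of sections 2.2 and 2.3 can also be scripted and then checked. The PowerShell below is an added example, not part of the original sheet or of Systancia's tooling; it assumes the IIS WebAdministration module, the site name "Default Web Site", port 443, and a placeholder certificate friendly name, and is run on the AppliDis server itself.

```powershell
# Added example (not Systancia's script). Assumed: site name, port 443, friendly name.
Import-Module WebAdministration

$site         = 'Default Web Site'
$vdir         = 'AppliDis'                     # virtual directory named in section 2.3
$friendlyName = 'REPLACE-WITH-FRIENDLY-NAME'   # placeholder: name entered in section 2.1, step 4

# Locate the certificate created in section 2.1; refuse to guess if ambiguous.
$cert = @(Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.FriendlyName -eq $friendlyName })
if ($cert.Count -ne 1) {
    throw "Expected exactly one certificate named '$friendlyName', found $($cert.Count)."
}

# Section 2.2: add the HTTPS binding, then attach the certificate to it.
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert[0] | Out-Null
}

# Section 2.3: require SSL on the AppliDis virtual directory only.
# -Location writes a <location> entry in applicationHost.config, so the site
# root and the other virtual directories keep accepting HTTP.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/$vdir" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Return the HTTP status code for a URL, or $null if no HTTP response was received.
function Get-HttpStatus([string]$url) {
    $req = [System.Net.WebRequest]::Create($url)
    $req.AllowAutoRedirect = $false
    $resp = $null
    try { $resp = $req.GetResponse() }
    catch {
        # PowerShell may wrap the WebException; walk down to it to read the response.
        $e = $_.Exception
        while ($e -and -not ($e -is [System.Net.WebException])) { $e = $e.InnerException }
        if ($e) { $resp = $e.Response }
    }
    if ($resp) { $code = [int]$resp.StatusCode; $resp.Close(); return $code }
    return $null
}

# Check: plain HTTP must now be refused under /AppliDis (IIS answers 403),
# while the site root must not have changed behaviour.
"HTTP /$vdir/ -> {0} (expected 403)" -f (Get-HttpStatus "http://localhost/$vdir/")
"HTTP /       -> {0} (unchanged)"    -f (Get-HttpStatus 'http://localhost/')
```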
3 Manual installation of a Self-Signed Certificate on a client computer
If a Self-Signed Certificate has been used to set up the new binding on the default web site in IIS, this certificate must be installed on the client computers in order to allow access to AppliDis with HTTPS without obtaining a certificate error.
If the Self-Signed Certificate is not installed properly on the client computer, an error will occur while trying to access the IIS site using HTTPS.
Figure 10 - Server certificate error
For test purposes, the server certificate can be installed manually on the client computer. However, in an enterprise environment, GPOs or other deployment tools can be used.
To manually install the server certificate on the client computer, follow the steps below:
1. Double click on the error message "Certificate Error" which is displayed at the top of Internet Explorer when trying to access IIS with HTTPS without having the appropriate certificate installed.
Figure 11 - IIS certificate error
2. Click on "View Certificates"
Figure 12 - IIS certificate error
3. Click on "Install Certificate…"
4. Click on "Next"
Figure 14 - Manual installation of the SSL certificate - Step 2
5. Select the option "Place all certificates in the following store", and choose the
Figure 15 - Manual installation of the SSL certificate - Step 3
6. Click on "Finish"
Figure 16 - Manual installation of the SSL certificate - Step 4
7. Click on "Yes"
Figure 17 - Manual installation of the SSL certificate - Step 5
8. After the certificate has been installed on the client, the IIS server can be accessed using HTTPS:
Creation time: 07/19/2004 Last update: 27/01/2011
For any comment on this sheet, please send us an e-mail at info@systancia.com specifying the number of the sheet.
LEGAL NOTE
Copyright © Systancia 2010 – All rights reserved
The data provided in this document is provided for informational purposes. Due to this fact, it is not subject to any engagement from Systancia. This data can be modified without notice from Systancia.
The audience targeted by this document is users that have a good understanding of Microsoft Windows operating systems and principles. Systancia cannot be held responsible for the misuse of the AppliDis software. The use of this product is entirely at your own risk. All brand names and product & service names used in this document are registered trademarks, trade names, service marks or copyright. No permission is given for the use of such brand names and product & service names by any other person, and such use may constitute an infringement of the holder's rights, and are the property of their respective owners. In particular, Microsoft, Windows, Windows 2000, Windows 2003, Windows 2008 Server are branded by Microsoft Corporation in the United States of America and in other countries.
Systancia
Actipolis 3, Bât C11 3, rue Paul Henri Spaak 68 390 SAUSHEIM France
Phone: +33 3 89 33 58 20 Fax: +33 3 89 33 58 21