Advanced Techniques - SSL configuration of IIS

1. Introduction

In this workshop we will demonstrate how the Internet Information Server (IIS) is configured to allow secure connections via HTTPS. Additionally, we will explain some technical background information on SSL connections, as well as the creation of a certificate.

2. Technical background

Nn Intrexx portal is usally used via a web browser. The request to the web server in a portal call is normally achieved via a DNS name (e.g. "webserver") together with the name of the associated portal (e.g. "portal1809"). By calling the URL http://webserver/portal1809 the portal will be opened internally (LAN). If you want to access the portal via the Internet (WAN) instead, then (in addition to a public IP address) an official domain must be registered. For example, if you have registered the domain example.org, then with the appropriate port forwarding of port 80 WAN-to-LAN/DMZ as well as the registration of a DNS entry, the portal can be accessed via the URL http://www.example.org/portal1809. The request to this URL is then unencrypted. The authenticity of the server entered on the URL http://www.example.org/portal1809 (in this case "webserver) is not guaranteed. By using a so-called Man-in-the-middle attack, a third party can pretend to respond to the DNS query, but can interpose an external server to capture all of the traffic.

To ensure the authenticity of the requested server, a digital certificate is required. A digital certificate is intended to verify the identity and authenticity of a public key and therefore of a user, computer or network. This confirmation is obtained from a so called CA (Certification Authority). Official certification authorities include VeriSign, Thawte or GlobalSign, which are already incorporated in the major browsers "ex works".

Since the official certificate authorties usually charge for the issue of a public certificate, it is also possible to issue a digital certificate yourself (e.g. via a web server). In the following section, the issue of an own digital certificate via Microsoft IIS is described, which can then be used for an Intrexx portal.

Please note that self-issued certificates may cause security warnings in the browser in certain circumstances, since the creator of the certificate and the certified server are the same location, and such a certificate is only suitable for test environments. For productive use on externally accessible portals, a certificate from one of the official certification authorities should be used.

3. Create a certificate

In the following, the steps which are required to create a digital certificate yourself are explained, so that it can subsequently be used for the Intrexx portal. The server environment used in this example is as follows:
The SSL configuration for a Windows Server 2012 with IIS 8 (incl. IIS Manager) can be carried out in the same way.



First, start the IIS Manager and select the "Server Certificates" menu item.



On the right, under "Actions", select the "Create Self-Signed Certificate" option.



Next, a friendly name must be entered (in this case ssl). Confirm by clicking on "OK".



The certificate now appears under "Server Certificates".

4. IIS configuration




In the left column, select the menu item "Default Web Site", then on the right, select "Bindings" (under "Edit Site")



Under Site bindings select the "Add" option.



Select "https" here. The port 443 will be assigned automatically. Under SSL Certificate, the certificate created in the previous steps (in this case "ssl") must now be selected. In the "IP address" field you can define a binding type (e.g. http) for every website or virtual directory. It is therefore possible for many virtual directories with different IP addresses and the associated bindings to exist together. Confirm the settings with "OK".



Then, in the left column, highlight the Intrexx portal website (in this case "portal1809") and on the right, under "Actions", select "Advanced Settings...".



In the next window, enter "https" under "Enabled Protocols" and confirm with OK. The entry "https" here enables both http and https to be used to access the portal (http//.../Portalname and https//.../Portalname). Optional:
If necessary, you can configure the webserver so that it only allows connections via HTTPS. Please proceed as follows:



On the left side, again select the appropriate page (in this case, "portal1809") and select the "SSL Settings" option



In the "SSL Settings", you can now define whether SSL is always required. If you select the SSL setting "Require SSL" and confirm this on the right with "Apply", the specified portal will then only be accessible via https (and no longer from http). In addition, with this option it is also possible to differentiate different ways of handling client certificates.

Excerpt from the IIS Help:

Ignore: This is the default option. This setting does not accept client certificates if they are provided.

This option does not require clients to verify their identity before gaining access to your content. Therefore, this is the least secure of these settings.

Accept: Select this setting if you want to accept client certificates (if they are provided), and to verify client identity before allowing the client to gain access to content.

Require: Select this option to require that certificates verify client identity before allowing the client to gain access to content. The request to the Intrexx portal is now made via HTTP or (preferably) HTTPS. If HTTPS is used, the browser will display a certificate warning because the certificate issued has not been confirmed by an official certificate authority. When using self-issued certificates, this warning must therefore always be ignored to continue.