In this workshop we will demonstrate how the Internet Information Server (IIS)
is configured to allow secure connections via HTTPS. Additionally, we will
explain some technical background information on SSL connections, as well
as the creation of a certificate.
2. Technical background
An Intrexx portal is usually accessed via a web browser. The request to the web
server in a portal call is normally achieved via a DNS name (e.g. "webserver")
together with the name of the associated portal (e.g. "portal1809").
By calling the URL http://webserver/portal1809 the portal will be
opened internally (LAN). If you want to access the portal via the Internet
(WAN) instead, then (in addition to a public IP address) an official domain
must be registered. For example, if you have registered the domain example.org,
then with the appropriate port forwarding of port 80 WAN-to-LAN/DMZ as well
as the registration of a DNS entry, the portal can be accessed via
the URL http://www.example.org/portal1809.
The request to this URL is then unencrypted. The authenticity of the server
entered on the URL http://www.example.org/portal1809 (in this case "webserver")
is not guaranteed. By using a so-called
a third party can pretend to respond to the DNS query, but can interpose an
external server to capture all of the traffic.
To ensure the authenticity of the requested server,
a digital certificate is required. A digital certificate is intended to verify
the identity and authenticity of a public key and therefore of a user,
computer or network. This confirmation is obtained from a so-called CA
(Certification Authority). Official certification authorities include VeriSign,
Thawte or GlobalSign, which are already incorporated in the major browsers.
Since the official certificate authorities usually charge for the issue of a
public certificate, it is also possible to issue a digital certificate
yourself (e.g. via a web server).
The following section describes how to issue your own digital certificate via
Microsoft IIS, which can then be used for an Intrexx portal.
Please note that self-issued certificates may cause security
warnings in the browser in certain circumstances, since the creator
of the certificate and the certified server are the same location,
and such a certificate is only suitable for test environments.
For productive use on externally accessible portals, a certificate from one of
the official certification authorities should be used.
3. Create a certificate
In the following, the steps which are required to create a digital
certificate yourself are explained, so that it can subsequently
be used for the Intrexx portal.
The server environment used in this example is as follows:
Server version: Windows Server 2008 R2
Server name: webserver
Internet Information Services (IIS) Version: 7.5 (incl. IIS Manager)
The SSL configuration for a Windows Server 2012 with IIS 8
(incl. IIS Manager) can be carried out in the same way.
First, start the IIS Manager and select the "Server Certificates" menu item.
On the right, under "Actions", select the "Create Self-Signed Certificate" option.
Next, a friendly name must be entered (in this case ssl). Confirm by clicking on "OK".
The certificate now appears under "Server Certificates".
4. IIS configuration
In the left column, select the menu item "Default Web Site",
then on the right, select "Bindings" (under "Edit Site").
Under Site bindings select the "Add" option.
Select "https" here. The port 443 will be assigned automatically.
Under SSL Certificate, the certificate created in the previous steps
(in this case "ssl") must now be selected.
In the "IP address" field you can define a binding type (e.g. http)
for every website or virtual directory. It is therefore possible for
many virtual directories with different IP addresses and the
associated bindings to exist together. Confirm the settings with "OK".
Then, in the left column, highlight the Intrexx portal website (in this case "portal1809")
and on the right, under "Actions", select "Advanced Settings...".
In the next window, enter "https" under "Enabled Protocols" and confirm with OK.
The entry "https" here enables both http and https to be used to access
the portal (http://.../Portalname and https://.../Portalname).
If necessary, you can configure the webserver so that it only allows
connections via HTTPS. Please proceed as follows:
On the left side, again select the appropriate page
(in this case, "portal1809") and select the "SSL Settings" option.
In the "SSL Settings", you can now define whether SSL is always required.
If you select the SSL setting "Require SSL" and confirm this on the right with
"Apply", the specified portal will then only be accessible via https
(and no longer from http). In addition, with this option it is also
possible to differentiate different ways of handling client certificates.
Excerpt from the IIS Help:
Ignore: This is the default option. This setting does not accept
client certificates if they are provided.
This option does not require clients to verify their identity before
gaining access to your content. Therefore, this is the least
secure of these settings.
Accept: Select this setting if you want to accept client certificates
(if they are provided), and to verify client identity before allowing the
client to gain access to content.
Require: Select this option to require that certificates verify client
identity before allowing the client to gain access to content.
The request to the Intrexx portal is now made via HTTP or (preferably) HTTPS.
If HTTPS is used, the browser will display a certificate warning because
the certificate issued has not been confirmed by an official certificate
authority. When using self-issued certificates, this warning must
therefore always be ignored to continue.
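
The certificate, binding and "Require SSL" steps from sections 3 and 4 can also be scripted and checked from PowerShell. The following is an added example, not part of the original workshop; it assumes Windows Server 2012 with IIS 8 and that "portal1809" is an application below "Default Web Site".

```powershell
# Added example, not from the workshop. Run in an elevated session on the web server.
# Assumptions: Windows Server 2012 / IIS 8 (New-SelfSignedCertificate is not
# available on Server 2008 R2); portal1809 is an application under "Default Web Site".
Import-Module WebAdministration

$site    = 'Default Web Site'
$portal  = 'portal1809'                      # portal name used in this workshop
$dnsName = 'webserver'                       # server name used in this workshop
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'    # listener for all addresses, port 443

# Section 3: create the self-signed certificate in the machine store.
$cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation 'Cert:\LocalMachine\My'

# Section 4: add the https binding on port 443 unless it already exists.
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
}

# Attach the certificate to the listener. An existing assignment is left
# untouched, so the check at the end reports what is really bound.
if (-not (Test-Path $sslPath)) {
    New-Item -Path $sslPath -Value $cert | Out-Null
}

# "Require SSL" with client certificates set to "Ignore": sslFlags = Ssl.
$access = @{
    PSPath   = 'MACHINE/WEBROOT/APPHOST'
    Location = "$site/$portal"
    Filter   = 'system.webServer/security/access'
    Name     = 'sslFlags'
}
Set-WebConfigurationProperty @access -Value 'Ssl'

# Check: which certificate answers on port 443, and is it self-signed?
$bound     = Get-Item $sslPath
$boundCert = Get-Item "Cert:\LocalMachine\My\$($bound.Thumbprint)"
$boundCert | Select-Object Subject, Thumbprint, NotAfter,
    @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } }

# Check: the sslFlags value now stored for the portal.
Get-WebConfigurationProperty @access
```

The thumbprint printed by the check can be compared with the one shown in the browser's certificate dialog, so that a test client accepts the warning only for the certificate that was actually created on the server.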