How to configure TLS/SSL (HTTPS)
This article covers two different ways to configure TLS/SSL (HTTPS):
- How to configure TLS/SSL (HTTPS) during a new installation - this option can be used when using the downloadable installer.
- How to manually configure TLS/SSL (HTTPS) - this option can be used to configure TLS/SSL (HTTPS) at any time after installation.
How to configure TLS/SSL (HTTPS) during a new installation
When using the downloadable installer to install DS for SCOM you will need to choose whether you want to configure an SSL certificate.
When using the installer to create or apply an SSL certificate, the certificate will be applied to all HTTPS websites hosted on the server if their bindings use the same port (443 by default).
At any point you can change your certificate options in IIS, see How to manually configure TLS/SSL (HTTPS).
You have three options (Existing certificate, Create Self-Signed Certificate, or None), described below. As general guidance:
- If you are accessing SquaredUp DS via a public IP address it is best practice to purchase a trusted SSL certificate.
- If you are accessing SquaredUp DS internally you can use an AD domain issued certificate.
Existing certificate
What this does:
This option will create an IIS binding on port 443 using the hostname and certificate you specify.
When to use this:
Use this option to choose an existing SSL certificate from the computer's personal store.
Only choose this option if port 443 is not already being used for another app. If port 443 is already in use, or you wish to specify an IP address or different port number, then you should choose None and manually configure SSL, see How to manually configure TLS/SSL (HTTPS).
You should choose this option if you have already acquired and imported a trusted certificate. For example, if you are deploying SquaredUp DS on a web server that has already previously had a trusted certificate configured. This could be for a different application or for a previous SquaredUp DS installation.
Create Self-Signed Certificate
What this does:
The installer will create a new self-signed certificate, set to expire after 12 months. This option will create a 443 binding using the hostname you specify.
If an appropriate self-signed certificate already exists, then this will be used (this may have less than 12 months remaining).
When to use this:
If you choose this option to use a self-signed SSL certificate then SquaredUp DS users will see a browser warning and will need to explicitly agree to proceed. In Chrome this is done by clicking Advanced.
If you are trialing SquaredUp DS, or unsure which option to choose, you may choose to use a self-signed certificate.
If you are using this on an internal domain joined machine you may choose to use a self-signed certificate and accept the security warning.
If you are accessing SquaredUp DS across the public internet it is best practice to use a trusted SSL certificate and not a self-signed certificate.
Only choose this option if port 443 is not already being used for another app. If port 443 is already in use, or you wish to specify an IP address or different port number, then you should choose None and manually configure SSL, see How to manually configure TLS/SSL (HTTPS).
If after 12 months you wish to continue using a self-signed certificate you will need to generate a new 12 month self-signed certificate, see How to generate a self-signed certificate.
None
This will not configure any SSL bindings. You can configure an appropriate binding manually within IIS later if you wish, see How to manually configure TLS/SSL (HTTPS).
How to manually configure TLS/SSL (HTTPS)
To configure Transport Layer Security (TLS/SSL) the steps in summary are:
1. Get an appropriate SSL certificate and install it on your SquaredUp server.
- If you are trialing SquaredUp DS, and unsure which option to choose, you may choose to use a self-signed certificate for the duration of the trial, see How to generate a self-signed certificate.
- If you are accessing SquaredUp DS via a public IP address it is best practice to purchase a trusted SSL certificate.
- If you are accessing SquaredUp DS internally you can use an AD domain issued certificate.
2. Configure the site bindings, adding HTTPS 443 and selecting your certificate.
3. Set up an IIS rewrite to direct any HTTP traffic to the HTTPS URL (Optional).
1. Get an appropriate SSL certificate
- If you use a load balancer (see Enabling High Availability) the Subject Alternative Name of the TLS/SSL certificate you install will need to contain your load balancer's name.
- If the SquaredUp server is not behind a load balancer then the Subject Alternative Name should contain the name of the SquaredUp server.
Subject Alternative Name entries can be wildcard names, such as *.squaredup.com, or specific names such as monitoring.squaredup.com. However, the entry must match what users will type in their browser to access SquaredUp DS, otherwise the browser will display a message indicating that the certificate is not trusted.
To check the Subject Alternative Name entries of a certificate that is already installed:
- Open IIS Manager on your SquaredUp server.
- Under Connections click on your SquaredUp server.
- Double-click Server Certificates in the central panel.
- Double-click on a certificate in the central panel.
- Click the Details tab in the certificate properties and then find Subject Alternative Name in the list.
- The entries for this property will be displayed in the lower pane.
How to import a new certificate
- Under Connections click on the SquaredUp server.
- Double-click Server Certificates in the central panel.
- From the right-hand menu click Import and follow the steps to import your certificate.
2. Configure the bindings for TLS/SSL (HTTPS) in IIS
- Under Connections expand Sites and click on the website that hosts the SquaredUp DS instance (this is normally Default Web Site).
- From the right-hand side menu click on Bindings.
- Click Add.
- Change the Type to https.
- Under SSL certificate select the TLS/SSL certificate you added.
- Click OK and then Close.
- From the right-hand menu click Restart.
- If you are using SquaredUp DS v4 you will probably need to change the Open Access Loopback URL. When you are using SSL the loopback URL should be https and the URL your SSL certificate is signed to, for example https://SquaredUp.Company.com
See Open Access - "An error occurred loading this dashboard" - Checking the Open Access Loopback URL on v4. This is not necessary on SquaredUp DS v5 because Open Access does not use a loopback URL.
If there is an existing HTTPS binding configured on the web site (for example, because it hosts other applications in addition to SquaredUp DS) and the certificate being used for the existing binding does not have a Subject Alternative Name entry that is appropriate for users to use to access SquaredUp, then a new binding may need to be created for a new certificate. Either a different port number or host name will then need to be set in each HTTPS binding entry if they are bound to the same IP address.
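The following PowerShell is an added example, not SquaredUp's own script: it performs steps 1 and 2 above from the command line, checking that a certificate in the computer's personal store has a Subject Alternative Name entry covering the name users will type (including the one-label rule for wildcards), then creating the HTTPS binding on port 443 and attaching that certificate. The site name and hostname are assumptions; adjust them for your server.

```powershell
# Added example (not SquaredUp's own script): find a certificate in the computer's personal
# store whose Subject Alternative Name covers the hostname users will type, then create the
# HTTPS binding on port 443 and attach that certificate, as steps 1 and 2 describe.
Import-Module WebAdministration

$SiteName = 'Default Web Site'           # assumption: the site hosting SquaredUp DS
$HostName = 'monitoring.squaredup.com'   # assumption: the name users browse to (or the load balancer name)
$Port     = 443

# Does one SAN entry cover $name? A wildcard such as *.squaredup.com matches exactly one label.
function Test-SanMatch([string]$entry, [string]$name) {
    if ($entry.StartsWith('*.')) {
        $suffix = $entry.Substring(1)                                   # ".squaredup.com"
        if (-not $name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $label = $name.Substring(0, $name.Length - $suffix.Length)
        return ($label.Length -gt 0) -and ($label -notmatch '\.')
    }
    return $entry -ieq $name
}

# Read the names out of the certificate's Subject Alternative Name extension (OID 2.5.29.17).
function Get-SanNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    return @($ext.Format($false) -split ',\s*' | Where-Object { $_ -match '=' } |
             ForEach-Object { ($_ -split '=', 2)[1].Trim() })
}

# Pick the longest-lived unexpired certificate with a private key whose SAN matches the hostname.
$now  = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $c = $_
    $c.HasPrivateKey -and $c.NotAfter -gt $now -and
    @(Get-SanNames $c | Where-Object { Test-SanMatch $_ $HostName }).Count -gt 0
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate in Cert:\LocalMachine\My has a SAN entry matching $HostName" }
Write-Host "Using certificate $($cert.Thumbprint) (expires $($cert.NotAfter))"

# Add the https binding for this hostname if it is missing, then bind the certificate to it.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName -SslFlags 1   # 1 = SNI
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
}
$binding.AddSslCertificate($cert.Thumbprint, 'My')
Restart-WebItem "IIS:\Sites\$SiteName"
```

Run it in an elevated PowerShell session on the SquaredUp server; if port 443 is already bound to a different hostname or IP address, the new binding coexists with the existing one only because it uses a different host header, as the paragraph above explains.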
3. Set up an IIS rewrite to direct any HTTP traffic to the HTTPS URL (Optional)
To redirect all HTTP requests to HTTPS using the IIS URL Rewrite module, use the following steps:
- Open IIS Manager and click on the website that hosts the SquaredUp DS instance (this is normally Default Web Site).
- In the main panel, double-click on URL Rewrite.
- Click Add Rule(s)... on the right-hand menu.
- With Blank rule selected click OK.
- Give the rule a name, such as 'Redirect to HTTPS'.
- Copy the following and paste into the Pattern box in the Match URL section:
(.*)
- Click to expand the Conditions section.
- Click Add… to add a new condition to the configuration.
- Copy the following and paste into the Condition input box:
{HTTPS}
- Copy the following and paste into the Pattern box:
^OFF$
- Click OK.
- Scroll down to the Action section and change the Action type from Rewrite to Redirect.
- Copy the following and paste into the Redirect URL box:
https://{HTTP_HOST}/{R:1}
- Change the Redirect type from Permanent (301) to See Other (303).
- Click Apply on the right-hand menu under Actions.
- Click Back to Rules.
- If you have other redirects configured you should ensure that you move your Redirect to HTTPS rule so that it is listed first. You can do this using the Move Up and Move Down options on the right.
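The same rule, created with the WebAdministration cmdlets instead of the IIS Manager GUI. This is an added example, not SquaredUp's own script; it assumes the site name below and that the IIS URL Rewrite module is installed. Each step is labelled with the GUI step it replaces, and -AtIndex 0 places the rule first in the list, as the last step above recommends.

```powershell
# Added example (not SquaredUp's own script): create the "Redirect to HTTPS" URL Rewrite rule
# described in the steps above. Requires the IIS URL Rewrite module to be installed.
Import-Module WebAdministration

$SiteName = 'Default Web Site'      # assumption: the site hosting SquaredUp DS
$RuleName = 'Redirect to HTTPS'
$Site     = "IIS:\Sites\$SiteName"
$Rules    = 'system.webServer/rewrite/rules'
$Rule     = "$Rules/rule[@name='$RuleName']"

if (Get-WebConfiguration -PSPath $Site -Filter $Rule) {
    Write-Warning "Rule '$RuleName' already exists; leaving it unchanged."
} else {
    # Add Rule(s)... > Blank rule, inserted at index 0 so it is evaluated before any other redirect.
    Add-WebConfigurationProperty -PSPath $Site -Filter $Rules -Name '.' -AtIndex 0 -Value @{ name = $RuleName }

    # Match URL: Pattern (.*)  -- {R:1} in the action refers to this capture group
    Set-WebConfigurationProperty -PSPath $Site -Filter "$Rule/match" -Name 'url' -Value '(.*)'

    # Condition: input {HTTPS} matches ^OFF$, i.e. the request arrived over plain HTTP
    Add-WebConfigurationProperty -PSPath $Site -Filter "$Rule/conditions" -Name '.' `
        -Value @{ input = '{HTTPS}'; pattern = '^OFF$' }

    # Action: Redirect to https://{HTTP_HOST}/{R:1} with redirect type See Other (303)
    Set-WebConfigurationProperty -PSPath $Site -Filter "$Rule/action" -Name 'type' -Value 'Redirect'
    Set-WebConfigurationProperty -PSPath $Site -Filter "$Rule/action" -Name 'url' -Value 'https://{HTTP_HOST}/{R:1}'
    Set-WebConfigurationProperty -PSPath $Site -Filter "$Rule/action" -Name 'redirectType' -Value 'SeeOther'
}

# Show the resulting rule so it can be compared with what IIS Manager displays under URL Rewrite.
Get-WebConfiguration -PSPath $Site -Filter $Rule | Format-List name, match, conditions, action
```

The cmdlets write the rule into the site's web.config under system.webServer/rewrite/rules, which is exactly where the GUI steps store it, so the rule appears in IIS Manager afterwards and can still be edited or reordered there.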
FAQs
What are the downsides to using a self-signed certificate?
If you choose the option to use a self-signed SSL certificate then SquaredUp DS users will typically see a browser security warning and will need to explicitly agree to proceed. For example, in Chrome this is done by clicking Advanced, in Edge by clicking Details.
It is best practice to only use self-signed certificates in internal (LAN) environments.
What if I don't want to use a self-signed certificate?
You need to acquire a trusted certificate either by purchasing one from a trusted Certificate Authority (CA), or one issued by your AD domain / internal certificate authority (CA).
Help, my certificate is about to expire!
If after 12 months you wish to continue using a self-signed certificate you will need to generate a new 12 month self-signed certificate, see How to generate a self-signed certificate.