Setting up HTTPS: Difference between revisions
Revision as of 07:34, 30 November 2016
Setting up HTTPS for NEOSYS website
NEOSYS has a very simple way of enabling HTTPS for all clients. Every client has been set up with a domain name of the form "*.hosts.neosys.com", where "*" is the client name.
A pre-prepared certificate for *.hosts.neosys.com web sites is present on the nl10r/win3 server. The certificate is signed by COMODO and supports the SHA2 security algorithm. It is portable, ensures authenticity and is widely supported. Also refer to SSL certificate.
If a client's URL is not as per NEOSYS standards, but has been in use for many years, do not change the URL without a good enough reason.
Creating a single HTTPS web site on Windows 2008
To create a single HTTPS web site on Windows 2008, follow three simple steps:
- Copy the "*.hosts.neosys.com.pfx" certificate saved in d:\hosts\certificates on win3 to the server (password to be used is present in a text file in the same folder).
- Import the certificate into IIS without the option to export. The pfx file MUST be deleted after import. See Importing certificate in IIS for details.
- Click on Sites > Client Web Site > Bindings. In the Bindings section - click on Add and select https, All Unassigned IP addresses, port 4430 and select the certificate from the drop down and click OK.
Test the site from explorer to make sure it works.
Creating a single HTTPS web site on Windows 2003
- Copy the "*.hosts.neosys.com.pfx" certificate saved in d:\hosts\certificates on win3 to the server. (password to be used is present in a text file in the same folder)
- Click on Sites > Properties > Directory Security > Server certificate. Follow the steps in the wizard to import/bind the certificate to port 4430. See Installing imported certificate in Windows 2003 IIS for detailed steps to import.
Creating multiple HTTPS web sites on NEOSYS hosted server
All clients hosted on NEOSYS servers use the same IP address but unique HTTPS port numbers starting from 4431 onwards. The unique port number should be one greater than the highest port number available on the server under IIS manager -> NEOSYS -> Sites.
- Click on Sites > Client Web Site > Bindings. In the Bindings section - click on Add and select https, All Unassigned IP addresses, port 4430 and select the "*.hosts.neosys.com.pfx" certificate from the drop down and click OK.
Since HTTP access is not required for any client on a NEOSYS hosted server, this HTTPS binding step can be performed while creating the client website, as shown in the screen shot below.
Steps to follow while importing certificate and why
- It MUST be imported WITHOUT OPTION TO EXPORT and
- It MUST be deleted after import.
It is especially important to keep pfx files off clients' own servers. Those servers are commonly exposed directly, via the corporate LAN, to potentially infected employees' computers and/or personal devices, so they may be far less secure than NEOSYS's own servers, which are reasonably well isolated. If a pfx file is obtained by criminal hackers, perhaps using automated tools, and the pfx password is guessed, brute forced, or broken in some way, the keys it contains could in principle be used against us or our clients. If the pfx file is a wildcard that supports any subdomain, then loss in one place could affect others. The chances of all this happening are probably very low, but NEOSYS needs to be prepared to pass IT audits, and leaving keys around will be viewed as having a culture of low security standards.
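The import, binding and delete steps above can be scripted so that the two rules (no export option, pfx deleted) are never skipped. This is an added example, not NEOSYS's own script; it assumes Windows Server 2012 or later with the PKI and WebAdministration modules, and the `$PfxPath` parameter is hypothetical.

```powershell
# Added example, not NEOSYS's own script. Run elevated on the server.
# Assumed: Windows Server 2012 or later (PKI module) and the IIS WebAdministration module.
param(
    [Parameter(Mandatory)] [string] $PfxPath,   # assumed: where the pfx was copied to
    [string] $SiteName = 'Client Web Site',     # site name as used in the steps above
    [int]    $Port     = 4430                   # HTTPS port used on this page
)

$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# Prompt for the pfx password so it never lands in a script file or command history.
$password = Read-Host -AsSecureString -Prompt 'pfx password'

# Omitting -Exportable stores the private key as non-exportable in the machine store.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $password
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key.' }

# HTTPS binding on all unassigned IP addresses, created only if it is missing.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
}

# Attach the imported certificate to that IP:port pair.
$sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
if (-not (Test-Path $sslPath)) { New-Item -Path $sslPath -Value $cert | Out-Null }

# Delete the pfx copy once the key is in the store; fail loudly if it is still there.
Remove-Item -LiteralPath $PfxPath -Force
if (Test-Path -LiteralPath $PfxPath) { throw "pfx still present at $PfxPath" }

"Bound $($cert.Thumbprint) to ${SiteName}:$Port; pfx removed."
```

`Remove-Item` only unlinks the file it is given, so any other copies made while transferring the pfx (download folders, temporary shares) still need to be removed by hand.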
Setting up HTTPS for installations with more than 1 database
In cases where there are multiple databases within the same installation, you can use the same website to access all the databases. If the client asks for separate domain names for multiple databases, use the same steps as explained in Setting up HTTPS, as the case may be.
Setting up HTTPS for installations where outside office access is usually restricted
To access NEOSYS via HTTPS, port 4430 must be open on the router and on the server, and an HTTPS binding with the SSL certificate must be in place. During a new installation, staff must check from the NEOSYS support computer that NEOSYS can be accessed via HTTPS both as user neosys and as a non-neosys user. Since management has informed that outside access (HTTPS) is not allowed, port 4430 on the server must be closed and the HTTPS binding must be removed. Do not close port 4430 on the router. This is done so that clients can quickly be given outside access if they request it in future. Setting up port forwarding on a router can be time consuming, and clients will appreciate quick support.
Troubleshooting setup of multiple HTTPS websites
Error while binding COMODO signed certificate to NEOSYS website
You can fix this error by importing the certificate using the MMC (Microsoft Management Console) instead of directly doing it from IIS.
Follow the link for instructions: http://support.microsoft.com/kb/232137