SharePoint 2010 HTTPS communication enforcement.

r4kieta
Hello Expert Exchangians.

I am trying to inquire how we can completely disable http communications and enforce https on all SharePoint services.
So far I am aware of:
a. IIS, where there is
--- Webserver
   --- Default-Website - running only on port 80
   --- servername-hostname - where it is a main /SitesPages/Home.aspx - running only on port 80
   --- SharePoint Central Administration v4 - running only on port 13723
   --- SharePoint Web Services - running on http (32843) and https (32844)
      +++ we have seven different subpages with randomly generated 32-character names, running on the same ports as Web Services
      +++ SecurityTokenServiceApp - running on the same ports as Web Services
      +++ Topology - running on the same ports as Web Services

b. Is there anything else we need to be aware of?

c. We have AD integration; is there a way to change this to encrypted AD to SP2010 communication as well?

d. All databases are on a separate SQL server; is there a way to encrypt traffic between SQL and SP2010 as well?

e. We have a mail server set up thru the Central Admin console and inside IIS global settings; is there a way to set that up to be encrypted as well?

f. Am I missing anything else?

Appreciate all the help I can get

Krzysztof

Happy Holidays
Exec Consultant
Distinguished Expert 2018
Commented:
Indeed, this is mostly to do with IIS, since SharePoint is running the latter as the web front tier for any client connecting to it. I see it as overall hardening of SharePoint, which I suggest you look into as well.
By default, communication between Web servers and service applications within a farm takes place by using HTTP with a binding to TCP 32843. When you publish a service application, you can select either HTTP or HTTPS with the following bindings:
HTTP binding: TCP 32843
HTTPS binding: TCP 32844
Additionally, third parties that develop service applications can implement a third choice:
net.tcp binding: TCP 32845
You can change the protocol and port binding for each service application. On the Service Applications page in Central Administration, select the service application, and then click Publish.
https://technet.microsoft.com/en-us/library/cc288143(v=office.14).aspx

Note also the significance of configuring the web.config compared to machine.config
System-wide configuration settings for the .NET Framework are defined in the Machine.config file. The Machine.config file is located in the %SystemRoot%\Microsoft.NET\Framework\%VersionNumber%\CONFIG\ folder. The default settings that are contained in the Machine.config file can be modified to affect the behavior of applications that use the .NET Framework on the whole system.

You can change the ASP.NET configuration settings for a single application if you create a Web.config file in the root folder of the application. When you do this, the settings in the Web.config file override the settings in the Machine.config file.

When you extend a Web application by using Central Administration, SharePoint 2010 Products automatically create a Web.config file for the Web application.
Specifically for the HTTPS enforcement, consider changing the Access Mapping for the Default Zone by selecting Application Management and then Configure Alternate Access Mappings in Central Admin. From there you can click on Edit Public URLs and change the Default Zone from http to https. You will need to add the binding for the SSL certificate once this change has been made.

If you only have one IP address you may have to use SSL host headers in IIS which can be configured as documented in the following link:

http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html

If you're using IIS 7.5 you can actually configure this using the GUI.

You can also remove the binding for HTTP in IIS and create a new site in IIS that will redirect all traffic from HTTP to HTTPS.  Also, you may want to check the Content Sources section in your Search Service Application and ensure only the HTTPS versions of the sites are listed after the changes have been made.
Also see this example for HTTP Redirect under the IIS group. http://sharepoint.stackexchange.com/questions/68158/sharepoint-2010-http-to-https-redirection-iis-7-5
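
A read-only audit of the two places the answer above changes, added here as an example and not part of the original post: it lists IIS site bindings still on plain HTTP (including the SharePoint Web Services site on TCP 32843) and Alternate Access Mappings that still use http://. It assumes an elevated PowerShell 2.0 session on the SharePoint 2010 server with the WebAdministration module and the SharePoint snap-in available.

```powershell
# Added audit example (read-only): nothing here changes IIS or SharePoint.
Import-Module WebAdministration
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. IIS: enumerate every binding of every site and flag plain-HTTP ones.
#    For http/https, bindingInformation has the form "IP:port:hostheader".
$bindings = foreach ($site in Get-ChildItem IIS:\Sites) {
    foreach ($b in $site.Bindings.Collection) {
        $port = $null
        if ($b.protocol -eq 'http' -or $b.protocol -eq 'https') {
            $port = ($b.bindingInformation -split ':')[1]
        }
        New-Object PSObject -Property @{
            Site      = $site.Name
            Protocol  = $b.protocol
            Port      = $port
            Binding   = $b.bindingInformation
            PlainHttp = ($b.protocol -eq 'http')
            # 32843 is the default HTTP binding for service applications
            ServiceAppHttp = ($b.protocol -eq 'http' -and $port -eq '32843')
        }
    }
}
$bindings | Sort-Object Site, Protocol |
    Format-Table Site, Protocol, Port, Binding, PlainHttp, ServiceAppHttp -AutoSize

# 2. SharePoint: Alternate Access Mappings whose incoming or public URL
#    is still http://. These are the entries to move to https in
#    Central Admin > Application Management > Configure Alternate Access Mappings.
$httpMappings = @(Get-SPAlternateURL | Where-Object {
    $_.IncomingUrl -like 'http://*' -or $_.PublicUrl -like 'http://*'
})
$httpMappings | Format-Table IncomingUrl, UrlZone, PublicUrl -AutoSize

# 3. Summary a reviewer can act on.
$httpBindings = @($bindings | Where-Object { $_.PlainHttp })
"{0} plain-HTTP IIS binding(s), {1} http:// access mapping(s) remaining" -f `
    $httpBindings.Count, $httpMappings.Count
```

An HTTP binding that remains on purpose, such as a site that only redirects to HTTPS, will still be listed and has to be accepted by the reviewer.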
Walter Curtis, SharePoint AED
Distinguished Expert 2018

Commented:
Great information - give the man the points!

Author

Commented:
@btan: Hey, thanks for your reply, this is very good, this is actually something I was looking for. Appreciate your input. Happy New Year.
@SneekCo: no doubt it is. Points given. Also Happy New Year.

KP
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Thanks, folks!
