Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Reg TLS1.2 enable on Windows server 2012R2

Posted on 2016-10-04
7
Medium Priority
?
213 Views
Last Modified: 2016-11-01
Hi Team
All our VM's are windows Server 2012R2
As our Application URL will work flow is like(Whenever the user hits URL, the requests comes from internet to our Web Servers{translates the 443 port to 80 and then it comes to our Application Servers-->it will goes to our endpoint(their it will gives the provided data).The issue is that As SSL Certificate is configured on our WEB VIPs at Load Balancer level,so if we are accessed/checked the TLS Version by installing wireshark and checked the logs it shown as TLSV1.2 but if we checked from App Servers its displaying as TLSV1.0 so we have to change the TLS version to 1.2 in App Servers.We haven't configured SSL Certificate on App Servers.What the next step we have to take?Please provide us the any resolution ASAP.
Thanking you in Advance!!!!
0
Comment
Question by:Viswanath Chilukuri
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 65

Accepted Solution

by:
btan earned 1000 total points (awarded by participants)
ID: 41829233
You need to create request (CSR) for new cert for your App servers and bind the new cert to the servers. See below.
>CSR - https://www.digicert.com/csr-creation-microsoft-iis-8.htm
>Install - https://www.digicert.com/ssl-certificate-installation-microsoft-iis-8.htm

Also use IISCrypto (https://www.nartac.com/Products/IISCrypto) to have TLS1.2 set but note that there may be issue as some may not support TLS1.2 totally assuming TLS1.0 is disabled.
- see powershell script to enabled PFSS and TLS1.2
https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
2
 
LVL 24

Assisted Solution

by:Dirk Kotte
Dirk Kotte earned 500 total points (awarded by participants)
ID: 41829279
if the Loadbalancer uses port 80/http to Access the app-servers, the certificate at the app-servers are not used for this communication.

if your security policy states you have to encrypt internal traffic also, you have to configure your IIS as described by btan and to reconfigure the LB.
0
 
LVL 65

Assisted Solution

by:btan
btan earned 1000 total points (awarded by participants)
ID: 41829449
If the LB is F5 BIG-IP, you also need to setup the server SSL profile to be configured and import the App server CA cert (and its cert chain, if applicable) into its trusted CA store.
When a server presents a certificate to the BIG-IP system, the BIG-IP system uses the server trusted CAs file to determine which Certificate Authorities it can trust. Using this file is the primary way that the BIG-IP system attempts to verify a server certificate. The BIG-IP system automatically creates a default Server Trusted CAs file when you configure a server-side profile. You can either use the default file name specified in the profile, or specify a different file name.

There is also a server chain file, which the BIG-IP system sends to a server as part of the entire server certificate verification process. The default server chain file is the Server Trusted CAs file.
0
Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

 
LVL 62

Assisted Solution

by:gheist
gheist earned 500 total points (awarded by participants)
ID: 41830875
Given big-ip peeks inside traffic there is no reason to encrypt anything inside your premises.
0
 

Author Comment

by:Viswanath Chilukuri
ID: 41841877
Thanks for all the solutions we got resolution for the above Question. It involves adding a system property in .Net WCF client or web.config to reference TLS v1.2 while it makes a call to CTP endpoint.Then it got resolved.
0
 
LVL 65

Expert Comment

by:btan
ID: 41841937
thanks for sharing
0
 
LVL 65

Expert Comment

by:btan
ID: 41868058
As shared
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What to do when Windows Update is not working correctly? What tools can I use to detect the cause of the malfunction problem? What does this numeric error code mean? These and other questions that you have been asking in the past are answered here (…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question