Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 298
  • Last Modified:

Reg TLS1.2 enable on Windows server 2012R2

Hi Team
All our VM's are windows Server 2012R2
As our Application URL will work flow is like(Whenever the user hits URL, the requests comes from internet to our Web Servers{translates the 443 port to 80 and then it comes to our Application Servers-->it will goes to our endpoint(their it will gives the provided data).The issue is that As SSL Certificate is configured on our WEB VIPs at Load Balancer level,so if we are accessed/checked the TLS Version by installing wireshark and checked the logs it shown as TLSV1.2 but if we checked from App Servers its displaying as TLSV1.0 so we have to change the TLS version to 1.2 in App Servers.We haven't configured SSL Certificate on App Servers.What the next step we have to take?Please provide us the any resolution ASAP.
Thanking you in Advance!!!!
0
Viswanath Chilukuri
Asked:
Viswanath Chilukuri
4 Solutions
 
btanExec ConsultantCommented:
You need to create request (CSR) for new cert for your App servers and bind the new cert to the servers. See below.
>CSR - https://www.digicert.com/csr-creation-microsoft-iis-8.htm
>Install - https://www.digicert.com/ssl-certificate-installation-microsoft-iis-8.htm

Also use IISCrypto (https://www.nartac.com/Products/IISCrypto) to have TLS1.2 set but note that there may be issue as some may not support TLS1.2 totally assuming TLS1.0 is disabled.
- see powershell script to enabled PFSS and TLS1.2
https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
2
 
Dirk KotteSECommented:
if the Loadbalancer uses port 80/http to Access the app-servers, the certificate at the app-servers are not used for this communication.

if your security policy states you have to encrypt internal traffic also, you have to configure your IIS as described by btan and to reconfigure the LB.
0
 
btanExec ConsultantCommented:
If the LB is F5 BIG-IP, you also need to setup the server SSL profile to be configured and import the App server CA cert (and its cert chain, if applicable) into its trusted CA store.
When a server presents a certificate to the BIG-IP system, the BIG-IP system uses the server trusted CAs file to determine which Certificate Authorities it can trust. Using this file is the primary way that the BIG-IP system attempts to verify a server certificate. The BIG-IP system automatically creates a default Server Trusted CAs file when you configure a server-side profile. You can either use the default file name specified in the profile, or specify a different file name.

There is also a server chain file, which the BIG-IP system sends to a server as part of the entire server certificate verification process. The default server chain file is the Server Trusted CAs file.
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
gheistCommented:
Given big-ip peeks inside traffic there is no reason to encrypt anything inside your premises.
0
 
Viswanath ChilukuriWintel AdminAuthor Commented:
Thanks for all the solutions we got resolution for the above Question. It involves adding a system property in .Net WCF client or web.config to reference TLS v1.2 while it makes a call to CTP endpoint.Then it got resolved.
0
 
btanExec ConsultantCommented:
thanks for sharing
0
 
btanExec ConsultantCommented:
As shared
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now