Reg TLS1.2 enable on Windows server 2012R2

Hi Team,

All our VMs are Windows Server 2012 R2.

Our application URL workflow is like this: whenever the user hits the URL, the request comes from the internet to our web servers (which translate port 443 to 80), then it comes to our application servers, and from there it goes to our endpoint (there it gives the provided data).

The issue is that the SSL certificate is configured on our web VIPs at the load balancer level. If we check the TLS version by installing Wireshark and checking the logs, it shows as TLSv1.2, but if we check from the app servers it displays as TLSv1.0, so we have to change the TLS version to 1.2 on the app servers. We haven't configured an SSL certificate on the app servers. What next step do we have to take? Please provide us any resolution ASAP.

Thanking you in advance!!!!
Viswanath Chilukuri (Wintel Admin) Asked:

btan (Exec Consultant) Commented:
You need to create a request (CSR) for a new cert for your App servers and bind the new cert to the servers. See below.
>CSR - https://www.digicert.com/csr-creation-microsoft-iis-8.htm
>Install - https://www.digicert.com/ssl-certificate-installation-microsoft-iis-8.htm

Also use IISCrypto (https://www.nartac.com/Products/IISCrypto) to have TLS1.2 set, but note that there may be issues, as some may not support TLS1.2 totally, assuming TLS1.0 is disabled.
- see the PowerShell script to enable PFS and TLS1.2
https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
2

Dirk Kotte (SE) Commented:
If the load balancer uses port 80/HTTP to access the app servers, the certificates on the app servers are not used for this communication.

If your security policy states you have to encrypt internal traffic also, you have to configure your IIS as described by btan and reconfigure the LB.
0
btan (Exec Consultant) Commented:
If the LB is F5 BIG-IP, you also need to set up the server SSL profile to be configured and import the App server CA cert (and its cert chain, if applicable) into its trusted CA store.
When a server presents a certificate to the BIG-IP system, the BIG-IP system uses the server trusted CAs file to determine which Certificate Authorities it can trust. Using this file is the primary way that the BIG-IP system attempts to verify a server certificate. The BIG-IP system automatically creates a default Server Trusted CAs file when you configure a server-side profile. You can either use the default file name specified in the profile, or specify a different file name.

There is also a server chain file, which the BIG-IP system sends to a server as part of the entire server certificate verification process. The default server chain file is the Server Trusted CAs file.
0
gheist Commented:
Given BIG-IP peeks inside traffic, there is no reason to encrypt anything inside your premises.
0
Viswanath Chilukuri (Wintel Admin) Author Commented:
Thanks for all the solutions; we got a resolution for the above question. It involves adding a system property in the .NET WCF client or web.config to reference TLS v1.2 when it makes a call to the CTP endpoint. Then it got resolved.
0
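A read-only audit for the situation resolved above, where the app server acts as the TLS client toward the endpoint; this is an added example, not code from the thread. The host name is a placeholder, and the registry values checked are the standard .NET Framework 4.x and SCHANNEL TLS settings, assumed relevant here because the thread names a .NET WCF client.

```powershell
# Added example: audit outbound (client-side) TLS on a Windows app server.
# $EndpointHost is a placeholder; pass the endpoint the application calls.
param(
    [string]$EndpointHost = 'endpoint.example.invalid',
    [int]$Port = 443
)

# .NET Framework 4.x opt-in values that let older apps negotiate TLS 1.2
# without a code change (1 = enabled, empty = not set).
$netKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
foreach ($key in $netKeys) {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key                      = $key
        SchUseStrongCrypto       = $p.SchUseStrongCrypto
        SystemDefaultTlsVersions = $p.SystemDefaultTlsVersions
    }
}

# SCHANNEL client-side TLS 1.2 state (absent values mean OS defaults apply).
$sch = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$s = Get-ItemProperty -Path $sch -ErrorAction SilentlyContinue
[pscustomobject]@{ Key = $sch; Enabled = $s.Enabled; DisabledByDefault = $s.DisabledByDefault }

# Handshake test: offer only TLS 1.2 and report what was negotiated.
# A failure here means the OS or the endpoint cannot complete TLS 1.2,
# independent of how the application itself is configured.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($EndpointHost, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($EndpointHost, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
    "Negotiated: $($ssl.SslProtocol), cipher: $($ssl.CipherAlgorithm)"
}
catch {
    "TLS 1.2 handshake to ${EndpointHost}:$Port failed: $($_.Exception.Message)"
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

If the handshake test succeeds while the application still negotiates TLS 1.0, the limit is in the application's .NET settings rather than in SCHANNEL.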
btan (Exec Consultant) Commented:
thanks for sharing
0
btan (Exec Consultant) Commented:
As shared
0
Windows Server 2012


Question has a verified solution.
