Solved

Reg TLS1.2 enable on Windows server 2012R2

Posted on 2016-10-04
7
86 Views
Last Modified: 2016-11-01
Hi Team
All our VM's are windows Server 2012R2
As our Application URL will work flow is like(Whenever the user hits URL, the requests comes from internet to our Web Servers{translates the 443 port to 80 and then it comes to our Application Servers-->it will goes to our endpoint(their it will gives the provided data).The issue is that As SSL Certificate is configured on our WEB VIPs at Load Balancer level,so if we are accessed/checked the TLS Version by installing wireshark and checked the logs it shown as TLSV1.2 but if we checked from App Servers its displaying as TLSV1.0 so we have to change the TLS version to 1.2 in App Servers.We haven't configured SSL Certificate on App Servers.What the next step we have to take?Please provide us the any resolution ASAP.
Thanking you in Advance!!!!
0
Comment
Question by:Viswanath Chilukuri
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 63

Accepted Solution

by:
btan earned 250 total points (awarded by participants)
ID: 41829233
You need to create request (CSR) for new cert for your App servers and bind the new cert to the servers. See below.
>CSR - https://www.digicert.com/csr-creation-microsoft-iis-8.htm
>Install - https://www.digicert.com/ssl-certificate-installation-microsoft-iis-8.htm

Also use IISCrypto (https://www.nartac.com/Products/IISCrypto) to have TLS1.2 set but note that there may be issue as some may not support TLS1.2 totally assuming TLS1.0 is disabled.
- see powershell script to enabled PFSS and TLS1.2
https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
2
 
LVL 23

Assisted Solution

by:Dirk Kotte
Dirk Kotte earned 125 total points (awarded by participants)
ID: 41829279
if the Loadbalancer uses port 80/http to Access the app-servers, the certificate at the app-servers are not used for this communication.

if your security policy states you have to encrypt internal traffic also, you have to configure your IIS as described by btan and to reconfigure the LB.
0
 
LVL 63

Assisted Solution

by:btan
btan earned 250 total points (awarded by participants)
ID: 41829449
If the LB is F5 BIG-IP, you also need to setup the server SSL profile to be configured and import the App server CA cert (and its cert chain, if applicable) into its trusted CA store.
When a server presents a certificate to the BIG-IP system, the BIG-IP system uses the server trusted CAs file to determine which Certificate Authorities it can trust. Using this file is the primary way that the BIG-IP system attempts to verify a server certificate. The BIG-IP system automatically creates a default Server Trusted CAs file when you configure a server-side profile. You can either use the default file name specified in the profile, or specify a different file name.

There is also a server chain file, which the BIG-IP system sends to a server as part of the entire server certificate verification process. The default server chain file is the Server Trusted CAs file.
0
Free Webinar: AWS Backup & DR

Join our upcoming webinar with experts from AWS, CloudBerry Lab, and the Town of Edgartown IT to discuss best practices for simplifying online backup management and cutting costs.

 
LVL 62

Assisted Solution

by:gheist
gheist earned 125 total points (awarded by participants)
ID: 41830875
Given big-ip peeks inside traffic there is no reason to encrypt anything inside your premises.
0
 

Author Comment

by:Viswanath Chilukuri
ID: 41841877
Thanks for all the solutions we got resolution for the above Question. It involves adding a system property in .Net WCF client or web.config to reference TLS v1.2 while it makes a call to CTP endpoint.Then it got resolved.
0
 
LVL 63

Expert Comment

by:btan
ID: 41841937
thanks for sharing
0
 
LVL 63

Expert Comment

by:btan
ID: 41868058
As shared
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question