Solved

Reg. enabling TLS 1.2 on Windows Server 2012 R2

Posted on 2016-10-04
36 Views
Last Modified: 2016-11-01
Hi Team,

All our VMs are Windows Server 2012 R2.

Our application URL's workflow is like this: whenever a user hits the URL, the request comes from the internet to our web servers (which translate port 443 to port 80), then to our application servers, and then on to our endpoint (which returns the requested data).

The issue is that the SSL certificate is configured on our web VIPs at the load balancer level. When we checked the TLS version by installing Wireshark and reviewing the logs, it showed TLSv1.2, but when we checked from the app servers it displayed TLSv1.0, so we have to change the TLS version to 1.2 on the app servers. We haven't configured an SSL certificate on the app servers. What is the next step we have to take? Please provide us with a resolution ASAP.

Thanking you in advance!
Question by: Viswanath Chilukuri
7 Comments
 
LVL 61

Accepted Solution

by: btan (earned 250 total points, awarded by participants)
ID: 41829233
You need to create a certificate request (CSR) for a new cert for your App servers and bind the new cert to the servers. See below.
> CSR - https://www.digicert.com/csr-creation-microsoft-iis-8.htm
> Install - https://www.digicert.com/ssl-certificate-installation-microsoft-iis-8.htm

Also use IISCrypto (https://www.nartac.com/Products/IISCrypto) to have TLS 1.2 set, but note that there may be issues, as some may not fully support TLS 1.2, assuming TLS 1.0 is disabled.
- See the PowerShell script to enable PFS and TLS 1.2:
https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
2
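The SCHANNEL side of the answer above, as an added example that is not code from the thread or from the linked hass.de script. It writes the documented SCHANNEL protocol keys on Windows Server 2012 R2 so TLS 1.2 is explicitly enabled for both the inbound (Server) and outbound (Client) roles, and reads the state back; the function names are this example's own. Two caveats a practitioner should keep in mind: TLS 1.2 is already enabled by default in SCHANNEL on 2012 R2, and SCHANNEL settings govern IIS and other SChannel users but not what a .NET 4.5 WCF client offers on its own outbound calls, which is controlled by ServicePointManager.SecurityProtocol (the fix the asker eventually reports). Run from an elevated PowerShell; SCHANNEL re-reads these keys at boot.

```powershell
# Added example (not from the thread): explicit SCHANNEL TLS 1.2 configuration on
# Windows Server 2012 R2. Registry paths and value names are the documented SCHANNEL
# settings; Set-SchannelProtocol / Get-SchannelProtocolState are this example's own names.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$AllVersions = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')]
        [string]$Protocol,
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $SchannelProtocols "$Protocol\$role"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 with DisabledByDefault=0 switches the version on; Enabled=0 with
        # DisabledByDefault=1 switches it off, for whichever role the key sits under.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Force `
            -Value $(if ($Enabled) { 1 } else { 0 }) | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Force `
            -Value $(if ($Enabled) { 0 } else { 1 }) | Out-Null
    }
}

function Get-SchannelProtocolState {
    # One row per version and role. A missing key means the OS default applies
    # (TLS 1.0, 1.1 and 1.2 are all enabled by default on Server 2012 R2).
    foreach ($version in $AllVersions) {
        foreach ($role in 'Server', 'Client') {
            $key = Join-Path $SchannelProtocols "$version\$role"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $version
                Role              = $role
                Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { '(OS default)' }
                DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(OS default)' }
            }
        }
    }
}

# 1. Make TLS 1.2 explicit for both roles. It is on by default in 2012 R2, but an explicit
#    key survives hardening tools that rewrite this hive and documents the intent.
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

# 2. Disable the legacy versions only after every peer (load balancer, the CTP endpoint,
#    monitoring agents) is confirmed to negotiate TLS 1.2; otherwise those connections fail
#    outright. Left commented out for that reason.
# Set-SchannelProtocol -Protocol 'SSL 3.0' -Enabled $false
# Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false
# Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $false

Get-SchannelProtocolState | Format-Table -AutoSize
```

IIS Crypto writes the same keys through a GUI; running the read-back function after using it is a quick way to confirm what the tool actually changed before rebooting.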
 
LVL 23

Assisted Solution

by: Dirk Kotte (earned 125 total points, awarded by participants)
ID: 41829279
If the load balancer uses port 80/HTTP to access the app servers, the certificates on the app servers are not used for this communication.

If your security policy states that you have to encrypt internal traffic as well, you have to configure your IIS as described by btan and reconfigure the LB.
0
 
LVL 61

Assisted Solution

by: btan (earned 250 total points, awarded by participants)
ID: 41829449
If the LB is an F5 BIG-IP, you also need to set up the server SSL profile and import the App server CA cert (and its cert chain, if applicable) into its trusted CA store.
When a server presents a certificate to the BIG-IP system, the BIG-IP system uses the server trusted CAs file to determine which Certificate Authorities it can trust. Using this file is the primary way that the BIG-IP system attempts to verify a server certificate. The BIG-IP system automatically creates a default Server Trusted CAs file when you configure a server-side profile. You can either use the default file name specified in the profile, or specify a different file name.

There is also a server chain file, which the BIG-IP system sends to a server as part of the entire server certificate verification process. The default server chain file is the Server Trusted CAs file.
0
 
LVL 61

Assisted Solution

by: gheist (earned 125 total points, awarded by participants)
ID: 41830875
Given that BIG-IP peeks inside traffic, there is no reason to encrypt anything inside your premises.
0
 

Author Comment

by: Viswanath Chilukuri
ID: 41841877
Thanks for all the solutions; we got a resolution for the above question. It involves adding a system property in the .NET WCF client or web.config to reference TLS v1.2 when it makes a call to the CTP endpoint. Then it got resolved.
0
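The client-side fix the asker describes, as an added example rather than the asker's WCF code. PowerShell on Server 2012 R2 is itself a .NET 4.x client, so the same ServicePointManager property can be set and observed from the console; the block also includes a raw SslStream handshake probe to see which TLS version the remote endpoint really negotiates, and a machine-wide registry alternative for when the application code cannot be changed. Assumptions: 'ctp-endpoint.example.com' is a placeholder for the CTP endpoint named in the thread, the function names are this example's own, and the registry switches are honoured only with a sufficiently recent .NET Framework runtime installed (4.6 or later). For an ASP.NET application already built against .NET 4.6 or later, the web.config equivalent is setting <httpRuntime targetFramework="4.6" /> (or higher), which changes the framework default to include TLS 1.2.

```powershell
# Added example (not the asker's code): make a .NET 4.x client on Windows Server 2012 R2
# offer TLS 1.2 on outbound calls and verify what the endpoint negotiates.
# Test-TlsNegotiation and Enable-DotNetStrongCrypto are this example's own names;
# ctp-endpoint.example.com is a placeholder host.

function Test-TlsNegotiation {
    # Performs a TLS handshake offering only $Protocols and returns the version the server
    # picked (or FAILED). SslStream is used directly so the probe does not depend on
    # ServicePointManager, which makes it usable before and after the fix below.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocols = [System.Security.Authentication.SslProtocols]::Tls12
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any server certificate here on purpose: this is a diagnostic that reports the
        # negotiated version only. The real WCF client keeps normal chain validation.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocols, $false)
        [pscustomobject]@{ Host = $HostName; Offered = $Protocols; Negotiated = $ssl.SslProtocol; Cipher = $ssl.CipherAlgorithm }
        $ssl.Dispose()
    } catch {
        [pscustomobject]@{ Host = $HostName; Offered = $Protocols; Negotiated = 'FAILED'; Cipher = $_.Exception.GetBaseException().Message }
    } finally {
        $tcp.Close()
    }
}

function Enable-DotNetStrongCrypto {
    # Machine-wide alternative to touching code. SchUseStrongCrypto makes .NET 4.x code that
    # does not set SecurityProtocol itself offer TLS 1.0/1.1/1.2 instead of SSL 3.0/TLS 1.0;
    # SystemDefaultTlsVersions (.NET 4.6+ with the matching framework updates) makes .NET
    # follow the OS SCHANNEL settings instead of its own list. Both registry views are set so
    # 32-bit app pools are covered too. Takes effect when the application or app pool restarts.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

$endpoint = 'ctp-endpoint.example.com'   # placeholder, not a host from the thread

# What this process offers before any change. .NET 4.5 (the 2012 R2 default) reports
# "Ssl3, Tls", i.e. TLS 1.0 at best, which matches what Wireshark showed on the app servers.
'SecurityProtocol before: {0}' -f [System.Net.ServicePointManager]::SecurityProtocol

# The per-process fix the asker applied inside the WCF client, here set from PowerShell.
# The C# equivalent is: ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
'SecurityProtocol after:  {0}' -f [System.Net.ServicePointManager]::SecurityProtocol

# Confirm what the endpoint itself accepts: a TLS 1.0-only offer should come back FAILED
# against an endpoint that enforces TLS 1.2, while the TLS 1.2 offer should report Tls12.
foreach ($p in [System.Security.Authentication.SslProtocols]::Tls, [System.Security.Authentication.SslProtocols]::Tls12) {
    Test-TlsNegotiation -HostName $endpoint -Protocols $p
}
```

Setting SecurityProtocol to Tls12 alone is the strictest choice and will break calls to any endpoint that still requires TLS 1.0 or 1.1; where several endpoints are in play, combine the flags (Tls12, Tls11, Tls) and let each negotiation settle on the highest common version.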
 
LVL 61

Expert Comment

by: btan
ID: 41841937
Thanks for sharing.
0
 
LVL 61

Expert Comment

by: btan
ID: 41868058
As shared.
0
