Migrating from port 80 to 443 (SSL)


Kevin W Flanagan

We have had our implementation on the Intranet LAN for the past three years.
We are now getting requests to move our system into our DMZ so external
customers can access Project Server. I originally installed using Port 80 and
now want to implement SSL. I read that WSS does not do well with just
changing in the Admin tool, but rather you should reinstall with SSL. Can
anyone tell me if this is true and how to successfully configure after
switching to SSL?

Thanks,

Kevin
 

Rolly Perreaux

Hi Kevin,

If you change the SharePoint web site to use HTTPS (SSL) configuration,
it will automatically change the URL to display https:// at the
beginning of all links.


If your Project Server is configured with WSS on the same server, just
remember that using SSL for WSS is just a matter of making sure that you
use a different port number than port 443, as that is typically assigned
to Project Server. The deal here is that you cannot share port numbers
between web sites.

Here's how you do it in two steps:


A. To add a Web Certificate to Project Server web site
======================================================
1. Open IIS Manager and expand to Web Sites, in the results pane (right
side) it will list all the current port numbers assigned.

2. Right click the Project Server web site to add a web certificate and
click Properties.

3. At the Web Site tab, click Directory Security tab.

4. Under Secure Communications, click Server Certificate.

5. In the Web Server Certificate Wizard dialog box, click Next.

6. In the Server Certificate dialog box, select "Create a new
certificate" and click Next.

7. In the Delayed or Immediate Request dialog box, select "Prepare the
request now, but send it later" and click Next.

** VERY IMPORTANT STEPS **

8. In the Name and Security Settings dialog box, in the Name box, type
the FQDN of the server and click Next.
For example, on my demo server, the web site name is called
ProjectServer, but the FQDN is prjsvr.contoso.msft. Remember that web
server certificates are based on machine name and not web sites. So that
means that you will only need one web server certificate for both web
sites. Remember they can't be sharing the default port numbers.

9. In the Organization Information dialog box, in the Organization box,
type your company name, and in the Organization Unit box, type your
department name and click Next.

10. In the Your Site's Common Name dialog box, in the Common name box,
type the FQDN of the server (same as in step 8) and click Next.

11. In the Geographical Information dialog box, fill in the appropriate
geographical information where the web server will be located and click
Next.

12. In the Certificate Request File Name dialog box, accept the default
of C:\Certreq.txt and click Next.

13. In the Request File Summary dialog box, click Next.

14. In the Completing the Web Server Certificate Wizard dialog box,
click Finish.

15. Open C:\Certreq.txt with Notepad

16. Press Ctrl + A (Select All) and then press Ctrl + C (Copy)

17. Open Internet Explorer and navigate to your favourite SSL provider.
In my example I will use GeoTrust as my provider.
http://www.geotrust.com/products/ssl_certificates/quick_ssl.asp

18. Click Buy $189 and then click the Stay with QuickSSL link.

19. At the QuickSSL Enrollment page, select your geographic location and
click Continue.

20. At the QuickSSL Enrollment page, select your Validity Period and
additional information and click Continue.

21. At the Enter CSR page, click in the Certificate Signing Request *
box and press Ctrl + V (Paste) and click Continue.

22. At the Verify Server URL, verify that the URL for the external
server is correct and click Continue.
IMPORTANT NOTE: The value for the Common Name must exactly match the
name of the server you plan to secure. If you continue and there is a
typo in the name, you will need to purchase another Web Certificate.

23. At the Site Administrator Contact Information page, fill out the
information and click Continue.
Please note that the Administrator of the domain name will be contacted
as a 2 step verification and authorization process. This administrator
is listed in the WHOIS information for the domain name.

For example, open Internet Explorer to http://www.whois.net and in the
WHOIS Lookup box type your domain name (mine is epmknowledge.com)
and click Go! In the results page, it displays that the Administrative
Contact email is (e-mail address removed). This is the email address
that GeoTrust will use to authorize the creation of the web certificate.
No authorization, no certificate. So make sure you advise the
administrator of your purchase in advance.

24. Once your Administrator has authorized the creation of the web
certificate, you should expect an email from either GeoTrust or your
Administrator with a web server certificate within the email.

25. In the email copy everything starting at -----BEGIN CERTIFICATE-----
and ending -----END CERTIFICATE-----

For example:

-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----

26. Open Notepad, paste the certificate and Save As the following:
File Name: C:\SSLWebCert.cer
Save as type: All Files
Encoding: ANSI

27. Back to IIS Manager

28. Right click the web site that you created a web certificate request
for and click Properties.

29. At the Web Site tab, click Directory Security tab.

30. Under Secure Communications, click Server Certificate.

31. In the Web Server Certificate Wizard dialog box, click Next.

32. In the Pending Certificate Request dialog box, select "Process the
pending request and install the certificate" and click Next.

33. In the Process a Pending Request dialog box, in the Path and file
name box type C:\SSLWebCert.cer and click Next.

34. In the SSL Port dialog box, type 443 and click Next.

35. In the Certificate Summary dialog box, click Next.

36. In the Completing the Web Server Certificate Wizard dialog box,
click Finish.

37. At the Directory Security tab, under Secure Communications, click
Edit.

38. At the Secure Communications dialog box, select Require secure
channel (SSL) and select Require 128-bit encryption, and click OK.
What this does is force the remote web client to use HTTPS. Without
selecting "Require secure channel (SSL)" it allows the remote web client
to use either HTTP or HTTPS. (not a good thing)

39. At the <Project Server Web Site> Properties dialog box, click OK

40. Test accessing PWA using https://<FQDN>/projectserver



B. To add the newly added SSL Web Certificate to the WSS web site
=================================================================
1. Right click the WSS web site to add a web certificate and click
Properties.

2. At the Web Site tab, click Directory Security tab.

3. Under Secure Communications, click Server Certificate.

4. In the Web Server Certificate Wizard dialog box, click Next.

5. In the Server Certificate dialog box, select "Assign an existing
certificate" and click Next.

6. In the Available Certificates dialog box, select the certificate
recently added in Procedure A and click Next.

7. In the SSL Port dialog box, type 444 and click Next. (remember that
port numbers cannot be shared between web sites)

8. In the Certificate Summary dialog box, click Next.

9. In the Completing the Web Server Certificate Wizard dialog box, click
Finish.

10. At the Directory Security tab, under Secure Communications, click
Edit.

11. At the Secure Communications dialog box, select Require secure
channel (SSL) and select Require 128-bit encryption, and click OK.
What this does is force the remote web client to use HTTPS. Without
selecting "Require secure channel (SSL)" it allows the remote web client
to use either HTTP or HTTPS. (not a good thing)

12. At the <WSS Web Site> Properties dialog box, click OK

13. Test accessing PWA using
https://<FQDN>:444/sites/projectserver_<projectnumber>
For example:
https://demo.contoso.msft:444/sites/projectserver_101
(assuming that there is already a project workspace site for project
number 101 created.)


Additional quick pointers
=========================
1. Make sure to add the FQDN in the list of Trusted Sites in Internet
Explorer

2. Make sure to add an alias (CNAME) DNS entry for the FQDN as the FQDN
name needs to be resolved to an IP.

Good Luck and please let us know how it turns out


--
Rolly Perreaux, PMP, MCSE
Project Server Trainer/Consultant

TriMagna Corporation
http://www.trimagna.com
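
Added example, not part of the original thread: a Python check to run after procedures A and B, confirming that ports 443 and 444 present the same certificate, that it validates for the FQDN, and that the old port 80 site no longer serves pages over plain HTTP. Ports 443/444 and the /projectserver path come from the posts above; the function names and the sample results are this example's own.

```python
import hashlib, http.client, socket, ssl, sys

# Constructed sample results (not from a real server) so the script runs offline.
SAMPLE_TLS = {443: (True, "ab" * 32), 444: (False, "certificate verify failed")}
SAMPLE_HTTP = {80: 200}

def probe_tls(fqdn, port, timeout=5):
    """Handshake with chain and hostname validation; (ok, sha256-or-error)."""
    ctx = ssl.create_default_context()  # matches fqdn against the certificate
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                der = tls.getpeercert(binary_form=True)
                return True, hashlib.sha256(der).hexdigest()
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, str(exc)

def probe_http(fqdn, port, path, timeout=5):
    """Status of a plain-HTTP GET, or None when the port does not answer."""
    try:
        conn = http.client.HTTPConnection(fqdn, port, timeout=timeout)
        conn.request("GET", path)
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None

def evaluate(tls, http_status):
    """Turn probe results into findings; an empty list means all checks pass."""
    findings = []
    for port, (ok, detail) in sorted(tls.items()):
        if not ok:
            findings.append(f"port {port}: TLS validation failed: {detail}")
    if len({detail for ok, detail in tls.values() if ok}) > 1:
        findings.append("the two sites present different certificates")
    for port, status in sorted(http_status.items()):
        if status is not None and 200 <= status < 300:
            findings.append(f"port {port}: page served over plain HTTP")
    return findings

if __name__ == "__main__":
    tls, http_status = SAMPLE_TLS, SAMPLE_HTTP
    if len(sys.argv) > 1:  # usage: script.py <FQDN>
        fqdn = sys.argv[1]
        tls = {p: probe_tls(fqdn, p) for p in (443, 444)}
        http_status = {80: probe_http(fqdn, 80, "/projectserver")}
    for line in evaluate(tls, http_status) or ["all checks passed"]:
        print(line)
```

Run it with the FQDN as the only argument from a machine outside the DMZ; with no argument it evaluates the constructed sample. A server that only offers protocol versions below Python's default minimum is reported as a TLS validation failure.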
 
