For this posting I have used one of my SCOM R2 test environments based on Windows Server 2008 R2 with an enterprise CA in place. The SCOM R2 Web Console installation uses Windows Authentication. The procedure described in the posting will also work with Web Consoles using Forms Authentication.
It is also good to know that in this scenario the SCOM R2 Web Console is NOT going to be accessed by any external party. No external CA is needed to obtain an SSL certificate; your own enterprise CA will suffice.
01 – Test your Web Console
First and foremost, TEST your Web Console while SSL is not in place! Be sure the SCOM R2 Web Console is up & running. Also test it from a system which is NOT the server hosting that Web Console. This way you are sure all is well.
02 – Requesting a certificate
- On the server hosting the SCOM R2 Web Console, start the Internet Information Services 7.0 IIS Manager console and double click on the IIS server.
Double click on the icon Server Certificates.
- The Actions Pane will show the available options. Click Create Domain Certificate.
What? Why do I not choose Create Certificate Request? Good question! That option is in order when an external CA like VeriSign is going to be used. That would be relevant when the SCOM R2 Web Console is going to be accessible to external parties who use systems outside the forest where your CA resides.
- The Create Certificate wizard appears with the Distinguished Name Properties options. One of the most important fields here is the Common name field. The name used here needs to match the host name in the address of the website. To get it, drop the prefix http://, the port and the page path. So the web address http://SV01:51908/default.aspx becomes just SV01.
Click Next.
- Hit the Next button near the field Specify Online Certification Authority:
Select your CA and click OK
Give a Friendly Name and click Finish.
- The certificate is successfully created:
03 – Adjusting the Bindings of the Web Console
All these actions are done from the Internet Information Services 7.0 IIS Manager console.
- Go to the node Sites under the IIS server hosting the SCOM R2 Web Console. Select the website which is the SCOM R2 Web Console. In the Actions Pane under the header Edit Site the option Bindings is displayed. Click it.
- Click Add and select as Type: https with Port: 443. From the drop down menu for the SSL Certificate select the earlier created SSL certificate.
Click OK.
- Now two bindings are shown:
Click Close.
04 – Requiring SSL connections only to the SCOM R2 Web Console
All these actions are done from the Internet Information Services 7.0 IIS Manager console. Make sure to have the website which is the SCOM R2 Web Console selected. For this see step 1 of procedure 03.
- In the middle section of the IIS console there is an icon named SSL Settings.
Double click it.
- Change the settings of the website so that SSL is required.
In the Action Pane click Apply. This message will be shown:
05 – Adjusting the settings in the SCOM R2 Console
- Open the SCOM R2 Console with SCOM Admin permissions. Go to Administration > Administration > Settings > General > Web Addresses. Double click it.
- Change the settings for the Web Console to https:// and drop the :51908 stuff. Click Apply.
- Click the button Test and check it out:
06 – Redirection from HTTP to HTTPS
HTTP will not work any more and will show a 403.4 error instead. This can be easily circumvented by using some code. This webpage describes exactly how to go about that. It is best to use the option where the custom code page is being used at server level, not at website level.
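A check to run from a second system after procedures 02 to 05, as an added example that is not part of the original post: it reads the certificate served on port 443, compares its common name with the host name, and confirms that plain HTTP is refused. The host name SV01 and port 51908 come from the example address above; the function names are hypothetical.

```powershell
# Added example. Assumed values: host SV01 and HTTP port 51908, taken from the
# example address in this post. Adjust both for your environment.
$HostName = 'SV01'
$HttpPort = 51908

function Get-ConsoleCertificateReport {
    param([string]$Name, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    try {
        # Accept the certificate during the handshake so it can be inspected;
        # name, expiry and chain are evaluated explicitly below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Name)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        New-Object PSObject -Property @{
            CommonName   = $cn
            NameMatches  = ($cn -eq $Name)           # -eq is case-insensitive for strings
            NotExpired   = ($cert.NotAfter -gt (Get-Date))
            ChainTrusted = $chain.Build($cert)       # needs the enterprise CA root trusted on this client
        }
    }
    finally { $tcp.Close() }
}

function Get-PlainHttpStatus {
    param([string]$Url)
    $req = [System.Net.WebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false        # report a redirect instead of following it
    $req.UseDefaultCredentials = $true     # the Web Console uses Windows Authentication
    try { $resp = $req.GetResponse() }
    catch {
        # An HTTP error status surfaces as a WebException that carries the response.
        $resp = $_.Exception.GetBaseException().Response
        if (-not $resp) { throw }
    }
    try { [int]$resp.StatusCode } finally { $resp.Close() }
}

Get-ConsoleCertificateReport -Name $HostName | Format-List
$status = Get-PlainHttpStatus -Url "http://${HostName}:$HttpPort/"
# 403 is expected once SSL is required; 200 means the console still answers over plain HTTP.
"Plain HTTP status: $status"
```

NameMatches reports False when the Common name entered in procedure 02 differs from the host name used in the Web Console address, which is the mismatch that produces browser certificate warnings.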