Configuring Notification Server to use SSL

Article:DOC1240  |  Created: 2006-10-04  |  Updated: 2006-10-05  |  Article URL http://www.symantec.com/docs/DOC1240
Article Type
Documentation



Question
How can I configure Notification Server to use SSL?

Answer
From Notification Server 6.0 SP3 Help Documentation

Configuring Notification Server to use SSL

Notification Server can use either HTTP or HTTPS when accessing the Altiris Console and when communicating with managed computers.

If you want to use HTTPS, configure your Notification Server to use SSL.
When installing Notification Server, if the Default Web site is set to Require secure channel (SSL), the Notification Server and the Altiris Agent will automatically use HTTPS. No additional steps are required.
When installing Notification Server, if the Default Web site is NOT set to Require secure channel (SSL), or has no Server Certificate installed, the Notification Server and the Altiris Agent will automatically use HTTP.


Note
HTTPS adds significant load to a Web server; the exact cost depends on the operating system and hardware you run. Before you switch all Altiris Agent communication from HTTP to HTTPS, refer to Microsoft's documentation on HTTPS overhead to estimate the server load it will generate and size the hardware accordingly. Example: in some publicly available Web server test results, smaller servers handled only 10-20% of the Web browsing traffic over HTTPS that they handled over HTTP. Hardware can offset much of this; many public Web sites use network cards that off-load encryption and decryption from the CPU, largely bypassing the overhead of HTTPS. These figures date from 2006, so measure your own Notification Server under agent load rather than relying on them.

For HTTPS to function, you must install a certificate on the Notification Server. If you purchase your certificate from a public Certificate Authority that your managed computers already trust, no Notification Server or Altiris Agent configuration is needed beyond what HTTP requires. If you use a private Certificate Authority, you must configure your managed computers to trust that Certificate Authority (see the Setting up managed Computers to Trust a Private Certificate Authority section below).

After you obtain the certificate from a private or public authority, you must install it on the Notification Server.

Requesting a certificate

1. Open Internet Services Manager.
2. Browse to Default Web site.
3. Right-click and select Properties.
4. Select the Directory Security tab.
5. Click the Server Certificate button.

· Create the certificate request file.
· Be sure to use the FQDN of the Notification Server as the common name.

6. Submit the text file that is generated (typically certreq.txt) to the Certificate Authority (public or private).

Installing the certificate

1. Open Internet Services Manager.
2. Browse to Default Web site.
3. Right-click and select Properties.
4. Select the Directory Security tab.
5. Click the Server Certificate button.
6. Follow the wizard to import the certificate file you received from the Certificate Authority.


Note
To always use HTTPS for all Notification Server communication, we recommend that you install the certificate and require SSL on the Default Web site before you install Notification Server. When SSL is required on the Default Web site in IIS, the setup program configures all shortcuts to HTTPS and installs the Altiris Agents to use HTTPS. If you configure IIS to require SSL after Notification Server installation, you must switch all previously installed Altiris Agents to HTTPS (including the agent on the Notification Server itself) and manually change the shortcuts installed on the Altiris Console (see the Migrating Altiris Agents from HTTP to HTTPS section below).


Migrating Altiris Agents from HTTP to HTTPS

After you have installed Notification Server and deployed the Altiris Agent, you can migrate your Altiris Agents from HTTP to HTTPS as follows.


Note
When you want to change how managed computers communicate with Notification Servers, you need to ensure that communication can occur using the current port setting and the new port setting. Otherwise Altiris Agents will lose communication with Notification Server and have to be manually configured from the managed computer or re-deployed from the Notification Server to regain communication.

Before making any changes to the Altiris Agent Settings policies, ensure that the new port setting is already configured. If you want to change the Notification Server that the Altiris Agents communicate with, you need to have Notification Server installed on that computer before changing the Altiris Agent Settings policy in the Altiris Console. If you want to configure the Altiris Agents to use a different TCP port (other than 80 for HTTP or 443 for HTTPS), you must configure IIS to communicate on both the current port setting and the new port setting before making changes to the Altiris Agent Settings policies in the Altiris Console.

Migrating from HTTP to HTTPS

1. In IIS, install the Server Certificate, but do not select Require secure channel (SSL) yet.
2. For each Altiris Agent Settings policy for which you want to change communication settings (found in the Altiris Console by clicking the Configuration tab, then navigating to Configuration Altiris Agent > Altiris Agent Configuration), do the following:

Note
You may want to clone one of the existing policies and use a collection you define to get granular enough to only target the computers you want.

a. Click Advanced Settings.
b. Select Specify an alternate URL for the Altiris Agent to use to access the NS.
c. Change the Server Name if needed. We recommend using the FQDN.
d. Change the Server Web address to HTTPS, and also change the port number within this address (443 for HTTPS).
    The Server Web address should be in the following format:
          http://<NS_FQDN>:<port>/Altiris/
          https://<NS_FQDN>:<port>/Altiris/
e. Click Apply.

3. The next time the Altiris Agents request Altiris Agent Settings, they will receive the new Notification Server details and contact the Notification Server using HTTPS from then on.
4. After all of the Altiris Agents have received the new Altiris Agent Settings, you can select the Require secure channel (SSL) option in IIS for the Altiris Web.
5. Manually update your Shortcuts on the Altiris Console to HTTPS.

Setting up managed Computers to Trust a Private Certificate Authority

If you set up your Web server to use HTTPS and you use a private Certificate Authority, your managed computers must be configured to trust that private Certificate Authority.
The following sections provide suggestions of ways to do this:

· Setting up Windows 9x/NT or non-Active Directory managed Computers to Trust a Private Certificate Authority
· Setting up Windows 2000 (or later) managed Computers to Trust a Private Certificate Authority

Setting up Windows 9x/NT or non-Active Directory managed Computers to Trust a Private Certificate Authority
The following provides steps for getting your managed computers to trust a private Certificate Authority. Use these steps if you are installing to Windows 9x/NT managed computers or managed computers that are not members of an Active Directory domain.
Steps to Follow:
1. Preliminary
2. Obtain the Root Certificate of the Certificate Authority
3. Import the Root Certificate

Preliminary

1. Verify that the common name for the certificate is the DNS name of the Notification Server.
2. Install Internet Explorer 5.5 SP2 on the target computer and restart.

Obtain the Root Certificate of the Certificate Authority

There are three ways to obtain the root certificate of the Certificate Authority. Choose the one that works best for you:

Option 1 - Get the root certificate from a certificate file.

1. Double-click the CER file.
2. Click on the Certification Path tab.
3. Click on the root in the tree.
4. Click Install Certificate.
5. Click Next.
6. Click Place all certificates into the following store.
7. Click Browse.
8. Click Show physical stores.
9. Expand Trusted Root Certification Authorities.


Note
This store name may differ depending on the version of Windows you are using. Choose the name that most resembles Trusted Root Certification Authorities.


10. Select Local computer.
11. Click OK.
12. Click Next.
13. Click Finish.

Option 2 - Get the root certificate by using the secure server's CER file.

1. Double-click the CER file.
2. Select Certificate path.
3. Select the root certificate (usually the top entry).
4. Click View Certificate.
5. Click Install Certificate.
6. Click Next.
7. Click Place all certificates into the following store.
8. Click Browse.
9. Click Show physical stores.
10. Expand Trusted Root Certification Authorities.

Note
This store name may differ depending on the version of Windows you are using. Choose the name that most resembles Trusted Root Certification Authorities.

11. Select Local computer.
12. Click OK.
13. Click Next.
14. Click Finish.

Option 3 - Get the certificate by using Windows Internet Explorer.

1. Browse into the server with HTTPS.
2. You should get a warning with an option to view the certificate.
3. Click View Certificate.
4. Select Certificate Path.
5. Select the root certificate (usually the top entry).
6. Click View Certificate.
7. Click Install Certificate.
8. Click Next.
9. Click Place all certificates into the following store.
10. Click Browse.
11. Click Show physical stores.
12. Expand Trusted Root Certification Authorities.

Note
This store name may differ depending on the version of Windows you are using. Choose the name that most resembles Trusted Root Certification Authorities.

13. Select Local computer.
14. Click OK.
15. Click Next.
16. Click Finish.

Import the Root Certificate

Verify that the certificate presented by Notification Server, and the root certificate that issued it, are trusted by the target computer.
The root certificate must be installed on every managed computer that will accept certificates from Notification Server over HTTPS. The following method automates installing the root certificate file.
1. Use Microsoft's Certificate Manager Tool (Certmgr.exe) to install the root certificate of the Certificate Authority (the user running it must be a local administrator). Certmgr.exe can be downloaded from the Microsoft Web site. You can use Deployment Solution or another method to script the installation of the root certificate on your computers.
Use the following command line:
Certmgr.exe -add <cert file path> -s -r localMachine root
Example:
Certmgr.exe -add c:\sydney-dc.crt -s -r localMachine root

Setting up Windows 2000 (or later) managed Computers to Trust a Private Certificate Authority

The following provides steps for getting your managed computers to trust a private Certificate Authority. Use these steps if you are installing to Windows 2000 (or later) managed computers that are members of an Active Directory domain.
Steps to Follow:
1. Preliminary
2. Configure the Group Policy to Trust the Authority

Preliminary

1. Verify that the common name for the certificate is the DNS name of the Notification Server.
2. Install Internet Explorer 5.5 SP2 on the target computer and reboot.

Configure the Group Policy to Trust the Authority

1. In Active Directory Users and Computers, right-click on the domain and select Properties.
2. Select the Group Policy tab.
3. Edit the default domain policy or create a new policy (Microsoft recommends creating a new policy for each different area you are configuring and leaving the default domain policy as the last in the list).
4. Browse to Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
5. Right-click in the results pane and import the root certificate.
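The following script is an added example; it is not part of the Symantec article or the Notification Server product. It is a pre-flight check for the Migrating from HTTP to HTTPS procedure above, to run from a managed computer (or the Notification Server itself) before you change an Altiris Agent Settings policy. It validates that the current and new Server Web addresses are in the documented http(s)://<NS_FQDN>:<port>/Altiris/ form with a real FQDN, confirms the server answers on both the current and the new port (so agents cannot be stranded by the policy change), and performs a TLS handshake against the HTTPS address with hostname verification using the trust store Python sees on that computer, so a private Certificate Authority root that has not yet been imported (the subject of the two trust sections above) is reported as a verification failure. The host ns.example.com and the ports in the usage line are placeholders; the script uses only the Python standard library.

```python
"""Pre-flight check before moving Altiris Agents from HTTP to HTTPS.

Added example, not part of the Symantec article or the product.  Replace
the placeholder host ns.example.com with your Notification Server FQDN.
"""
import json
import socket
import ssl
import sys
from urllib.parse import urlsplit


def parse_ns_url(url):
    """Validate http(s)://<NS_FQDN>:<port>/Altiris/ and return its parts.
    Raises ValueError when the Altiris Agent could not use the address."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https: %r" % url)
    host = parts.hostname
    if not host:
        raise ValueError("missing host: %r" % url)
    # The certificate common name must be the NS FQDN, so a short NetBIOS
    # name or an IP address can never match under HTTPS.
    if "." not in host or host.replace(".", "").isdigit():
        raise ValueError("host must be a fully qualified DNS name: %r" % host)
    try:
        port = parts.port  # ValueError if the port is not numeric
    except ValueError as exc:
        raise ValueError("bad port in %r" % url) from exc
    if port is None:
        port = 443 if scheme == "https" else 80
    if parts.path != "/Altiris/":
        raise ValueError("path must be /Altiris/: %r" % parts.path)
    return {"scheme": scheme, "host": host, "port": port}


def tcp_reachable(host, port, timeout=5.0):
    """True when a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_check(host, port, timeout=5.0):
    """TLS handshake with the NS using this computer's trust store and
    hostname verification.  'trusted' is False when the chain does not
    verify: on a managed computer that usually means the private CA root
    has not been imported, or the certificate was not issued for the FQDN."""
    ctx = ssl.create_default_context()  # chain and hostname checks enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"trusted": False, "reason": getattr(exc, "verify_message", str(exc))}
    except (ssl.SSLError, OSError) as exc:
        return {"trusted": False, "reason": str(exc)}
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    return {
        "trusted": True,
        "common_name": subject.get("commonName"),
        "issuer": issuer.get("commonName"),
        "not_after": cert.get("notAfter"),
    }


def preflight(current_url, new_url):
    """Run every check for one policy change; 'safe_to_change_policy' is
    True only when the NS answers on both ports and HTTPS verifies."""
    cur, new = parse_ns_url(current_url), parse_ns_url(new_url)
    report = {
        "current_port_open": tcp_reachable(cur["host"], cur["port"]),
        "new_port_open": tcp_reachable(new["host"], new["port"]),
    }
    if new["scheme"] == "https":
        report["tls"] = tls_check(new["host"], new["port"])
    report["safe_to_change_policy"] = bool(
        report["current_port_open"]
        and report["new_port_open"]
        and report.get("tls", {}).get("trusted", True)
    )
    return report


if __name__ == "__main__":
    # Usage: python ns_preflight.py <current Server Web address> <new one>
    cur = sys.argv[1] if len(sys.argv) > 1 else "http://ns.example.com:80/Altiris/"
    new = sys.argv[2] if len(sys.argv) > 2 else "https://ns.example.com:443/Altiris/"
    print(json.dumps(preflight(cur, new), indent=2))
```

Run it on a few representative managed computers before each policy change; only when every report shows safe_to_change_policy true should you apply the new Altiris Agent Settings, and only after all agents have picked them up should you select Require secure channel (SSL) in IIS. A "trusted": false result with a verification reason on a computer that can still reach the port is the symptom of a missing private CA root, not of a server problem.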


Legacy ID
28283

