Configuring Secure Sockets Layer (SSL) to work with the Symantec Endpoint Protection reporting functions on Windows 2000

Article:TECH102244  |  Created: 2007-01-25  |  Updated: 2010-08-17  |  Article URL http://www.symantec.com/docs/TECH102244
Article Type
Technical Solution


Issue

You need to know how to configure Secure Sockets Layer (SSL) to work with Symantec Endpoint Protection reporting that is installed on Windows 2000.
Solution

Before you begin:
By default, Symantec Endpoint Protection Manager communicates with its clients using the HTTP communication protocol. You can change this communication protocol to HTTPS, which uses SSL. SSL uses certificates, which you must create and install manually. After you configure HTTPS communications, you can toggle between HTTPS and HTTP communications.

You can use these procedures for configuring SSL communications with Windows 2000 Server operating systems. These procedures assume that Internet Information Services and the Symantec Endpoint Protection Manager (SEPM) are already installed on the same computer and that you are configuring SSL communications on that computer.

To configure SSL communications, you must do all of the following steps:

  1. Install the Microsoft Certificate Services
  2. Create a certificate request
  3. Submit a certificate request
  4. Install the CA certification path
  5. Issue the certificate
  6. Retrieve the certificate
  7. Install the certificate
  8. Configure the reporting Web site to use SSL
  9. Configure the Management Server List to use SSL
  10. Edit the conf.properties file
  11. Configure the Symantec Endpoint Protection Manager and agents to use SSL



Installing Microsoft Certificate Services
By default, Microsoft Certificate Services are not installed on Windows 2000 Server operating systems. If the services are installed, skip this procedure.

To install Microsoft Certificate Services, you first must manually stop the IIS services before starting the steps listed below.
 

  1. Insert your server installation CD. The Certificate Services installer requires a file named sertsrv.msc from the CD.
  2. Click Start > Settings > Control Panel > Add/Remove Programs.
  3. In the Add/Remove Programs window, click Add/Remove Windows Components.
  4. In the Windows Components dialog box, check Certificate Services, and then click Next.
  5. In the Certificate Authority Type dialog box, click Stand-alone root CA, and then click Next.
  6. In the CA Identifying Information dialog box, in all boxes, type identifying information, and then click Next.
  7. In the Data Storage Location dialog box, in all boxes, accept or change the default locations for directories and log files, and then click Next.
  8. When the installation completes, click Finish.



Creating a certificate request
In order to obtain a certificate, you must create and submit a certificate request.

To create a certificate request do the following:

  1. Click Start > Settings > Control Panel > Administrative Tools > Internet Services Manager.
  2. In the left pane, expand the Reporting host node, right-click Default Web Site, and select Properties.
  3. In the Default Web Site Properties dialog box, on the Directory Security tab, under Secure Communications, click Server Certificate.
  4. In the Certificate Wizard dialog box, click Next.
  5. In the Server Certificate dialog box, click Create a new certificate, and then click Next.
  6. In the Delay or Immediate Request dialog box, click Prepare the request now, but send later, and then click Next.
  7. In the Name and Security Settings dialog box, in the Name box, type a name for your certificate.
  8. In the Bit length drop-down box, select the encryption key length, and then click Next.
  9. In the Organization Information dialog box, in the Organization and Organizational unit boxes, type your values, and then click Next.
  10. In the Your Site's Common Name dialog box, in the Common name box, type your value, and then click Next.
  11. In the Geographical Information dialog box, in all boxes, type your values, and then click Next.
  12. In the Certificate Request File Name dialog box, in the File name box, type the file name for the certificate request, and then click Next.
  13. In the Request File Summary dialog box, click Next.
  14. In the Completed dialog box, click Finish.
  15. In the Default Web Site Properties dialog box, click OK.
  16. Exit all applications, and restart the computer.


Submitting the certificate request

To submit the certificate request do the following:

  1. Start Internet Explorer if it is not started.
  2. In the Address box, type http://<Reporting_Host_Computer>/certsrv.
  3. In the Welcome page, click Request a Certificate, and then click Next.
  4. In the Choose Request Type page, click Advanced Request, and then click Next.
  5. In the Advance Certificates Request page, click Submit a certificate request using a PKCS #10 file, and then click Next.
  6. With Notepad, open the certificate request file that you created.
  7. Click Edit > Select All > Edit > Copy. Verify that a blank line does not appear at the last line. The last line must be "----END NEW CERTIFICATE REQUEST----" without the quotes.
  8. In the Submit a Saved Request page, in the Saved Request box, click the mouse, and then click Edit > Paste.
  9. Click Submit.
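Step 7 above is where most paste failures happen: the certsrv form rejects a request that has a trailing blank line or a damaged armour line. The following check is an added example, not part of this article or of the Symantec product, that reads the request file the Certificate Wizard wrote and reports the same conditions before you copy it. It assumes the standard PEM armour, which uses five hyphens on each side of the BEGIN/END text. The sample request body is constructed and is not a real PKCS #10 request.

```python
"""Sanity-check an IIS Certificate Wizard request file before pasting it into certsrv."""
import base64
import re

# Standard PEM armour lines for a request generated by the IIS Certificate Wizard.
# Assumption: PEM armour uses five hyphens on each side of the text.
BEGIN_LINE = "-----BEGIN NEW CERTIFICATE REQUEST-----"
END_LINE = "-----END NEW CERTIFICATE REQUEST-----"

_B64_LINE = re.compile(r"^[A-Za-z0-9+/]+=*$")


def check_request_file(text):
    """Return a list of problems found in the request text (empty list means OK).

    Checks the conditions the submission page is picky about: both armour lines
    present, no blank line after the END line, and a body that is valid base64
    decoding to a DER SEQUENCE (first byte 0x30), which every PKCS #10 request is."""
    problems = []
    # A single final newline after END is normal; an extra empty line breaks the paste.
    if text.endswith("\n\n") or text.endswith("\r\n\r\n"):
        problems.append("file ends with a blank line; delete it before copying")
    stripped = [ln.rstrip("\r") for ln in text.split("\n") if ln.strip("\r") != ""]
    if not stripped or stripped[0] != BEGIN_LINE:
        problems.append("first line is not %r" % BEGIN_LINE)
    if not stripped or stripped[-1] != END_LINE:
        problems.append("last line is not %r" % END_LINE)
    body = stripped[1:-1]
    bad = [i for i, ln in enumerate(body, start=2) if not _B64_LINE.match(ln)]
    if bad:
        problems.append("non-base64 content on line(s) %s" % bad)
    else:
        try:
            der = base64.b64decode("".join(body), validate=True)
        except Exception:
            der = b""
        if not der.startswith(b"\x30"):
            problems.append("body does not decode to a DER SEQUENCE; wrong or truncated file?")
    return problems


# Constructed sample: a tiny DER SEQUENCE wrapped in request armour, not a real CSR.
SAMPLE_OK = (BEGIN_LINE + "\n"
             + base64.b64encode(b"\x30\x03\x02\x01\x01").decode("ascii") + "\n"
             + END_LINE + "\n")
# Same file with the trailing blank line that step 7 warns about.
SAMPLE_TRAILING_BLANK = SAMPLE_OK + "\n"


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, "r", encoding="ascii").read() if path else SAMPLE_TRAILING_BLANK
    for problem in check_request_file(text) or ["request file looks ready to paste"]:
        print(problem)
```

Run it with the path of the .txt file you typed in step 12 of the previous procedure; an empty problem list means the file can be copied as-is.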




Installing the CA certification path
You must install the CA certification path.

To install the CA certification path do the following:

  1. Start Internet Explorer if it is not started.
  2. Browse to http://<Reporting_Host_Computer>/certsrv
  3. In the Welcome page, click Retrieve the CA certificate, and then click Next.
  4. In the Retrieve the CA Certificate page, at the top, click Install this CA certification path.



Issuing the certificate
You must issue the certificate.

To issue the certificate do the following:

  1. Click Start > Programs > Administrative Tools > Certification Authority. You must have administrative privileges.
  2. In the Certification Authority page, expand your CA, and then click Pending Requests.
  3. In the right pane, right-click the request, and then click All Tasks > Issue.



Retrieving the certificate
You must retrieve the certificate.

To retrieve the certificate do the following:

  1. Start Internet Explorer if it is not started.
  2. Browse to http://<Reporting_Host_Computer>/certsrv.
  3. In the Welcome page, click Check on a pending certificate, and then click Next.
  4. In the Check On A Pending Certificate Request page, select the certificate, and then click Next.
  5. In the Certificate Issued page, click DER Encoded, and then click Download CA certificate.
  6. In the File Download dialog box, click Save this file to disk, and then click OK.
  7. Complete the download.


Installing the certificate
You must install the certificate.

To install the certificate do the following:

  1. If Internet Services Manager is not started, click Start > Settings > Control Panel > Administrative Tools > Internet Services Manager.
  2. In the Internet Information Services window, expand the host node, right-click Default Web Site, and then select Properties.
  3. In the Default Web Site Properties window, on the Directory Security tab, under Secure Communications, click Server Certificate.
  4. In the Certificate Wizard dialog box, click Next.
  5. In the Pending Certificate Request dialog box, click Process the pending request and install the certificate, and then click Next.
  6. In the Process a Pending Request dialog box, browse to and select the certificate .cer file that you saved.
  7. Click Next.
  8. In the Certificate Summary dialog box, click Next.
  9. In the Completed dialog box, click Finish.
  10. In the Default Web Site Properties window, on the Web Site tab, under Web Site Identification, click Advanced.
  11. In the Advanced Multiple Web Site Configuration dialog box, Under Multiple SSL identities for this Web Site, verify that the port number is 443.
  12. If the port number is not 443, change the number to 443.
  13. Exit the Default Web Site Properties window, but do not exit the Internet Information Services window.




Configuring the reporting Web site to use SSL
You must configure the reporting Web site to use SSL.

To configure the reporting Web site to use SSL do the following:

  1. In Internet Information Services, expand the host and Default Web Site, right-click Reporting, and then select Properties.
  2. In the Reporting Properties dialog box, on the Directory Security tab, under Secure Communications, click Edit.
  3. In the Secure Communications dialog box, check Require secure channel (SSL).
  4. Under Client certificates, check Ignore client certificates if it is not checked, and then click OK.
  5. In the Reporting Properties dialog box, click OK.



Configuring the Management Server List to use SSL
You must configure the Management Server List to use SSL.

To configure the Management Server List to use SSL do the following:

  1. In Internet Information Services, expand the host and Default Web Site, right-click Reporting, and then select Properties.
  2. In the Reporting Properties dialog box, on the Directory Security tab, under Secure Communications, click Edit.
  3. In the Secure Communications dialog box, check Require secure channel (SSL).
  4. Optionally check Require 128 bit encryption, based on your network security policy.
  5. Under Client certificates, check Ignore client certificates if it is not checked, and then click OK.
  6. Open the console, then click Policies > Policy Components > Manager Server Lists > Add a Management Server List, then in the Shared Management Servers Lists window, at the top, name the list and add a description if you like or use the defaults. Don’t forget to check both the Use HTTPS protocol as well as verify certificates using https protocol check boxes.
  7. Then under Management Servers click ADD > New Priority > ADD > New Server. In the Host Address box, under the server address, you must use the computer name of the server, not the IP address. Use the same computer name used in the creation of the self-signed certificates created earlier, and then click OK.
  8. Finally, right-click the name of the new management server list that you created in steps 6 and 7 above, and click Assign To…. Choose all servers and groups to be included and finally click Assign > Yes > OK.



Manually editing the conf.properties file
From this point, we need to edit a file named conf.properties that by default is located at Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc. Open this file in either Notepad or WordPad.

Add the following two lines to the end of the file:
scm.use_https=1
scm.iis.https.port=443

You can now log into the Symantec Endpoint Protection Manager through SSL, but the clients can no longer communicate with the server.
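Editing conf.properties by hand is easy to get wrong if the file is touched more than once (a duplicated scm.use_https line, or the old value left in place above the new one). The script below is an added example, not part of this article or of the Symantec product: it writes the two keys the article names exactly once, rewriting an existing assignment in place and appending the key only when it is absent, and it keeps a backup beside the file. The default path is the article's location with an assumed C: drive; Java .properties files are read and written as ISO-8859-1 here, which is an assumption about how SEPM reads the file. The sample file contents are constructed.

```python
"""Set scm.use_https and scm.iis.https.port in SEPM's conf.properties, once and only once."""
import shutil

# Keys and values named in the article. Everything else in the file is preserved verbatim.
HTTPS_KEYS = {"scm.use_https": "1", "scm.iis.https.port": "443"}

# Assumed install location (article path, C: drive assumed).
DEFAULT_PATH = (r"C:\Program Files\Symantec\Symantec Endpoint Protection Manager"
                r"\tomcat\etc\conf.properties")


def set_properties(text, updates):
    """Return new file text with each key in `updates` set exactly once.

    Existing assignments (key=value or key = value) are rewritten in place and any
    later duplicate of the same key is dropped; missing keys are appended at the end,
    which is what the article asks for. Comment lines (#, !) and unrelated keys are
    left untouched so the rest of the server configuration is not disturbed."""
    out = []
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key = line.split("=", 1)[0].strip()
            if key in updates:
                if key in seen:
                    continue  # drop a duplicate definition of a key we manage
                out.append("%s=%s" % (key, updates[key]))
                seen.add(key)
                continue
        out.append(raw)
    for key, value in updates.items():
        if key not in seen:
            out.append("%s=%s" % (key, value))
    return "\n".join(out) + "\n"


def enable_https(path=DEFAULT_PATH):
    """Back up conf.properties next to itself, then write the HTTPS keys into it."""
    with open(path, "r", encoding="latin-1") as fh:  # assumption: ISO-8859-1 properties file
        original = fh.read()
    shutil.copy2(path, path + ".bak")
    updated = set_properties(original, HTTPS_KEYS)
    with open(path, "w", encoding="latin-1", newline="\r\n") as fh:
        fh.write(updated)
    return updated


# Constructed sample, not a real SEPM configuration file.
SAMPLE = "# constructed sample\nscm.server.port=8443\nscm.use_https = 0\n"


if __name__ == "__main__":
    print(set_properties(SAMPLE, HTTPS_KEYS))
```

Running set_properties a second time over its own output returns the output unchanged, so the script can be re-run safely after the management server list has been switched back and forth.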


Configuring clients to use SSL
You must configure all clients to use SSL. The configuration involves installing the certificate and implementing SSL communications.

To configure clients to use SSL (to be done on the client computer itself):

  1. Start Internet Explorer, and in the Address box, type https://<Reporting_Host_Name>/Reporting
  2. In the Security Alert dialog box, click View Certificate.
  3. In the Certificate Dialog box, click Install Certificate.
  4. Complete the installation wizard and accept the defaults.
  5. In the Security Alert dialog box, click Yes.
  6. Log on to the reporting page.



Toggling between HTTP and HTTPS communications

After you configure reporting and the clients to use HTTPS Communications, you can then toggle between HTTP and HTTPS communications.
You must configure the reporting page.

To configure the reporting page follow the below steps:

  1. If Internet Services Manager is not started, click Start > Settings > Control Panel > Administrative Tools > Internet Services Manager
  2. In the Internet Information Services window, expand the host and Default Web Site nodes, right-click Reporting, and then select Properties.
  3. In the Reporting Properties dialog box, on the Directory Security tab, under Secure Communications, click Edit.
  4. In the Secure Communications dialog box, do one of the following:
    • To use HTTP communications, uncheck Require secure channel (SSL), and then click OK.
    • To use HTTPS communications, check Require secure channel (SSL), and then click OK.
  5. In the Reporting Properties dialog box, click OK.


Configuring the Management Server List to toggle between HTTP and HTTPS communications

In the console, click Policies > Policy Components > Manager Server Lists > Edit the List… to pull up the Shared Management Server Lists window.

To configure the Management Server List to use HTTP or HTTPS, do the following in the Shared Management Server Lists window:

To use HTTP communications:
Click the Use HTTP Protocol box and then click OK.

To use HTTPS communications:
Click Use HTTPS protocol and also click the Verify Certificate when using HTTPS Protocol box, and then click OK.

Wait a few minutes for the settings to propagate.
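Two things decide whether the HTTPS setting actually holds after the settings propagate: the name in the Management Server List must be the computer name the certificate was issued to (step 7 of the Management Server List procedure), and the Reporting directory must refuse plain HTTP once Require secure channel (SSL) is checked. The checker below is an added example, not part of this article or of the Symantec product. It assumes you pass the computer name from the Management Server List as `hostname` and the CA certificate you installed on the clients, exported as PEM, as `ca_file`; the port 443 comes from the article. The certificate dictionary used for the offline check is constructed in the shape Python's ssl module returns.

```python
"""Post-configuration checks for the SEPM reporting site over SSL."""
import socket
import ssl
import urllib.error
import urllib.request


def cert_matches_host(cert, hostname):
    """True if the server certificate names `hostname` (case-insensitive).

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(): 'subject' is a
    tuple of RDNs, each a tuple of (attribute, value) pairs, and 'subjectAltName'
    a tuple of (type, value) pairs. The article requires the Management Server List
    entry to be the computer name, not the IP address, precisely so this comparison
    succeeds when the client's Verify Certificate option is on."""
    want = hostname.lower().rstrip(".")
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and value.lower() == want:
                return True
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value.lower() == want:
            return True
    return False


def http_is_blocked(status):
    """IIS answers a plain-HTTP request to a directory that requires SSL with 403."""
    return status == 403


def check_reporting_site(hostname, ca_file):
    """Connect the way a client does after installing the CA certificate.

    Returns a dict of findings. The default context already rejects an untrusted
    chain or a name mismatch; cert_matches_host is repeated explicitly so the
    finding can be reported rather than raised."""
    findings = {}
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((hostname, 443), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                findings["chain_trusted"] = True
                findings["name_matches"] = cert_matches_host(cert, hostname)
                findings["protocol"] = tls.version()
    except ssl.SSLCertVerificationError as err:
        findings["chain_trusted"] = False
        findings["error"] = str(err)
    # Plain HTTP must be refused once "Require secure channel (SSL)" is checked.
    try:
        urllib.request.urlopen("http://%s/Reporting/" % hostname, timeout=10)
        findings["http_blocked"] = False
    except urllib.error.HTTPError as err:
        findings["http_blocked"] = http_is_blocked(err.code)
    return findings


# Constructed certificate dictionary in getpeercert() shape; not from any real server.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "SEPM01"),)),
    "subjectAltName": (("DNS", "sepm01.example.internal"),),
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(check_reporting_site(sys.argv[1], sys.argv[2]))
    else:
        print("usage: %s <management-server-list-hostname> <ca.pem>" % sys.argv[0])
```

A Windows 2000 IIS server only speaks SSL 3.0 and TLS 1.0, which a current Python build rejects by default; if the TLS handshake fails with a protocol-version error rather than a certificate error, that is the cause, and the answer is to run the check from a machine with a client stack that still negotiates TLS 1.0 rather than to weaken the server-side requirement.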






Legacy ID: 2007072512593748
