
"Private internal SSL" certificate on HOPEX V5

AHassan
MEGA Partner

Hi,
I am looking for some help, please.
Scenario:

  • IIS server is hosting a HOPEX static website on port 443 (https://HopexTest.hopex.com:443/Web360)

  • Port 444 is used for HAS (https://HopexTest.hopex.com:444) on the same server.

     

  • It seems that I cannot use ARR/URL rewrite because it will always redirect to HAS page and static website will not be reached, so I am not using ARR/URL rewrite.

     

  • If I don't use the ARR/URL rewrite, then the client machine (user Windows 10 machine) doesn't pick up the internal self-signed certificate and I get the below error:

asimhassan_0-1637766979645.png

 

The static website has no issue (https://HopexTest.hopex.com:443/Web360) as the public certificate is working fine.

 

Do I need to replace the "Private internal SSL" certificate with the "Public certificate" issued by the Certificate Authority to make it work without certificate error on client's machine?

6 Replies

Thanks - both questions are answered and it works now 🙂

 

In your post you are mixing 2 problems:

  1. The configuration of IIS with proper URL Rewrite Rules
  2. Deployment of HAS in HTTPS

 

Now, I will answer your installation case. You are getting confused with all the ports you defined. Because you mix them, it fails to start.

 

Here is an example to clarify.

  • PORT 443 : is used by IIS and is a public port
  • PORT 5000 and 30100 are used by HAS for internal communication.

Here is a schema of the architecture:

 

 

oguimard_0-1637770182244.png

 

In your case you have:

  • IIS on port 443
  • You are trying to put the HAS instance on port 443 as well

It is not possible to have 2 different applications that are communicating on the same port.

 

So in your case you cannot use port 443 for the instance because the server already uses IIS for port 443.

I suggest you leave the default value 5000. This port is for internal communication. Make sure you check "Enable SSL".

 

This means that between IIS and HAS the communication will be in SSL on port 5000

oguimard_2-1637770590529.png

 

 

 

 

 

 

Here is an example of complex IIS configuration.

 

In your post you are mixing 2 problems:

  1. The configuration of IIS with proper URL Rewrite Rules
  2. Deployment of HAS in HTTPS

I will focus on point 1 for the answers

 

I will take an example where we have:

  • several server farms
  • several websites under the "Default Web Site" of IIS, all on port 443

 

To make it work, it is a matter of properly setting URL Rewrite rules: https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/url-rewrite-module-configuration-... 

The binding in IIS :

Make sure you have the proper binding on the website. In my example I have 3 DNS pointing toward the same server on port 443.

 

Screenshot 11-24-21 at 04.20 PM.PNG

In your case you should have one for port 443.

 

Make sure the SSL certificate is aligned with the binding you defined. In my case the SSL certificate is a *.demomega.com

 

oguimard_0-1637768077200.png

 

Several websites

In my example I have 2 different websites:

  • BoldBI, which is a complete .NET website not related to HOPEX in this deployment
  • HOPEX360, which contains several static websites

 

For the static pages :

 

Create an IIS Application "hopex360" to host the static website. Below the IIS Application I have created 4 sub-applications because I have 4 static websites.

 

oguimard_0-1637767474757.png

 

Simply click on "Convert to Application" to convert the folder of the static Website to an IIS Application

oguimard_1-1637767563324.png

 

If you have only one static website it can be done directly under "Default Web Site"

 

If you want each website to be at the root level it is possible. Just repeat the operation at root level instead of Sub IIS Application

 

URL Rewrite configuration

Go to the root level of IIS and click on "URL Rewrite"

 

oguimard_1-1637768173286.png

 

In that example I have 4 rewrite rules to manage:

  • The access to the website called BoldBI
  • the access to the website HOPEX360
  • The server farm called ONE
  • The server farm called REFERENCE

 

oguimard_2-1637768245871.png

 

What is important is to understand that the rules are executed in order and that we can decide not to execute the following rule if conditions are met.

 

So in your case you need to create a rule for your static website to avoid being redirected to the "HAS" farm and stay on the static pages.

 

Here are the actions to do:

  1. Create a new blank rule
  2. Name it "HOPEX Static website"
  3. Choose "Using Wildcards"
  4. In the pattern field put *<<website name>>*, where <<website name>> is the name of the IIS Application you created. In my case hopex360
  5. Choose "Ignore case"
  6. Optional: you may want to put a condition on PORT or DNS for your rule
  7. In action choose Action Type "None"
  8. Ensure "Stop processing of subsequent rules" is checked
  9. Click Apply

See the screenshot below

oguimard_3-1637768640138.png

 

Make sure your rules are sorted properly.

Select the rule you just created and click "Move Up" to make sure your rule appears before the redirection to the farm

 

oguimard_4-1637768735187.png

 

With that configuration you are able to have 

 

https://HopexTest.hopex.com/Hopex  => that will access the server farm 

https://HopexTest.hopex.com/Web360 => that will access the static webpage.

 

If you use the default port 443, you can remove it from the configuration, as the default web behavior is that HTTPS is on port 443.
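The nine steps above, written out as the URL Rewrite configuration they produce. This is an added example, not part of the original reply or of MEGA's documentation; the farm name `HAS`, the farm rule name and the host/port conditions are assumptions, and the fragment is placed under `globalRules` on the assumption that the rules were created at the IIS server level as described.

```xml
<!-- Added example: server-level URL Rewrite rules, inside <system.webServer>. -->
<rewrite>
  <globalRules>
    <!-- Steps 1-9: rules run top to bottom, so this rule must sit ABOVE the
         farm rule. It matches any URL containing the IIS Application name,
         takes no action, and stops processing so the request is served by
         the static site instead of being forwarded to the farm. -->
    <rule name="HOPEX Static website" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*hopex360*" ignoreCase="true" />
      <conditions>
        <!-- Step 6 (optional): limit the rule to one host name and port.
             Both values are assumptions taken from the question's URL. -->
        <add input="{HTTP_HOST}" pattern="HopexTest.hopex.com" />
        <add input="{SERVER_PORT}" pattern="443" />
      </conditions>
      <action type="None" />
    </rule>

    <!-- Farm rule as ARR typically generates it; "HAS" is a hypothetical
         server farm name. Everything not stopped above is forwarded here. -->
    <rule name="ARR_HAS_loadbalance" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <action type="Rewrite" url="https://HAS/{R:0}" />
    </rule>
  </globalRules>
</rewrite>
```

Replace `hopex360` with the name of your own IIS Application (for the URLs in the question that would be `Web360`).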

Please see the below screenshots:

asimhassan_0-1637767346736.png

 

 

asimhassan_2-1637767368129.png

The 360 website is hosted on port 443, so port 444 is being used for HAS instance. If both are possible on 443 then it will be even better but the HAS instance doesn't start on port 443.

asimhassan_4-1637767674293.png

 

asimhassan_3-1637767649365.png

2021-11-24T15:26:09.8141208+00:00 [Error] - An error occurs when executing command : System.Net.Sockets.SocketException (10013): An attempt was made to access a socket in a way forbidden by its access permissions.

 

But the main issue is the error on the client machine, where it doesn't pick up the certificate and shows the error:

asimhassan_5-1637767751223.png

 

Also, why do you need 443 or 443? You could have both in 443?

oguimard
Retired

Can you share a screenshot of the IIS configuration, please?