Basic IIS security questions

  • Question

  • User-1169702982 posted

    Hi, I'm using SBS2003 with IIS6 and am struggling to get a web site using https working.  Here is what I have done:

    1.  Installed an Enterprise CA.

    2.  Created a server certificate.

    3.  Assigned the server certificate to the Default Web Site (this now shows 443 in its identity).

    4.  Against a virtual directory specified 'Require secure channel (SSL)' in Secure Communications dialog.  Currently I am ignoring client certificates.

    5.  Test connecting to virtual directory using https://domain/virtualDirName/index.htm and get error (if I uncheck 'Require secure channel' and then do http://domain/virtualDirName/index.htm it works).

    6.  After doing some research....turned on firewall and added ports 80 and 443.

    7.  Retest point 5) still does not work.

    8.  Desktops can no longer access internet

    9.  Turn off firewall

    10.  Desktops can now access internet.

    I think I'm digging myself into a hole.  Can anyone tell me whether or not I should have the firewall on or not in order for SSL to work (I'm guessing the answer is yes).  If the firewall is on why do the desktops no longer have access to the internet?

    Sorry for the length of the post.

    Steve


    Saturday, March 21, 2009 8:01 AM

All replies

  • User690216013 posted
    Well, you simply said you met errors, but there was no error page, or error message mentioned. Then it is so hard to help you.
    Saturday, March 21, 2009 9:29 PM
  • User-1169702982 posted

    At point 5 the error I get is

    'Internet Explorer cannot display the webpage'


    Most likely causes:

    • You are not connected to the Internet.
    • The website is encountering problems.
    • There might be a typing error in the address.

    Monday, March 23, 2009 4:28 AM
  • User-823196590 posted

    Turn off friendly error messages in IE.

    Monday, March 23, 2009 6:50 AM
  • User-1169702982 posted

    Hi tom, I've cleared the check box 'Show friendly HTTP error messages', but it does not change the error message.

    I've turned off my Firewall (otherwise I cannot access the internet) so I am not sure if my server exposes port 443.

    Thanks, Steve

    Monday, March 23, 2009 10:04 AM
  • User690216013 posted
    An easy way to determine if IIS is monitoring port 443 is to run "netstat -aon" in a command prompt on the IIS server. You may see if there is a process monitoring port 443 and then check in Task Manager which process it is (if your Task Manager does not display the PID column by default, it can be turned on under the View menu).
    Wednesday, March 25, 2009 7:02 PM
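    The check described above, as an added example that is not part of the thread: it parses "netstat -aon" output and matches the local port exactly, so a search for 443 does not also hit unrelated ports such as the 44323 line quoted later in this thread. The sample output is constructed (only the UDP 44323 line comes from the thread).

```python
# Added example: parse "netstat -aon" output and report which local sockets are
# bound to a given port, instead of grepping the text for "443".
import re

# Constructed sample in the layout "netstat -aon" prints on Windows Server 2003.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.3:3389       192.168.1.2:1087       ESTABLISHED     1120
  UDP    0.0.0.0:44323          *:*                                    1352
  UDP    192.168.1.3:53         *:*                                    1352
"""

LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, _, port = m.group("local").rpartition(":")
        rows.append({
            "proto": m.group("proto"),
            "host": host,
            "port": int(port),
            "state": m.group("state") or "",   # UDP rows have no state column
            "pid": int(m.group("pid")),
        })
    return rows

def listeners_on(text, port):
    """Sockets bound to exactly `port` (TCP must be LISTENING; UDP is stateless)."""
    return [r for r in parse_netstat(text)
            if r["port"] == port and (r["proto"] == "UDP" or r["state"] == "LISTENING")]

if __name__ == "__main__":
    hits = listeners_on(SAMPLE_NETSTAT, 443)
    for r in hits:
        # On Windows Server 2003, IIS 6 serves HTTP(S) through http.sys, so the
        # listener normally shows PID 4 (System) rather than an inetinfo/w3wp PID.
        print(f"{r['proto']} {r['host']}:{r['port']} {r['state']} pid={r['pid']}")
    if not hits:
        print("nothing is listening on 443: the SSL binding is not active")
```

    If the TCP 0.0.0.0:443 LISTENING line is absent, the problem is the IIS binding itself and no firewall rule will fix it.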
  • User1073881637 posted

    Turn on firewall, enable firewall logging and see what is being dropped.

    http://technet.microsoft.com/en-us/library/cc787462.aspx

    Wednesday, March 25, 2009 7:57 PM
  • User-1169702982 posted

    Hi Lex.  I did a netstat into a text file because I got hundreds of lines.  I then searched the text file for 443 and I only found lines like

    UDP     0.0.0.0:44323        *:*        1352

    Process 1352 is the dns service.

    Exactly how would the port 443 appear if IIS was listening on it?

    Regards, Steve

    Friday, March 27, 2009 7:53 AM
  • User-1169702982 posted

    Hi Steve.  I've turned on firewall logging and then tried to access the internet via my desktop and this appeared in the log file

    2009-03-27  11:59:49 DROP UDP 192.168.1.2  192.168.1.3 55694 53 62 - - - - - - RECEIVE

    I got 4 lines like this.  192.168.1.2 is the desktop and 192.168.1.3 is the server.  I'm afraid I'm none the wiser, but presumably the server was receiving a UDP packet from the desktop and dropped it.  My router is 192.168.1.1 and is never mentioned in the log file.

    Regards, Steve


    Friday, March 27, 2009 8:04 AM
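    A way to read that log, as an added example that is not part of the thread: it parses Windows Firewall log records (the W3C "#Fields:" layout used by pfirewall.log) and counts inbound DROPs by protocol and destination port, which names the blocked service. Only the first DROP line is from the thread; the other records are constructed, and the idea that the desktops resolve DNS through the SBS server is an assumption (port 53 is DNS, which is what the dropped packets target).

```python
# Added example: summarise inbound DROP records from a Windows Firewall log
# by (protocol, destination port) so the blocked service can be identified.
from collections import Counter

# Constructed sample; the first DROP line is the one quoted in the thread.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-03-27 11:59:49 DROP UDP 192.168.1.2 192.168.1.3 55694 53 62 - - - - - - RECEIVE
2009-03-27 11:59:51 DROP UDP 192.168.1.2 192.168.1.3 55695 53 62 - - - - - - RECEIVE
2009-03-27 11:59:53 DROP TCP 192.168.1.2 192.168.1.3 1124 443 48 S 1234567 0 65535 - - - RECEIVE
2009-03-27 11:59:55 OPEN TCP 192.168.1.2 192.168.1.3 1125 80 - - - - - - - - -
"""

# Well-known ports a small-business server typically serves to its LAN.
SERVICE_NAMES = {53: "dns", 80: "http", 443: "https", 445: "smb", 3389: "rdp"}

def parse_firewall_log(text):
    """Yield one dict per record; '#' comment lines and short lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8:
            continue  # truncated record
        yield {
            "date": f[0], "time": f[1], "action": f[2], "proto": f[3],
            "src": f[4], "dst": f[5], "sport": f[6],
            "dport": int(f[7]) if f[7].isdigit() else None,
            "path": f[-1],   # RECEIVE / SEND is the last column
        }

def dropped_inbound_summary(text):
    """Count inbound DROPs per (proto, dst-port)."""
    c = Counter()
    for rec in parse_firewall_log(text):
        if rec["action"] == "DROP" and rec["path"] == "RECEIVE" and rec["dport"] is not None:
            c[(rec["proto"], rec["dport"])] += 1
    return dict(c)

if __name__ == "__main__":
    for (proto, port), n in sorted(dropped_inbound_summary(SAMPLE_LOG).items()):
        svc = SERVICE_NAMES.get(port, "unknown")
        print(f"{n:3d} inbound {proto} to port {port} ({svc}) dropped")
```

    A firewall that drops the desktops' UDP 53 queries to the server would stop name resolution, and with it all browsing, which matches the symptom in the thread.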
  • User690216013 posted
    Interesting that your IIS is not listening to port 443 for HTTPS. This is normally caused by your incorrect configuration in IIS Manager. Can you review the following KB to see if you configured every piece? http://support.microsoft.com/kb/299875
    Saturday, March 28, 2009 2:03 AM
  • User-2064283741 posted

    Use SSLDiag

    http://www.iis.net/downloads/default.aspx?tabid=34&i=1251&g=6

    Reading

    "

    5.  Test connecting to virtual directory using https://domain/virtualDirName/index.htm and get error (if I uncheck 'Require secure channel' and then do http://domain/virtualDirName/index.htm it works).

    6.  After doing some research....turned on firewall and added ports 80 and 443.

    7.  Retest point 5) still does not work.

    8.  Desktops can no longer access internet

    9.  Turn off firewall

    10.  Desktops can now access internet."

    I am confused. Access the Internet or access this 1 website? Are the desktop machines using the SBS server to access the internet? Do you think adding an IIS website is causing problems here? Are you using ISA server for this? If so, you have configured your ISA server wrong and this is nothing to do with IIS.

    Can you access SSL website from the server itself?


    Saturday, March 28, 2009 9:59 AM
  • User-1169702982 posted

    Interesting that your IIS is not listening to port 443 for HTTPS. This is normally caused by your incorrect configuration in IIS Manager. Can you review the following KB to see if you configured every piece? http://support.microsoft.com/kb/299875

    I've gone through the article and I think I've done everything correctly.

    Sunday, March 29, 2009 5:24 AM
  • User-1169702982 posted

    Use SSLDiag

    http://www.iis.net/downloads/default.aspx?tabid=34&i=1251&g=6

    Reading

    "

    5.  Test connecting to virtual directory using https://domain/virtualDirName/index.htm and get error (if I uncheck 'Require secure channel' and then do http://domain/virtualDirName/index.htm it works).

    6.  After doing some research....turned on firewall and added ports 80 and 443.

    7.  Retest point 5) still does not work.

    8.  Desktops can no longer access internet

    9.  Turn off firewall

    10.  Desktops can now access internet."

    I am confused. Access the Internet or access this 1 website? Are the desktop machines using the SBS server to access the internet? Do you think adding an IIS website is causing problems here? Are you using ISA server for this? If so, you have configured your ISA server wrong and this is nothing to do with IIS.

    Can you access SSL website from the server itself?


    Using SSLDiag has shown some errors.  Firstly the server certificate is producing the error 'CertVerifyCertificateChainPolicy returned error -2146762480'.

    I then did a simulated handshake and got 'Error 0x800b0110 The server certificate is not valid for the requested page'.

    I think the firewall is what is causing me the internet connection problems.  And I am only turning on the firewall because I thought it was necessary for IIS/SSL to work.  Is it not the firewall that enables port 443?

    I'll continue on with SSLDiag.

    Regards, Steve

    Sunday, March 29, 2009 5:56 AM