To configure Transport Layer Security (TLS/SSL) the steps in summary are:
1. Get an appropriate SSL certificate and install it on your SquaredUp server.
- If you are trialling SquaredUp, and unsure which option to choose, you may choose to use a self-signed certificate for the duration of the trial.
- If you are accessing SquaredUp via a public IP address it is best practice to purchase a trusted SSL certificate.
- If you are accessing SquaredUp internally you can use an AD domain issued certificate.
2. Configure the site bindings, adding HTTPS 443 and selecting your certificate.
3. Set up an IIS rewrite to direct any HTTP traffic to the HTTPS URL (Optional).
1. Certificate
- If you use a load balancer, the Subject Alternative Name of the TLS/SSL certificate you install will need to contain your load balancer's name.
- If the SquaredUp server is not behind a load balancer, the Subject Alternative Name should contain the name of the SquaredUp server.
Subject Alternative Name entries can be wildcard names, such as *.squaredup.com, or specific names, such as monitoring.squaredup.com. However, the entry should match what users will type in their browser to access SquaredUp; otherwise the browser will display a message indicating that the certificate is not trusted.
How to view the Subject Alternative Name entries for a certificate
- Launch IIS Manager on your SquaredUp server.
- Under Connections click on your SquaredUp server.
- Double-click Server Certificates in the central panel.
- Double-click on a certificate in the central panel.
- Click the Details tab in the certificate properties and then find Subject Alternative Names in the list.
- The entries for this property will be displayed in the lower pane.
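The same Subject Alternative Name check can be done from PowerShell. This is an added example, not part of the original SquaredUp documentation: it lists the certificates in the server's Local Machine Personal store with their DNS names and expiry date, and tests whether each one covers the name users type in the browser. `$AccessName` and the `Test-SanMatch` helper are assumptions for illustration, and the wildcard rule (one left-most label only) is standard browser behaviour that goes beyond what this page states.

```powershell
# Added example. $AccessName is an assumed value: set it to the host name
# users type in the browser (the load balancer's name if you use one).
$AccessName = 'monitoring.squaredup.com'

# Hypothetical helper: does one SAN DNS entry cover the given host name?
function Test-SanMatch {
    param([string]$HostName, [string]$SanEntry)
    $h = $HostName.ToLowerInvariant()
    $s = $SanEntry.ToLowerInvariant()
    if ($s.StartsWith('*.')) {
        # A wildcard covers exactly one left-most label:
        # *.squaredup.com matches monitoring.squaredup.com,
        # but not squaredup.com and not a.b.squaredup.com.
        $suffix = $s.Substring(1)                      # ".squaredup.com"
        if (-not $h.EndsWith($suffix)) { return $false }
        $label = $h.Substring(0, $h.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return ($h -eq $s)
}

# Cert:\LocalMachine\My is the store IIS Manager shows under Server Certificates.
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # DnsNameList is filled by the certificate provider from the SAN extension
    # (it falls back to the Subject when the certificate has no SAN).
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode } | Where-Object { $_ })
    $covered = $false
    foreach ($name in $names) {
        if (Test-SanMatch -HostName $AccessName -SanEntry $name) { $covered = $true }
    }
    [pscustomobject]@{
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        DnsNames         = $names -join ', '
        NotAfter         = $cert.NotAfter
        DaysLeft         = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        CoversAccessName = $covered
    }
} | Format-List
```

Run it in an elevated PowerShell session on the SquaredUp server. A certificate with `CoversAccessName : False` will produce a browser warning when bound to the site, and `DaysLeft` shows how long before it needs replacing.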
How to import a new certificate
- Launch IIS Manager on your SquaredUp server.
- Under Connections click on the SquaredUp server.
- Double-click Server Certificates in the central panel.
- From the right-hand menu click Import and follow the steps to import your certificate.
2. Configure the Bindings for TLS/SSL (HTTPS) in IIS
- Under Connections expand Sites and click on the website that hosts the SquaredUp instance (this is normally Default Web Site).
- From the right-hand side menu click on Bindings.
- Click Add.
- Change the Type to https.
- Under SSL certificate select the TLS/SSL certificate you added above.
- Click OK and then Close.
- From the right-hand menu click Restart.
- If you are using SquaredUp v4 you will probably need to change the Open Access Loopback URL. When you are using SSL, the loopback URL should use https and the host name your SSL certificate was issued for, for example:
https://SquaredUp.Company.com
See Checking the Open Access Loopback URL on v4
This is not necessary on SquaredUp v5 because Open Access does not use a loopback URL.
If there is an existing HTTPS binding configured on the web site (for example, because it hosts other applications in addition to SquaredUp) and the certificate being used for the existing binding does not have a Subject Alternative Name entry that is appropriate for users to use to access SquaredUp, then a new binding may need to be created for a new certificate. Either a different port number or host name will then need to be set in each HTTPS binding entry if they are bound to the same IP address.
3. IIS Rewrite
Set up a redirect to switch traffic from HTTP to HTTPS using the IIS Rewrite module:
See Configuring a redirect using the IIS Rewrite module
FAQs
What are the downsides to using a self-signed cert?
If you choose to use a self-signed SSL certificate rather than one issued by a trusted public Certificate Authority then SquaredUp users will typically see a browser security warning and will need to explicitly agree to proceed. For example, in Chrome this is done by clicking Advanced, in Edge by clicking Details.
It is best practice to only use self-signed certificates in internal (LAN) environments.
What if I don't want to use a self-signed cert?
You need to acquire a trusted certificate either by purchasing one from a trusted Certificate Authority (CA), or one issued by your AD domain / internal certificate authority (CA).
Help, my certificate is about to expire!
If after 12 months you wish to continue using a self-signed certificate, you will need to generate a new 12-month self-signed certificate.