How to configure TLS/SSL (HTTPS)
This article covers two different ways to configure TLS/SSL (HTTPS):
How to configure TLS/SSL (HTTPS) during a new installation - this option can be used when using the downloadable installer.
How to manually configure TLS/SSL (HTTPS) - this option can be used to configure TLS/SSL (HTTPS) at any time after installation.
How to configure TLS/SSL (HTTPS) during a new installation
HTTPS is required to log in to Azure Edition.
When deployed by the Marketplace, Dashboard Server can be configured with either a self-signed certificate with 12 months expiry or a Let's Encrypt certificate (see What is a Let's Encrypt certificate?). It is best practice to replace a self-signed certificate with a trusted certificate prior to moving into production.
When deployed by the Marketplace, Dashboard Server will have been configured with a self-signed certificate with 12 months expiry. It is best practice to replace this with a trusted certificate prior to moving into production.
When using the downloadable installer to install Azure Edition you will need to choose
At any point you can change your certificate options in IIS, see How to manually configure TLS/SSL (HTTPS).
You have three options:
If you are trialing Dashboard Server, and are unsure which option to choose, you may choose to use a self-signed certificate for the duration of the trial.
If you are accessing Dashboard Server via a public IP address it is best practice to purchase a trusted SSL certificate.
If you are accessing Dashboard Server internally you can use an AD domain issued certificate.
Existing certificate
What this does:
This option will create an IIS binding on port 443 using the hostname and certificate you specify.
When to use this:
Use this option to choose an existing SSL certificate from the computer's personal store.
Only choose this option if port 443 is not already being used for another app. If port 443 is already in use, or you wish to specify an IP address or different port number, then you should choose
You should choose this option if you have already acquired and imported a trusted certificate. For example, if you are deploying Dashboard Server on a web server that has already previously had a trusted certificate configured. This could be for a different application or for a previous Dashboard Server installation.
Create Self-Signed Certificate
What this does:
The installer will create a new self-signed certificate, set to expire after 12 months. This option will create a 443 binding using the hostname you specify.
If an appropriate self-signed certificate already exists, then this will be used (this may have less than 12 months remaining).
When to use this:
If you choose this option to use a self-signed SSL certificate then Dashboard Server users will see a browser warning and will need to explicitly agree to proceed. In Chrome this is done by clicking Advanced.
If you are trialing Dashboard Server, or unsure which option to choose, you may choose to use a self-signed certificate.
If you are using this on an internal domain joined machine you may choose to use a self-signed certificate and accept the security warning.
If you are accessing Dashboard Server across the public internet it is best practice to use a trusted SSL certificate and not a self-signed certificate.
Only choose this option if port 443 is not already being used for another app. If port 443 is already in use, or you wish to specify an IP address or different port number, then you should choose
If after 12 months you wish to continue using a self-signed certificate, you will need to generate a new 12 month self-signed certificate. See How to generate a self-signed certificate.
Configure later
What this does:
This will not configure any SSL bindings. You will need to configure an appropriate binding manually within IIS.
While you can choose to configure the SSL certificate later, please note that Dashboard Server will not work until HTTPS has been configured with an SSL certificate.
When to use this:
You already have websites using port 443, or wish to use a different port number or IP address combination.
How to configure your own certificate
See below: How to manually configure TLS/SSL (HTTPS)
How to manually configure TLS/SSL (HTTPS)
To configure Transport Layer Security (TLS/SSL) the steps in summary are:
1. Get an appropriate SSL certificate and install it on your SquaredUp server.
If you are trialing Dashboard Server, and are unsure which option to choose, you may choose to use a self-signed certificate for the duration of the trial. See How to generate a self-signed certificate.
If you are accessing Dashboard Server via a public IP address it is best practice to purchase a trusted SSL certificate.
If you are accessing Dashboard Server internally you can use an AD domain issued certificate.
2. Configure the site bindings, adding HTTPS 443 and selecting your certificate.
3. Set up an IIS rewrite to direct any HTTP traffic to the HTTPS URL (Optional).
1. Get an appropriate SSL certificate
- If you use a load balancer the Subject Alternative Name of the TLS/SSL certificate you install will need to contain your load balancer's name.
- If the SquaredUp server is not behind a load balancer then the Subject Alternative Name should contain the SquaredUp server name.
Subject Alternative Name entries can be wildcard names, such as *.squaredup.com, or specific names, such as monitoring.squaredup.com. However, the entry should match what users will type in their browser to access Dashboard Server; otherwise the browser will display a message indicating that the certificate is not trusted.
You will need to connect to your SquaredUp server. See How to connect to your SquaredUp server.
Open IIS Manager on your SquaredUp server.
Under Connections click on your SquaredUp server.
Double-click Server Certificates in the central panel:
Double-click on a certificate in the central panel.
Click the Details tab in the certificate properties and then find Subject Alternative Names in the list:
The entries for this property will be displayed in the lower pane.
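The same check can be run from PowerShell on the server. This is an added example, not SquaredUp's own tooling: it lists every certificate in the computer's personal store with its names, days to expiry, and whether it covers the name users will type. `$HostName` (set here to the page's sample name) and the helper `Test-SanEntry` are assumptions for illustration.

```powershell
# Added example, not SquaredUp code. $HostName is an assumption: set it to the
# name users type in the browser (the page's sample name is used here).
$HostName = 'monitoring.squaredup.com'

function Test-SanEntry {
    param([string]$Name, [string]$Entry)
    $n = $Name.ToLowerInvariant().TrimEnd('.')
    $e = $Entry.ToLowerInvariant().TrimEnd('.')
    if ($e.StartsWith('*.')) {
        # A wildcard stands for exactly one left-most label:
        # *.squaredup.com covers monitoring.squaredup.com,
        # but not squaredup.com or a.b.squaredup.com.
        $dot = $n.IndexOf('.')
        if ($dot -lt 1) { return $false }
        return $n.Substring($dot) -eq $e.Substring(1)
    }
    return $n -eq $e
}

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # OID 2.5.29.17 is the Subject Alternative Name extension.
    $hasSan = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' })
    # DnsNameList holds the SAN DNS names; PowerShell falls back to the
    # subject name when the certificate has no SAN, so HasSan is reported too.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode } | Where-Object { $_ })
    $covers = [bool]($names | Where-Object { Test-SanEntry -Name $HostName -Entry $_ })
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        # Subject equal to Issuer is the usual sign of a self-signed certificate.
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        DaysLeft   = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        HasPrivKey = $cert.HasPrivateKey
        HasSan     = $hasSan
        Names      = $names -join ', '
        CoversHost = $covers
    }
} | Sort-Object DaysLeft | Format-Table -AutoSize
```

A certificate is a candidate for the HTTPS binding only when CoversHost, HasSan and HasPrivKey are all True and DaysLeft is positive.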
How to import a new certificate
Under Connections click on the SquaredUp server.
Double-click Server Certificates in the central panel:
From the right-hand menu click Import and follow the steps to import your certificate:
2. Configure the bindings for TLS/SSL (HTTPS) in IIS
Under Connections expand Sites and click on the website that hosts the Dashboard Server instance (on Azure this is usually SquaredUpv4 or SquaredUpv5).
From the right-hand side menu click on Bindings.
Click Add:
Change the Type to https.
Under SSL certificate select the TLS/SSL certificate you added:
Click OK and then Close:
From the right-hand menu click Restart:
If there is an existing HTTPS binding configured on the web site (for example, because it hosts other applications in addition to Dashboard Server) and the certificate being used for the existing binding does not have a Subject Alternative Name entry that is appropriate for users to use to access SquaredUp, then a new binding may need to be created for a new certificate. Either a different port number or host name will then need to be set in each HTTPS binding entry if they are bound to the same IP address.
3. Set up an IIS rewrite to direct any HTTP traffic to the HTTPS URL (Optional)
Set up a redirect to switch traffic from HTTP to HTTPS using the IIS Rewrite module:
To redirect all HTTP requests to HTTPS use the following steps:
Open IIS Manager and click on the website that hosts the Dashboard Server instance (on Azure this is usually SquaredUpv4 or SquaredUpv5).
In the main panel, double-click on URL Rewrite.
Click Add Rule(s)... on the right-hand menu.
With Blank rule selected click OK.
Give the rule a name, such as 'Redirect to HTTPS'.
Copy the following and paste into the Pattern box in the Match URL section:
(.*)
Click to expand the Conditions section.
Click Add… to add a new condition to the configuration.
Copy the following and paste into the Condition input box:
{HTTPS}
Copy the following and paste into the Pattern box:
^OFF$
Click OK.
Scroll down to the Action section and change the Action type from Rewrite to Redirect.
Copy the following and paste into the Redirect URL box:
https://{HTTP_HOST}/{R:1}
Change the Redirect type from Permanent (301) to See Other (303).
Click Apply on the right-hand menu under Actions.
Click Back to Rules.
If you have other redirects configured, ensure that your Redirect to HTTPS rule is listed first. You can do this using the Move Up and Move Down options on the right.
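To confirm the rule behaves as configured, the following added example (not SquaredUp code) requests a page over plain HTTP without following redirects and checks for the 303 status and the https:// target built from {HTTP_HOST} and {R:1}. The function name `Test-HttpsRedirect` and the probe path are assumptions for illustration; run it against your own server name.

```powershell
# Added example, not SquaredUp code. Test-HttpsRedirect is a hypothetical helper.
function Test-HttpsRedirect {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$PathAndQuery = 'probe/path?x=1'   # constructed sample path
    )
    $req = [System.Net.WebRequest]::Create("http://$HostName/$PathAndQuery")
    $req.AllowAutoRedirect = $false   # inspect the redirect itself, do not follow it
    $req.Timeout = 10000              # milliseconds
    # GetResponse throws if port 80 is closed or the server answers 4xx/5xx.
    $resp = $req.GetResponse()
    try {
        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
    } finally {
        $resp.Close()
    }
    # The rule redirects to https://{HTTP_HOST}/{R:1}; URL Rewrite appends
    # the original query string to the redirect target by default.
    $expected = "https://$HostName/$PathAndQuery"
    [pscustomobject]@{
        Status    = $status
        Location  = $location
        Is303     = ($status -eq 303)
        ToHttps   = ("$location" -like 'https://*')
        KeepsPath = ($location -eq $expected)
    }
}

# Usage (replace with the name in your HTTPS binding):
# Test-HttpsRedirect -HostName 'monitoring.squaredup.com'
```

If Is303 or ToHttps is False, check that the rule is enabled and listed before any other redirect rules.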
FAQs
What are the downsides to using a self-signed certificate?
If you choose the option to use a self-signed SSL certificate then Dashboard Server users will typically see a browser security warning and will need to explicitly agree to proceed. For example, in Chrome this is done by clicking Advanced, in Edge by clicking Details.
It is best practice to only use self-signed certificates in internal (LAN) environments.
What if I don't want to use a self-signed certificate?
You need to acquire a trusted certificate either by purchasing one from a trusted Certificate Authority (CA), or one issued by your AD domain / internal certificate authority (CA).
Help, my certificate is about to expire!
If after 12 months you wish to continue using a self-signed certificate you will need to generate a new 12 month self-signed certificate, see
What is a Let's Encrypt certificate?
When installing via the Marketplace you can either use a self-signed certificate, which may cause a browser warning that the website is insecure and users will need to explicitly agree to proceed, or you can use a Let's Encrypt certificate.
The Let's Encrypt certificate is trusted by browsers and valid for 90 days. It will renew automatically every 55 days, as long as the site is accessible through port 80, because the HTTP challenge is conducted over that port. Using a Let's Encrypt certificate stops a browser warning appearing to users.
To install the Let's Encrypt certificate a self-signed certificate is temporarily installed, so a browser warning may appear in the first 2 minutes before the Let's Encrypt certificate is applied.
Let's Encrypt is a trademark of the Internet Security Research Group. All rights reserved.