This is a follow-up to my previous posts, Installing Microsoft App-V 5.1 on Windows Server 2016 and Load Balance AppV 5.1 using Netscaler 11.x/12.x, covering how to secure the communication within App-V by using SSL instead of the default HTTP.
NOTE: Before continuing, please ensure you have a valid certificate authority in the domain to issue and authorise the required certificate. No adjustment to the load balancer is required, as it is configured with TCP rather than HTTP, so the TLS session passes straight through to the App-V servers.
Configure App-V Web Services for SSL
Step 1: Open Internet Information Services (IIS) Manager on the App-V server, then select Server Certificates
Step 2: In the Actions panel, select Create Domain Certificate
Step 3: Enter the following information, then click Next
- Common Name: LAB-APPV.WILKYIT.COM (the load balanced name of AppV)
- Organization: WILKYIT.COM
- Organizational Unit: WILKY
- City/Locality: BELFAST
- State/Province: UK
- Country/Region: GB
Step 4: At Online Certification Authority, click Select next to Specify Online Certification Authority
Step 5: Select the appropriate CA; in my case the one shown below is selected.
Step 6: Enter a friendly name for the certificate and click Finish
Step 7: Confirm the certificate now appears in the Server Certificates list.
Step 8: Select Microsoft App-V Management Service under Sites, then under Actions/Edit Site click Bindings. Select the http binding and click Edit
Step 9: Change the port number to an unused port (in my case 50007). Click OK
Step 10: Confirm the settings are applied, then click Add
Step 11: Select the following, then Click OK
- Type: HTTPS
- IP Address: All Unassigned
- Port: 50001 (this is the original port configured during installation)
- Host Name: leave Blank
- SSL Certificate: LAB-APPV
Step 12: Select the http binding configured on port 50007, click Remove
Step 13: Click Yes to confirm the binding is being removed.
Step 14: Confirm the only binding left is type https on port 50001
Step 15: Repeat the same for the Publishing Service and Reporting Service (Steps 1-14), with the following differences:
Publishing Service
Use unused port 50008 for the temporary http binding in Step 9
- Type: HTTPS
- IP Address: All Unassigned
- Port: 50002 (this is the original port configured during installation)
- Host Name: leave Blank
- SSL Certificate: LAB-APPV
Reporting Service
Use unused port 50009 for the temporary http binding in Step 9
- Type: HTTPS
- IP Address: All Unassigned
- Port: 50003 (this is the original port configured during installation)
- Host Name: leave Blank
- SSL Certificate: LAB-APPV
Step 16: Repeat all of the above steps on the additional App-V server, exporting the certificate generated in Steps 3-6 as a PFX (so the private key travels with it) and importing it into the second App-V server
Confirm SSL communication
Step 1: Access the App-V Management Service on https://lab-appv.wilkyit.com:50001
Step 2: Confirm there are no certificate warnings or issues with the certificate by clicking the lock icon in the URL bar
Step 3: Confirm the same for the Publishing and Reporting services as well.
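The same binding swap (Steps 8-14) for all three App-V sites, scripted so it can be run identically on both servers. This is an added example and not part of the original post; it assumes the IIS site names as created by the App-V 5.1 installer, the certificate subject from Step 3, and the ports used above. Because the http binding is removed before the https one is added, no temporary port (50007-50009) is needed.

```powershell
# Added example (not from the original post): replace each App-V site's http binding
# with an https binding on the same port, using the domain certificate from Steps 2-6.
Import-Module WebAdministration

# Assumptions: IIS site names from an App-V 5.1 install, the certificate subject from
# Step 3 and the service ports used in the post.
$CertSubject = 'LAB-APPV.WILKYIT.COM'
$Sites = @(
    @{ Name = 'Microsoft App-V Management Service'; Port = 50001 }
    @{ Name = 'Microsoft App-V Publishing Service'; Port = 50002 }
    @{ Name = 'Microsoft App-V Reporting Service';  Port = 50003 }
)

# Pick the newest certificate for the load-balanced name that has a private key
# (Server Certificates in IIS Manager is a view of LocalMachine\My).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CertSubject*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for CN=$CertSubject with a private key in LocalMachine\My" }

foreach ($s in $Sites) {
    # Steps 12-13: drop the plain http binding first so the port is free for https
    Remove-WebBinding -Name $s.Name -Protocol http

    # Step 11: https, All Unassigned ('*'), original port, no host name
    New-WebBinding -Name $s.Name -Protocol https -IPAddress '*' -Port $s.Port -SslFlags 0

    # Step 11 "SSL Certificate": attach the certificate to the new binding
    $binding = Get-WebBinding -Name $s.Name -Protocol https -Port $s.Port
    $binding.AddSslCertificate($cert.Thumbprint, 'my')

    # Step 14: exactly one binding must remain, https on the original port
    $left = @(Get-WebBinding -Name $s.Name)
    if ($left.Count -ne 1 -or $left[0].protocol -ne 'https' -or $left[0].bindingInformation -ne "*:$($s.Port):") {
        throw "Unexpected bindings left on '$($s.Name)': $($left.bindingInformation -join ', ')"
    }
    Write-Host "$($s.Name): https on port $($s.Port) with $($cert.Thumbprint)"
}
```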
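A scripted version of the three confirmation steps, added here and not part of the original post. It opens a TLS session to each service port through the load-balanced name and reports the certificate the server presents, failing where a browser would show a warning (name mismatch, untrusted CA, expired certificate). The host name and ports are those used in the post.

```powershell
# Added example (not from the original post): validate the TLS certificate on each
# App-V service port the way a browser would in Steps 1-3 above.
# Assumptions: load-balanced name and ports from the post; the NetScaler is a TCP
# virtual server, so the certificate seen here is the one bound in IIS.
$Target = 'lab-appv.wilkyit.com'
$Ports  = [ordered]@{ Management = 50001; Publishing = 50002; Reporting = 50003 }

function Test-AppVTls {
    param([string]$HostName, [int]$Port, [string]$Service)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # No custom validation callback: chain, revocation and host name are checked
        # by the default policy, so a bad certificate throws instead of being accepted.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Service    = $Service
            Port       = $Port
            Protocol   = $ssl.SslProtocol
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Result     = 'OK'
        }
    } catch {
        # Validation failure or the port still speaking plain http land here
        [pscustomobject]@{
            Service = $Service; Port = $Port; Protocol = $null; Subject = $null
            Issuer = $null; NotAfter = $null; Thumbprint = $null
            Result  = "FAILED: $($_.Exception.GetBaseException().Message)"
        }
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in $Ports.GetEnumerator()) {
    Test-AppVTls -HostName $Target -Port $p.Value -Service $p.Key
}
$results | Format-Table -AutoSize
if ($results.Result -ne 'OK') { Write-Warning 'At least one App-V service failed TLS validation' }
```

Run it from a client that trusts the domain CA; a thumbprint that differs between runs against the load-balanced name means the two servers do not share the PFX from Step 16.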
Hi,
Thanks for writing this. I found your blog very useful.
When I implemented this I got event ID 102 (warning), and 103 (error) on my Publishing Server, and my clients didn’t get packages. The message was “Message: DownloadMetadataError (URL: http://localhost:50001/Publishing/Metadata/)” where you can see the URL is wrong as it should be https. Another blog suggested changing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Server\PublishingService\PUBLISHING_MGT_SERVER to the FQDN (https://servername.FQDN.com:50001), and that seems to work.
Craig
Thanks Craig, I'll update the blog to include this info.
Hi, thanks for this very useful blog.
After I enabled SSL I'm facing the problem that all PowerShell cmdlets are running into a timeout.
E.g.
=========================================================================
PS C:\Windows\system32> Get-AppvServerPackage
Get-AppvServerPackage : Timeout für Vorgang überschritten
In Zeile:1 Zeichen:1
+ Get-AppvServerPackage
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-AppvServerPackage], WebException
+ FullyQualifiedErrorId : ServiceError,Microsoft.AppV.Server.Cmdlets.GetAppvServerPackageCommand
=========================================================================
I couldn't find any further information in the event log or by using procmon.
Any hint?
Many thanks in advance.
Bent
Have you changed the GPO setting to https?
What GPO setting do you mean? I'm running the commands directly on the App-V server.
I only changed the settings in the GPO for the client configuration.
I am travelling at the minute; once I get to a desk I'll review and reply back again.
That sounds great! Thanks in advance.
Bent
Found the solution:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Server\ManagementService
There were entries which still referred to http.
Best regards
Bent
Apologies, only getting to a desktop now to review, but it looks like you have resolved it yourself.
No problem. Yes, solved it on my own.
But we are facing another problem. After activating SSL, new packages aren't published to the clients.
Eventlog shows “publishing refresh started” and after 1 second “publishing refresh stopped”. When we change the App-V publishing server to a non-HTTPS server, everything works right away.
I have no clue. The event logs don't show any specific errors.
Again any hint?
Many thanks in advance.
I would need to review it. Can you provide logs/screenshots etc. to david@wilkyit.com and I can review it?
Sorry for the confusion. The publishing works on the new App-V server (HTTPS), but it takes waaaay more time.
Database and Management Console show the new package version as enabled, but the client doesn't get the package when we manually sync.
Hi,
I'm currently configuring SSL in my environment. Is a virtual directory required to be created in IIS for this?