SBS2011/SP2010 on dynamic IP - setting up SSL

    Question

  • I am attempting to set up a low cost SharePoint demonstration site. My SBS2011 Standard server is behind a cable modem on a dynamic IP. I am using DNS2GO for redirection to my dynamic IP address. The redirection is working well after some port forwarding in my router to each of my two servers. The other server is hosting my hobby web site on Apache and I am able to access it remotely. I am able to access the SBS2011 IIS/root folder to see the default IIS Welcome screen. I am able to log into the SBS RWA from a remote (WAN) client.

    I obtained SSL from GoDaddy. It is bound in the IIS manager to the SharePoint (Foundation) site on port 987. But, I still have to click through the security warning (Not Recommended), which was the reason for installing the SSL.

    Using the SSL vendor's install tool and port 987, it claims the certificate is working normally.

    It seems I need a better binding for the SSL. Using the url: www.mydomain.us/remote (mydomain is for example only) I get the security warning. Clicking through the Not Recommended link, I get the SBS 2011 log on screen with a certificate error. Clicking on the error and then View Certificate, I see that the certificate is a self issued one and not the SSL on port 987. After logging in and getting the RWA screen, again the certificate error points to the self issued certificate. From the RWA screen and clicking on Internal Web Site link, I must log on yet again only to get the same certificate error. At this point I expected the certificate to be GoDaddy but it is still the self issued one.

    My goal is to not scare off potential clients with security errors. So, which IIS Sites and Ports do I need SSL bindings for?

    A generic high level walkthrough of remote access process would be helpful. What site/port is the first server log on screen? What site/port is the RWA screen? What site/port is the Internal Web Site? How is this different than a local (LAN side) access to Companyweb?

    I bought some MS/Press books on SBS and SP. They have been useless for troubleshooting. Where can I find better information that covers basic topics such as the default values for IIS bindings and server certificates? I can't believe such fundamental data is totally absent from such books.

    After I get SSL working I'm looking for good ideas to build into the SharePoint demonstration. I guess potential clients would like to see some business logic demos. A friend suggested an interface for a PTZ web cam. Got an idea?

    Thanks,

    Kurt


    Deep Creek Services

    Saturday, April 07, 2012 5:36 PM

Answers

  • Hi,

    From your description, you are using a dynamic IP address for your SharePoint server. Please use a static one.

    In addition, please check if you bind the certificate from GoDaddy to the IIS site on your SharePoint server. And ensure the "Issued to" name on the certificate is the same as the site name which you want to access.

    For more information about how to enable SSL on a SharePoint web application, please see

    http://blogs.msdn.com/b/sowmyancs/archive/2010/02/12/how-to-enable-ssl-on-a-sharepoint-web-application.aspx

    You can choose to either use the self-signed certificate for RWA generated by the Internet Address Management Wizard, or purchase a trusted 3rd party SSL certificate issued from a public authority. If you choose the self-signed certificate, you need to ensure the client machines have the root certificate installed. Refer to the following post, which also applies to SBS 2011 Standard, for further instructions:

    How Do I Distribute the SBS 2008 Self-Signed SSL Certificate to My Users?

    For more information about SBS 2011 RWA, check out the following

    http://blogs.technet.com/b/sbs/archive/2011/03/10/introduction-to-sbs-2011-remote-web-access-rwa.aspx

    Thanks,

    Rock Wang


    Rock Wang TechNet Community Support

    Monday, April 09, 2012 3:55 AM
  • OK, the issues are fixed. We had to reissue the GoDaddy SSL to include www. The new SSL common name is similar to www.sp.mydomain.us

    www is required by DNS2Go in order to enable port redirection. My ISP blocks port 80.

    The new SSL was bound to the Default web site in IIS, not the SharePoint site. After this update I still had the security warning, which referenced the new SSL certificate. So, I reached out again to DNS2Go. After some internal discussions they updated my custom records to redirect www.sp.mydomain.us to https://www.sp.mydomain.us/remote

    Good bye SSL security issues. We are ready to rock-n-roll on some web apps.

    Rock, thanks for the link that provided the information we needed.

    Kurt


    Deep Creek Services

    Tuesday, April 10, 2012 6:36 PM

All replies

  • Rock, Thanks for the input.

    I must use DDNS as I cannot afford a static IP. But, you may be on to the root cause, after some changes were made.

    The SBS 2011 RWA link indicates that the SSL must be bound to the Default website and requires:

    For full access to the RWA feature set from the internet, you must ensure the following:

    • TCP 443 and TCP 987 are open on your internet firewall
    • Clients are running Internet Explorer 6.0 SP2 or higher
    • The RDP 6.1 or higher is installed on the client machine
    • The client must trust the SSL certificate that is installed on the Default Web Site
    • The client must connect using the URL that matches the common name on the certificate

     Mine was bound to the SharePoint web site, only.
    I added my GoDaddy SSL to the IIS bindings of the Default website on port 443 for all unassigned IPs and the 127.0.0.1 address.
    I still have the security warning when I attempt to connect. But, now the certificate error points to the GoDaddy certificate rather than the self issued one.
    Clicking through the warning I am able to connect to RWA.

    Perhaps your static IP suggestion is correct OR my implementation of DDNS via DNS2Go needs some fixes.
    To access my site I am using the DNS2Go required www. prefix such as www.sp.mydomain.us/remote
    After looking at the redirected URL as displayed in my IE9, the original URL text has been redirected to:
    https://24.51.165.51/Remote/logon?ReturnUrl=%2fREMOTE
    NOTE: the IP address above is subject to change and may no longer be valid.
    As stated in the requirements, the client URL must match the common name assigned to the SSL. i.e. sp.mydomain.us is not the same as 24.51.165.51.
    Now that the RWA is at least utilizing the correct certificate, I'll check in with DNS2Go and see if anyone has attempted this configuration.

    It is interesting that the GoDaddy tools for SSL validation have no issues with dynamic IPs. It is bound to my server with a private key and not any IP address.

    Thanks again. I hope more ideas are coming so that access to this server will no longer have security concerns.

    Kurt


    Deep Creek Services

    Monday, April 09, 2012 5:53 PM
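
The name-matching requirement this thread turns on (the URL the client ends up on must match a name in the certificate) can be checked hop by hop. The following is an added example, not code from any poster or from Microsoft; the redirect chains are constructed from the placeholder names in the thread, the initial `http://` hop and the `192.0.2.10` documentation address standing in for the dynamic WAN IP are assumptions, and `cert_dns_names` stands for the DNS names (subject alternative names or common name) read from the bound certificate.

```python
import ipaddress
from urllib.parse import urlsplit

def name_matches(host, pattern):
    """Exact match, or '*' standing for exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if host == pattern:
        return True
    h, p = host.split("."), pattern.split(".")
    # A wildcard covers one label only, so the label counts must be equal.
    return len(h) == len(p) and len(p) > 2 and p[0] == "*" and h[1:] == p[1:]

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_chain(urls, cert_dns_names):
    """Return (url, verdict) for each hop of a redirect chain."""
    results = []
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "https":
            verdict = "no TLS on this hop"
        elif is_ip(host):
            # A certificate issued for DNS names never validates an IP literal.
            verdict = "MISMATCH: IP literal, certificate has only DNS names"
        elif any(name_matches(host, n) for n in cert_dns_names):
            verdict = "ok"
        else:
            verdict = "MISMATCH: host not covered by certificate"
        results.append((url, verdict))
    return results

# Constructed sample chains (placeholder names from the thread).
BEFORE = ["http://www.sp.mydomain.us/remote",
          "https://192.0.2.10/Remote/logon?ReturnUrl=%2fREMOTE"]
AFTER = ["http://www.sp.mydomain.us/remote",
         "https://www.sp.mydomain.us/remote"]

if __name__ == "__main__":
    for label, chain, names in [("before", BEFORE, ["sp.mydomain.us"]),
                                ("after", AFTER, ["www.sp.mydomain.us"])]:
        for url, verdict in check_chain(chain, names):
            print(f"{label}: {url} -> {verdict}")
```

A certificate for `sp.mydomain.us` fails both for the IP-literal hop and for the `www.` host, which is why the reissue and the redirect change were each needed.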