How to configure TLS/SSL (HTTPS)

This article covers two different ways to configure TLS/SSL (HTTPS):

How to configure TLS/SSL (HTTPS) during a new installation

When using the downloadable installer to install DS for Azure you will need to choose how you want to configure the SSL certificate.DS for Azure will only work using HTTPS.

At any point you can change your certificate options in IIS, see How to manually configure TLS/SSL (HTTPS).

You have three options:

If you are trialing SquaredUp DS, and are unsure which option to choose, you may choose to use a self-signed certificate for the duration of the trial.

If you are accessing SquaredUp DS via a public IP address it is best practice to purchase a trusted SSL certificate.

If you are accessing SquaredUp DS internally you can use an AD domain issued certificate.

Existing certificate

What this does:

This option will create an IIS binding on port 443 using the hostname and certificate you specify.

When to use this:

Use this option to choose an existing SSL certificate from the computer's personal store.

Only choose this option if port 443 is not already being used for another app. If port 443 is already in use, or you wish to specify an IP address or different port number, then you should chooseConfigure later.

You should choose this option if you have already acquired and imported a trusted certificate. For example, if you are deploying SquaredUp DS on a web server that has already previously had a trusted certificate configured. This could be for a different application or for a previous SquaredUp DS installation.

Create Self-Signed Certificate

What this does:

The installer will create a new self-signed certificate, set to expire after 12 months. This option will create a 443 binding using the hostname you specify.

If an appropriate self-signed certificate already exists, then this will be used (this may have less than 12 months remaining).

When to use this:

If you choose this option to use a self-signed SSL certificate then SquaredUp DS users will see a browser warning and will need to explicitly agree to proceed. In Chrome this is done by clicking Advanced.

If you are trialing SquaredUp DS, or unsure which option to choose, you may choose to use a self-signed certificate.

If you are using this on an internal domain joined machine you may choose to use a self-signed certificate and accept the security warning.

If you are accessing SquaredUp DS across the public internet it is best practice to use a trusted SSL certificate and not a self-signed certificate.

Only choose this option if port 443 is not already being used for another app. If port 443 is already in use, or you wish to specify an IP address or different port number, then you should chooseConfigure later.

If after 12 months you wish to continue using a self-signed certificate you will need to generate a new 12 month self-signed certificate, see How to generate a self-signed certificate.

Configure later

What this does:

This will not configure any SSL bindings, you will need to configure an appropriate binding manually within IIS.

While you can choose to configure the SSL certificate later, please note that SquaredUp DS will not work until https has been configured with a SSL certificate.

When to use this:

You already have websites using port 443, or wish to use a different port number or IP address combination.

How to configure your own certificate

See below: How to manually configure TLS/SSL (HTTPS)

How to manually configure TLS/SSL (HTTPS)

To configure Transport Layer Security (TLS/SSL) the steps in summary are:

1. Get an appropriate SSL certificate and install it on your SquaredUp server.

  • If you are trialing SquaredUp DS, and unsure which option to choose, you may choose to use a self-signed certificate for the duration of the trial see How to generate a self-signed certificate.
  • If you are accessing SquaredUp DS via a public IP address it is best practice to purchase a trusted SSL certificate.
  • If you are accessing SquaredUp DS internally you can use an AD domain issued certificate.

2. Configure the site bindings, adding HTTPS 443 and selecting your certificate.

3. Set up an IIS rewrite to direct any HTTP traffic to the HTTPS URL (Optional).

1. Get an appropriate SSL certificate

  • If you use a load balancer the Subject Alternative Name of the TLS/SSL certificate you install will need to contain your load balancer's name.
  • If the SquaredUp server is not behind a load balancer then the Subject Alternative Name should contain the name of the SquaredUp server name.

Subject Alternative Name entries can be wildcard names, such as *.squaredup.com or specific names such as monitoring.squaredup.com, however the entry should match what users will type in their browser to access SquaredUp DS, otherwise the browser will display a message indicating that the certificate is not trusted.

How to import a new certificate

  1. Under Connections click on the SquaredUp server.
  2. Double-click Server Certificates in the central panel:
  3. From the right-hand menu click Import and follow the steps to import your certificate:

2. Configure the bindings for TLS/SSL (HTTPS) in IIS

  1. Under Connections expand Sites and click on the website that hosts the SquaredUp DS instance (on Azure this is usually SquaredUpv4 or SquaredUpv5).
  2. From the right-hand side menu click on Bindings.
  3. Click Add:
  4. Change the Type to https.
  5. Under SSL certificate select the TLS/SSL certificate you added:
  6. Click OK and then Close:
  7. From the right-hand menu click Restart:

If there is an existing HTTPS binding configured on the web site (for example, because it hosts other applications in addition to SquaredUp DS) and the certificate being used for the existing binding does not have a Subject Alternative Name entry that is appropriate for users to use to access SquaredUp, then a new binding may need to be created for a new certificate. Either a different port number or host name will then need to be set in each HTTPS binding entry if they are bound to the same IP address.

3. Set up an IIS rewrite to direct any HTTP traffic to the HTTPS URL (Optional)

Set up a redirect to switch traffic from HTTP to HTTPS using the IIS Rewrite module:

To redirect all HTTP requests to HTTPS use the following steps:

  1. Open IIS Manager and click on the website that hosts the SquaredUp DS instance (on Azure this is usually SquaredUpv4 or SquaredUpv5).
  2. In the main panel, double-click on URL Rewrite.
  3. Click Add Rule(s)... on the right-hand menu.
  4. With Blank rule selected click OK.
  5. Give the rule a name, such as 'Redirect to HTTPS'.
  6. Copy the following and paste into the Pattern box in the Match URL section:
    (.*)
  7. Click to expand the Conditions section.
  8. Click Add… to add a new condition to the configuration.
  9. Copy the following and paste into the Condition input box :
    {HTTPS}


  10. Copy the following and paste into the the Pattern box:
    ^OFF$


  11. Click OK.
  12. Scroll down and in the Action section
  13. In the Action section change the Action type from Rewrite to Redirect.
  14. Copy the following and paste into the Redirect URL box:
    https://{HTTP_HOST}/{R:1}
  15. Change the Redirect type from Permanent (301) to See Other (303).
  16. Click Apply on the right-hand menu under Actions.

  17. Click Back to Rules.
  18. If you have other redirects configured you should ensure that you move your Redirect to HTTPS redirect to be listed first as shown in the image below. You can do this using the Move Up and Move Down options on the right.

FAQs

What are the downsides to using a self-signed certificate?

If you choose the option to use a self-signed SSL certificate then SquaredUp DS users will typically see a browser security warning and will need to explicitly agree to proceed. For example, in Chrome this is done by clicking Advanced, in Edge by clicking Details.

It is best practice to only use self-signed certificates in internal (LAN) environments.

What if I don't want to use a self-signed certificate?

You need to acquire a trusted certificate either by purchasing one from a trusted Certificate Authority (CA), or one issued by your AD domain / internal certificate authority (CA).

Help my certificate is about to expire!

If after 12 months you wish to continue using a self-signed certificate you will need to generate a new 12 month self-signed certificate, see How to generate a self-signed certificate.

Was this article helpful?


Have more questions or facing an issue?