SSL IIS Application Request Routing Setup

Microsoft’s answer to open source reverse proxy setups is IIS (7.x) with Application Request Routing (ARR). This document outlines the steps to set up IIS ARR.

1.   Requirements:

a.    You need Microsoft Windows Server 2008

b.    You need IIS 7.0 and up (7.x)

c.    You need to download IIS ARR from this location:

X86 version: http://go.microsoft.com/?linkid=9694855

X64 version: http://go.microsoft.com/?linkid=9694856

2.   Install the OS and IIS. Leave all values at their defaults

3.   Make sure the latest security patches are installed

4.   Start Command Prompt as Administrator

a.    Start, Programs, Accessories, right-click Command Prompt, select Run as Administrator

5.   Depending on the OS version (32-bit vs. 64-bit), you need to run the matching ARR installer

6.   Go to the folder where you downloaded ARR

7.   Enter the application name and execute it (ARRv2_setup_x86_en-us.EXE or ARRv2_setup_x64_en-us.EXE)

8.   Follow the wizard, leave defaults

9.   Check the log file at the end of the installation. Usually saved at:

C:\Users\<user name>\AppData\Local\Temp

10. Reboot the server

11.  Once logged in, start IIS Manager

12.  Right-click the server name (TVMIISARR in my case) and expand it to see all items:

IIS Server Farm

13.  Right-click Server Farms and select Create Server Farm

14.   I called it Test_Server_Farm

Specify Server Farm Name

15.   Enter the servers’ addresses (e.g. 192.168.1.10 and 192.168.10.11)

Add Servers to the Server Farm

 

16.   Click Finish to complete server farm setup

17.   Now we need to add an SSL certificate to this server. To do so, you need access to a CA, or you can create one on your network. I am not going to detail how to do so in this document.

18.   Click server (TVMIISARR) in IIS Manager

19.   In the right-hand pane you should see the Server Certificates icon

20.   Double-click it to open, then select Create Certificate Request

 

Request Certificate

21.   Click Next and leave the default value

22.   Click Next again and enter the path where you want to save the request file

File Name

23.   Click Finish to complete the SSL certificate request

24.   Go to the folder where you saved your request file

25.   Edit the file

26.   Select the content of the certificate request file and copy it to the clipboard

27.   Go to your CA web site (e.g. http://yourSSLservername.yourdomain.com/certsrv)

Welcome Page 

28.  Click on Request a certificate

29.  Select the “advanced certificate request” link

30.  Select the “Submit a certificate request by using a base-64-encoded... ” link

Submit a Certificate Request or Renewal Request

31.  Paste the clipboard into the “Base-64-encoded certificate request…” field

32.  Click the Submit button

33.  Once the certificate request is submitted, you (or your sysadmin) need to approve it. Again, I won’t provide details about how to do so in this document

34.   Assuming your request is approved, go back to your CA server web site. If you didn’t close the browser with your CA’s web site, you can click Home in the upper right-hand corner and you will be taken to the location where you can download the approved SSL certificate. Alternatively, click the “View the status of a pending certificate request” link.

35.   Download the approved certificate to your server (e.g. the Downloads folder)

36.   Import the SSL certificate via IIS Manager

a.    Expand the IIS server (TVMIISARR),

b.    Select the Server Certificates icon,

c.    Then click on Complete Certificate Request

d.   Browse to the location where you saved the downloaded certificate

e.    Enter a Friendly name (e.g. Servername.yourdomain.com)

f.     Click OK to complete the import

37.  Now, in IIS Manager, click on Sites, and select Default Web Site.

38.  In the right-hand pane click on Bindings

39.  Click the Add button

40.  Select https, and below it select the SSL certificate you just imported

41.  If you click on View you will see a warning that the CA is not trusted. This is because the CA you are using was created locally on your LAN

42.  You need to import the CA’s root certificate into your Trusted Root Certification Authorities store

a.    Go to your CA server (yourCAServer.yourdomain.com)

b.    Select Download a CA certificate, certificate chain, or CRL link

c.    Click on Download CA certificate

d.   When prompted select Open button

e.    Select Install certificate

f.     Click Next

g.   Select “Place all certificates in the following store…”

h.   Click on Browse

i.     Select “Trusted Root Certification Authorities”, OK

j.     Next

k.    Finish and you should see the window with more details of this import

43.  The next step is to test the connection, so start your browser and enter your URL in it

44.  Depending on which browser you use to access your web site for the first time, you may be prompted with a warning that the SSL certificate cannot be authenticated. Import the certificate and you are good to go
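
The certificate steps above (20 to 36 and 42) can also be run from the elevated prompt with certreq and certutil. The script below is an added example, not part of the original walkthrough; the host name, working folder and file names are assumed placeholders, and it states the key length and non-exportable flag explicitly instead of relying on wizard defaults.

```powershell
# Added example: scripted equivalent of the certificate request/import steps.
# Assumed (not from the page): $cn, $work and the file names used below.
$cn   = 'servername.yourdomain.com'   # placeholder host name
$work = 'C:\certwork'                 # placeholder working folder
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Request policy for certreq. Single-quoted here-string so that
# "$Windows NT$" is not expanded as a PowerShell variable.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN={CN}"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
'@.Replace('{CN}', $cn)
Set-Content -Path "$work\request.inf" -Value $inf -Encoding ASCII

# Steps 20-23: generate the key pair and the base-64 request file.
certreq -new "$work\request.inf" "$work\request.req"
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# Review subject, key size and usage before pasting the request into the CA page.
certutil -dump "$work\request.req"

# Submit request.req to the CA, then save the issued certificate and the CA
# certificate as server.cer and ca.cer in $work and run the script again.
if (-not ((Test-Path "$work\server.cer") -and (Test-Path "$work\ca.cer"))) { return }

# Step 42: display the CA certificate so its thumbprint can be compared with
# the value given by the CA administrator, then add it to the machine Root store.
certutil -dump "$work\ca.cer"
certutil -addstore Root "$work\ca.cer"

# Step 36: attach the issued certificate to the pending private key, then check the chain.
certreq -accept "$work\server.cer"
certutil -verify "$work\server.cer"
```

The private key never leaves the server in this flow; only request.req goes to the CA and only server.cer comes back.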

Please feel free to email me if you have any questions… voja@comteg.ca

Cheers,

Voja (Voya) Ilic