Virtual Traffic Manager and Microsoft IIS SSL Centralized Certificate Store

New Contributor

Hi!

For some reason I'm unable to get the PulseVTM appliance's SSL Decryption to work with my Windows 2016 IIS Server when my site is configured to use Centralized SSL Certificate Stores and SSL Decryption is configured.

Turning on encryption to the backend servers makes no difference.

When I change it to be SSL Passthrough, with Centralized SSL Certs turned on, then the site works fine.

If I enable SSL Decryption, enable encryption to the backend servers, and then turn off centralized SSL support, and assign the certificate manually to the https binding, then the site works fine.

I get a simple Service Not Available error page.

2 REPLIES
Occasional Contributor

Re: Virtual Traffic Manager and Microsoft IIS SSL Centralized Certificate Store

This is not a supported configuration, as the client-side SSL cert (either self-signed or CA-issued) has to reside on the vTM. When SSL client-side decryption is initiated, the vTM has to have access to the cert. This is the reason why, when SSL passthrough is configured, the session works. In your case, since the SSL cert is stored on the IIS server, the session will terminate. In most cases, certs are highly recommended to be stored on the vTM or an HSM system.


Genard

New Contributor

Re: Virtual Traffic Manager and Microsoft IIS SSL Centralized Certificate Store

Hmmm,

The same cert is being used for both Decryption and in the SSL Cert Store. If I enable decryption, then enable encryption again to the backend servers (with the intention of having traffic encrypted all the way through), it works fine if I manually assign the cert to the HTTPS binding on IIS. However, if I assign the cert by using IIS Centralized Certificate Store, then the site breaks.

Traffic still seems to make it to the backend server, since I get a 500/503 Service Unavailable error, so it's not like traffic is not passing through the vTM to the backend server.
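A check worth running on the IIS backend before pointing a decrypt-and-re-encrypt virtual server at it, added here as an example (it is not code from this thread, from Pulse, or from Microsoft). The IIS Centralized Certificate Store does not bind a certificate to the site; it picks a file on the share by the SNI host name in the TLS ClientHello (`<host>.pfx`, with `_.<domain>.pfx` as the wildcard fallback), so a re-encrypting connection from a load balancer only succeeds if that name is sent and a matching file exists. The script lists every HTTPS binding, decodes its `sslFlags` (1 = require SNI, 2 = use CCS), and reports which CCS file, if any, it resolves to. It assumes the WebAdministration module (IIS 8 or later); the `Enabled` and `CertStoreLocation` properties are those of `Get-WebCentralCertProvider`, and `-CcsPath` lets you supply the share path directly if that cmdlet is unavailable.

```powershell
# Added example: audit IIS HTTPS bindings that depend on the Centralized
# Certificate Store (CCS). Not from the thread, Pulse, or Microsoft.
# Assumes the WebAdministration module (IIS 8 or later).
Import-Module WebAdministration

# sslFlags on an HTTPS binding is a bit mask: 1 = require SNI, 2 = use CCS.
$SslFlagSni = 1
$SslFlagCcs = 2

function Get-CcsSharePath {
    # Returns the CCS physical path; -Path overrides the value read from IIS.
    param([string]$Path)
    if ($Path) { return $Path }
    $provider = Get-WebCentralCertProvider
    if (-not $provider.Enabled) {
        throw 'Centralized Certificate Store is not enabled on this server.'
    }
    return $provider.CertStoreLocation
}

function Get-CcsCandidateFiles {
    # File names CCS tries for a host name, in lookup order:
    # exact name first, then the wildcard file for the parent domain.
    param([string]$HostName)
    $files  = @("$HostName.pfx")
    $labels = $HostName -split '\.'
    if ($labels.Count -gt 2) {
        $parent = ($labels | Select-Object -Skip 1) -join '.'
        $files += "_.$parent.pfx"
    }
    return $files
}

function Test-CcsBindings {
    # One result object per HTTPS binding.
    param([string]$CcsPath)
    foreach ($b in Get-WebBinding -Protocol https) {
        $flags   = [int]$b.sslFlags
        $usesCcs = ($flags -band $SslFlagCcs) -ne 0
        $reqSni  = ($flags -band $SslFlagSni) -ne 0

        # bindingInformation is "<ip>:<port>:<host header>", e.g. "*:443:www.example.com".
        $parts    = $b.bindingInformation -split ':', 3
        $hostName = $parts[2]

        # The owning site name is only exposed through the binding's ItemXPath.
        $site = if ($b.ItemXPath -match "@name='([^']*)'") { $Matches[1] } else { '?' }

        $found = $null
        $notes = @()
        if ($usesCcs) {
            if (-not $hostName) {
                $notes += 'CCS binding has no host name; the file can only be chosen from client SNI.'
            } else {
                foreach ($f in Get-CcsCandidateFiles $hostName) {
                    $full = Join-Path $CcsPath $f
                    if (Test-Path $full) { $found = $full; break }
                }
                if (-not $found) {
                    $notes += "No $hostName.pfx or wildcard file under $CcsPath; handshake cannot complete."
                }
            }
            $notes += 'Any client, including a re-encrypting load balancer, must send SNI matching the file name.'
        }

        [pscustomobject]@{
            Site        = $site
            Binding     = $b.bindingInformation
            UsesCcs     = $usesCcs
            RequiresSni = $reqSni
            CertFile    = $found
            Notes       = ($notes -join ' ')
        }
    }
}

# Usage on the IIS server, from an elevated PowerShell session:
Test-CcsBindings -CcsPath (Get-CcsSharePath) | Format-Table -AutoSize
```

Run it on the backend and compare the `Binding` host name of each CCS binding with the server name the load balancer presents on its backend TLS connection; a binding whose `CertFile` is empty, or whose host name the load balancer never sends, is the one that will answer with a failed handshake rather than the site.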