Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Virtual Traffic Manager and Microsoft IIS SSL Centralized Certificate Store

happytang
New Contributor
‎01-07-2019 11:25:AM
‎01-07-2019 11:25:AM

Virtual Traffic Manager and Microsoft IIS SSL Centralized Certificate Store

Hi!

 

For some reason I'm unable to get the PulseVTM appliances SSL Decryption to work with my Windows 2016 IIS Server when my site is configured to use Centralized SSL Certificate stores, and SSL Decryption is configured.

 

Turning on encryption to the backend servers makes no difference.

 

When I change it to be SSL Passthrough, with Centralized SSL Certs turned on, then the site works fine.

 

If I enable SSL Decryption, enable encryption to the backend servers, and then turn off centralized SSL support, and assign the certificate manually to the https binding, then the site works fine.

 

I get a simple Service Not Available error page.

0 Kudos
2 REPLIES 2
ggarcia
Occasional Contributor
‎01-08-2019 01:20:PM
‎01-08-2019 01:20:PM

Re: Virtual Traffic Manager and Microsoft IIS SSL Centralized Certificate Store

This is not a supported configuration as the client side SSL cert either a self-signed or a CA has to reside on the vTM. When the SSL client-side decryption is initiated, the vTM has to have an access to the cert. This is the reason why when SSL pass through is configured, the session would work.  In your case, since the SSL cert is stored in the IIS server, the session will terminate. In most cases, certs are highly recommended to be stored in the vTM or an HMS system. 


Genard 

0 Kudos
happytang
New Contributor
‎01-08-2019 01:38:PM
‎01-08-2019 01:38:PM

Re: Virtual Traffic Manager and Microsoft IIS SSL Centralized Certificate Store

Hmmm,

 

The same cert is being used for both Decryption and in the SSL Cert Store. If I enable decryption, then enable encryption again to the backend servers (with the intention of having traffic encrypted all the way through), it works fine if I manually assign the cert to the HTTPS binding on IIS. However, if I assign the cert by using IIS Centralized Certificate Store, then the site breaks.

 

Traffic still seems to make it to the backend server, since I get a 500/503 Service Unavailable error, so it's not like traffic is not passing through the vTM to the backend server.

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.