Move ConfigMgr Site to HTTPS Communication – (Part II)
by Ginu
In Part I we created, issued and bound the MP/SUP, DP and client certificates. In Part II we switch the ConfigMgr site to HTTPS communication.
Article Covers:
- Configure Management Point on HTTPS
- Configure Distribution Point on HTTPS
- Configure SUP/WSUS on HTTPS
- Configure Site Server Settings
Configure Management Point on HTTPS
- Open ConfigMgr console and navigate to Administration -> Overview -> Site Configuration -> Servers and Site System Roles.
- Select the Management Point and right click -> Properties.
- Select HTTPS option and Click Ok to close.
The site then reinstalls the management point component. You can monitor the reinstall in MPSetup.log:
Installing the SMSMP
Passed OS version check.
IIS Service is installed.
SMSMP already installed (Product Code: {0BE77F4A-9596-4FAB-8616-217F90A9D4C3}). Upgrading/Reinstalling SMSMP
New SMSMP is the same product code. This is a minor upgrade.
Enabling MSI logging. mp.msi will log to C:\Program Files\Microsoft Configuration Manager\logs\mpMSI.log
Installing C:\Program Files\Microsoft Configuration Manager\bin\x64\mp.msi REINSTALL=ALL REINSTALLMODE=vmaus CCMINSTALLDIR="C:\Program Files\SMS_CCM" CCMSERVERDATAROOT="C:\Program Files\Microsoft Configuration Manager" USESMSPORTS=TRUE SMSPORTS=80 USESMSSSLPORTS=TRUE SMSSSLPORTS=443 USESMSSSL=TRUE SMSSSLSTATE=31 CCMENABLELOGGING=TRUE CCMLOGLEVEL=1 CCMLOGMAXSIZE=1000000 CCMLOGMAXHISTORY=1
mp.msi exited with return code: 0
Installation was successful.
RoleSetup().
- In MPControl.log you will see the availability check now happening on port 443:
>>> Selected Certificate [Thumbprint 60a4761711716d38d07b23b38ad85c0579fe7163] issued to 'Config-PRI.Ginu.com' for HTTPS Client Authentication SMS_MP_CONTROL_MANAGER
Call to HttpSendRequestSync succeeded for port 443 with status code 200, text: OK SMS_MP_CONTROL_MANAGER
Inbox source is local on CONFIG-PRI.GINU.COM SMS_MP_CONTROL_MANAGER
Sent summary record of SMS Management Point on ["Display=\\CONFIG-PRI.GINU.COM\"]MSWNET:["SMS_SITE=PRI"]\\CONFIG-PRI.GINU.COM\ to \\Config-PRI.Ginu.com\SMS_PRI\inboxes\sitestat.box\wfjxxg15.SUM, Availability 0, 125468668 KB total disk space , 87344260 KB free disk space, installation state 0. SMS_MP_CONTROL_MANAGER
Http test request succeeded. SMS_MP_CONTROL_MANAGER
Successfully performed Management Point availability check against local computer. SMS_MP_CONTROL_MANAGER
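The checks MPControl.log performs can also be run by hand. The following is an added example, not part of the original post: it takes the server name and thumbprint from the log excerpt above, confirms the certificate is valid for server authentication, confirms the port 443 SSL binding uses it, and then requests the MP list endpoint (`/sms_mp/.sms_aut?mplist`) over TLS. Run it in an elevated PowerShell session on the site server.

```powershell
# Added example (not from the original post): verify the management point over HTTPS.
# Values below are taken from the MPControl.log excerpt in the post.
$mp         = 'Config-PRI.Ginu.com'
$thumbprint = '60a4761711716d38d07b23b38ad85c0579fe7163'

# 1. The certificate the MP selected: present in the machine store, not expired,
#    and carrying the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and (($eku.EnhancedKeyUsages | ForEach-Object Value) -notcontains '1.3.6.1.5.5.7.3.1')) {
    throw 'Certificate lacks the Server Authentication EKU'
}
"Certificate OK: $($cert.Subject), issued by $($cert.Issuer), expires $($cert.NotAfter)"

# 2. The HTTP.sys SSL binding must use that same certificate; netsh prints the
#    bound certificate hash for every SSL endpoint on the machine.
$sslcert = (netsh http show sslcert) -join "`n"
if ($sslcert -match $thumbprint) { 'SSL binding uses the MP certificate' }
else { Write-Warning 'No SSL binding found for the MP certificate; check the IIS site bindings' }

# 3. The MP list endpoint must answer over TLS (the equivalent of the log line
#    "Call to HttpSendRequestSync succeeded for port 443 with status code 200").
$resp = Invoke-WebRequest -Uri "https://$mp/sms_mp/.sms_aut?mplist" -UseBasicParsing
"HTTPS test: status $($resp.StatusCode), $($resp.RawContentLength) bytes of MP list XML"
```

Step 3 only succeeds if the machine trusts the CA that issued the MP certificate and the name in the URL matches the certificate subject or SAN; a name mismatch or an untrusted chain is exactly what clients will hit, so do not suppress certificate validation in this test.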
Configure Distribution Point on HTTPS
- Select the Distribution Point and right click -> Properties.
- Under General Tab, select HTTPS communication.
Now select the "Import Certificate" option, browse to the Distribution Point certificate (.pfx) exported in Part I, enter the certificate password and click OK to close.
In the background, the Distribution Manager component configures new virtual directories for HTTPS communication. You can follow this in Distmgr.log:
IIS Config change processing thread: Processing DP with ID 1. Thread 0x460. Used 1 threads out of 50. SMS_DISTRIBUTION_MANAGER
Handling IIS config change for distribution point ["Display=\\Config-PRI.Ginu.com\"]MSWNET:["SMS_SITE=PRI"]\\Config-PRI.Ginu.com\ with ID - 1 SMS_DISTRIBUTION_MANAGER
Found 2 web site(s). SMS_DISTRIBUTION_MANAGER
Found SSL binding '58BC597983E2B6287BFCACA70D706524B60EE0D6', 'My' SMS_DISTRIBUTION_MANAGER
SSL binding on port 443 isn't with CCM genreated cert. SMS_DISTRIBUTION_MANAGER
SQL MESSAGE: spProcessCcmCertBindingState - Uptdating CM_RoleSSLCertificates for Config-PRI.Ginu.com state=3 SMS_DISTRIBUTION_MANAGER
Virtual Directory SMS_DP_SMSPKG$ for the physical path C:\SCCMContentLib already exists. SMS_DISTRIBUTION_MANAGER
Virtual Directory IIsWebVirtualDir.Name="W3svc/1/ROOT/NOCERT_SMS_DP_SMSPKG$" does not exists. It will be created now. SMS_DISTRIBUTION_MANAGER
As this is an upgrade Virtual Directory SMS_DP_SMSPKG$ will be updated with new properties. SMS_DISTRIBUTION_MANAGER
Creating virtual directory that does not require certificates: NOCERT_SMS_DP_SMSPKG$ SMS_DISTRIBUTION_MANAGER
Successfully created the virtual directory NOCERT_SMS_DP_SMSPKG$ for the physical path C:\SCCMContentLib. SMS_DISTRIBUTION_MANAGER
Creating token auth virtual directory: CCMTOKENAUTH_SMS_DP_SMSPKG$ SMS_DISTRIBUTION_MANAGER
Successfully created the virtual directory CCMTOKENAUTH_SMS_DP_SMSPKG$ for the physical path C:\SCCMContentLib. SMS_DISTRIBUTION_MANAGER
Successfully added file extension C:\Windows\system32\inetsrv\smsfileisapi.dll. SMS_DISTRIBUTION_MANAGER
Virtual Directory SMS_DP_SMSSIG$ for the physical path C:\SMSSIG$ already exists. SMS_DISTRIBUTION_MANAGER
Virtual Directory IIsWebVirtualDir.Name="W3svc/1/ROOT/NOCERT_SMS_DP_SMSSIG$" does not exists. It will be created now. SMS_DISTRIBUTION_MANAGER
As this is an upgrade Virtual Directory SMS_DP_SMSSIG$ will be updated with new properties. SMS_DISTRIBUTION_MANAGER
Successfully created the virtual directory SMS_DP_SMSSIG$ for the physical path C:\SMSSIG$. SMS_DISTRIBUTION_MANAGER
Successfully added file extension C:\Windows\system32\inetsrv\smsfileisapi.dll. SMS_DISTRIBUTION_MANAGER
Creating virtual directory that does not require certificates: NOCERT_SMS_DP_SMSSIG$ SMS_DISTRIBUTION_MANAGER
Successfully created the virtual directory NOCERT_SMS_DP_SMSSIG$ for the physical path C:\SMSSIG$. SMS_DISTRIBUTION_MANAGER
Successfully added file extension C:\Windows\system32\inetsrv\smsfileisapi.dll. SMS_DISTRIBUTION_MANAGER
Creating token auth virtual directory: CCMTOKENAUTH_SMS_DP_SMSSIG$ SMS_DISTRIBUTION_MANAGER
Successfully created the virtual directory CCMTOKENAUTH_SMS_DP_SMSSIG$ for the physical path C:\SMSSIG$. SMS_DISTRIBUTION_MANAGER
Successfully added file extension C:\Windows\system32\inetsrv\smsfileisapi.dll. SMS_DISTRIBUTION_MANAGER
You can verify the virtual directories under Default Web Site in IIS Manager.
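The same verification from PowerShell, as an added example that is not part of the original post: it lists the virtual directories Distmgr.log reported creating or updating, shows the sslFlags IIS applies to each, and compares the certificate bound to port 443 with the thumbprint Distmgr.log reported for the existing binding. Run it on the distribution point with the IIS management tools (WebAdministration module) installed; the site name "Default Web Site" is the default and is an assumption.

```powershell
# Added example (not from the original post): confirm the DP's IIS configuration
# after the switch to HTTPS. Run on the distribution point itself.
Import-Module WebAdministration

$site = 'Default Web Site'   # assumption: DP installed on the default site
# Virtual directories Distmgr.log reports creating or updating (names from the log above).
$expected = 'SMS_DP_SMSPKG$', 'NOCERT_SMS_DP_SMSPKG$', 'CCMTOKENAUTH_SMS_DP_SMSPKG$',
            'SMS_DP_SMSSIG$', 'NOCERT_SMS_DP_SMSSIG$', 'CCMTOKENAUTH_SMS_DP_SMSSIG$'
$present = Get-WebVirtualDirectory -Site $site | ForEach-Object { $_.Path.TrimStart('/') }

foreach ($vdir in $expected) {
    if ($present -contains $vdir) {
        # sslFlags tells you whether IIS requires SSL and/or a client certificate here;
        # the NOCERT_ directories are the ones the log says do not require certificates.
        $prop  = Get-WebConfigurationProperty -Filter 'system.webServer/security/access' `
                    -PSPath "IIS:\Sites\$site\$vdir" -Name sslFlags
        $flags = if ($prop.PSObject.Properties['Value']) { $prop.Value } else { "$prop" }
        'OK      {0,-32} sslFlags={1}' -f $vdir, $flags
    } else {
        'MISSING {0}' -f $vdir
    }
}

# Port 443 binding: compare the bound certificate with the thumbprint Distmgr.log
# reported ("Found SSL binding '58BC...'"), and show who issued it.
$expectedHash = '58BC597983E2B6287BFCACA70D706524B60EE0D6'
$binding = Get-WebBinding -Name $site -Protocol https | Select-Object -First 1
if (-not $binding) { throw "No HTTPS binding on '$site'" }
$hash = $binding.certificateHash
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
"443 binding: $($cert.Subject) issued by $($cert.Issuer) (thumbprint $hash)"
if ($hash -ne $expectedHash) {
    Write-Warning 'Bound certificate differs from the one Distmgr.log reported; confirm it is the imported PKI DP certificate'
}
```

If the issuer shown for the 443 binding is not your enterprise CA, the DP is still presenting a self-signed or stale certificate and PKI clients will refuse to download content from it; re-import the exported DP certificate and re-run the check.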
Configure Software Update Point/WSUS on HTTPS
- Open an elevated command prompt on the WSUS server, change to the WSUS installation path "Program Files\Update Services\Tools", and run the following command, where <FQDN> is the intranet FQDN of the WSUS server (the name must match the WSUS server certificate):
WSUSUtil.exe ConfigureSSL <FQDN>
- Open ConfigMgr console and navigate to Administration -> Overview -> Site Configuration -> Servers and Site System Roles. Select the Software Update Point and right click -> Properties.
- Under General Tab, select “Require SSL communication to the WSUS server”. Click Ok to close.
- It will also re-install SUP with HTTPS communication capability.
- You can open the WSUS console and see WSUS Port switched to 8531 for SSL communication.
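The WSUS-side steps as a script, as an added example that is not part of the original post. It also requires SSL on the WSUS virtual directories that Microsoft's WSUS SSL guidance lists (ApiRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, SimpleAuthWebService), a step the post does not spell out, then runs the ConfigureSSL command and verifies port 8531. The FQDN is a placeholder and the IIS site name "WSUS Administration" (the WSUS default) is an assumption.

```powershell
# Added example (not from the original post): switch WSUS to SSL and verify it.
# Run in an elevated PowerShell session on the WSUS server.
Import-Module WebAdministration
Import-Module UpdateServices

$fqdn = 'wsus.example.com'       # placeholder: intranet FQDN matching the WSUS server certificate
$site = 'WSUS Administration'    # assumption: default WSUS site name in IIS

# 1. Require SSL on the WSUS virtual directories that must be protected
#    (the other WSUS directories, e.g. Content and SelfUpdate, stay on HTTP).
$sslVdirs = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
            'ServerSyncWebService', 'SimpleAuthWebService'
foreach ($vdir in $sslVdirs) {
    Set-WebConfigurationProperty -Filter 'system.webServer/security/access' `
        -PSPath "IIS:\Sites\$site\$vdir" -Name sslFlags -Value 'Ssl'
    "Require SSL set on $vdir"
}

# 2. Tell WSUS to use SSL (the post's command, with the FQDN argument it requires).
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" configuressl $fqdn
if ($LASTEXITCODE -ne 0) { throw "WsusUtil configuressl failed with exit code $LASTEXITCODE" }

# 3. Verify: 8531 must accept connections, and the API must report a secure connection.
$tcp = Test-NetConnection -ComputerName $fqdn -Port 8531
if (-not $tcp.TcpTestSucceeded) { throw "Port 8531 is not reachable on $fqdn" }
$wsus = Get-WsusServer -Name $fqdn -PortNumber 8531 -UseSsl
"$($wsus.Name):$($wsus.PortNumber) secure API connection = $($wsus.IsConnectionSecureForApiRemoting)"
```

Run step 1 before step 2: ConfigureSSL only records the SSL name and port in the WSUS configuration, it does not change the IIS settings, so without the sslFlags change the protected web services would still be reachable over plain HTTP.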
Configure Site Server Settings
- Open ConfigMgr console and navigate to Administration -> Overview -> Site Configuration -> Sites. Select Primary Site and right click -> Properties.
- Go to the Client Computer Communication tab and check the box "Use PKI client certificate (client authentication capability) when available". Click OK to close.
That’s all !! Now your site is ready for HTTPS communication.