Move ConfigMgr Site to HTTPS Communication – (Part II)

About

In Part I, we created, issued and bound the MP/SUP, DP and client certificates. In Part II we switch the ConfigMgr site to HTTPS communication.

Article Covers:

  • Configure Management Point on HTTPS
  • Configure Distribution Point on HTTPS
  • Configure SUP/WSUS on HTTPS
  • Configure Site Server Settings

Configure Management Point on HTTPS
  • Open ConfigMgr console and navigate to Administration -> Overview -> Site Configuration -> Servers and Site System Roles.
  • Select the Management Point and right click -> Properties.

  • Select the HTTPS option and click OK to close.

The management point component is then reinstalled. You can monitor the reinstall in MPSetup.log:

 Installing the SMSMP

Passed OS version check.

IIS Service is installed.

SMSMP already installed (Product Code: {0BE77F4A-9596-4FAB-8616-217F90A9D4C3}).  Upgrading/Reinstalling SMSMP

New SMSMP is the same product code.  This is a minor upgrade.

 Enabling MSI logging.  mp.msi will log to C:\Program Files\Microsoft Configuration Manager\logs\mpMSI.log

 Installing C:\Program Files\Microsoft Configuration Manager\bin\x64\mp.msi REINSTALL=ALL REINSTALLMODE=vmaus CCMINSTALLDIR=”C:\Program Files\SMS_CCM” CCMSERVERDATAROOT=”C:\Program Files\Microsoft Configuration Manager” USESMSPORTS=TRUE SMSPORTS=80 USESMSSSLPORTS=TRUE SMSSSLPORTS=443 USESMSSSL=TRUE SMSSSLSTATE=31 CCMENABLELOGGING=TRUE CCMLOGLEVEL=1 CCMLOGMAXSIZE=1000000 CCMLOGMAXHISTORY=1

mp.msi exited with return code: 0

 Installation was successful.

RoleSetup().

  • In MPControl.log you will see the availability check succeed on port 443:

>>> Selected Certificate [Thumbprint 60a4761711716d38d07b23b38ad85c0579fe7163] issued to ‘Config-PRI.Ginu.com’ for HTTPS Client Authentication              SMS_MP_CONTROL_MANAGER 

Call to HttpSendRequestSync succeeded for port 443 with status code 200, text: OK  SMS_MP_CONTROL_MANAGER 

Inbox source is local on CONFIG-PRI.GINU.COM             SMS_MP_CONTROL_MANAGER 

Sent summary record of SMS Management Point on [“Display=\\CONFIG-PRI.GINU.COM\”]MSWNET:[“SMS_SITE=PRI”]\\CONFIG-PRI.GINU.COM\ to \\Config-PRI.Ginu.com\SMS_PRI\inboxes\sitestat.box\wfjxxg15.SUM, Availability 0, 125468668 KB total disk space , 87344260 KB free disk space, installation state 0.           SMS_MP_CONTROL_MANAGER 

Http test request succeeded.               SMS_MP_CONTROL_MANAGER 

Successfully performed Management Point availability check against local computer.              SMS_MP_CONTROL_MANAGER 
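A quick way to confirm what MPControl.log reports from the outside is to check which certificate HTTP.sys has bound on port 443 and then request the MP's MPLIST over HTTPS, as the availability check does. The script below is an added example, not part of the original post; the FQDN is a placeholder you replace with your own MP, and it assumes it is run from a machine that trusts the issuing CA.

```powershell
# Added example (not from the original post): verify the Management Point
# answers on 443 and show the certificate it serves.
# $MpFqdn is a placeholder; replace with your MP's FQDN.
$MpFqdn = 'Config-PRI.Ginu.com'

# 1. Certificate hashes bound to port 443 in HTTP.sys (what IIS will present)
$bound = netsh http show sslcert |
         Select-String 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)' |
         ForEach-Object { $_.Matches[0].Groups[1].Value }
"HTTP.sys bindings : $($bound -join ', ')"

# 2. Same request the MP Control Manager issues against itself, over HTTPS
$uri = "https://$MpFqdn/sms_mp/.sms_aut?mplist"
$req = [System.Net.HttpWebRequest]::Create($uri)
$req.Method = 'GET'
try {
    $resp = $req.GetResponse()
    "MPLIST over HTTPS : $([int]$resp.StatusCode) $($resp.StatusDescription)"
    $resp.Close()
}
catch [System.Net.WebException] {
    "MPLIST over HTTPS : FAILED - $($_.Exception.Message)"
}

# 3. Inspect the certificate the server actually presented during the TLS handshake
$served = $req.ServicePoint.Certificate
if ($served) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$served
    "Served cert       : $($cert.Thumbprint) ($($cert.Subject)), expires $($cert.NotAfter)"
    if ($bound -contains $cert.Thumbprint) {
        'Served certificate matches an HTTP.sys binding.'
    } else {
        'WARNING: served certificate is not among the HTTP.sys 443 bindings.'
    }
}
```

A 200 response with a server certificate whose thumbprint matches the HTTP.sys binding, issued to the MP's FQDN and still valid, is what you expect after the reinstall; a TLS or chain error here usually means the client side does not trust the issuing CA or the certificate lacks the server name, which the console switch alone does not fix.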

Configure Distribution Point on HTTPS
  • Select the Distribution Point and right click -> Properties.
  • Under General Tab, select HTTPS communication.

Now select the “Import Certificate” option, browse to the Distribution Point certificate exported in Part I, enter the certificate password and click OK to close.

In the background, the Distribution Manager component configures new virtual directories for HTTPS communication.

Distmgr.log

IIS Config change processing thread: Processing DP with ID 1. Thread 0x460. Used 1 threads out of 50.                SMS_DISTRIBUTION_MANAGER 

Handling IIS config change for distribution point [“Display=\\Config-PRI.Ginu.com\”]MSWNET:[“SMS_SITE=PRI”]\\Config-PRI.Ginu.com\ with ID – 1    SMS_DISTRIBUTION_MANAGER 

Found 2 web site(s).             SMS_DISTRIBUTION_MANAGER 

Found SSL binding ’58BC597983E2B6287BFCACA70D706524B60EE0D6′, ‘My’          SMS_DISTRIBUTION_MANAGER 

SSL binding on port 443 isn’t with CCM genreated cert. SMS_DISTRIBUTION_MANAGER 

SQL MESSAGE: spProcessCcmCertBindingState – Uptdating CM_RoleSSLCertificates for Config-PRI.Ginu.com state=3                SMS_DISTRIBUTION_MANAGER  

Virtual Directory SMS_DP_SMSPKG$ for the physical path C:\SCCMContentLib already exists. SMS_DISTRIBUTION_MANAGER  

Virtual Directory IIsWebVirtualDir.Name=”W3svc/1/ROOT/NOCERT_SMS_DP_SMSPKG$” does not exists. It will be created now. SMS_DISTRIBUTION_MANAGER

As this is an upgrade Virtual Directory SMS_DP_SMSPKG$ will be updated with new properties.                SMS_DISTRIBUTION_MANAGER     

Creating virtual directory that does not require certificates: NOCERT_SMS_DP_SMSPKG$                SMS_DISTRIBUTION_MANAGER       

Successfully created the virtual directory NOCERT_SMS_DP_SMSPKG$ for the physical path C:\SCCMContentLib.                SMS_DISTRIBUTION_MANAGER   

Creating token auth virtual directory: CCMTOKENAUTH_SMS_DP_SMSPKG$    SMS_DISTRIBUTION_MANAGER     

Successfully created the virtual directory CCMTOKENAUTH_SMS_DP_SMSPKG$ for the physical path C:\SCCMContentLib.                SMS_DISTRIBUTION_MANAGER     

Successfully added file extension C:\Windows\system32\inetsrv\smsfileisapi.dll.       SMS_DISTRIBUTION_MANAGER           

Virtual Directory SMS_DP_SMSSIG$ for the physical path C:\SMSSIG$ already exists. SMS_DISTRIBUTION_MANAGER           

Virtual Directory IIsWebVirtualDir.Name=”W3svc/1/ROOT/NOCERT_SMS_DP_SMSSIG$” does not exists. It will be created now. SMS_DISTRIBUTION_MANAGER

As this is an upgrade Virtual Directory SMS_DP_SMSSIG$ will be updated with new properties.                SMS_DISTRIBUTION_MANAGER 

Successfully created the virtual directory SMS_DP_SMSSIG$ for the physical path C:\SMSSIG$.                SMS_DISTRIBUTION_MANAGER 

Successfully added file extension C:\Windows\system32\inetsrv\smsfileisapi.dll.       SMS_DISTRIBUTION_MANAGER

Creating virtual directory that does not require certificates: NOCERT_SMS_DP_SMSSIG$                SMS_DISTRIBUTION_MANAGER 

Successfully created the virtual directory NOCERT_SMS_DP_SMSSIG$ for the physical path C:\SMSSIG$.                SMS_DISTRIBUTION_MANAGER 

Successfully added file extension C:\Windows\system32\inetsrv\smsfileisapi.dll.       SMS_DISTRIBUTION_MANAGER 

Creating token auth virtual directory: CCMTOKENAUTH_SMS_DP_SMSSIG$      SMS_DISTRIBUTION_MANAGER   

Successfully created the virtual directory CCMTOKENAUTH_SMS_DP_SMSSIG$ for the physical path C:\SMSSIG$.                SMS_DISTRIBUTION_MANAGER   

Successfully added file extension C:\Windows\system32\inetsrv\smsfileisapi.dll.       SMS_DISTRIBUTION_MANAGER         

You can verify the Virtual Directories under Default Website in IIS.
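If you prefer to verify from PowerShell rather than the IIS console, the following added example (not from the original post) lists the DP virtual directories created above and reads their SSL flags. It assumes the WebAdministration module is available on the DP and that the DP lives under the Default Web Site, as in the Distmgr.log excerpt.

```powershell
# Added example (not from the original post): show the DP virtual directories
# and whether each one requires SSL and/or a client certificate.
Import-Module WebAdministration

$site = 'Default Web Site'   # assumed; the DP in the log above is on this site

Get-WebVirtualDirectory -Site $site |
    Where-Object { $_.path -match 'SMS_DP_SMS(PKG|SIG)\$$' } |
    ForEach-Object {
        $name = $_.path.TrimStart('/')
        $raw  = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$site\$name" `
                    -Filter 'system.webServer/security/access' -Name sslFlags
        # Depending on the attribute type the cmdlet returns a wrapper with .Value
        $flags = if ($raw.PSObject.Properties['Value']) { $raw.Value } else { "$raw" }

        [pscustomobject]@{
            VirtualDirectory = $name
            PhysicalPath     = $_.physicalPath
            SslFlags         = $flags
            RequiresSsl      = ($flags -match 'Ssl')
            ClientCert       = ($flags -match 'SslNegotiateCert|SslRequireCert')
        }
    } | Sort-Object VirtualDirectory | Format-Table -AutoSize
```

After the switch you should see both SMS_DP_SMSPKG$ and SMS_DP_SMSSIG$ alongside their NOCERT_ and CCMTOKENAUTH_ counterparts, all pointing at the content library paths from the log; the SslFlags column tells you which of them IIS serves only over TLS and which negotiate a client certificate.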

Configure Software Update Point/WSUS on HTTPS
  • Open an elevated command prompt on the WSUS server, change to the WSUS installation path “Program Files\Update Services\Tools” and run the following, where the argument is the FQDN on the WSUS server certificate (placeholder shown):

            WSUSUtil.exe ConfigureSSL <WSUS-server-FQDN>

  • Open ConfigMgr console and navigate to Administration -> Overview -> Site Configuration -> Servers and Site System Roles. Select the Software Update Point and right click -> Properties.
  • Under the General tab, select “Require SSL communication to the WSUS server”. Click OK to close.

  • The SUP component is then reinstalled with HTTPS communication enabled.
  • In the WSUS console you can see the WSUS port switched to 8531 for SSL communication.
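To confirm the SSL switch on the WSUS side without opening the console, the added example below (not from the original post) reads the local WSUS setup registry values and then probes port 8531 over TLS. The FQDN is a placeholder, and the registry value names are ones I expect WSUS setup and wsusutil to maintain; treat that part as an assumption to check on your own server.

```powershell
# Added example (not from the original post): check that WSUS is configured
# for SSL on 8531. $WsusFqdn is a placeholder; replace with your WSUS server.
$WsusFqdn = 'wsus.example.local'

# Local check: values under the WSUS setup key (assumed names: UsingSSL, PortNumber)
$setupKey = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
$setup = Get-ItemProperty -Path $setupKey -ErrorAction SilentlyContinue
if ($setup) {
    "UsingSSL   : $($setup.UsingSSL)"
    "PortNumber : $($setup.PortNumber)"
} else {
    "WSUS setup key not found locally ($setupKey); run this on the WSUS server."
}

# Remote check: is 8531 listening, and does the SimpleAuth web service answer over HTTPS?
$tcp = Test-NetConnection -ComputerName $WsusFqdn -Port 8531 -WarningAction SilentlyContinue
"TCP 8531 open : $($tcp.TcpTestSucceeded)"

try {
    $r = Invoke-WebRequest -Uri "https://${WsusFqdn}:8531/SimpleAuthWebService/SimpleAuth.asmx" -UseBasicParsing
    "HTTPS 8531    : $($r.StatusCode)"
}
catch {
    "HTTPS 8531    : FAILED - $($_.Exception.Message)"
}
```

A 200 from the SimpleAuth endpoint on 8531 is the same condition the SUP component needs once “Require SSL communication to the WSUS server” is set; if the TCP test passes but the HTTPS request fails, look at the certificate bound to 8531 in IIS rather than at the ConfigMgr side.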

Configure Site Server Settings
  • Open ConfigMgr console and navigate to Administration -> Overview -> Site Configuration -> Sites. Select Primary Site and right click -> Properties.
  • Go to the Client Computer Communication tab and check the box “Use PKI client certificate (client authentication capability) when available”. Click OK to close.

That’s all !! Now your site is ready for HTTPS communication.
