This post Continues from Part 2. The topology for this is;
Ok so this is a bit of a long bit. I want to use App-V for secure communication over my network. The reason for this is that I want to allow my infrastructure to have the potential for secure communication over an Internet Facing Scenario OR just to prevent the possibility of a man in the middle attack.
Now lets also think about App-V 4.5 is set up in a secure by default method. In other words YOU have to dumb the security down. Now I like this feature, I like the Idea of securing my network communication either by HTTPS or RTSPS.
So I am not a cert guru! :o) but wanted to give you a step-by-step to get this setup in the test lab.
1) Go into Server Manager and right Click on Roles> Add Role. In the Before you begin Section Click Next
2) In the Select Server Role Section Click “Active Directory Certificate Services” and then click Next. In the next screen click next again
3) Now I have added the Certificate Authority Web Enrolment , the reason why is so that i could add a web page for certificate requests if I so wanted. So select “Certificate Authority Web Enrolment” and click Add Required Server Role when the pop up comes up.
4) Once onto the “Setup Type” I have selected the Enterprise option and click Next, then select Root CA (This is because it is my first and ONLY CA in my test environment)
5) In the “Private Key” section select “create a new private key” and than click Next, now in the “Configure Cryptography for CA” i have just set up some basics which you can see in the below.
6) Now set up your common name for your CA (I will not be using this certificate for my App-V deployment and will create another a bit later) and click next, now for my test environment I have set a 5 year certificate.
7) In the “Certificate Database” I have just left the default and then click Next, In the “Introduction to IIS” click next (this is just configuring some additions to IIS for certificate requests) and than click next.
8) In the Role Services section click next, review the configuration changes and click Install
9) Again go grab a cuppa tea or coffee and let the installation take place, once complete click finish.
Now a little earlier I said that I would not use the original certificate that I created for my Root CA. What I want to do is issue a new certificate for my management server. You can do this from the IIS7 Management Console. To do this log into the IIS 7 management console via the administration tools.
1) In IIS7 select your server in the left hand pane, now in the right hand screen you should see a section that says “Server Certificates” . Now when you select this you will go into the Server Certificates pane. In this area we want to create a new certificate request, so click create certificate request on the right hand side or right click in the right pane and select create certificate request.
2) Now in the details of my certificate I am going to set the following;
Common Name: stream.appv.internal ( This is my DNS name which I will point my clients to)
Organisation Details: This will depend on your details :o)
Once this is set up click Next, In the Online Certificate Authority Browse and search for your CA (this is what we set up earlier in this blog!) and than click Finish!
3) Once that is set up you should be able to see your certificate. In the right hand pane!
Ok that's the initial set up for the certificates! However we are going to have to come back to this after the Installation of the management server to re-ACL the certificate that we have created for the management server.
One last piece!
We have created a certificate for stream.appv.internal you will also have to add a Alias or CNAME in your DNS forward lookup zone for stream.appv.internal for this to work correctly. So go into DNS and make this one small addition. If you use a CNAME for stream.appv.internal just point it back to your management server machine or Virtual IP address for your NLB Cluster.
The Complete Series are located;
Part 1: The initial Setup - Building your App-V RC test lab (using 4.5.1305)
Part 2 : Installing IIS 7 for App-V RC 126.96.36.1995/8
Part 3 : Configuring Windows Server 2008 with Certificates for RC App-V 188.8.131.525/8
Part 4 : Installing the First Management Server on RC App-V 184.108.40.2065/8
Part 5 : Configuring the Windows Server 2008 Firewall for RC App-V 220.127.116.115/8
Part 6 : Installing and Configuring the RC ADM Template
Part 7 : Installing the RC App-V 18.104.22.1685/8 on the client