Configure User Workspace Manager Web Services to Use Secure Connections
You need to manually configure the User Workspace Manager (UWM) servers to use HTTPS, as by default they are configured to use HTTP. This page explains how to configure the UWM web sites to employ certificates so that the secure HTTPS protocol can be used for all web services communication with the Server Configuration Portal, Management Server, and Personalization Server.
To secure the servers you will need a certificate suitable for web hosting. It is recommended that you use a fully rooted, and trusted certificate, but it is possible to configure HTTPS to use a Self-Signed certificate with the use of an engineering key that will need to be installed on all endpoints that have the Ivanti UWM Virtualization Manager and UWM Client Communication Agent installed.
Using IIS Manager to configure HTTPS
You can configure the SCP web service to be secure immediately after running the MS, or PS installer. You will need to configure the MS, or PS server before you can switch them to use HTTPS.
Use Microsoft IIS Manager to do the configuration.
If you are using a fully rooted certificate, then that needs to be installed on the server before you proceed.
If you do not have a trusted certificate, then you can create a Self-Signed certificate by following these steps:
In IIS Manager, click on the main root server node in the left-hand pane.
Next, double-click on the Server Certificates icon in the main pane.
In Actions Pane > Server Certificates, click on Create Self-Signed Certificate...
In theCreate Self-Signed Certificates dialog, give the certificate a name and change the certificate store to Web Hosting and click OK.
The certificate should now be listed in the main pane.
Add a new binding
To enable HTTPS to a UWM web site you need to add a new binding. You do this by following these steps:
In IIS Manager, click on the web site name (Configuration, Management, or Personalization).
Next, click Bindings… in the Actions Pane.
In the Site Bindings dialog, click the Add… button.
In the Add Site Binding dialog, change the type to be https, and change the port to be an unassigned port number (443 is the default HTTPS port, but if you secure multiple websites you will need to use different ports for each we site).
Select the required certificate from the SSL certificate list, and click OK.
Test the binding
You should now be able to access the web site using the secure protocol and port. You can test the binding by one of these options:
If you have configured the SCP web site, then you can change the browser URL to access the website.
If you are using a self-signed certificate on the server, then you will get a warning about the connection not being secure, this is because the certificate isn’t trusted. You should be able to override this and get to the SCP.
If you have configured the Management Server, then you can Add a new connection in the Management Console to the secure protocol and port and connect to the server using this connection.
User Workspace Manager Agents
If you are using a fully rooted, and trusted certificate on the server then, once the URLs are changed for the UWM agents, the agents will communicate securely with the server.
However, if you are using a Self-Signed certificate then there is a further step that you need to take. This is because the agents will fail to connect to the server because the certificate being used isn’t trusted. For the agents to connect successfully, you need to override this error (this is analogous to overriding the warning in the browser when connecting to the SCP, described above.)
To override the error, you will need to create a registry key on the managed endpoints.
This is a REG_DWORD called IgnoreCertificateErrors set to the value 1 in HKEY_LOCAL_MACHINE\SOFTWARE\AppSense\Common.
If you do this for all your UWM web sites, then all access within UWM will be secure. As a final step, it is recommended that you delete the HTTP bindings using IIS Manager, which should no longer be in use.
Don’t forget to open the firewall for the ports you have assigned for HTTPS.