HowTo enforce HTTPS connections within Service Desk

Version 7

    Verified Product Versions

    Service Desk 7.7.x, Service Desk 7.8.x, Service Desk 2016.x, Asset Manager 2016.x

    Review Date:

    03/03/2015         initial release

     

    By default Service Desk will add its WebDirectories in the Default WebSite of IIS. This default website allows HTTP and HTTPS connections.

    To enforce connections only via HTTPS you can use a custom error page.

    Custom error Page

    IIS can block all non-HTTPS connections to a Site and/or Application. A blocked request generates an HTTP Error 403.4 Forbidden. We can then assign a custom error page to this specific error, which sends the request on to the HTTPS site.

    Step-by-Step:

    Prepare the WebServer

    Some web servers might block static error pages. In that case we need to enable the redirection to a static error page globally within IIS.

    To do so, search for “httpErrors” in your C:\Windows\System32\inetsrv\config\applicationHost.config and add allowAbsolutePathsWhenDelegated="true". The setting might look like the following afterwards:

    <httpErrors allowAbsolutePathsWhenDelegated="true" lockAttributes="allowAbsolutePathsWhenDelegated,defaultPath">

    SSL-required

    1.       In IIS Manager select the Application for which you wish to enforce HTTPS connections

    2.       Open the SSL Settings

    3.       Select  “Require SSL”

    4.       Apply the Settings

    If you now try to log in to WebAccess via HTTP you should see the HTTP 403.4 Forbidden error message.

    Custom Error page

    1.       Open an editor of your choice and create an html file with the following content (also attached to this article)

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
      <title>Redirecting...</title>
      <script language="JavaScript" type="text/javascript">
      //<![CDATA[
      // Rebuild the requested URL with the https scheme. Only the hostname is
      // used, so an explicit HTTP port is not carried over to the HTTPS URL.
      function redirectHttpToHttps()
      {
        var httpURL = window.location.hostname + window.location.pathname + window.location.search;
        var httpsURL = "https://" + httpURL;
        window.location = httpsURL;
      }
      redirectHttpToHttps();
      //]]>
      </script>
    </head>
    <body>
    </body>
    </html>

    2.       Save the File as redirectToHttps.html into “C:\inetpub\custerr”

    3.       Go back to IIS Manager and select “Error Pages” from the IIS Feature list of your Application

    4.       Add a new Error Page,

    5.       for status code 403.4,

    6.       and point to your redirectToHttps.html file.

    7.       OK the setting

    Enable the Custom Error Pages

    1.       In the Error page Setting open “Edit Feature Settings ….”

    2.       Configure your Application to show “Custom error pages”
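
    The IIS Manager steps above can also be applied from PowerShell. The script below is an added example, not part of the original article or of Service Desk itself. It assumes the WebAdministration module, an elevated session on the IIS server, and a placeholder application name (ServiceDesk.WebAccess) that must be replaced with the name of your own application.

```powershell
# Added example: scripted equivalent of the IIS Manager steps in this article.
# Run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

$site    = 'Default Web Site'         # the IIS default site the article refers to
$app     = 'ServiceDesk.WebAccess'    # ASSUMPTION: placeholder, use your application's name
$errPage = 'C:\inetpub\custerr\redirectToHttps.html'
$appHost = 'MACHINE/WEBROOT/APPHOST'
$appPath = "IIS:\Sites\$site\$app"
$errors  = 'system.webServer/httpErrors'

# Fail early: with the page missing, HTTP clients would get no redirect at all.
if (-not (Test-Path $errPage)) { throw "Error page not found: $errPage" }
if (-not (Test-Path $appPath)) { throw "Application not found: $appPath" }

# "Prepare the WebServer": allow absolute error-page paths in delegated config.
Set-WebConfigurationProperty -PSPath $appHost -Filter $errors `
    -Name 'allowAbsolutePathsWhenDelegated' -Value $true

# "SSL-required": same effect as selecting "Require SSL" for the application.
Set-WebConfigurationProperty -PSPath $appHost -Location "$site/$app" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# "Custom Error page": map 403.4 to the static redirect page, unless an
# entry for 403.4 already exists (so the script can be run again safely).
$existing = Get-WebConfiguration -PSPath $appPath `
    -Filter "$errors/error[@statusCode='403' and @subStatusCode='4']"
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $appPath -Filter $errors -Name '.' -Value @{
        statusCode = 403; subStatusCode = 4; path = $errPage; responseMode = 'File'
    }
}

# "Enable the Custom Error Pages"
Set-WebConfigurationProperty -PSPath $appPath -Filter $errors `
    -Name 'errorMode' -Value 'Custom'

# Read the settings back so the change can be confirmed.
Get-WebConfigurationProperty -PSPath $appHost -Location "$site/$app" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
Get-WebConfiguration -PSPath $appPath -Filter "$errors/error[@statusCode='403']" |
    Select-Object statusCode, subStatusCode, path, responseMode
```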

     

    Cookie Secure Flag

    Now that you only allow HTTPS connections to your application, you might also want the Session Cookie to be sent only when the connection is secured via HTTPS.

    This can be done with the Secure flag of the Cookie. See https://community.landesk.com/support/docs/DOC-34224 for more information on how to set this up.