4 Replies Latest reply on Jul 20, 2015 1:14 PM by mushoku

    Configuring Service Desk to require SSL

    mushoku Apprentice

      We were able to get SSL working for web access, but ran into a snag when upgrading due to SSL not being configured correctly for Configuration Center and other pieces on the back end.  Support advised that they do not have any documentation on configuring Service Desk to use SSL beyond these two documents, both of which refer to things we already had working correctly:

      HowTo enforce HTTPS connections within Service Desk

      Setting up SSL to be used with Console

       

      Does anyone have any experience with configuring Service Desk to require SSL in such a way that they are able to perform an upgrade of their database without having to disable then re-enable requiring SSL?

      Note that we are required to use encryption for all authentication.  We had tried enabling Windows authentication for Configuration Center (disabling all other forms); that did not work to allow upgrading the framework.

       

      Thank you!

        • 1. Re: Configuring Service Desk to require SSL
          ITSMMVPGroup

          On the point about getting Configuration Center working with authenticated login - that is something I think you could legitimately ask support to help with as the documentation does refer to this being an option.

           

          With accessing it securely after the event, how about adding an IP filtering rule on the server that only allows people to access configuration center from the machine it is on via its local IP address?

          One final thought - if you are using SSL, that does put an additional load on the server, so if you are considering using load balancing to put more power in, a lot of load balancers do SSL offloading.  The reason I'm mentioning this is that then the server only sees regular non-SSL traffic coming in from SSL client connections and so no SSL config is needed on the server.

          • 2. Re: Configuring Service Desk to require SSL
            mushoku Apprentice

            > On the point about getting Configuration Center working with authenticated login - that is something I think you could legitimately ask support to help with as the documentation does refer to this being an option.

            This was explained as being an initial setup task, not break-fix, so it requires professional services and is beyond the scope of support.  Also, the support techs have no documentation or guidance - only the consultants and engineers have the knowledge to configure.

            > With accessing it securely after the event, how about adding an IP filtering rule on the server that only allows people to access configuration center from the machine it is on via its local IP address?

            An interesting idea.  The problem there is that, even if we do that, we would still have to turn off requiring SSL to perform an upgrade of the framework.  Our security requirements are very clear that this is not permissible.

            > One final thought - if you are using SSL, that does put an additional load on the server, so if you are considering using load balancing to put more power in, a lot of load balancers do SSL offloading.  The reason I'm mentioning this is that then the server only sees regular non-SSL traffic coming in from SSL client connections and so no SSL config is needed on the server.

            We do not, at present, have any plans to implement load balancing.  We do, however, already have certificates for SSL.

            • 3. Re: Configuring Service Desk to require SSL
              ITSMMVPGroup

              My own take on setting up configuration center with authenticated login is that LD are being a tad unreasonable.  The docs say it can be done and yet do not give the steps needed and in order to get that done you need to pay someone to do it. Surely if those professional services know how to do it, they can document that and everyone wins?

               

              Ho hum - personally I'd hack around and do it myself, but then I am a notorious grump.

              • 4. Re: Configuring Service Desk to require SSL
                mushoku Apprentice

                Consultant says he only does the SSL cert in IIS, like what I did.  There's got to be something else.  I'll update if I find a solution to upgrade the framework while SSL is required.  Until then, please feel free to add any new information or ideas.  Thanks!