Encrypting network-based Shared Insight Cache Server communications

Article ID: 155102

Products

Endpoint Protection

Issue/Introduction

Can a network-based Shared Insight Cache (SIC) Server utilize Hypertext Transfer Protocol Secure (HTTPS) instead of the default Hypertext Transfer Protocol (HTTP) for client-SIC communications?

Resolution

By default, clients communicate with network-based SIC servers over an unencrypted HTTP connection. In environments that require secured HTTP connections for all servers, SIC servers can be configured to communicate over HTTPS using Secure Sockets Layer (SSL).

While Symantec supports SSL communications between a network-based SIC server and its Symantec Endpoint Protection clients, Symantec does not provide support for creating, implementing, or maintaining an SSL Public Key Infrastructure (PKI). This document was written with that in mind.


Importing the SSL certificate

The following steps import an existing SSL certificate into the Personal certificate store of the SYSTEM account on the SIC server.

  1. Start a new instance of the Microsoft Management Console (MMC) by running mmc.exe as Administrator
  2. Add the Certificates Snap-in:
    1. Click File>Add/Remove Snap-in
    2. Choose Certificates from the list of available Snap-ins
    3. Click the Add> button
    4. Click the OK button
  3. Expand the Certificates tree in the left-hand panel
  4. Right-click on the Personal folder in the Certificates tree and choose All Tasks>Import
  5. In the Certificate Import Wizard window:
    1. Click the Next button
    2. Click the Browse... button
    3. Ensure the correct certificate type is selected, then browse to and select the certificate issued for the SIC server's Fully Qualified Domain Name (FQDN), NetBIOS name, or Internet Protocol (IP) address
    4. Click the Open button
    5. Click the Next button
    6. Provide the password for the private key if prompted
    7. Click the Next button
    8. Click the Finish button
    9. Click the OK button to close the Certificate Import Wizard


Binding the SSL certificate to the SIC port

For instructions on configuring HTTPS, see Microsoft's How to: Configure a Port with an SSL Certificate.

  • Note: When configuring the port using netsh, an appid must be supplied. The SIC does not have an appid of its own, so any GUID-formatted value can be used, for example "appid={00112233-4455-6677-8899-AABBCCDDEEFF}"
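As an added example that is not part of the original article, the following PowerShell script performs the netsh binding described above for a certificate that was imported in the previous section, and then lists the resulting binding. It assumes the SIC listens on TCP port 9005 (the port in the endpoint address shown in the configuration section of this article), that the certificate is in the computer's Personal store (Cert:\LocalMachine\My), and that the subject name is a placeholder to replace with the SIC server's FQDN; the appid is the article's example value.

```powershell
# Added example, not from the Symantec article: bind an imported certificate to
# the SIC listening port with netsh, then show the binding for the record.
# Assumptions: SIC port 9005, certificate in Cert:\LocalMachine\My, and a
# placeholder subject name that must be replaced with the real SIC server FQDN.

param(
    [string]$CertSubject = 'CN=sic-server.example.local',   # placeholder; use the SIC server's FQDN
    [int]$Port = 9005,
    # The SIC has no appid of its own; any GUID is accepted. This is the article's example value.
    [string]$AppId = '{00112233-4455-6677-8899-AABBCCDDEEFF}'
)

# Locate the server certificate by subject. A private key is required because
# HTTP.sys cannot terminate TLS without one; prefer the longest-lived match.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with a private key found for subject '$CertSubject' in Cert:\LocalMachine\My"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter); import a current one first"
}

# Bind on all addresses for the SIC port.
$ipPort = "0.0.0.0:$Port"

# Remove a stale binding on the port, if any, so the add below does not fail.
# The error printed when no binding exists is deliberately discarded.
netsh http delete sslcert "ipport=$ipPort" 2>$null | Out-Null

# Bind the certificate by thumbprint to the port under the chosen appid.
$output = netsh http add sslcert "ipport=$ipPort" "certhash=$($cert.Thumbprint)" "appid=$AppId"
if ($LASTEXITCODE -ne 0) {
    throw "netsh http add sslcert failed: $output"
}

# Display the binding so the thumbprint and appid can be checked against the
# certificate imported earlier.
netsh http show sslcert "ipport=$ipPort"
```

Run the script in an elevated PowerShell session on the SIC server; netsh http commands need administrative rights. If the SIC port in your environment differs from 9005, pass -Port with the value from the endpoint address in SharedInsightCacheService.exe.config.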

Configuring the SIC

  1. Stop the Shared Insight Cache Service
  2. Create a backup copy of the SharedInsightCacheService.exe.config stored in the %SIC% folder
  3. Edit the SharedInsightCacheService.exe.config file to use SSL:
  4. Modify the endpoint address value for the CacheServer.CacheServer service to https instead of http
    • example:
      <service name="CacheServer.CacheServer" behaviorConfiguration="cacheServerServiceBehavior">
        <!-- Cache Server Endpoint -->
        <endpoint address="https://localhost:9005/1" binding="webHttpBinding" bindingConfiguration="CacheServerBinding" contract="CacheServer.ICacheServer"/>
      </service>
  5. Modify webHttpBinding settings:
    1. Modify the security mode value to "Transport" from the default of "None"
    2. Modify the transport clientCredentialType value to "None" from "Basic"
      • example:
        <webHttpBinding>
          <binding name="CacheServerBinding">
            <!--
            Switch the mode attribute to Transport

            Switch the mode attribute to TransportCredentialOnly to do auth without SSL
            -->
            <security mode="Transport">
              <transport clientCredentialType="None"/>
            </security>
          </binding>
        </webHttpBinding>
  6. Save the changes to SharedInsightCacheService.exe.config
  7. Restart the Shared Insight Cache Service
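As an added example that is not part of the original article, the following PowerShell script carries out steps 1 through 7 above: it stops the service, backs up SharedInsightCacheService.exe.config, rewrites the endpoint address and the webHttpBinding security settings, saves the file, restarts the service, and then opens a TLS connection to the SIC port to confirm that a certificate is now being served. It assumes the %SIC% environment variable points at the SIC installation folder, that the config uses the element names shown in the article, and that the Windows service name used here is a placeholder to confirm with Get-Service.

```powershell
# Added example, not from the Symantec article: switch the SIC service
# configuration to HTTPS as described in steps 1-7, then verify the listener.
# Assumptions: %SIC% is the SIC install folder; the WCF element names match the
# article's examples; the service name below is a placeholder (check Get-Service).

param(
    [string]$ConfigPath  = (Join-Path $env:SIC 'SharedInsightCacheService.exe.config'),
    [string]$ServiceName = 'Shared Insight Cache Service',   # placeholder service name
    [int]$Port = 9005
)

function Set-SicHttpsConfig {
    param([string]$Path)

    $Path = (Resolve-Path $Path).Path

    # Step 2: keep a timestamped backup beside the original before touching it.
    $backup = "$Path.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -Path $Path -Destination $backup

    [xml]$xml = Get-Content -Path $Path -Raw
    $sm = '/configuration/system.serviceModel'

    # Step 4: every endpoint of CacheServer.CacheServer moves from http:// to https://.
    $svc = $xml.SelectSingleNode("$sm/services/service[@name='CacheServer.CacheServer']")
    if (-not $svc) { throw "service 'CacheServer.CacheServer' not found in $Path" }
    foreach ($ep in $svc.SelectNodes('endpoint')) {
        $ep.SetAttribute('address', ($ep.GetAttribute('address') -replace '^http://', 'https://'))
    }

    # Step 5: security mode=Transport and transport clientCredentialType=None.
    # The elements are created if the config omitted them (WCF defaults).
    $binding = $xml.SelectSingleNode("$sm/bindings/webHttpBinding/binding[@name='CacheServerBinding']")
    if (-not $binding) { throw "binding 'CacheServerBinding' not found in $Path" }
    $security = $binding.SelectSingleNode('security')
    if (-not $security) { $security = $binding.AppendChild($xml.CreateElement('security')) }
    $security.SetAttribute('mode', 'Transport')
    $transport = $security.SelectSingleNode('transport')
    if (-not $transport) { $transport = $security.AppendChild($xml.CreateElement('transport')) }
    $transport.SetAttribute('clientCredentialType', 'None')

    # Step 6: write the edited config back in place.
    $xml.Save($Path)
    return $backup
}

function Test-SicTlsEndpoint {
    # Opens a TLS session to the SIC port and reports the certificate presented.
    # Chain validation errors are recorded, not enforced, so a mis-issued or
    # untrusted certificate is reported instead of hiding behind an exception.
    param([string]$HostName = 'localhost', [int]$Port = 9005)

    $script:chainErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:chainErrors = $errors
        return $true
    }

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Protocol    = $ssl.SslProtocol
            Subject     = $served.Subject
            Thumbprint  = $served.Thumbprint
            NotAfter    = $served.NotAfter
            ChainErrors = $script:chainErrors   # 'None' means the client trusts the chain
        }
    } finally {
        $client.Close()
    }
}

# Step 1: stop the service before editing its config.
Stop-Service -Name $ServiceName
$backupPath = Set-SicHttpsConfig -Path $ConfigPath
Write-Host "Backup written to $backupPath"

# Step 7: restart the service and confirm TLS is now served on the SIC port.
Start-Service -Name $ServiceName
Test-SicTlsEndpoint -HostName 'localhost' -Port $Port
```

If the final check throws instead of returning a certificate, the port binding from the previous section is the first thing to revisit; if it returns a ChainErrors value other than None, the clients will reject the connection for the same reason, so the certificate issuer must be trusted by the Symantec Endpoint Protection clients. The backup path printed by the script is what to restore if the service fails to start after the change.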