What are common issues that can occur when implementing Notification Server and IIS requiring SSL?
The following are common issues that can exist when implementing SSL with Notification Server and links to articles that address each issue.
- The name on the certificate needs to match the name of the Notification Server.Certificates can be set up to use a wildcard such as *.Altiris.com, in this case any server that is part of Altiris.com would work correctly.
To check this, open a console using the HTTPS address and then double-click on the lock icon.The value after "Issued to" is the common name of the certificate.This is what needs to be the exact same as the name of the Notification Server and the Web site that the agents are setup to communicate with. See the screenshot below.
It is possible to use a DNS alias but it is not recommended, see article HOWTO12474.
Note: Having the certificate setup to use the FQDN of the server and the clients set to use the server as the FQDN often helps.
- The Certificate needs to be trusted. If it is a private certificate (one created on a local Certificate Authority), it needs to be installed to the Trusted Root Certificates. Article DOC1240 and section Migrating from HTTP to HTTPS discusses how to do this. If it is a public certificate it should already be trusted and should not need to be installed to the Trusted Root Certificates. Public certificates have many benefits over private and should be looked at if possible.
Note: Opening a browser and installing the certificate does not install it to the Trusted Root Certificates it installs it as a user Certificate for Internet Explorer, this does not work for the Altiris Agent Communication.
- The dates on the Certificates need to be in the time frame specified in the certificate. This can be seen by looking at the General tab of the certificate. See screenshot below.
- Having communication going through port 80 for some clients and 443 for others does not work. The following is one example of problems caused by this.
If SSL is enabled the code bases are created as HTTPS code bases. If SSL is not enabled the code bases are created as HTTP code bases.Meaning the clients would need to have both ports open, the certificate installed on all machines, and be communicating with the same server name.If these three requirements exist and are met then SSL communication could be used.
The Notification Server Help Guide has detailed information about setting up Notification Server to SSL or migrating to it after the fact. Go to http://www.altiris.com/upload/notificationsp3.pdf.