Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies To: Windows Azure Pack
This chapter provides information about additional post-provisioning configuration, including configuring the SSL Certificate Store, configuring IP SSL, and configuring shared certificates. For information on configuring source control, see Configure source control for Windows Azure Pack: Web Sites. For information on security best practices for Web Sites, see Windows Azure Pack: Web Sites Security Enhancements.
Configure IP SSL
If you want to enable tenant web sites to use IP-based SSL certificates, you must configure the Front Ends, the Controller, and optionally, a hardware load balancer to do so.
Note
SNI (Server Name Indication) SSL is enabled by default. To make it available to tenants, include it in the plans that you author in the Management Portal for Administrators.
To configure IP SSL
- Bind the IP addresses that you want to use: - On each Front End server, open the network management interface. 
- Click Internet Protocol Version 6 (TCP/IPv6), and then click Properties. 
- Click Advanced to open the Advanced properties. 
- Click Add to add the IP addresses. 
- Repeat these steps for Internet Protocol Version 4 (TCP/IPv4). - Tip - Each customer or web site that uses IP SSL needs to have an IP address on each front end server. Because this can become labor intensive, you may want to use a script to automate the binding of IP addresses. 
 
- Next, configure the Web Site cloud to use the IP addresses for IP SSL traffic. - In the management portal for administrators, click Web Site Clouds, and then double-click the cloud that you want to configure. 
- Click Roles, and then choose the front end server. 
- Click IP SSL. 
- Click Add to add the IP address range. 
- Enter the start address and end address, and the click the checkmark. - Note - The IP address range must be unique for each front end server. 
- Repeat these steps for both IPv4 and IPv6 addresses. 
 - Repeat these steps for each front end server in the web farm. 
- If you are using an upstream hardware load balancer to balance traffic to the front end servers, the final step is to edit the register and deregister callback scripts so the Web Site cloud can communicate with the load balancer to create the load balancer pools for a given IP address. - The callback scripts are located on the Web Site cloud controller in the web farm, in the path C:\Program Files\IIS\Microsoft Web Hosting Framework\Scripts\Provision\Win. - Edit the DNS-RegisterSSLBindings.ps1 script. This script is used any time a user creates or edits a web site that uses IP SSL. - Use the $bindings to create a load balancer pool. You can use the $hostname as a key for tracking it. 
- Return the Virtual IP address assigned to the load balancer pool (using $retval). 
 
- Edit the DNS-DeRegisterSSLBindings.ps1 script. This script is used any time a user removes IP SSL from their web site or deletes or de-provisions the web site. - Pass back an empty value (using $retval). 
 
Configure shared certificates
The Web Site service uses certificates to encrypt data between the Front End servers, the Publishers, and the Controller.
By default, Windows Azure Pack: Web Sites provides self-signed certificates so that your initial operations do not occur in clear text. Of course, self-signed certificates cause certificate warning messages and must not be used in a production environment.
In a production environment, three certificates are required for securing endpoints in the web sites farm:
- Front End - The Front End certificate is used for shared SSL and for source control operations and has a binding on 'all unassigned'. The Front End certificate must be a two-subject certificate. 
- Publisher - The Publishing certificate secures FTPS and Web Deploy traffic. 
You obtain these certificates from a Certification Authority (CA) and upload them through the Management Portal for Administrators. You provide the password for each certificate so that it can be deployed to the farm.
The default domain certificate
The default domain certificate is placed on the Front End role and is used by tenant web sites for wildcard or default domain requests to the web site farm. The default certificate is also used for source control operations.
This certificate needs to be in .pfx format and should be a two-subject wildcard certificate. This allows both the default domain and the scm endpoint for source control operations to be covered by one certificate:
- *.<DomainName>.com 
- *.scm. <DomainName>.com 
Tip
A two-subject certificate is sometimes called a Subject Alternative Name (SAN) certificate. One advantage of a two-subject certificate is that the purchaser only has to buy one certificate instead of two.
Specify the certificate for the default domain
- In the Management Portal for Administrators, click Web Site Clouds, and then choose the cloud that you want to configure. 
- Click Configure to open the Web Site cloud configuration page. 
- In the Websites Default Certificate field, click the folder icon. The Upload Default Website Certificate dialog appears. 
- Browse to and upload the certificate that you want to use. 
- Enter the password for the certificate, and then click the checkmark. The certificate will be propagated to all Front End servers in the web farm. 
The certificate for publishing
The certificate for the Publisher role secures the Web Deploy and FTPS traffic for web site owners when they upload content to their web sites.
In the Management Portal for Administrators, the Configure page for the web site cloud contains a Publishing Settings section where you view or configure the Web Deploy and FTP Deploy DNS entries.
The certificate for publishing needs to contain a subject that matches the Web Deploy DNS entry and a subject that matches the FTPS Deploy DNS entry.
Note
If you used wildcards in the default certificate, you can also use the default certificate for the publisher. However, providing a separate certificate is more secure.
Specify the certificate for publishing
- In the Management Portal for Administrators, click Web Site Clouds, and then choose the cloud that you want to configure. 
- Click Configure to open the Web Site cloud configuration page. 
- In the Publisher Certificate field, click the folder icon. The Upload Publisher Certificate dialog appears. 
- Browse to and upload the certificate that you want to use. 
- Enter the password for the certificate, and then click the checkmark. The certificate will be propagated to all Publishing servers in the web farm. 
Change Web Deploy Publishing to HTTPS
During installation, the Web Deploy DNS publishing setting defaults to HTTP (port 80). As a best practice, you should change this to HTTPS (port 443). To do so, perform the following steps:
- In the Management Portal for Administrators, click Web Site Clouds, and then choose the cloud that you want to configure. 
- Click Configure to open the Web Site cloud configuration page. 
- In the Publishing Settings section, add :443 to the Web Deploy DNS entry (for example, publish.domainname:443). 
- In the command bar at the bottom of the portal page, click Save. 
Best practices for certificates
- Be sure that certificate subject matching is correct. Windows Azure Pack: Web Sites does not allow certificates to be uploaded if there are mismatches. 
- The most secure setup is to have separate certificates and separate domains. This helps defend against phishing scenarios and social engineering attacks. 
- Watch for certificate expiration. Refresh certificates on a somewhat regular basis. 
- For information about replacing untrusted Self-Signed Certificates with trusted certificates in Windows Azure Pack itself, see Post-installation best practices in the Deploy Windows Azure Pack for Windows Server guide. 
Enable PowerShell command support
The Windows Azure Pack Web Sites system comes with a rich set of PowerShell commands for managing the system. These commands enable the system administrator to perform all of the actions available in the portal as well as some others that are not.
In order to access the PowerShell commands for Windows Azure Pack Web Sites, use the PowerShell command
import-module websitesdev
There is help information for each command. To get a list of commands, use the command
get-commands –module websitesdev
For information on a specific command, use the command
get-help <command name>
Enable ISAPI/Classic mode
You can enable ISAPI/Classic mode on Windows Azure Pack: Web Sites by using PowerShell commands.
To set classic mode for a web site, run the following commands. Replace <sitename> with the name of your web site.
Add-pssnapin webhostingsnapin
Set-Site -ClassicPipelineMode 1 -SiteName <sitename>
To verify that Classic mode has been set, you can run the following command which produces a dump of your web site configuration. Replace <sitename> with the name of your web site.
Get-websitessite –rawview –name <sitename>