
Considerations when upgrading from HTTP to HTTPS

mcavanagh
By Level 6 Flexeran

Hi,

I am wondering if there is any real-life experience with upgrading from HTTP to HTTPS, and what kind of considerations you took into account when doing the upgrade. Also, were there any errors encountered when doing so?

If you find my answer useful please give kudos, if my answer solves your issue, please make sure to mark as solution
(1) Solution

Following up on our issue with configuring the proxy settings for the FlexNet Beacon.  Since the FlexNet Beacon Service runs by default as SYSTEM, it does not make use of the IE proxy settings.  You can either have the service run as a specific User or, you have to configure the winhttp proxy settings using "netsh winhttp set proxy <<proxyURL>>".  Once this was set, the packages were successfully downloaded and the "...revocation server is offline." messages are no longer present in the logs.
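
The fix described in this post, as an added example that is not part of the original thread or Flexera's documentation: it confirms the service account, sets the machine-wide WinHTTP proxy with an exceptions list, and re-checks revocation for the server certificate. The proxy address, bypass entries and certificate path are placeholders, and the service is matched by display name as an assumption.

```powershell
# Added example; run from an elevated PowerShell prompt on the beacon server.
# All three values below are placeholders (assumptions), not values from the thread.
$ProxyServer = 'proxy.example.internal:8080'       # your proxy host:port
$BypassList  = '<local>;*.fnms.example.internal'   # hosts that must NOT go through the proxy
$CertFile    = 'C:\Temp\fnms-server.cer'           # exported copy of the HTTPS server certificate

# 1. Confirm which account the beacon service runs as. A StartName of
#    LocalSystem means the per-user IE proxy settings are not used.
Get-CimInstance Win32_Service |
    Where-Object DisplayName -like '*Beacon*' |
    Select-Object Name, DisplayName, StartName, State

# 2. Record the current machine-wide WinHTTP proxy before changing it.
netsh winhttp show proxy

# 3. Set the WinHTTP proxy. The bypass list plays the role of the IE
#    "exceptions list"; <local> skips the proxy for single-label host names.
netsh winhttp set proxy proxy-server="$ProxyServer" bypass-list="$BypassList"

# 4. List the CRL distribution points (OID 2.5.29.31) in the certificate,
#    so you know which URLs the proxy or firewall must allow.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertFile)
$cert.Extensions |
    Where-Object { $_.Oid.Value -eq '2.5.29.31' } |
    ForEach-Object { $_.Format($true) }

# 5. Build the chain and fetch the CRL/OCSP URLs. An "offline" revocation
#    result here corresponds to the error seen in the beacon log.
certutil -verify -urlfetch $CertFile

# To undo step 3 and return to direct access:
#   netsh winhttp reset proxy
```

certutil runs as the signed-in user rather than as SYSTEM, so the final confirmation is still the beacon's own log after the next package download.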


(7) Replies

Hi,

Maybe you can give us some more information: where do you want to do this upgrade? When you access the web UI, like https://mycompany.com/suite instead of http://mycompany.com/suite? In this case you need to order an SSL certificate, according to your company policy. Configure IIS to use this certificate for SSL connections and that's it.

Or you want your Flexera agents to use the HTTPS connection when they upload the inventory; in this case, again, you need to order an SSL certificate for the beacon server/servers and configure IIS accordingly. However, when using SSL you need to be sure that your agents can check the root CA and the CRL list, otherwise communication will fail.

EDIT: Just read your question again; the improvement is related to security, as all communication via HTTPS is encrypted and secured.

mfranz
By Level 17 Champion

Hi,

When changing agent communication from HTTP to HTTPS, you may also want to plan a transition time or deploy alternate beacon details beforehand, so that all your agents can still communicate when HTTP is no longer available.

Best regards,

Markward

We are currently operating in a mixed configuration. We still have v9.2 agents on roughly 30K servers and they are reporting into a 9.2 Inventory Manager server. We have migrated to 2017 R1 and the 9.2 IM is feeding that system (per the migration guide).

While following the "How to setup https (SSL/TLS) to secure and encrypt internal FNMS communication between Agents, Beacons and the Application Server", I have had success configuring the 2017 R1 Web Server to only use HTTPS. It also appears that adding HTTPS to the Batch/Inventory server and Beacon servers worked as well. I do not intend to require the agents to communicate over HTTPS to the Beacons at this time (we may need to in the future), so I am leaving the binding for HTTP in place along with HTTPS on our Beacons.

My current issue is that the Beacon logs indicate some errors downloading packages. One of the issues is that they are having trouble reaching the CRL. In order to fix that, we have to configure the Beacons to use a proxy server. The configuration of the proxy server is where I'm having issues. I've been trying to follow the proxy configuration documentation in the FNMS Help system but I'm not seeing expected results. I'm wondering if the FlexNet Beacon service running as SYSTEM is a possible issue.

The UI shows the following:

Possible issues for this beacon 1
1. Last download of packages for managed devices failed. Check the log file on the beacon server.

The Packageretriever.log shows the following:

[5/18/2019 3:09:23 PM (N, 0)] {2848} Downloading “https://perf-fnmsinventory.lmig.com/ManageSoftDL/Packages/Flexera/Adoption/12.2.0/Rev1.0/Managed%20Device%20Adoption/Managed%20Device%20Adoption_metapkg.ndc.gz” to “C:\ProgramData\Flexera Software\Staging\Common\Packages\Flexera\Adoption\12.2.0\Rev1.0\Managed Device Adoption\Managed Device Adoption_metapkg.ndc”
[5/18/2019 3:09:23 PM (G, 0)] {2848} Download failure: The revocation function was unable to check revocation because the revocation server was offline.
[5/18/2019 3:09:23 PM (U, 0)] {2848} ERROR: Error (s107m858)

I can disable the cert revocation check but that's not what I'd want to do in Production, so I'm working to resolve this in non-prod first. If I can get through this step I'll provide a follow-up on this thread.

In regards to that error, I have updated your ticket with as well. Just checked the KB and found
https://community.flexera.com/t5/FlexNet-Manager-knowledge-base/The-revocation-function-was-unable-to-check-revocation-because/ta-p/2242?collapse_discussion=true&q=The%20revocation%20function%20was%20unable%20to%20check%20revocation&search_type=thread

For FNMS Cloud, the URLs that are required, including the CRL URLs, are available via the online help under the following section: Inventory Beacons -> Inventory Beacon Reference -> Ports and URLs for Inventory Beacons

For FNMS On-Premise, consult your certificate provider for the list of URLs that are required to validate the certificates installed in the environment.
If you find my answer useful please give kudos, if my answer solves your issue, please make sure to mark as solution

I don't know how your network layout is; in my case, the SSL certificates are issued by an internal CA server and the CRL is listed on an internal IP. I spoke with the networking team and opened a network flow to that IP, and this solved the issue. To solve the CRL issue, I can think of doing one of the following:
1. Find out the CRL address and open the proxy/firewall to that one.
2. Disable the CRL checking from the registry (not advised and not recommended from a security point of view).

Thanks for the input Adrian_ritz. In our case we will be using an external CA in Production so I'm working to ensure that same CA works in at least one of our Non-Prod environments. The path to the external CA has been opened through our proxy and I've configured IE to forward requests to the proxy. I checked the box in the IE settings to "Bypass the proxy for local addresses" and I've also added our FNMS "friendly" URLs to the proxy exceptions list as we don't want that traffic to go through the proxy. Those URLs are not accessible through the proxy at this time. I believe one of the issues I am having is that some portions of the Beacon appear to use the IE "exceptions list" while others do not. More to come...
