AppV 5.1 – Configuring SSL for AppV Management/Publishing and Reporting Services

This is a follow on my previous post – Installing Microsoft App-V 5.1 on Windows Server 2016 and Load Balance AppV 5.1 using Netscaler 11.x/12.x on how to secure the communication within App-V by using SSL instead of the default HTTP

NOTE: Before continuing , please ensure you have a valid certificate authority in the domain to send and authorise the certificate require. No Adjustement to the Load Balancer is required as it is configured with TCP rather than  HTTP.

Configure App-V Web Services for SSL

Step 1: Load Internet Information Services (IIS) on the AppV Server, then Select Server certificates

APPV-SSL1

Step 2: At the Action Panel, Select Create Domain certificate

APPV-SSL2

Step 3: Enter the following information, then Click Next

  • Common Name: LAB-APPV.WILKYIT.COM (the load balanced name of AppV)
  • Organization: WILKYIT.COM
  • Organizational Unit: WILKY
  • City/Locality: BELFAST
  • State/Province: UK
  • Country/Region: GB

APPV-SSL3

Step 4: At Online Certificate Authority, Click Select at Specify Online Certificate Authority

APPV-SSL4

Step 5: Select the appropriate CA, in my case the below is selected.

APPV-SSL5

Step 6: Enter a common friendly name for the certificate and click Finish

APPV-SSL6

Step 7: Confirm the certificate now appears on the Server Certificate list.APPV-SSL7

Step 8: Select Microsoft App-V Management Service under sites, Under Action/Edit Site Click Bindings

APPV-SSL8

Step 8: Select the http site, Click EditAPPV-SSL9

Step 9: Change the Port number to a unused port (in my case 50007). Click OK

APPV-SSL10

Step 10: Confirm setting are applied, Click Add

APPV-SSL11

Step 11: Select the following, then Click OK

  • Type: HTTPS
  • IP Address: All Unassigned
  • Port: 50001 (this is the orginal port configred during installation)
  • Host Name: leave Blank
  • SSL Certificate: LAB-APPV

APPV-SSL12

Step 12: Select the http site configured on Port 50007, Click RemoveAPPV-SSL13

Step 13: Click Yes to confirm binding is being removed.

APPV-SSL14

Step 14: Confirm only binding left is the type: https Port: 50001

APPV-SSL15

Step 15: Repeat the same for the Publishing Service/Reporting Service (Step 1-14)

Publishing Service

Use Unused port 50008 during re-configuration in Step 9

  • Type: HTTPS
  • IP Address: All Unassigned
  • Port: 50002 (this is the orginal port configred during installation)
  • Host Name: leave Blank
  • SSL Certificate: LAB-APPV

Reporting Service

Use Unused port 50009 during re-configuration in Step 9

  • Type: HTTPS
  • IP Address: All Unassigned
  • Port: 50003 (this is the orginal port configred during installation)
  • Host Name: leave Blank
  • SSL Certificate: LAB-APPV

Step 16: Repeat all of the above step on additional App-V Server, exporting the Certificate generated in Step 3-6 as a PFX and importing into the 2nd App-V Server

Confirm SSL communicaiton

Step 1: Access the App-V Management Service on https://lab-appv.wilkyit.com:50001

APPV-SSL16

Step 2: Confirm no certificate warning’s or issues with certificate by click the Lock icon on URL bar

APPV-SSL17

Step 3: Confirm with the Publishing/Reporting services as well.

APPV-SSL18APPV-SSL19

11 comments

  1. Hi,

    Thanks for writing this. I found your blog very useful.

    When I implemented this I got event ID 102 (warning), and 103 (error) on my Publishing Server, and my clients didn’t get packages. The message was “Message: DownloadMetadataError (URL: http://localhost:50001/Publishing/Metadata/)” where you can see the URL is wrong as it should be https. Another blog suggested changing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Server\PublishingService\PUBLISHING_MGT_SERVER to the FQDN (https://servername.FQDN.com:50001), and that seems to work.

    Craig

    Like

  2. Hi, thanks for this very useful blog.

    After I enabled SSL I’m facing the problem that all powershell cmdlets are running into a timeout.
    E.g.
    =========================================================================
    PS C:\Windows\system32> Get-AppvServerPackage
    Get-AppvServerPackage : Timeout für Vorgang überschritten
    In Zeile:1 Zeichen:1
    + Get-AppvServerPackage
    + ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [Get-AppvServerPackage], WebException
    + FullyQualifiedErrorId : ServiceError,Microsoft.AppV.Server.Cmdlets.GetAppvServerPackageCommand
    =========================================================================

    I couldnt found any further information in the eventlog or by using procmon.

    Any hint?

    Many thanks in advance.
    Bent

    Like

  3. Found the solution:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Server\ManagementService

    There were entries which still refered to http.

    Best regards
    Bent

    Like

      • No problem. Yes solved it on my own.

        But we are facing another problem. After activating SSL new Packages arent published to the clients.
        Eventlog shows “publishing refresh started” and after 1 second “publishing refresh stopped”. when we change the appv-publishing server to a non HTTPS -Server everythin works right away.

        I have no clue. The eventlogs don’t show any specific erros.

        Again any hint?

        Many thanks in advance.

        Like

  4. Sorry for the confusion. the publishing works on the new AppV-Server (HTTPS) but it takes waaaay more time.
    Database and Management Console show the new packageversion as enabled but the client doesnt get the package when we manually sync.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s