Configure HTTPS

Hypertext Transfer Protocol Secure (HTTPS) provides more secure internet connections. HTTPS establishes an encrypted link between a web server and a browser, ensuring that the data passed is private and protected.

Why use HTTPS?

HTTPS should be used when:

  • Confidential or personal content on the server must be protected.
  • Users must be able to confirm the identity of the server before they transmit personal information.
  • You want to use client certificates to authenticate clients that access the server.

Configure HTTPS for Transtream

  1. Obtain an SSL (Secure Sockets Layer) certificate. For on-premise installs, this commonly comes from a private certificate authority. The certificate needs to contain both a private and a public key, and it will have a PFX file extension.
  2. Import the SSL certificate into the local computer's Personal certificate store on the IIS (Internet Information Services) server.
  3. Access Transtream Installer, where you will input the required data.
  4. If required, set Require Server Name Indication to True. This allows for multiple HTTPS Certificates to be configured under one IP address.
  5. The value for the Issued By field in the installer comes from the Detail property of the certificate labeled Issuer. The Issuer value consists of one or more data pairs in the format identity = value. Depending on who issued the certificate, there can be more than one pair.
    • If there is more than one pair, each pair must be separated by a comma followed by a space, and all pairs must be on a single line. The spaces on either side of the equals sign need to be removed.

      Example

      In the case where the Issuer contains the following:

      • CN = USERTrust RSA Certification Authority
      • O = The USERTRUST Network
      • L = Jersey City
      • S = New Jersey
      • C = US

      The Issued By field in the installer would be reformatted to:

      CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US

  6. Ensure that the Serial Number field contains the hex value, space separated for every two bytes, taken from the certificate detail of the same name.
  7. Ensure that the Storage field is set to My. This indicates your local computer storage.
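
One way to read the values for steps 5 to 7 from the certificate store and confirm that the private key from step 1 was imported. This is an added PowerShell example, not part of the Transtream product or its documentation; the function name Get-HttpsBindingValues and the thumbprint argument are assumptions made for illustration.

```powershell
# Added example (hypothetical helper, not Transtream code).
# Run in an elevated PowerShell session on the IIS server.
function Get-HttpsBindingValues {
    param(
        # Thumbprint of the imported certificate, supplied by the caller.
        [Parameter(Mandatory)][string]$Thumbprint
    )

    # Step 7: "My" is the Personal store of the local computer.
    $storeName = 'My'

    # Thumbprints copied from the certificate dialog may contain spaces
    # or hidden characters; keep only the hex digits.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $cert = Get-ChildItem -Path "Cert:\LocalMachine\$storeName" |
        Where-Object { $_.Thumbprint -eq $clean } |
        Select-Object -First 1

    if (-not $cert) {
        throw "No certificate with thumbprint $clean in LocalMachine\$storeName (step 2)."
    }

    # Step 1: the PFX import must have brought the private key with it.
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $clean has no private key in the store (step 1)."
    }

    [pscustomobject]@{
        # Step 5: on Windows, .Issuer is rendered on one line as
        # identity=value pairs separated by a comma and a space.
        IssuedBy     = $cert.Issuer
        # Step 6: hex string without separators; add the spacing
        # step 6 asks for when entering it in the installer.
        SerialNumber = $cert.SerialNumber
        Storage      = $storeName
    }
}

# Usage (replace the placeholder with the real thumbprint):
# Get-HttpsBindingValues -Thumbprint '<certificate thumbprint>' | Format-List
```

Compare the output with the Issuer and Serial number entries on the certificate's Details tab before entering the values in the installer.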

If you are working with an already installed instance, you may have to run the install again, by selecting Install and Run Now, to update the settings, or create a new instance with the desired HTTPS setup. For details on the binding setting group, and which settings will update upon reinstallation, see Transtream Setup Reference.

Updating an instance from HTTP binding to HTTPS

Follow the steps below when updating an instance from HTTP binding to HTTPS:

  • Install your HTTPS Certificate
  • Open Transtream Setup
  • Select the instance that has HTTP binding
  • Change the binding to HTTPS (the 'Is SSL Certificate Offloaded?' flag will be set to 'False')
  • Set the 'Require Server Name Indication' flag
  • Add the certificate issuer
  • Add the certificate serial number
  • Add the storage
  • Click 'Apply'
  • Click 'Install/Run Now'

Single Server Install

For an on-premise single-server install, the Is SSL Certificate Offloaded? parameter needs to be set to False and the instance must be installed with the HTTPS binding protocol.

Load-balanced Install

For load-balanced installs, the Is SSL Certificate Offloaded? parameter needs to be set to True when the certificate is offloaded by the load-balancer. The instance can be installed with the HTTP binding protocol.

Load-balancer Configuration Key Points

  • Public DNS routes traffic to the load-balancer. Internet traffic is redirected from the load-balancer to the web server using the private IP.
  • The load-balancer is configured to off-load certificate encryption (traffic from the load-balancer to the web server is HTTP:80). Note: SSL certificates are NOT installed on the local web server.
  • On each local server, an entry is added to the hosts file as follows: Server Private IP -> Customer Public URL.

Article last edited 6 January 2021