Enabling HTTPS

By default, communication with the RESTful web server is not encrypted. Setting up an HTTPS server lets the server enforce encrypted connections between client and server over an SSL/TLS channel. The sections below outline how to configure IIS Express to host an HTTPS server.

Requirements

  • To enable HTTPS, you must install either a trusted certificate issued by a certificate authority OR a self-signed certificate used for development testing. The procedures detailed below cover how to install a self-signed server certificate.

  • To install a CA (Certificate Authority) signed server certificate, see Microsoft's TechNet article 'Install a Server Certificate'. If you enable HTTPS and are using a self-signed certificate, you MUST also install the self-signed certificate in the trusted root store (see 'Trusting local or remote self-signed security certificate' below).

Overview

The following high-level steps are covered on this page.

  1. Obtain a certificate (this documentation uses a self-signed certificate).

  2. Install the certificate.

  3. Configure IIS with HTTPS.

  4. Restart Metadefender REST service.

Generating a self-signed certificate

For Windows 8.1, Windows 2012 or newer

  1. Open PowerShell as administrator.

  2. Run New-SelfSignedCertificate -DnsName {DNS_NAME} -CertStoreLocation Cert:\LocalMachine\My\

    1. Replace {DNS_NAME} with the DNS name of your server.

For Windows 7 or Windows 2008

  1. Download the Microsoft Windows SDK for Windows 7 and .NET Framework 4.

  2. You only need to install .NET Development → Tools

  3. From an administrator command line, navigate to the SDK install directory and run makecert.exe:

    1. cd "C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\x64"

    2. makecert.exe -n "CN={DNS_NAME}" -a sha256 -sr LocalMachine -ss MY -r

    3. Replace {DNS_NAME} with the DNS name of your server.

Installing the certificate

  1. From a command prompt, run certutil -store MY to list the certificates in the Local Machine personal store.

  2. Copy the Cert Hash of the certificate whose Issuer is CN={DNS_NAME}. Remove the spaces from the hash (e.g., ef8a0fc5620b621a54fb367f1e7ee45e1ba6d006).

  3. Create a new GUID at https://www.guidgenerator.com/online-guid-generator.aspx (e.g., {CDA52389-5954-44C2-8CF0-38062D1572F8}).

  4. Open a command prompt.

  5. Run the following command (note: 443 is the default port for HTTPS; change it if you want to run on a different port):

    netsh http add sslcert ipport=0.0.0.0:443 appid={<guid retrieved from previous step>} certhash=<certificate thumbprint retrieved from previous step>

  6. Confirm that the SSL certificate was added successfully, as in the example below.
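The generate-and-bind steps above carried out in one elevated PowerShell session, as an added example that is not part of the OPSWAT documentation. It assumes Windows 8.1 / Server 2012 or newer, a constructed DNS name (mdcore.example.local) and port 443, and it checks that the binding netsh reports really carries the thumbprint of the certificate just created.

```powershell
# Added example, not from the OPSWAT documentation. Run in an elevated
# PowerShell on Windows 8.1 / Server 2012 or newer.
$DnsName = 'mdcore.example.local'   # assumed: the name clients will use in the URL
$Port    = 443                      # must match bindingInformation in applicationhost.config

# Step 1: create the self-signed certificate in the Local Machine personal store.
# The returned object carries the thumbprint, so nothing is copied by hand from certutil.
$cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation Cert:\LocalMachine\My
$thumbprint = $cert.Thumbprint      # hex, already without spaces

# Step 2: a fresh application id, the equivalent of the online GUID generator.
$appId = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'

# Step 3: bind the certificate to every local address on the chosen port.
# netsh refuses a duplicate ipport; an old binding is removed with
#   netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport="0.0.0.0:$Port" certhash=$thumbprint appid="$appId"
if ($LASTEXITCODE -ne 0) { throw "netsh could not add the SSL binding (exit code $LASTEXITCODE)" }

# Step 4: confirm the binding exists and carries the hash of the certificate just
# created, not a stale one from an earlier attempt (netsh prints the hash in lower
# case; -match is case-insensitive).
$binding = netsh http show sslcert ipport="0.0.0.0:$Port"
$binding
if (-not ($binding -match $thumbprint)) { throw 'Binding exists but points at a different certificate' }

# Record what was issued: the expiry matters because New-SelfSignedCertificate
# issues certificates valid for one year by default.
$cert | Select-Object Subject, Thumbprint, NotBefore, NotAfter
```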

Enabling HTTPS on IIS Express

The following procedure enables HTTPS on IIS Express.

  1. Open the <Metadefender Core installation directory>\REST\Config folder (e.g., C:\Program Files (x86)\OPSWAT\Metadefender Core X\REST\Config).

  2. Open the applicationhost.config file in a text editor.

  3. Go to the <sites> tag and change the metascan_rest website binding to HTTPS as shown in the example below. The port you choose cannot be in use by any other application.

    Original:

    <bindings>
    <!--<binding protocol="http" bindingInformation="*:80:localhost" />-->
    <binding protocol="http" bindingInformation=":8008:"/>
    </bindings>

    New:

    <bindings>
    <!--<binding protocol="http" bindingInformation="*:80:localhost" />-->
    <binding protocol="https" bindingInformation=":443:"/>
    </bindings>

    1. If you are also going to install Metadefender SFT on the same machine and configure it for HTTPS as well (Enable HTTPS), make sure to include a host name in bindingInformation in Step 3 above, for example: bindingInformation=":443:localhost"

  4. Save and close the 'applicationhost.config' file.

  5. Restart the service 'Metascan REST'.

  6. Test that the site works by going to https://localhost. Because the certificate is not yet trusted, the following certificate warning page is displayed:

  7. Click Continue to this website.

Enabling HTTPS for Quarantine

Perform these steps only if Metadefender Core has been configured to exclusively use HTTPS (Step 4 in section 'Enabling HTTPS on IIS Express').

  1. Navigate to the Quarantine folder (by default, this is C:\Program Files (x86)\OPSWAT\Metadefender Core X\Metascan Quarantine).

  2. Open Metadefender.Quarantine.Service.exe.config in a text editor and change the following section, keeping the *DNS_or_IP* value that is already in the original file.

    Original:

    <setting name="RestBaseUrl" serializeAs="String">
    <value>http://*DNS_or_IP*:8000</value>
    </setting>
    <setting name="QuarantineBaseUrl" serializeAs="String">
    <value>http://*DNS_or_IP*:8000</value>
    </setting>
    <setting name="QuarantineProtocol" serializeAs="String">
    <value>REST</value>
    </setting>
    <setting name="MetascanUrl" serializeAs="String">
    <value>http://*DNS_or_IP*:8008/metascan_rest/</value>
    </setting>
    <setting name="WebBaseUrl" serializeAs="String">
    <value>http://*DNS_or_IP*:8008/management/#</value>
    </setting>

    New:

    <setting name="RestBaseUrl" serializeAs="String">
    <value>https://*DNS_or_IP*</value>
    </setting>
    <setting name="QuarantineBaseUrl" serializeAs="String">
    <value>https://*DNS_or_IP*</value>
    </setting>
    <setting name="QuarantineProtocol" serializeAs="String">
    <value>REST</value>
    </setting>
    <setting name="MetascanUrl" serializeAs="String">
    <value>https://*DNS_or_IP*/metascan_rest/</value>
    </setting>
    <setting name="WebBaseUrl" serializeAs="String">
    <value>https://*DNS_or_IP*/management/#</value>
    </setting>

  3. Restart the service 'Metadefender Quarantine'.

Enabling HTTPS for Mail Agents

Perform these steps only if:

  • Metadefender Core has been configured to exclusively use HTTPS (Step 4 in section 'Enabling HTTPS on IIS Express').

  • Mail Agent has been installed before switching to HTTPS. Any Mail Agent package downloaded from Metadefender Core after applying HTTPS will automatically have the correct configuration settings.

If you use a self-signed certificate and have deployed Mail Agent on servers other than the MD Core server, you must also complete steps 1-27 in the section 'Trusting local or remote self-signed security certificate' on each Mail Agent server.

  1. Navigate to the Metadefender Mail agent folder (by default, this is C:\Program Files (x86)\OPSWAT\Metadefender Mail Agent).

  2. Open Metadefender.Email.Engine.Service.exe.config in a text editor and change the following section, replacing *DNS_or_IP_of_Mail_Agent* with your Mail Agent server's real DNS hostname or IP address and *DNS_or_IP_of_MD_Core* with your Metadefender Core server's real DNS hostname or IP address.

    Original:

    <setting name="RestBaseUrl" serializeAs="String">
    <value>http://*DNS_or_IP_of_Mail_Agent*:8000</value>
    </setting>
    <setting name="QuarantineBaseUrl" serializeAs="String">
    <value>http://*DNS_or_IP_of_MD_Core*:8000</value>
    </setting>
    <setting name="QuarantineProtocol" serializeAs="String">
    <value>REST</value>
    </setting>
    <setting name="MetascanUrl" serializeAs="String">
    <value>http://*DNS_or_IP_of_MD_Core*:8008/metascan_rest</value>
    </setting>

    New:

    <setting name="RestBaseUrl" serializeAs="String">
    <value>https://*DNS_or_IP_of_Mail_Agent*</value>
    </setting>
    <setting name="QuarantineBaseUrl" serializeAs="String">
    <value>https://*DNS_or_IP_of_MD_Core*</value>
    </setting>
    <setting name="QuarantineProtocol" serializeAs="String">
    <value>REST</value>
    </setting>
    <setting name="MetascanUrl" serializeAs="String">
    <value>https://*DNS_or_IP_of_MD_Core*/metascan_rest</value>
    </setting>

  3. Restart the service 'Metadefender Generic Mail Agent'.

  4. If the Mail Agent is installed on an Exchange Server, complete the following steps:

    1. Open Metadefender.Email.Engine.Exchange[version].dll.config in a text editor and change the 'RestBaseUrl' setting to the same as above (https://*DNS_or_IP_of_Mail_Agent*).
      Note: Modify the configuration file that corresponds to your Exchange Server version. For Exchange Server 2016, the 2013 file is used.

    2. Restart the service 'Microsoft Exchange Transport'.
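The Quarantine and Mail Agent edits above are the same transformation applied to different files: each named setting goes from http://host:port/path to https://host/path while the host name or IP already in the file is kept. The following PowerShell function, an added example that is not part of the OPSWAT product or documentation, performs that edit on one .exe.config, reports every value it changes and writes a backup first. The function name, the -ReportOnly switch and the path in the usage line are assumptions; hosts written as bracketed IPv6 literals are not handled.

```powershell
# Added example, not from the OPSWAT documentation. Run as Administrator.
function Convert-MetadefenderSettingsToHttps {
    param(
        [Parameter(Mandatory)][string]$Path,   # a Quarantine or Mail Agent .exe.config
        # the settings named on this page; QuarantineProtocol (REST) is not a URL
        [string[]]$SettingNames = @('RestBaseUrl', 'QuarantineBaseUrl', 'MetascanUrl', 'WebBaseUrl'),
        [switch]$ReportOnly                     # show the changes without writing the file
    )
    $fullPath = (Resolve-Path $Path).Path       # .NET does not share PowerShell's current directory
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true             # keep the file's indentation as it is
    $xml.Load($fullPath)

    $changed = 0
    foreach ($name in $SettingNames) {
        # <setting name="..."><value>http://host:8000</value></setting>, at any depth
        $node = $xml.SelectSingleNode("//setting[@name='$name']/value")
        if (-not $node) { continue }            # e.g. the Mail Agent file has no WebBaseUrl
        $old = $node.InnerText
        # Switch the scheme and drop the explicit port so the IIS binding on 443 is
        # used; the host and any path (/metascan_rest/, /management/#) stay untouched.
        $new = $old -replace '^http://([^/:]+)(:\d+)?', 'https://$1'
        if ($new -ne $old) {
            Write-Output ('{0,-18} {1}  ->  {2}' -f $name, $old, $new)
            $node.InnerText = $new
            $changed++
        }
    }

    if ($changed -eq 0) { Write-Output "No http:// values found in $Path"; return }
    if ($ReportOnly)    { Write-Output "$changed value(s) would change (file not written)"; return }
    Copy-Item $fullPath "$fullPath.bak" -Force  # keep the original for rollback
    $xml.Save($fullPath)
    Write-Output "$changed value(s) rewritten; backup at $fullPath.bak"
}

# Usage (default Quarantine path from this guide; adjust to the installed version):
Convert-MetadefenderSettingsToHttps -Path 'C:\Program Files (x86)\OPSWAT\Metadefender Core X\Metascan Quarantine\Metadefender.Quarantine.Service.exe.config' -ReportOnly
```

Run once with -ReportOnly to review the changes, then without it to apply them, and restart the corresponding service as the steps above describe.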

Trusting local or remote self-signed security certificate

If you use a self-signed certificate, you must follow these steps for Metadefender to work as expected.

If you are using this guide on the local computer, access and install the certificate from the DNS address (e.g., https://frosty7c/).

  1. Open Internet Explorer and access the Metadefender Core dashboard (e.g., https://frosty7c/).

  2. Click Continue to this website.

  3. Click Certificate error.

  4. Click View certificates.

  5. Click Install Certificate...

  6. Select either Current User or Local Machine and click Next.

  7. Select "Place all certificates in the following store" and click Browse.

  8. Select "Trusted Root Certification Authorities" and click OK.

  9. Click Next, then Finish.

  10. Restart Internet Explorer and navigate to the same page again.

  11. You should now see a padlock icon instead of the certificate error.

  12. Run certmgr.msc.

  13. Select Trusted Root Certification Authorities → Certificates.

  14. Right-click the certificate with your DNS name → All Tasks → Export.

  15. Click Next → Next → Browse.

  16. Choose a location to save the certificate and click Save.

  17. Click Next → Finish.

  18. Run mmc.

  19. File → Add/Remove Snap-in.

  20. Select Certificates and click Add.

  21. Select Computer account and click Next.

  22. Click Finish, then click OK.

  23. Select Trusted Root Certification Authorities → Certificates.

  24. Right-click Certificates → All Tasks → Import.

  25. Click Next.

  26. Select the file you exported previously.

  27. Click Next → Next → Finish.