Post Installation Best Practices
The following best practices should be followed upon successful installation of Windows Azure Services for Windows Server.
Replace Untrusted Self-Signed Certificates with Trusted Certificates
Each Service Management component is installed on an IIS web site which by default is configured with a self-signed certificate. Because these self-signed certificates are not issued by any of the Trusted Root Certification Authorities that your browser loads upon startup, your browser will display a security warning when you attempt to connect to any of the sites. It is recommended that the self-signed certificates used by the MgmtSvc-TenantSite and MgmtSvc-TenantPublicAPI (publicly facing services) be replaced with certificates issued by a Trusted Root Certification Authority to avoid this experience. The MgmtSvc-AdminSite may also benefit from a replacement of the self-signed certificate.
Services which aren’t accessed by users, such as the Service Management APIs and Resource Providers, ignore certificate validation errors by default. This is done via the ServicePointManager.ServerCertificateValidationCallback Property. If this presents a security concern, it is recommended that the untrusted self-signed certificates be replaced with valid certificates issued by a recognized Certificate Authority and that the validation override be turned off, or set to false.
The configuration settings that govern this validation override are in each Web site’s web.config file as follows:
For the Service Management Admin and Tenant Web sites (MgmtSvc-AdminSite and MgmtSvc-TenantSite):
<add key="Microsoft.Azure.Portal.Configuration.AppManagementConfiguration.Rdfe2DisableCertificateValidation" value="false" />
For the Service Management API Web site(s) (MgmtSvc-AdminAPI, MgmtSvc-TenantAPI and MgmtSvc-TenantPublicAPI):
<add key="DisableSslCertValidation" value="false" />
For each of these keys the default value is true (permit the use of untrusted certificates) so when set to false the use of untrusted certificates is disallowed.
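The following PowerShell is an added example, not part of the original documentation: it reports whether either override key in a given web.config still permits untrusted certificates and, with -Fix, sets the key to false. It assumes the <appSettings> section is already in plain text (decrypted as described in the paragraphs that follow); the function name Test-CertValidationOverride and the sample file are hypothetical.

```powershell
# Added example; function name and sample file are hypothetical.
$OverrideKeys = @(
    'Microsoft.Azure.Portal.Configuration.AppManagementConfiguration.Rdfe2DisableCertificateValidation',
    'DisableSslCertValidation'
)

function Test-CertValidationOverride {
    param(
        [Parameter(Mandatory)][string]$Path,  # web.config with a decrypted <appSettings>
        [switch]$Fix                          # set offending keys to "false" and save
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true           # keep the file's layout on save
    $xml.Load($full)
    $changed = $false
    $results = foreach ($key in $OverrideKeys) {
        $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='$key']")
        if ($null -eq $node) { continue }     # key not used by this site
        # Conservative choice: anything but "false" counts as override active.
        if ($node.GetAttribute('value') -ne 'false' -and $Fix) {
            $node.SetAttribute('value', 'false')
            $changed = $true
        }
        [pscustomobject]@{
            Key                = $key
            Value              = $node.GetAttribute('value')
            ValidationEnforced = ($node.GetAttribute('value') -eq 'false')
        }
    }
    if ($changed) { $xml.Save($full) }
    if (-not $results) {
        Write-Warning "No override keys found in $full (section still encrypted?)"
    }
    $results
}

# Constructed sample standing in for a decrypted API site web.config.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'sample-web.config'
@'
<configuration>
  <appSettings>
    <add key="DisableSslCertValidation" value="true" />
  </appSettings>
</configuration>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Test-CertValidationOverride -Path $sample        # audit only
Test-CertValidationOverride -Path $sample -Fix   # correct the key, then report
```

Set the keys to false only after the sites' certificates have been replaced with trusted ones, since the services will then reject the default self-signed certificates.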
The <appSettings> section of each web.config file is encrypted by default. To modify the <appSettings> section it is necessary to decrypt the file, apply the changes and then re-encrypt the file. To decrypt and re-encrypt the web.config files, run the following PowerShell commands on the machine where the web.config file is located:
- To decrypt:
Unprotect-MgmtSvcConfiguration -Namespace <namespace>
- To re-encrypt:
Protect-MgmtSvcConfiguration -Namespace <namespace>
<namespace> is one of the following:
Enable HTTP Endpoints on Admin and/or Tenant Portals for HTTP-HTTPS Redirection
By default, the Service Management Admin and Tenant portals are configured to use only HTTPS. The web.config file for each portal web site contains a redirect rule to route all HTTP traffic to HTTPS but this is only of use if the respective portals are bound to a valid HTTP endpoint. In order to accept traffic over HTTP port 80 the portal web sites must be manually configured with additional bindings. Complete the following steps to enable the portal web sites to accept traffic on HTTP port 80 and enable redirection of this traffic using the redirect rule in the web.config file:
- Replace the self-signed SSL certificate used by the Portal(s) web site(s) with a certificate issued by a recognized Trusted Root Certification Authority.
- Add an HTTP site binding on port 80 for the Portal(s) web site(s).
- Replace the existing HTTPS site binding(s) on port(s) 30091 and/or 30081 with HTTPS site bindings on the default port of 443.
Configure Tenant Portal Certificate(s) to Ensure WebMatrix “One-click” Installation Functionality
End users will be unable to install WebMatrix from the Tenant portal but will instead receive an error if the Tenant portal is configured to use an untrusted certificate. Replace the default self-signed SSL certificate used by the Tenant Portal web site(s) with a certificate issued by a Trusted Root Certification Authority to address this issue and ensure that end users can complete a “One-click” installation of WebMatrix.
Verify TCP/IP Configuration of Admin and Tenant Portal Web Sites
By default, the Service Management Admin and Tenant portals are configured to use only HTTPS bound to port 30091 and 30091 respectively. Ensure that the portal web sites are bound to a TCP/IP port that end users and/or system administrators are expecting, such as port 443 for HTTPS and port 80 for HTTP.
Verify Correct Public DNS Settings for all Internet Facing Web Sites
During Web Site Cloud setup, when configuring the Web Site Cloud Service Management Portal, you are prompted for the domain name to be used for end user websites. Verify that all Internet facing web sites are configured with the appropriate IP address assignments as described in Public DNS Mappings.