I heard about CVE-2020-29491 and CVE-2020-29492 last week, so I am trying to secure my environment and configure HTTPS for my clients instead of FTP.
I installed IIS on my fileserver and when I set up the 443 binding, I have to use a certificate. I'm not that good with all the IIS stuff, so here is my question:
To access my fileserver, all my thin clients need to have this cert installed – is that right? If yes, how can I do that? With the FTP solution it was possible to place it in the cacerts folder but how can I do this using https?
And do I need to change something in my Xen.ini / Wnos.ini?
If you want to switch to https you will need a certificate, correct.
The best way is to set up your own Certificate Authority and then use self-signed certificates. Another way would be to buy official certificates.
In all ways, you would have to make sure that the root certificate (self-signed or official) is loaded on the client.
You can do that via FTP (which you want to get rid of) or use a USB memory stick.
Thanks – I got HTTPS working now.
Some thoughts on the certificate thing now:
– First I thought I could use the certs that are already on my thin clients (domain and storefront cert) but as I saw, there is no possibility to bind them to IIS because they don't have a private key. Is that true (only a new self-signed cert or a .pfx cert is valid for IIS)?
– When using a .pfx, is there a way I can write the private key in my .ini files (secure, for sure)?
– I manage around 500 thin clients, so the deployment method by USB stick is not a possibility. Using FTP is also not possible because DHCP Option Tag 161 is not “https://fqdn”. Any other possibilities?
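
An added illustration of the certificate split discussed in this thread (not part of any post and not vendor sample code): the PowerShell below creates a private root CA and an IIS server certificate signed by it, then exports only the root's public certificate, which is the one file clients need in order to trust the server. The FQDN, subject name and export folder are assumed placeholders, and it must be run from an elevated prompt on the server.

```powershell
# Added example. $fqdn, $outDir and the CA subject are assumptions (placeholders).
$fqdn   = 'fileserver.example.local'   # hypothetical name the thin clients connect to
$outDir = 'C:\certs'                   # hypothetical export folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Root CA certificate: self-signed and permitted to sign other certificates.
#    Its private key stays in the server's machine store and is never exported.
$root = New-SelfSignedCertificate -Type Custom `
    -Subject 'CN=Example Thin Client Root CA' `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.19={text}ca=1&pathlength=0') `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Server certificate for the IIS 443 binding, signed by the root above.
#    This is the certificate that needs a private key on the server.
$server = New-SelfSignedCertificate -Type SSLServerAuthentication `
    -DnsName $fqdn -Signer $root `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Export ONLY the root's public certificate (DER .cer, no private key).
#    This file is what gets distributed to clients as a trusted root.
$rootFile = Join-Path $outDir 'rootca.cer'
Export-Certificate -Cert $root -FilePath $rootFile | Out-Null

# 4. Verify the split: both store entries hold a private key,
#    while the exported file that leaves the server does not.
foreach ($c in $root, $server) {
    '{0}  HasPrivateKey={1}  Thumbprint={2}' -f $c.Subject, $c.HasPrivateKey, $c.Thumbprint
}
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootFile
'{0}  HasPrivateKey={1}' -f $rootFile, $exported.HasPrivateKey
```

The server certificate's thumbprint printed in step 4 identifies the certificate to select for the HTTPS binding in IIS; no .pfx or private key is needed on the client side.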