joergbartz
Engaged Sweeper
We are running the LanSweeper in the IIS setup (not IISexpress), due to prerequisites from our ISO.

The IIS is successfully configured to use a custom certificate, however the LS Push Service at TCP/9524 always comes up with the self-signed Lansweeper certificate, which is currently identified as a possible vulnerability and needs to be resolved. I have double-checked this with openssl s_client.

I have followed the relevant KB articles to set up a custom cert.

  • The custom cert is in the local computer cert store, incl. the private key and it is exportable.
  • I have altered the IISExpressSvc.exe.config as follows:
    <add key="UseCustomSSLCertificate" value="1"/>
    <add key="CertificateThumbPrint" value="d843[foo]ca5c"/> (Thumbprint from custom certificate)

Upon start/restart of the LanSweeper service, I can see in the log file from the thumbprint that the LS Push Service still uses the self-signed LS certificate:

2018-09-18 15:44:43,340 [4] INFO Starting service
2018-09-18 15:44:51,512 [4] INFO Started [bar] v7.0.30.66 by NT AUTHORITY\SYSTEM, port 9524, 10 Threads, 10 IP Threads, 1 Scanning Servers
2018-09-18 15:44:51,559 [4] INFO Operating System: Microsoft Windows Server 2012 R2 Standard (OS language: English (United States), OS version: 6.3.9600), Service Pack version: 0
2018-09-18 15:44:51,575 [4] INFO .NET Framework version: 4.7.3163.0
2018-09-18 15:44:51,575 [4] INFO Database: SQL Server 2016 (version: 13.0.5081.1) Express Edition (64-bit): localhost\SQLEXPRESS, 550.51 MB used
2018-09-18 15:44:51,575 [4] INFO License: Professional version, [foo], [bar] licensed assets
2018-09-18 15:44:51,637 [Listen] INFO Using existing SSL certificate. ThumbPrint: CD3CA9AF10778698C61520C081DC889B8E559882


How do I tell the service to use the custom certificate when I am not using IISExpress as webserver?

Best regards

Jörg

3 REPLIES
AZHockeyNut
Champion Sweeper III
As an option (off the top of my head and not tested), could you create a redirect from IIS, like create a vdir at /LSpushService for your clients to connect to, then have that redirect to the localhost service port? Not sure that would work, but it might help your IIS team come up with a solution.
AZHockeyNut wrote:
As an option (off the top of my head and not tested), could you create a redirect from IIS, like create a vdir at /LSpushService for your clients to connect to, then have that redirect to the localhost service port? Not sure that would work, but it might help your IIS team come up with a solution.


Hi,

thanks for your input!

Actually this port (default TCP/9524) is opened by the LanSweeperServer.exe, it is not part of the web frontend. The solution proposed by the LS team is unofficial, but it works well for me and does exactly what it should.

Thanks anyway!

Best wishes,

Jörg



Bruce_B
Lansweeper Alumni
We've replied in more detail via email, but just to clarify: we currently do not officially support the usage of a custom certificate for the scanning service listen port. Modifications to IISExpressSvc.exe.config will only change the certificate used by the web console.
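
The check described in the original post (compare the thumbprint set in the config with the one the [Listen] log line reports), as an added example that is not part of the thread and not Lansweeper code. The function names are hypothetical, the configured thumbprint is a constructed placeholder, and the log line format is assumed to be the one quoted above.

```python
import re
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample: the two appSettings keys from the post. The value is a
# placeholder; "\u200e" mimics an invisible mark that can ride along when a
# thumbprint is copied out of a certificate dialog.
SAMPLE_CONFIG = (
    '<configuration><appSettings>'
    '<add key="UseCustomSSLCertificate" value="1"/>'
    '<add key="CertificateThumbPrint" '
    'value="\u200e00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"/>'
    '</appSettings></configuration>'
)
# Two of the log lines quoted in the post.
SAMPLE_LOG = (
    "2018-09-18 15:44:43,340 [4] INFO Starting service\n"
    "2018-09-18 15:44:51,637 [Listen] INFO Using existing SSL certificate. "
    "ThumbPrint: CD3CA9AF10778698C61520C081DC889B8E559882\n"
)
LISTEN_RE = re.compile(r"\[Listen\] INFO .*SSL certificate\. ThumbPrint: (\S+)")

def normalize_thumbprint(raw):
    """Drop whitespace, colons and invisible format characters, then
    require exactly 40 hex digits (a SHA-1 thumbprint)."""
    cleaned = "".join(
        c for c in raw
        if unicodedata.category(c) != "Cf" and not c.isspace() and c != ":"
    )
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", cleaned):
        raise ValueError(f"not a 40-hex-digit thumbprint: {raw!r}")
    return cleaned.upper()

def configured_thumbprint(config_xml):
    """Thumbprint from appSettings, or None if the custom cert is not enabled."""
    settings = {a.get("key"): a.get("value", "")
                for a in ET.fromstring(config_xml).iter("add")}
    if settings.get("UseCustomSSLCertificate") != "1":
        return None
    return normalize_thumbprint(settings.get("CertificateThumbPrint", ""))

def listener_thumbprint(log_text):
    """Thumbprint from the last [Listen] certificate line (latest start)."""
    found = LISTEN_RE.findall(log_text)
    return normalize_thumbprint(found[-1]) if found else None

def check(config_xml, log_text):
    want, got = configured_thumbprint(config_xml), listener_thumbprint(log_text)
    if want is None:
        return "no-custom-cert-configured"
    if got is None:
        return "no-listener-line"
    return "match" if want == got else "mismatch"
```

On the sample data `check(SAMPLE_CONFIG, SAMPLE_LOG)` returns `"mismatch"`, the situation the thread describes: the listener on 9524 reports a different thumbprint than the one set in IISExpressSvc.exe.config.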