SSL certificate for internal machine

[cnschulz]

Gday, 

 

We are running FM server 16 with FM pro 16 and FM Go 16 clients. We have do not use SSL certs as yet. When opening databases on the go client, the user is presented with a dialog stating that the connection is not secure and would they like to proceed. Secondly, programmatic access to the server is failing due to this new error being returned from the first "ping" of the server. I understand this is normal behaviour but obviously we want to get rid of this.

We need to sign our server. The problem is that it is used on the intranet only and CA's will not sign machines that are not public facing. We will not be making our server public facing.

What are the best practices surrounding getting this machine certified?

Any help appreciated.

[Menno van Beek]

Maybe you can check out: https://www.globalsign.com/en/blog/certificates-for-internal-servers/ and https://www.globalsign.com/en/ssl/intranetssl/ to obtain a GlobalSign IntranetSSL certificate. I have not used it myself, I use Lets Encrypt, but my domains are public so I personally don't have your problem.

 

Hope this helps you :-)

[cnschulz]

Thanks! I have checked that out and a few other places. IntranetSSL *seems* possible but I have read a few posts here about having to import multiple levels of key etc. Im also wondering if there is any impact on the array of clients such as FM Go and Desktop. Do they need to have anything configured at all?

[Menno van Beek]

I honestly don't know. As I wrote, my domains are public and I use Lets Encrypt.

 

My setup is like this:

I have one Linux webserver where I host several websites, including the domain-names I used on my 3 filemaker-servers (2 x Windows 2012 and 1 Windows 2016). The certificates are renewed automatically once every three months and once every 3 months I import the renewed certificates in my FmServers.

My router runs also an internal DNS-service and only 1 FmServer is actually reachable from the external internet. The internal DNS-server routes all internal call to any of the FmServers directly to the appropriate server.

Internally in my network I can run Advanced/Pro/Go and WebDirect with Green locks.

Externally I can connect using Advanced/Pro and Go only to my first FmServer, the other domains cannot be reached with an FM-client. CWP and Webdirect can be used for all 3 domains, but that is achieved by the reverse-proxy I have running on my Linux-webserver.

 

As you can understand I don't have a typical setup, but it works fine for me, mainly because I have the webserver that requests the certificates for me and auto-renews them. The only thing I do is to import the new certificates every now and then.

 

I think if you'd like to try a setup similar like the one I have, that you may consider running a dedicated webserver somewhere (doesn't have to be on premise) and copy the certificates you have been issued for that webserver to your FmServer. Make sure that the FQDN is used on that FmServer is the same as you "specially dedicated" webserver and configure your internal DNS to route all internal calls to FQDN directly to the FmServer in stead of the webserver. In essence that is what I did in my setup.

 

kind regards, Menno

[cnschulz]

Thanks Menno, 

While this setup matches my home setup closely, its not "best practices" as you have stated. We do not have any externally accessible FM servers. 

If anyone has successfully created and used an IntranetSSL cert with filemaker I'd love to hear from them! 

[Guest noya]

One of techniques you can use, is to hire a programmer to create a middle appliation in between you server and Website server.

The program is running locally and listen to the website requests, and fullfills the requests.

طراحی سایت

[Claus Lavendt]

You don't need to have your server exposed to the internet in order to install and use SSL.

However, you do need to have DNS setup.

That means that you will need an internal DNS server, that can resolve your domain to your server and you do need to purchase a domain name.
There are several supported SSL certificates that are domain validated. It differs a bit, how they do this, but most will require you to have an email account for [email protected] and they will email to this address to do the validation.

I just gave a presentation at DevCon on this, so you can watch the video on FileMaker community site, when they are available. You can also find a video I did with Richard Carlton here: http://thebrainbasket.com/?p=471 (it's with FMS15, but it is the same process for FMS16)