Example of server configuration - Windows 2008 Server and IIS

This example sets out the various steps in configuring an IIS server on Windows 2008 Server, allowing identification in Digest mode through an SSL connection (server certificate generated through the firewall’s PKI).

Please note that in order to enable SSL in IIS, the server has to be a member of an Active Directory domain.

Using the Windows file explorer, create the folder meant for receiving automatic backups (example: c:\inetpub\wwwroot\autobackup).

Create a dedicated user for automatic backups in the Active Directory Users and Computers console.

In this example, the account used is named autobackup and belongs to the Autobackup Allowed Users group specifically created for this purpose. Writing privileges on the folder dedicated to backups can be defined in the settings of the WebDAV site.

  1. If it has not yet been installed, add the IIS role in the Server Manager console (menu Add roles > Server roles > Web Server (IIS)).

  1. During the installation of the IIS role, or when selecting the option Add Role service for the Web Server (IIS) role in the Server Manager console, select the following options:

Web Server

|----- Common HTTP Features
|              |----- WebDAV Publishing
|----- Security
|              |----- Basic Authentication
|              |----- Digest Authentication
|----- Management Tools
|              |----- Management Service

In this example, the site used for receiving and storing backups will not be the Default Web Site, but a dedicated site named autobackup, whose base folder will be located under the root of the Default Web Site (c:\inetpub\wwwroot).

  1. Launch the Internet Information Server (IIS) Manager console.
  2. Right-click on Default Web Site.
  3. Select the option Add Virtual Directory.

  1. In the field Alias, select the name given to your site (example: autobackup); the address of the site will take the form https://server_name.company.com/alias.
  2. In the field Physical path, select (or create) the physical folder corresponding to your virtual site (example: c:\inetpub\wwwroot\autobackup).
  3. Right-click on your site.
  4. Select the option Edit Permissions to grant writing privileges to the group of dedicated users on the physical folder meant for storing the backups.
  5. In the Security tab, click on Edit.
  6. Select the user group (example: Autobackup Allowed Users).
  7. Select the checkboxes Modify and Write.
  8. Validate.

  1. In the Internet Information Server (IIS) Manager console, select your site (autobackup in the example).
  2. Double-click on the Directory browsing icon.
  3. In the right panel (Actions), click on Enable.

Backup files are encrypted and have an “.enc” extension. Since this extension is unknown to the IIS server, it must be defined so that the server will know which action to perform when you click on the link corresponding to a backup (execute the file, suggest opening or downloading it, etc.).

  1. In the Internet Information Server (IIS) Manager console, select your site (autobackup in the example)
  2. Double-click on the MIME Types icon.
  3. In the right panel (Actions), click on Add.
  4. In the field File name extension, indicate .enc.
  5. In the field MIME Type, specify application/octet-stream.
  1. In the Internet Information Server (IIS) Manager console, select Default Web Site.
  2. Double-click on the WebDAV Authoring Rules icon:

  1. In the right panel (Actions), click on Enable WebDAV:

  1. In the IIS console, select your site (autobackup in the example).
  2. Double-click on the WebDAV Authoring Rules icon.
  3. In the right panel (Actions), click on Add Authoring Rule.
  4. For this rule, select the options All content, All users and permissions: Read, Source, and Write.

  1. In the Internet Information Services Manager console, click on your site.
  2. Double-click on the Authentication icon.

  1. Enable Basic Authentication and Digest Authentication.
  2. Disable Anonymous Authentication.

  1. Select Digest Authentication.
  2. Click on Edit in the right panel to specify the server’s Active Directory domain (documentation.mycompany.com in the example).

  1. Validate.

On the firewall hosting the CA used for automatic backups:

  1. Go to the Configuration > Objects > Certificates and PKI module.
  2. Create a server certificate relating to the server hosting the backups (menu Add > Add a server certificate).
  3. Select this certificate and export it in PKCS12 format (menu Download > Certificate as a P12 file).
  1. In the Internet Information Services Manager console, select the name of the server.
  2. Double click on the option Server Certificates.

  1. In the right panel (Actions), click on Import.
  2. Select the server certificate.
  3. Enter the associated password.
    The certificate will then appear in the IIS certificate store:

  1. In the Internet Information Services Manager console, click on the Default Web Site.
  2. Select the option Bindings in the right panel.
  3. Add a binding with the following values:
  • Type: https,
  • IP address: the IP address on which the server has to be contacted in HTTPS,
  • Port: 443,
  • SSL certificate: the imported server certificate.

  1. In the Internet Information Services Manager console, click on your site.
  2. Double-click on the icon SSL Settings.
  3. Select the checkbox Require SSL.
  4. Apply.