In today’s post of my four-part Work Folders series, I’ll discuss setting up SSL for the IIS Hostable Web Core.

Kyle Beckman

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in higher education. He has 17+ years of systems administration experience.

One of the biggest selling points of Work Folders is that it allows your end users to synchronize corporate data to their personally owned devices with little or no intervention from IT. Since these personally owned devices aren’t going to be managed by IT, we’ll have to take a few extra steps to make sure that end users don’t receive errors when trying to connect to the Work Folders server.

Do you have to use a certificate from a public CA? Technically, no. If you’re only going to expose Work Folders to corporately-managed devices, you can use a certificate from an internal CA and you should be fine.

If you are going to expose Work Folders to non-corporate devices, I usually prefer to go with the solution that is going to generate the fewest support requests. If you have to publish complicated instructions, end users are either going to generate support requests or use an unauthorized solution. If IT takes the time to do the extra setup of using a cert from a public CA, it will eliminate a lot of support headaches down the road.

Syncing of data between clients and the Work Folders server is handled by the IIS Hostable Web Core, which you may have noticed was installed when we installed Work Folders earlier. To manage the certificates, we’ll need to install the IIS management tools by running the following PowerShell command:

Next, open the Internet Information Services (IIS) Manager and find the Default Web Site for your Work Folders server.

Internet Information Services (IIS) Manager

The IIS Hostable Web Core should appear to be stopped even though it isn’t. Click on the server name and then double-click on Certificates. In the Actions pane, click on Create Certificate Request.

Create Certificate Request

Fill out the Distinguished Name Properties using your organization’s information. Don’t forget to use the DNS name we created back in Part 2 if you created a DNS entry for the Work Folders server.

Distinguished Name Properties

Make sure your Bit length is at least 2048, choose a name for your certificate request file, and click Finish.

Bit length / File name for the certificate request

You should end up with a certificate request that looks something like the screenshot below that can be submitted to any of the public certificate authorities.

Certificate request

Take the certificate request (CSR) to any of the public Certificate Authorities and purchase your SSL certificate. Once you’ve got the signed certificate, you can go back into the IIS Manager and click Complete Certificate Request to finish the process.

Complete Certificate Request

Before completing the certificate process, check with your Certificate Authority to see if you need to load their Root and/or Intermediate certificates onto your server. If these certificates are needed, you may receive an error in the IIS Manager when trying to add your new certificate.

Specify the path to the certificate, a friendly name, and where the certificate should be stored. Once you’re done, the certificate should look something like in the second screenshot below.

Specify Certificate Authority Response / Server certificates in IIS Manager

Click on Default Web Site in the IIS Manager and then click Bindings in the Actions pane.

Bindings

Click the Add button.

Add Site Bindings

Specify HTTPS, select the SSL certificate that was just added, and click OK.

Select the SSL certificate

At this point, Work Folders is configured and ready for users to connect securely. In our next part, I’ll cover setting up the clients to access Work Folders.
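
A read-only check to run after the binding step, added here as an example and not taken from the original article: it looks in the local machine store for certificates that cover the Work Folders DNS name and reports on the conditions the walkthrough depends on (private key present, bit length of at least 2048, validity dates, and a chain that builds through the CA's root and intermediate certificates). The function names and `workfolders.example.com` are placeholders chosen for this example.

```powershell
# Added example, not from the original article. Read-only; run in Windows
# PowerShell on the Work Folders server. The DNS name is a placeholder.
function Test-DnsNameCovered {
    param([string]$Pattern, [string]$Name)
    if ($Pattern -eq $Name) { return $true }    # string -eq ignores case
    # A wildcard replaces exactly one leftmost label: *.example.com covers
    # wf.example.com but not wf.child.example.com or example.com itself.
    if ($Pattern.StartsWith('*.') -and $Name.Contains('.')) {
        return $Pattern.Substring(1) -eq $Name.Substring($Name.IndexOf('.'))
    }
    return $false
}

function Test-WorkFoldersCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$DnsName,
        [int]$MinimumKeyBits = 2048
    )
    # Enumerate through the Cert: provider so each object carries DnsNameList.
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        if (-not ($names | Where-Object { Test-DnsNameCovered $_ $DnsName })) { continue }
        $findings = @()
        if (-not $cert.HasPrivateKey) { $findings += 'no private key in the store' }

        $bits = $null
        try { $bits = $cert.PublicKey.Key.KeySize } catch { }
        if ($null -eq $bits) { $findings += 'key size could not be read' }
        elseif ($bits -lt $MinimumKeyBits) { $findings += "key is $bits bits, below $MinimumKeyBits" }
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $findings += 'outside validity period' }

        # Revocation is not checked. A chain that cannot be completed is
        # reported as PartialChain, an unknown root as UntrustedRoot.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        if (-not $chain.Build($cert)) {
            $findings += $chain.ChainStatus | ForEach-Object { "chain: $($_.Status)" }
        }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Passed     = ($findings.Count -eq 0)
            Findings   = $findings
        }
    }
}

Test-WorkFoldersCertificate -DnsName 'workfolders.example.com' | Format-List
```

No output at all means no certificate in the store covers the name, which is worth ruling out before troubleshooting clients.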

10 Comments
  1. JS 4 years ago

    I have a Server 2012 and my clients connect to the server with VPN (I have configured it in my firewall). I had several problems with folder redirection so I decided to use Work Folder.
    The question is which one of the methods should I use, URL and SSL or just email?

    I have tested with a client and when I wanted to use an email address (test@example.local)
    it cannot connect (I can ping the record of Work Folder from my client).

    1+

    • Author
      Kyle Beckman 3 years ago

      ".local" isn't a valid TLD.  Is that your actual TLD?

      0

  2. Yuri 3 years ago

    Thank you for the guide, it really helps.

    I'm trying to set it up on my local domain (domain.local) and I would like to use a self-signed certificate. I don't really need this to work from outside the domain as I'd like my users to do the sync over a VPN.

    Can you please include the steps required to get this feature working using a self-signed cert?

    So far I have tried many ways but I'm limited with my certificate knowledge.

    0

    • Author
      Kyle Beckman 3 years ago

      Getting clients to work reliably with a self-signed certificate is a massive headache.  I tried doing it in a lab and even I got frustrated.  Imagine how that is going to impact your user adoption if your customers get that frustrated.  Pay for the certificate and save yourself the hassle.

      0

  3. Haydn 3 years ago

    If we have an SSL cert from a public CA already, what steps are required in this instance?

    0

    • Author
      Kyle Beckman 3 years ago

      Ummmm.... That's what I cover in the article.  For Work Folders, I only recommend running it with a certificate from a public CA.  Running it with a cert from your corporate CA means every client (including mobile devices) has to have your root cert installed.  That's a huge headache and not worth the cost of a certificate.

      1+

  4. Haydn 3 years ago

    Hi Kyle, I see it is covered in the article if you don't have an SSL cert. But we already have a wildcard cert. It is signed by GoDaddy already for our domain. I simply wish to use this cert instead of having GoDaddy re-sign another cert.

    Is it possible to use a cert already signed by a CA?

    0

  5. Gangadhar 2 years ago

    For test lab purposes we used "http://hostname.domain.local" on a Windows 10 client OS. Unable to connect to my work folder: "There was a problem finding your work folder". But the folder has been created automatically.

    Thank you in advance.

    1+

  6. Thomas 2 years ago

    Kyle:

    I used this guide last year to install and set up Workfolders for all laptop users in our domain. Everything is running perfectly, thank you for such a simple to follow document.

    This year I am tasked with setting up Workfolders for a child domain (child.parent.com). Is there something that needs to be completed differently for a child domain?   I have a wildcard cert, but am still getting errors finding WorkFolder server.

    1+

  7. Stephen Sit 2 years ago

    For Self-Signed SSL or Enterprise CA, you can always use group policy to install the SSL & CA SSL into the client computer.

    0

© 4sysops 2006 - 2019
