My DMS is configured with IP addresses for every agent in the cluster.
Since I now enabled HTTPS in maintenancesettings I would expect I need to configure the DMS to use hostnames, but the connection remains working as normal with IP addresses only.
Why is that? Is my DMS actually using HTTPS or do I need to enable something else too?
EDIT: My bindings in IIS already had no mention of http anymore.
Hi Alexander,
DataMiner still functions because Inter-DataMiner connections communicate over .NET Remoting (TCP port 8004), while downloading Cube or opening the web applications actually uses HTTP(S). There's a nice graphical representation in the docs. (Note the difference between the default Client connections, aka Cube, and the Client web applications).
In short, when you browse to https://<your FQDN>/DataMinerCube (or when using the Cube Desktop Application) you will only download Cube over the HTTPS connection. Actually logging in and communicating with DataMiner will go over .NET Remoting, which does not support TLS encryption, meaning you can still use the IP address (because there is no certificate). Of course, you can also use the hostnames everywhere (even without HTTPS enabled). Note that while using the web applications (Dashboards, Monitoring, ...) all communication with the DMA is over the HTTP protocol, so there the traffic will be encrypted if HTTPS is enabled.
Leaving this aside, you can also enable HTTPS and include the IP Address of your server in the Subject Alternative Names of the TLS certificate. This will also allow you to use the IP Address while using HTTPS. (Side note: this is in fact required when you're running DataMiner Failover with a Virtual IP over HTTPS only). For more information, please see setting up HTTPS.
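The Subject Alternative Name point above, as an added example (not part of the original answer and not DataMiner code): a client that browses to https://<IP> accepts the certificate only if that IP is listed as an IP-type SAN entry. The sketch checks this against a constructed certificate dictionary in the shape Python's `ssl.SSLSocket.getpeercert()` returns; all names and addresses are made up.

```python
import ipaddress

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Names and addresses are invented (documentation ranges).
SAMPLE_CERT = {
    "subject": ((("commonName", "dma01.example.com"),),),
    "subjectAltName": (
        ("DNS", "dma01.example.com"),
        ("DNS", "*.dms.example.com"),
        ("IP Address", "192.0.2.10"),  # the agent's own address
        ("IP Address", "192.0.2.50"),  # Failover virtual IP
    ),
}

def _dns_match(pattern, host):
    """Case-insensitive match; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def san_covers(cert, target):
    """True if `target` (the host part of the URL) is listed in the SAN.

    An IP literal is compared only with 'IP Address' entries and a hostname
    only with 'DNS' entries; the subject CN is not consulted.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:  # not an IP literal, so treat it as a hostname
        return any(k == "DNS" and _dns_match(v, target) for k, v in sans)
    for kind, value in sans:
        if kind != "IP Address":
            continue
        try:
            if ipaddress.ip_address(value.strip()) == ip:
                return True
        except ValueError:
            continue  # skip an entry that does not parse as an address
    return False

def audit(cert, targets):
    """Map every address or name clients use to whether the cert covers it."""
    return {t: san_covers(cert, t) for t in targets}
```

Running `audit` over every address and hostname users actually type (agent IPs, the virtual IP, FQDNs) before removing the HTTP binding shows which of them will produce certificate errors afterwards.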
Hi all,
I have a situation in our DMS (failover pair) that touches this topic closely, therefore I'm not creating a new question.
Our DMS is IP address based, so no hostnames are in place. We use IP addresses only at this moment.
I have configured HTTPS as per the user guide with a self-signed certificate that lists the VIP IP address (and other IP addresses of that server) in the SAN. The CN configured is the primary IP address of the server. First I kept the HTTP binding in place too. With that configured I can properly connect from a web client over HTTPS. The Cube app works well.
Secondly I removed the http binding. The WEB still works OK, but now I can't connect with cube app.
I noticed that previously opened Cube apps (ones opened and logged in before the HTTP binding removal) are working fine and interact normally with the DMS.
So it seems the Cube app uses HTTP in the initial stage (probably downloading the actual version). How can I change this initial Cube communication to HTTPS so that the Cube app will work well?
Hi Alexander,
When you mention 'the connection remains working as normal with IP addresses only.', are you referring to still being able to connect via HTTP?
- Enable only HTTPS (recommended): In this case you need to edit the site binding and enable only HTTPS
You should have something similar to the screenshot below:
- HTTP redirection: Additional information can be found in DataMiner Docs
Hi Alexander,
Enabling HTTPS also requires changes in IIS. You can find more info on this docs page.
If you want to enforce HTTPS you should also remove the binding for HTTP in IIS manager. That way you will not be able to access it by using the IP address but only by the host name that is present on the certificate you have assigned to the HTTPS binding.
When enforcing HTTPS it’s also useful to block/disable inbound TCP port 80 (or the HTTP port configured in IIS) in the firewall.
Yes, I forgot to mention it, but I did update my bindings in IIS to have https only.
Normally the browser should then give a warning that the connection is not secure. If not, try to hard reload the page because it is probably cached.
Yes, I should have mentioned: I did edit the bindings to have https only in IIS.