MBAM and Secure Network Communication

Summary

This article discusses on how to configure Microsoft’s BitLocker Administration and Monitoring (MBAM) with Secure Network Communication.

MBAM can encrypt the communication between the MBAM Recovery and Hardware Database, the Administration and Monitoring servers and the MBAM clients. If you decide to encrypt the communication, you are asked to select the certification authority-provisioned certificate that will be used for encryption.

The channel between MBAM Administration & Monitoring Server and SQL SSRS can also be encrypted. An Administrator needs a certificate approved from CA (Certificate Authority) or a Self-Signed Certificate before deploying MBAM.

Note: If you decide to go with SSL, make sure you have the correct certificate to configure SSL before running MBAM Setup on your server.

Step 1: Encrypt Channel between MBAM Client and Administration & Monitoring Server.

  1. Using Self Signed Certificate.
    1. Connect to Server where MBAM Administration & Monitoring Role will be installed.
    2. Make sure you have installed IIS.
    3. Open Server Manager and Click on Roles.
    4. Select webserver and click on IIS.
    5. In Feature View, Double Click Server Certificates.
    6. Under Actions Pane, Select Self-Signed Certificate.
    7. On the Create Self-Signed Certificate page, type a friendly name for the certificate in the Specify a friendly name for the certificate box, and then click OK.
    Notes:
    • This procedure generates a self-signed certificate that does not originate from a generally trusted source; therefore, you should not use this certificate to help secure data transfers between Internet clients and your server.
    • Self-signed certificates may cause your Web browser to issue phishing warnings.
  2. Using Certificate Approved by Certificate Authority

    There are 2 ways to import a certificate
    1. Request or Import a certificate from a CA using IIS:
    2. Request or Import a certificate into the Personal Certificate Store using Certificate Manager:
      http://windows.microsoft.com/en-us/windows-vista/Request-or-renew-a-certificate

      Certificate Templates to be used:
      MBAM Client to MBAM Administration & Monitoring Server: Use Standard Web Server Template.

      After you have certificate ready, when you execute MBAM Setup, we will show you the thumbprint of the certificate in “Configure Network Communication Security” wizard for MBAM Setup.
Step 2: Encrypt Channel between MBAM Administration & Monitoring Server and MBAM Recovery & Hardware SQL DB.

MBAM can encrypt the communication between the Recovery and Hardware Database and the Administration and Monitoring servers. If you choose the option to encrypt communication, you are asked to select the Certificate Authority-provisioned certificate that is used for encryption.

Certificate Templates to be used:
MBAM SQL DB Server to Admin & Monitoring Server: Standard Server Authentication Template

When you execute MBAM Setup Program on a server where you will install MBAM Recovery & Hardware DB Role, you can see the certificate thumbprint in "Configure Network Communication Security" wizard for MBAM Setup Program.




Step 3: How to Configure SSL for SQL Compliance and Audit DB Server.

Note: You will have to configure SSL for SQL before you run MBAM Setup on your server.
  1. Open SQL Reporting Services Configuration Manager on Server where you installed MBAM Audit Reports Role.
  2. Connect to your Server and Click Web Service URL.
  3. Click Advanced and then select your certificate. See image below:
  4. Repeat “Step 3” for Report Manager URL in SQL Reporting Services Configuration Manager.
  5. Now when you open MBAM Reports it will use SSL to connect to SQL SSRS.


Step 4: Configure SQL to force encryption on all protocols
  1. Login to SQL Server and Open SQL Server Configuration Manager.
  2. Expand SQL Server Network Configuration and select "Protocols for MSSQLSERVER".
  3. Right Click on "Protocols for MSSQLSERVER" and Select Yes for Force Encryption.



  4. Select Certificates tab and choose your certificate from drop down.
  5. Click Apply and restart your SQL Services.
  6. When you try to restart SQL Services, you will hit an error message " The request failed or the service did not respond in a timely fashion. Consult the event log or other applicable error logs for details."
  7. It fails since SQL account does not have rights on Private keys of the certificate.
  8. Open Certificate Manager MMC console and give the SQL account which is used for SQL services Full access on the certificate.



  9. Restart the SQL Server Services now and it should be successful.

More Information

Propiedades

Id. de artículo: 2754259 - Última revisión: 6 mar. 2015 - Revisión: 1

Comentarios