9780735697744 Introducing Windows Server 2016 pdf

Supporting non-SNI-capable clients
Server Name Indication (SNI) is a feature of Secure Sockets Layer (SSL)/Transport Layer Security (TLS) that is used in Web Application Proxy server and AD FS to reduce network infrastructure requirements. Traditionally, an SSL certificate had to be bound to an IP address/port combination. This meant that you would need to have a separate IP address configured if you wanted to bind a different certificate to the same port number on a server. With the use of SNI, a certificate is instead bound to the host name and port, allowing you to conserve IP addresses and reduce complexity.

It's important to realize that SNI relies on the requesting client supporting SNI. If the SSL Client Hello doesn't contain the SNI header, http.sys won't be able to determine which certificate to offer the client and will reset the connection.

Most modern clients support SNI, but there are some clients that tend to cause issues. Generally, older browsers, legacy operating systems, hardware load balancers, health probes, older versions of WebDAV, ActiveSync on Android, and some older VoIP conferencing devices might be non-SNI-capable devices.

If it is necessary to support non-SNI clients, the easiest solution is to create a fallback certificate binding in http.sys. The fallback certificate needs to include any fully qualified domain names (FQDNs) that may need to be supported, including the FQDN for the AD FS service itself (adfs.contoso.com), the FQDN of any applications published via Web Application Proxy (mail.contoso.com), and the FQDN to support Enterprise registration (enterpriseregistration.contoso.com) if you are using Workplace Join.

When you have generated the certificate, get the application GUID and certificate thumbprints in use by using the following Windows PowerShell cmdlet:

Get-WebApplicationProxyApplication | fl Name,ExternalURL,ExternalCertificateThumbprint

Now that you have the application GUID and certificate thumbprint, you can bind it to the IP wildcard and port 443 by using the following syntax:

netsh http add sslcert ipport=0.0.0.0:443 certhash=certthumbprint appid={applicationguid}

Note that you will need to run this on each server in the AD FS farm as well as on any Web Application Proxy server.
