MiVoice Office Application Suite - Technical Manual
Enabling HTTPS

To improve security it is recommended to switch access to the MiVoice Office Application Suite website from HTTP (default) to HTTPS.

The website is hosted by the IIS server, which is part of the host operating system. The following steps explain the process involved in enabling HTTPS for the website.

Enabling HTTPS Steps

  1. Use a valid TLD domain name for external access
  2. Alias your windows server name
  3. Create a CSR (Certificate Signing Request) for the server
  4. Obtain a certificate from your provider
  5. Install the certificate on the server
  6. Renewing the certificate when it expires
If a certificate has already been installed for Phone Manager Mobile, the same certificate can be used for enabling HTTPS on the website.

Use a valid TLD domain name for external access

You can only get a CA certificate for a valid IANA top-level domain. This means you cannot use an IP address or .lan or .local domain names. If you are currently using an IP address for external access for the mobile client, you will need to change to a valid domain name for which you can get a certificate.

Alias your windows server name

If your internal MCS server name is not the same as the name you will use to access the server remotely (e.g. your external access will be by mobile.example.com but your server is called server1.example.local) then you will need to add a computer name alias so that the certificate 'common name' or 'alternative name' matches the Windows server name or alias.

If you are using a Windows domain-joined server, creating a computer name alias is a simple process. Open an elevated PowerShell (or command prompt) window on the AppSuite server, enter the command below, and you're done.

netdom computername <COMPUTER> /add:<ALIAS>

Example:
netdom computername server1 /add:mobile.example.com

 

The command will also add a DNS A record for internal access. External DNS access will need to be set up with your external domain name servers.

More details are available in the Microsoft Technet article here:

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/using-computer-name-aliases-in-place-of-dns-cname-records/ba-p/259064

Creating a CSR & Obtaining a Certificate

A CSR (certificate signing request) must be generated on the host server before a certificate can be purchased and installed. For ease of renewal we do this through IIS not MCS.

***This step must be done on the AppSuite server itself or you will not have the private key and the certificate will not work ***
Ensure the Client Location addresses have been correctly configured with the servername/FQDN for local and remote connections before creating a CSR.

The method for doing this manually on the server will differ depending on the version of IIS installed. A good reference on how to generate the CSR can be found on the Digicert website: https://www.digicert.com/csr-creation.htm. The process is slightly different for different versions of Windows (as they have different versions of IIS) so scroll down the page to find the instructions for the version of IIS you are using.

Common name - The fully-qualified external domain name of the MCS server. This should be the Client Location Remote 'NAT IP Address/Hostname' address configured on your MCS server. If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.example.com
Alternative names - Enter any alternative hostnames or IP addresses that may be used to connect to the server, for example the internal DNS name. This must include the Client Location Local 'IP Address/Hostname' address configured on your MCS server.

You should receive a certificate .cer file at the end of the process.

Once you have a CSR, a certificate must be obtained from your Certificate Authority.

Obtain a certificate from your provider

The previous step will provide a csr text file.

This manual does not cover the exact steps needed to get a certificate from your CA (Certificate Authority), as they vary from CA to CA. Follow your provider's instructions on how to use the CSR file to order a certificate.

Installing a Certificate

Once a certificate has been purchased/generated, it must be installed on the host server. A good reference on how to install the certificate can be found on the Digicert website: https://www.digicert.com/csr-creation.htm. The process is slightly different for different versions of Windows (as they have different versions of IIS) so scroll down the page to find the instructions for the version of IIS you are using and follow the 'To install your certificate' section.

If, when viewing the certificate, it does not say at the bottom of the screen 'You have a private key that corresponds to this certificate' then it will NOT work. The most common reason for this is that the CSR creation was not done on the AppSuite server you are trying to install the certificate on. You need to go through the CSR creation process on the server.

When following the guide, the Friendly name must be set to 'MCS - Phone Manager client connections', not the name the guide recommends. This is so that MCS will find and use the certificate.
A restart of the system is required for certificate changes to take effect.
The maximum period a certificate can be valid for is 1 year (Let's Encrypt 90 days), so we recommend you put a reminder in your diary and schedule the renewal before the certificate expires so you don't lose service.

Renewing the Certificate

Obtain the new certificate (.cer file) from your CA (certificate authority).

Update the certificate

Run Certificate Manager certmgr.msc
Select Personal > Certificates from the left hand pane.

Select the existing certificate, right click, choose Properties, delete the friendly name and click OK to save.

Right click on Certificates (under Personal) choose All Tasks > Import. Follow the wizard and import the new certificate from your .cer file.

Select the new certificate, right click, choose Properties and change the friendly name to 'MCS - Phone Manager client connections' and OK to save.

Bind the new certificate:

Run Internet Information Services (IIS) Manager (inetmgr.exe)

In the Connections pane on the left, under Sites, select Mitel MCS and then Bindings under Edit Site in the right hand pane.

Select https and press the Edit button.

In the SSL certificate drop down list select 'MCS - Phone Manager client connections' and click OK to save.

Restart the server.

A restart of the system is required for certificate changes to take effect.
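
The checks described in the installation and renewal sections can be confirmed from PowerShell after either procedure. This is an added example, not part of the original manual or Mitel's tooling. It assumes the certificate is in the Local Machine Personal store, uses the manual's sample host names as placeholders, and uses an assumed 30-day renewal warning window.

```powershell
# Added example: run in an elevated PowerShell window on the AppSuite server.
# Assumptions: the certificate is in the Local Machine Personal store; the host
# names are the manual's sample names (replace with your Client Location addresses).
$FriendlyName  = 'MCS - Phone Manager client connections'
$SiteName      = 'Mitel MCS'
$RequiredHosts = @('mobile.example.com', 'server1.example.local')
$WarnDays      = 30   # assumed lead time for scheduling a renewal

# True when a host name is covered by one of the certificate's DNS names.
# A wildcard entry covers exactly one left-most label, as in TLS name matching.
function Test-HostCovered([string]$HostName, [string[]]$CertNames) {
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }
        if ($name.StartsWith('*.') -and $HostName.Contains('.')) {
            $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
            if ($parent -eq $name.Substring(2)) { return $true }
        }
    }
    return $false
}

$certs = @(Get-ChildItem Cert:\LocalMachine\My |
           Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($certs.Count -ne 1) {
    # After a renewal the old certificate should no longer carry the friendly name.
    Write-Warning "Expected one certificate named '$FriendlyName', found $($certs.Count)."
}

Import-Module WebAdministration
$boundHashes = @(Get-WebBinding -Name $SiteName -Protocol https |
                 ForEach-Object { $_.certificateHash })

foreach ($cert in $certs) {
    $names    = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey   # must be True or the certificate will not work
        MissingNames  = @($RequiredHosts | Where-Object { -not (Test-HostCovered $_ $names) }) -join ', '
        DaysLeft      = $daysLeft
        RenewSoon     = $daysLeft -le $WarnDays
        BoundInIIS    = $boundHashes -contains $cert.Thumbprint
    }
}
```

The name check covers DNS names only; IP addresses entered as alternative names need to be checked in the certificate's details view.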