Microsoft IIS
Prerequisites
- The Windows gateway agent, and the user account used on the Windows machine running Microsoft IIS, must have administrative privileges.
- Ensure that PowerShell and WinRM are installed and running on the Windows machine.
- Verify that the Microsoft IIS services are active on the Windows machine.
- At least one website must be configured on the Microsoft IIS server.
- If WMI is selected as the Gateway type, ensure that WMI is properly configured on the Windows machine.
- The user must have read and write permissions on the folder specified as the discovery path and on the push location.
- The user must have the required access permissions to the drive, and the drive must be configured for sharing to allow discovery and push operations.
- The user must have read and write access to the trust store in order to discover certificates from it and push certificates to it.
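The following script is an added example (not part of the AppViewX documentation or product) that checks the prerequisites above on the IIS host before the device is added. Run it as the account the gateway will use; the discovery path C:\Cert\folder and the local computer name are assumptions, so replace them with your own values.

```powershell
# Added example (not AppViewX code): verify the Microsoft IIS onboarding prerequisites
# on the IIS host. $DiscoveryPath and $RemoteHost are assumptions; adjust as needed.
#Requires -RunAsAdministrator
param(
    [string]$DiscoveryPath = 'C:\Cert\folder',      # assumed discovery / push path
    [string]$RemoteHost    = $env:COMPUTERNAME      # host to test the WinRM listener on
)

$results = [ordered]@{}

# 1. WinRM service running and a listener answering (used by the PowerShell gateway type).
$results['WinRM service running'] = (Get-Service -Name WinRM).Status -eq 'Running'
try {
    Test-WSMan -ComputerName $RemoteHost -ErrorAction Stop | Out-Null
    $results['WinRM listener reachable'] = $true
} catch { $results['WinRM listener reachable'] = $false }

# 2. IIS services active: W3SVC (World Wide Web Publishing) and WAS (Process Activation).
foreach ($svc in 'W3SVC', 'WAS') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $results["IIS service $svc running"] = ($null -ne $s -and $s.Status -eq 'Running')
}

# 3. At least one website configured.
Import-Module WebAdministration -ErrorAction SilentlyContinue
$results['At least one IIS site'] = @(Get-Website -ErrorAction SilentlyContinue).Count -ge 1

# 4. Read/write on the discovery and push path. Writing a probe file catches deny ACEs
#    and share-level restrictions that inspecting Get-Acl alone would miss.
$probe = Join-Path $DiscoveryPath ('avx-probe-{0}.tmp' -f [guid]::NewGuid())
try {
    [void](Get-ChildItem -LiteralPath $DiscoveryPath -ErrorAction Stop)
    Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
    Remove-Item -LiteralPath $probe -ErrorAction Stop
    $results['Discovery path read/write'] = $true
} catch { $results['Discovery path read/write'] = $false }

# 5. Read/write access to the machine certificate store IIS binds from (LocalMachine\My).
try {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Close()
    $results['LocalMachine\My store read/write'] = $true
} catch { $results['LocalMachine\My store read/write'] = $false }

# 6. Only relevant when Gateway type = WMI: a cheap WMI/CIM liveness check.
try {
    Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction Stop | Out-Null
    $results['WMI/CIM responding'] = $true
} catch { $results['WMI/CIM responding'] = $false }

$results.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

Any FAIL line corresponds to one of the prerequisites above and should be fixed before onboarding; a FAIL on the discovery path when the path is a UNC share usually means the share permissions, not the NTFS permissions, are the problem.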
Onboarding Microsoft IIS
- Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
  By default, the ADC tab opens.
- Click the Server tab.
- Click the (Add) icon.
  The Device details page is displayed.
- Select Microsoft IIS from the Vendors list.
- In the Server details section, select/enter the details as follows.
Table 1. Server Details - Field Description Table
- *Server name: Enter the name of the designated Microsoft IIS server.
- *Hostname: Enter the hostname of the Microsoft IIS server that is to be onboarded.
  Note: If the Microsoft IIS server is configured for the integrated Windows Gateway mode, ensure that the hostname used is resolvable from the cloud connector. Using the FQDN is preferred.
- Data center: Choose the desired data center. It holds all the SSL certificates retrieved from the Microsoft IIS server.
- Cert Sync: Choose one of the following:
  - Managed - AppViewX performs the config fetch operations, and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback, etc.) can be performed on them.
  - Monitored - AppViewX performs the config fetch operations, and the certificates are downloaded to the inventory in a read-only state. CLM actions cannot be performed on them.
  - Ignored - AppViewX only performs the config fetch operations for the device. No certificate discovery is performed.
*: Mandatory fields
- In the Credentials section, select/enter the details as indicated below. The credentials entered in this section are used to authenticate the session between the AppViewX node and the Microsoft IIS server.
Table 2. Credentials - Field Description Table
- *Credential Type: Select the credential type from the dropdown.
  - Manual entry (default)
  - Credential List - Appviewx
  - Gateway credential
  - All supported external vaults
  Note:
  - If Credential list - Appviewx is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
  - If Gateway credential is selected, no other fields are displayed.
  - AppViewX supports the following external credential types: HashiCorp, CyberArk, BeyondTrust, Thycotic.
- Certificate Location Details: By default, only the Certificate store option is selected for certificate discovery. To also discover certificates from the Centralized file system, select the corresponding checkbox and specify the certificate location. The certificate location can be either a shared path or a local file system directory; only one of the two can be configured at a time. Only .pfx and .p12 certificates are discovered from the given location. Choose a preconfigured password vault from the dropdown menu to parse password-protected certificates.
- *Username: Enter the designated username for authentication. (Displayed for Manual entry only.)
- *Password: Enter the password. (Displayed for Manual entry only.)
*: Mandatory fields
- Enter/Select the Windows gateway details.
Table 3. Windows Gateway Details - Field Description Table
- *Windows Gateway Mode: Select the gateway agent mode to use for communicating with Windows-based devices:
  - External: Uses the AppViewX Windows Gateway Agent that is set up on a Windows device.
  - Integrated: Uses the prepackaged gateway that is integrated in the AppViewX Cloud Connector (enabled only in the SaaS and Managed Kubernetes installations). See Prerequisites for using the Integrated Windows Gateway mode.
  Note: The integrated gateway is not compatible with server addition using the import feature.
- *Gateway type: Select the required gateway type:
  - PowerShell
  - WMI
  Note: The integrated gateway uses only the PowerShell command execution mode; this field is therefore not displayed when Windows Gateway Mode = Integrated.
- *Gateway location: Select the gateway location:
  - Remote
  - LocalSystem
  Note: The integrated gateway is always remotely located; this field is therefore not displayed when Windows Gateway Mode = Integrated.
- *FQDN: Enter the FQDN of the local system on which the Windows Gateway Agent will be installed. (Displayed when Gateway location = LocalSystem.)
- *Port: Enter the port number on the local system on which the Windows Gateway Agent will be installed. (Displayed when Gateway location = LocalSystem.)
- *Select gateway: Select the gateway (not displayed when Windows Gateway Mode = Integrated):
  - New
  - Existing
- *Windows gateway: From the dropdown list, select an existing Windows gateway. (Displayed only when Select gateway = Existing.)
- *Windows gateway name: For Windows Gateway Mode = External and Select gateway = New, enter a name for the Windows Gateway. For Windows Gateway Mode = Integrated, this field is auto-populated with the value integrated-gateway.
- *Windows gateway URL: Enter the URL of the Windows Gateway endpoint. (Displayed only when Windows Gateway Mode = External.)
- Client authentication certificate: Upload the client certificate used while installing the Windows Gateway. You can use the default client certificate (ClientCertificateGateway.pfx) or a custom certificate; for production gateways, prefer a custom certificate so that the client credential is unique to your deployment. (Displayed only when Windows Gateway Mode = External and Select gateway = New.)
*: Mandatory fields

Note:
Microsoft IIS Discovery
The discovery process for Microsoft IIS can leverage multiple sources, as outlined below:
- File System Discovery: Requires at least one file path to be specified during device addition.
- Microsoft Certificate Store Discovery: Automatically scans the server’s certificate store for available certificates.
- Shared Network Path Discovery: IIS supports discovery through shared network paths. Within the network of the managed IIS device, the logged-in user can be granted access to a shared folder on another system. By specifying that shared network path as the certificate location, discovery can be performed from it.
The AppConnector is created dynamically based on the discovery method used.
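The following script is an added example (not AppViewX code) that previews what File System or Shared Network Path discovery would find: it walks a local directory or a UNC share for .pfx/.p12 files and tries to open each one with the candidate passwords a password vault would supply, without importing anything into a certificate store. The path and the candidate password list are constructed sample values, not anything from the product.

```powershell
# Added example (not AppViewX code): preview file-system / shared-path certificate discovery.
# $Path and $CandidatePasswords are assumptions; in the product the passwords come from
# the configured password vault.
param(
    [string]$Path = 'C:\Cert\folder',                            # local directory or \\server\share\certs
    [string[]]$CandidatePasswords = @('changeit', 'Passw0rd!')  # constructed sample vault contents
)

function Open-PfxWithVault {
    param([string]$FilePath, [string[]]$Passwords)
    # EphemeralKeySet keeps the private key in memory only (.NET Framework 4.7.2+ / PowerShell 7);
    # without it a temporary key container would be written to the user profile.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    foreach ($pw in @('') + $Passwords) {            # try "no password" first, then the vault values
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($FilePath, $pw, $flags)
            return [pscustomobject]@{
                File        = $FilePath
                Subject     = $cert.Subject
                Thumbprint  = $cert.Thumbprint
                NotAfter    = $cert.NotAfter
                HasKey      = $cert.HasPrivateKey
                PasswordHit = if ($pw) { 'vault' } else { 'none' }
            }
        } catch {
            # A wrong password surfaces as CryptographicException (wrapped by New-Object);
            # anything else (access denied, unreadable share) is a real error and is rethrown.
            if ($_.Exception.GetBaseException() -isnot [System.Security.Cryptography.CryptographicException]) { throw }
        }
    }
    [pscustomobject]@{
        File = $FilePath; Subject = '<not opened: no matching password>'
        Thumbprint = $null; NotAfter = $null; HasKey = $false; PasswordHit = 'miss'
    }
}

if (-not (Test-Path -LiteralPath $Path)) {
    throw "Discovery path '$Path' is not reachable; check the share and folder permissions."
}

# Only .pfx and .p12 files are discovered from the location, matching the page's statement.
Get-ChildItem -LiteralPath $Path -Recurse -File -Include *.pfx, *.p12 |
    ForEach-Object { Open-PfxWithVault -FilePath $_.FullName -Passwords $CandidatePasswords } |
    Format-Table File, Subject, NotAfter, HasKey, PasswordHit -AutoSize
```

A row with PasswordHit = miss is a file that discovery will see but cannot parse; either add its password to the vault selected in the Certificate Location Details or remove the file from the path. Run the script as the folder credential user so that the share permissions tested are the ones discovery will actually use.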
Connector Behavior for IIS
For certificates discovered from the File System in Microsoft IIS, both Push-only/Default connectors and detailed profile connectors are created. The available profiles depend on the Push Certificate Type selected in the application connector.

Push Certificate Type Options
When adding or updating certificates in Microsoft IIS using the app connector, users can select the desired Push Certificate Type:
- Push Certificate: You can only push certificates to the Certificate store or Centralized File System.
  - Only the Device Name profile is displayed for selection.
  - Profile naming convention: {device_name}
- Push and Bind Certificate: You can push a certificate to the Certificate store and bind it to the IIS site.
  All detailed profile connectors are displayed for selection, named using the following convention:
  MS IIS::<siteName>:<host/IP>:<port>:<hostname (optional)>:CS[:(SNI or protocol)]
  - <siteName>: IIS site name or wildcard (*)
  - <host/IP>: Hostname or IP address, or *
  - <port>: Port number (e.g., 80, 443)
  - <hostname (optional)>: FQDN or specific hostname, if applicable
  - CS: Certificate Store indicator
  - :(SNI or protocol): (SNI) if SNI is enabled, (http) for an HTTP profile, as applicable
  Examples:
  MS IIS::test:*:8090:CS
  MS IIS::test:*:443:CS
  MS IIS::ptpld178.appviewx.net:192.168.12.18:80:www.testiisjune4.com:CS:(SNI)
  MS IIS::PTPLD178.avxdevlab.net:*:443:PTPLD178.avxdevlab.net:(http)
  HTTP Sites Checkbox Behavior
  If the HTTP Sites check box is selected in the app connector, only profiles that represent HTTP sites (port 80 or marked (http)) are displayed for selection; other profile connectors, such as HTTPS or SNI, are excluded.
- You can only push certificates to the Certificate store or Centralized File System.
- If you want to perform custom operations (such as validations, service-related activities, backup, etc.) before the push or after a successful push operation, configure and use the Pre-Script and Post-Script Execution options.
- One or more Store profiles can be selected to push the certificate to the respective stores.
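The following script is an added example (not AppViewX code) that applies the profile naming convention above to IIS site bindings, so you can predict which detailed profile connectors the Push and Bind Certificate option will list for a server, and which of them survive the HTTP Sites check box. The bindings in $sampleBindings are constructed test data mirroring the page's examples; when the WebAdministration module is present, the live bindings of the local server are read instead. The handling of bracketed IPv6 addresses and the exact HTTP Sites filter are assumptions.

```powershell
# Added example (not AppViewX code): derive AppViewX-style profile connector names
# from IIS bindings using the convention MS IIS::<siteName>:<host/IP>:<port>:<hostname>:CS[:(SNI)]
# or ...:(http) for HTTP bindings.

function ConvertTo-AvxProfileName {
    param(
        [string]$SiteName,
        [string]$Protocol,            # 'http' or 'https'
        [string]$BindingInformation,  # IIS format "IP:port:hostname", e.g. "*:443:" or "192.168.12.18:80:www.example.com"
        [int]$SslFlags = 0            # bit value 1 = SNI required
    )
    # Greedy first group keeps bracketed IPv6 addresses such as "[::1]" intact (assumption).
    if ($BindingInformation -notmatch '^(.*):(\d+):(.*)$') {
        throw "Unexpected bindingInformation '$BindingInformation'"
    }
    $ip, $port, $hostName = $Matches[1], $Matches[2], $Matches[3]

    $fields = @($SiteName, $ip, $port)
    if ($hostName) { $fields += $hostName }         # <hostname (optional)> is omitted when empty
    if ($Protocol -eq 'https') {
        $fields += 'CS'                             # CS = Certificate Store indicator
        if ($SslFlags -band 1) { $fields += '(SNI)' }
    } else {
        $fields += '(http)'                         # HTTP profile marker, no CS
    }
    return 'MS IIS::' + ($fields -join ':')
}

# Constructed sample bindings that reproduce the four examples given on the page.
$sampleBindings = @(
    @{ Site = 'test';                   Protocol = 'https'; Info = '*:8090:';                               SslFlags = 0 },
    @{ Site = 'test';                   Protocol = 'https'; Info = '*:443:';                                SslFlags = 0 },
    @{ Site = 'ptpld178.appviewx.net';  Protocol = 'https'; Info = '192.168.12.18:80:www.testiisjune4.com'; SslFlags = 1 },
    @{ Site = 'PTPLD178.avxdevlab.net'; Protocol = 'http';  Info = '*:443:PTPLD178.avxdevlab.net';          SslFlags = 0 }
)

# Prefer live bindings when IIS management tooling is available on this host.
$bindings = if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    foreach ($site in Get-Website) {
        foreach ($b in $site.Bindings.Collection) {
            @{ Site = $site.Name; Protocol = $b.protocol; Info = $b.bindingInformation; SslFlags = [int]$b.sslFlags }
        }
    }
} else { $sampleBindings }

$profiles = foreach ($b in $bindings) {
    ConvertTo-AvxProfileName -SiteName $b.Site -Protocol $b.Protocol -BindingInformation $b.Info -SslFlags $b.SslFlags
}

'--- All detailed profile connectors ---'
$profiles

# HTTP Sites check box: keep only port-80 profiles or those marked (http) (assumed filter).
'--- Profiles shown when HTTP Sites is selected ---'
$profiles | Where-Object { $_ -match '^MS IIS::[^:]+:[^:]+:80(:|$)' -or $_ -like '*:(http)' }
```

With the sample data the first block prints exactly the four example names from the page; the second block keeps the 192.168.12.18:80 SNI profile and the (http) profile, and drops the two plain HTTPS profiles on 8090 and 443.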
- For Windows Gateway Mode = External, in the Certificate location details section, enter the details as indicated below.
Table 4. Certificate Location Details - Field Description Table
- *Location type: Select the checkbox for Certificate store, Centralized file system, or both as the location type.
- *Certificate location: Enter the directory or path where the certificates are stored. Example: C:\Cert\folder
- *Password vault: Select any of the preconfigured password vault values. None is selected by default.
*: Mandatory fields
- In the Folder credential details section, enter the details as indicated below.
Table 5. Folder Credential Details - Field Description Table
- *Folder credentials: Select one of the following:
  - Use gateway credential
  - New
  - Use device credential (disabled by default)
- *Credential type: Select the credential type from the dropdown.
  - Manual entry (default)
  - Credential List - Appviewx
  - Credential List - CyberArk
  - Credential List - Thycotic
  - Credential List - Hashicorp
  - Credential List - BeyondTrust
  Note: If Credential list - Appviewx or Credential list - CyberArk is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
- *Username: Enter the designated username for authentication. (Displayed for Manual entry only.)
- *Password: Enter the password. (Displayed for Manual entry only.)
*: Mandatory fields
- Click Save.
The Microsoft IIS device is onboarded successfully.
Validating the Device
- Go to ADMINISTRATION > Device Management.
  By default, the ADC tab opens.
- Click the Server tab.
  The Server Inventory page is displayed.
- Check that the device name appears in the inventory (Name column) with the specified Cert Sync status (Status column).
  The Status column shows Managed/Monitored/Ignored according to the Cert Sync setting if the connection is successful, or Failed/Unresolved in case of failure.
- In the Status column, click Managed/Monitored.
  The Device Status Log pop-up is displayed.
- Expand each value in the pop-up to view Device communication, Device Version, Instance Information, and Certificate Discovery From Device.
What's Next
- If you want to discover certificates from the onboarded device, see Managed Devices Scan.
- If you want to enroll a new server certificate, see Enrolling a Server Certificate.
