Issue:
When I am trying to log in to the Email and Server Security 14.x or 15.x WebUI (Web Console) via the browser using the address https://127.0.0.1:25023 or https://localhost:25023, a message is shown that the page cannot be displayed.
Resolution:
Set up the Binding in Internet Information Services (IIS) Manager
To access the Email and Server Security WebUI from any host in the network, you need to allow that access via Internet Information Services (IIS).
To allow access to the WebUI for all hosts, follow these steps:
- In Administrative Tools, start Internet Information Services (IIS) Manager
- Go to Sites > EssWebConsole
- Select Bindings
- Select the row with port 25025 127.0.0.1 and click on Edit
- Under SSL certificate, select Local ESS Web Console Self Signed Cert and select OK
Missing Email and Server Security SSL certificate
If the Email and Server Security WebUI is not displayed and the certificate is missing in IIS, you can run the setup tool F-Secure.Ess.Config.exe to create a new certificate.
This tool can be found at C:\Program Files (x86)\F-Secure\Email and Server Security\ui\F-Secure.Ess.Config.exe
On page 7 you can select the certificate Local ESS Web Console Self Signed or create a self-signed one.
Once completed, you should be able to select the certificate in IIS > EssWebConsole > Bindings
Verify that TLS is enabled and the SChannel library is correct
- Make sure TLS 1.0 and TLS 1.1 are enabled on the Email and Server Security host
- If you are using Windows Server 2008 R2, 2012 or 2012 R2, make sure update KB3042058 is installed
Note: Support for weak cipher suites for the TLS protocol has been dropped. This may result in connectivity issues with outdated Windows hosts that are missing updates such as KB3042058 from May 2015.
The easiest way to check whether the host can communicate with the designated Policy Manager is to open the Policy Manager address and HTTPS port (example: https://mypolicymanager.local:443) in Microsoft Internet Explorer on the managed client's host. Microsoft Internet Explorer uses the same secure channel library as our F-Secure client to establish a secure connection to the Policy Manager Server. Most other internet browsers use their own TLS library rather than the one our clients rely on, so they are not relevant for this validation.
Occasionally the SChannel library will attempt to use TLS 1.0 even with the KB3042058 update installed. It was discovered that this can happen if the Windows Server is running in the Active Directory role. Making any change to the SSL Cipher Suite Order Group Policy setting, as described in More Information under https://support.microsoft.com/en-us/help/3042058/microsoft-security-advisory-update-to-default-cipher-suite-priority-or#section-2, and rebooting the server fixes this, even if the SSL Cipher Suite Order Group Policy setting value is later reset to default.
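The checks above can also be collected from the managed host in one pass. The following is an added example, not F-Secure code: it reports whether KB3042058 is listed, any explicit SChannel protocol overrides, whether a cipher suite order policy value exists, and what a handshake through SChannel (via .NET SslStream) negotiates with the Policy Manager. The host name and port are the example address from this article, and offering TLS 1.0 to 1.2 explicitly is an assumption of the example.

```powershell
# Added example (not F-Secure code). Run in Windows PowerShell on the managed host.
# Assumption: host and port are this article's example Policy Manager address.
$PmHost = 'mypolicymanager.local'
$PmPort = 443

# 1. Is KB3042058 listed? False only means it is not listed under this ID.
$kb = Get-HotFix -Id 'KB3042058' -ErrorAction SilentlyContinue
"KB3042058 listed: {0}" -f [bool]$kb

# 2. Explicit SChannel client overrides; a missing key means the OS default applies.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $p = Get-ItemProperty -Path "$base\$proto\Client" -ErrorAction SilentlyContinue
    if ($p) {
        "{0}: Enabled={1} DisabledByDefault={2}" -f $proto, $p.Enabled, $p.DisabledByDefault
    } else {
        "{0}: no override (OS default)" -f $proto
    }
}

# 3. Is an SSL Cipher Suite Order Group Policy value present?
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$pol = Get-ItemProperty -Path $polKey -Name Functions -ErrorAction SilentlyContinue
"Cipher suite order policy set: {0}" -f [bool]$pol

# 4. Handshake through SChannel and report the negotiated protocol and cipher.
#    The callback records certificate errors but accepts the certificate, because
#    this check is about protocol and cipher negotiation only; no data is sent.
$script:certErrors = 'n/a'
$cb = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($s, $cert, $chain, $errors) $script:certErrors = $errors; $true
}
$offer = [System.Security.Authentication.SslProtocols]'Tls, Tls11, Tls12'
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($PmHost, $PmPort)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($PmHost, $null, $offer, $false)
    "Negotiated: {0}, cipher {1} ({2} bit)" -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.CipherStrength
    "Certificate policy errors: {0}" -f $script:certErrors
    $ssl.Dispose()
} catch {
    "Handshake failed: {0}" -f $_.Exception.GetBaseException().Message
} finally {
    $tcp.Close()
}
```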
Workaround
If you are unable to install the cipher suite Windows update on the host or fix the SSL Cipher Suite Order Group Policy setting, a workaround would be to allow TLSv1 and TLSv1.1 for the Policy Manager Server by using these steps:
- Stop the Policy Manager Server service using command prompt command: net stop fsms
- Open Regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Management Server 5\
- Open the additional_java_args string and add: -DenableVistaInteroperability=true
- Start the Policy Manager Server service using command prompt command: net start fsms
Hosts using TLSv1 and TLSv1.1 will now again be able to connect to the Policy Manager Server and download policies.
Note: This workaround should be considered as a temporary solution and we advise you to update your system to the latest TLS version.
Article no: 000022837