13 Replies Latest reply on Jun 15, 2017 12:54 PM by dale_allyn

    Recommended SSL Setup on Private FMS16 Server?

    LSNOVER

      My understanding of SSL certificates is that they require a publicly accessible server in order to be verified.

       

      If a user has a private FMS 16 server that is not public, what is the recommended setup for dealing with an SSL certificate?  I.e. how can we install a proper certificate without having a public server and URL?

       

      Thanks,

      Lee

        • 1. Re: Recommended SSL Setup on Private FMS16 Server?
          fmpdude

          Pardon the possibly unhelpful question, but why do you need an SSL certificate at all if the server isn't public/Internet-facing?  Certificates are a pain. Yearly updating is a pain. Avoid if you can.

          • 2. Re: Recommended SSL Setup on Private FMS16 Server?
            LSNOVER

            No problem.  The SSL features do not work properly without a third party certificate.  While the server may not be "public facing", the network traffic can still be compromised internally or breached externally, since the office does have internet access.  Having secure data flow is a best practice, in my opinion.  If the computers have internet access, then the data should be protected to the degree possible.

            • 3. Re: Recommended SSL Setup on Private FMS16 Server?
              fmpdude

              Gotcha, sounds good.

              • 4. Re: Recommended SSL Setup on Private FMS16 Server?
                dale_allyn

                I'm facing this same situation (and agree with your comment to security). It's a new installation (and new company) and I'm considering activating a domain and allowing access to the internet for the sole purpose of validating. Then removing that access. The problem is, that only buys a year. I'd like not to have to "connect the pipes" again each renewal.

                 

                Looking forward to someone providing a better solution.

                 

                Thanks for your post, LSNOVER.

                • 5. Re: Recommended SSL Setup on Private FMS16 Server?
                  LSNOVER

                  I am not even sure that that would work, as my understanding is that the SSL cert. has to be verified when a connection is made.  I will make a call to Tech. support and report back what I find out.

                  • 6. Re: Recommended SSL Setup on Private FMS16 Server?
                    greglane

                    Hi Lee,

                     

                    I'm not aware of any step in the process of setting up DNS or an SSL cert that would require your server to be publicly accessible. We have internal FileMaker development servers that are not publicly accessible that have valid SSL certs installed. The clients need to be able to resolve the DNS name to an IP address, but that can be a private address. We have domain names registered via Amazon AWS Route 53 that point to internal, private IP addresses and FileMaker clients work just fine. If your LAN is completely isolated, you would need a local DNS server.

                     

                    When you purchase an SSL cert, you're required to go through a process to verify you own the domain name you're buying the cert for. That's typically done via email using the admin address used when registering the domain. If you don't have access to that email address, you can use an HTTP-based method where you put a hash file on the server. This is the only scenario I can think of where the server would have to be publicly accessible in order for the SSL vendor to validate domain control.

                     

                    Is there a particular obstacle you've encountered?

                     

                    Greg

                    1 of 1 people found this helpful
                    • 7. Re: Recommended SSL Setup on Private FMS16 Server?
                      LSNOVER

                      OK, according to FMI OFFICIAL support... there is no way to set up SSL without a third party cert. and without a "public" domain name that resolves to the FileMaker server.

                       

                      The rep. stated that the certificate MIGHT work if the server is not publicly accessible (after it has been set up), as long as the URL resolves for the internal clients and they have internet access to the public DNS servers.  But they admitted they were not a network expert, and could not guarantee/verify this.  So this remains an open question.  Hopefully someone else with specific experience/expertise can chime in.

                      • 8. Re: Recommended SSL Setup on Private FMS16 Server?
                        LSNOVER

                        Hi Greg:

                         

                        Thank you for the info.  I haven't encountered the issue yet, per se.  I was just trying to work through the scenario and find out if it's doable.

                         

                        So, if I understand you correctly, you have the domain set up to point to your internal IP?  I.e., like a 192.x.x.x type IP?
                        All of the installations I've done with the SSL certs have been otherwise accessible via the internet.  I am not a network expert, so forgive me if I am asking questions that seem not to make sense.  I understand the basics, but not all the intricacies, especially with routing issues.

                         

                        Regards,

                        Lee

                        • 9. Re: Recommended SSL Setup on Private FMS16 Server?
                          bigtom

                          This is an issue for private LAN use. Certs need to validate every so often.

                           

                          Have you searched for Enterprise Internal SSL? Not sure there are any supported CAs but looks to be something that might work.

                          • 10. Re: Recommended SSL Setup on Private FMS16 Server?
                            greglane

                            Hi Lee,

                             

                            That's exactly right. We have internal servers on private IP addresses that can only be accessed from our local LAN or via VPN. We're using a wildcard cert from DigiCert and it's working fine.

                             

                            Greg

                            1 of 1 people found this helpful
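The setup described in replies 6 and 10 (a CA-issued wildcard certificate on a name that resolves to a private address) can be checked from a LAN client with a script like the following. This is an added example, not part of any poster's reply; the hostname, address, port 443 and sample certificate are constructed assumptions.

```python
import ipaddress
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    "notAfter": "Jun 15 12:00:00 2018 GMT",
}

def san_matches(pattern, hostname):
    """Report-only matcher: '*' stands for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h

def summarize(hostname, address, cert, now):
    """Describe an already-verified peer certificate from the client's side."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "host": hostname,
        "address": address,
        # Informational only: the name and chain are verified, not reachability.
        "private_address": ipaddress.ip_address(address.split("%")[0]).is_private,
        "matched_san": next((s for s in sans if san_matches(s, hostname)), None),
        "days_left": int((expires - now) // 86400),
    }

def live_check(hostname, port=443, timeout=5):
    """Handshake against the OS trust store; raises
    ssl.SSLCertVerificationError if the chain or the name does not verify."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            peer = tls.getpeername()[0]
            return summarize(hostname, peer, tls.getpeercert(), time.time())

if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Jun 15 12:00:00 2017 GMT")
    print(summarize("fms.example.com", "192.168.10.25", SAMPLE_CERT, now))
```

Running `live_check()` with the server's real DNS name from a workstation on the LAN exercises the same verification a client performs; `days_left` gives a value to alert on before renewal.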
                            • 11. Re: Recommended SSL Setup on Private FMS16 Server?
                              wimdecorte

                              dale_allyn wrote:

                               

                              I'm considering activating a domain and allowing access to the internet for the sole purpose of validating

                               

                              Can you expand on that? That shouldn't be necessary.  If you have an internal DNS on your network then you are already using a 'domain' name.  If you get an SSL cert for that domain then you are good to go.

                               

                              SSL certs sorta require proper DNS and in the long run it is going to be much smoother to set that up internally if you don't have it.

                              • 12. Re: Recommended SSL Setup on Private FMS16 Server?
                                dale_allyn

                                Thanks for sharing the info.

                                • 13. Re: Recommended SSL Setup on Private FMS16 Server?
                                  dale_allyn

                                  I guess my only "expansion" is that my experience with installing SSL certs is with web servers (Web-facing LAMP stacks) and not isolated internal networks. So I was exposing my inexperience with what's required for an FM server which is not connected to the web.

                                   

                                  Learning from you and others here as I read and follow along.