Note: When setting up TLS on your Carousel Server it is best to start before installing or upgrading to Version 7.3.0.
1. Configuring IIS for TLS
You will need to go into IIS, right-click on Default Web Site and select Edit Bindings...
Then you can add or edit the bindings for port 443.
You will need to set the Host name to be the same as the certificate that you have procured. If you don't set the host name, you probably won't notice issues accessing Carousel from a browser, but internally, Carousel will be unable to validate the certificate and will fail to update bulletins. (If unsure, check Configure > System > System Health to verify internal communication is working properly.)
You also have to install the certificate in IIS. On the same screen as above you will click on Select... and that will allow you to select the certificate that you would like to use on the server.
Carousel requires at least the https binding on port 443 with a host name specified in order to use TLS. Optionally the server can also be configured to have an http binding on port 80. The http binding allows access to the server without encryption, which might be desirable. You may not want people or players to access the server without encryption, but you might still use the http binding to redirect, so bookmarks or players pointing to http://<server> will redirect to https://<server> and still be encrypted (see Notes).
2. Installing or Upgrading to 7.3.0+
Once you have configured your IIS, install the Carousel upgrade as normal.
3. Setting up or Upgrading Players
To set up or upgrade your players, configure or reconfigure them to use https. This is done the standard way you set up each type of player, but you specify a full URL instead of just the host name. For example, you will now have to enter https://carousel.trms.com/ instead of carousel.trms.com. You can also still specify the protocol as http if you are not using TLS.
Notes:
- It is recommended that you set up a redirect from http to https in IIS once all of your players have been converted to https, so users still operate securely even if they use an old bookmark. For details, check: https://blogs.technet.microsoft.com/dawiese/2016/06/07/redirect-from-http-to-https-using-the-iis-url-rewrite-module/ with one important exception: the "Redirect Target" should use the host name specified in the https binding, not "{HTTP_HOST}", to force requests made to http://localhost to redirect to the correct secure URL (otherwise it will redirect to https://localhost and cause a certificate validation error, which will prevent internal Carousel requests from working properly). The redirect can be tested by entering http://localhost into a browser on the Carousel server and confirming that it follows the redirect without an error.
- Self-signed certificates will not work for allowing players to connect over TLS.
- Carousel will automatically use the host name from the IIS binding in step 1 for internal communication as long as you use the "Default Web Site" and the service and app pool are running as users who can read IIS settings. If these requirements are not all met, there are Options within Carousel to help it find the right information: General/WebSiteName can be used to change the site name if it is not "Default Web Site", and General/ServerURL can be used to set the internal URL Carousel uses if the binding host name isn't set or cannot be read. Internally, when communicating with the web server, Carousel will try:
  - If set, the General/ServerURL.
  - If an http binding exists, the host name and port of the first http binding, following any redirects to https if configured.
  - Otherwise, the host name and port of the first https binding.
  - If all else fails, http://localhost.
- The firmware on BrightSign players defines which root certificate authorities those players trust, which isn't necessarily the same set as on Windows or Apple TV players, so there may be discrepancies. If everything is set up properly and you are having issues specifically with BrightSign players, this is a possible cause. The only solution is to switch the Carousel server to a certificate from a provider that the BrightSign firmware trusts. If a certificate isn't trusted by the BrightSign firmware, you'll see:
  - If using the provisioning script, a message for error -60, and it will not be able to "download brs files."
  - If using the configuration tool, it will potentially be able to configure the player but, unfortunately, you will never see content appear on the player.
- If the Carousel server is on the internet, it is possible to use Let's Encrypt for your certificates (even with BrightSign players).
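As an added illustration of the http-to-https redirect described in the first note (this is not configuration from the original article or from TRMS), the following IIS URL Rewrite rule in the site's web.config sends every http request to the host name of the https binding; carousel.example.com is a placeholder for the host name in your own binding.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Example site web.config; requires the IIS URL Rewrite module. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect http to https" stopProcessing="true">
          <!-- Match every request path; {R:1} carries it into the target URL. -->
          <match url="(.*)" />
          <conditions>
            <!-- Only act on requests that did not arrive over TLS. -->
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <!-- The Redirect Target is the host name from the https binding
               (carousel.example.com is a placeholder). Do NOT write
               url="https://{HTTP_HOST}/{R:1}" as in the linked article:
               that sends http://localhost to https://localhost, the
               certificate fails to validate, and Carousel's internal
               requests stop working. Permanent gives a 301 response. -->
          <action type="Redirect" url="https://carousel.example.com/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After saving, browse to http://localhost on the Carousel server and confirm the redirect lands on https://carousel.example.com/ (your binding's host name) rather than https://localhost/.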