
Core Infrastructure and Security Blog

Configure App-V Server to use HTTPS

SGERN
Apr 23, 2025

1. Intro 

Over the last 8 months, customers contacted us in several support cases asking how to implement a secure HTTPS connection between 2 servers, the publishing server and the management server, in an App-V environment. The customers had Windows Server 2019 in place and were using the latest version of App-V Server, 5.1.136.1*. That is why we shared our experiences with the community in November 2024 during the M.A.D. days, and why we now want to share the procedure for setting up such a connection in this blog.

 

During the M.A.D. Days in Hamburg 2024, we demoed and discussed a failure when setting up HTTPS with Server 2019 and TLS 1.2. In this blog I want to show, in short steps, how to set up HTTPS directly between the App-V servers. We are using Windows Server 2022, which has some advantages for HTTPS handling. For example, we do not need to think about the TLS version used: it automatically uses the highest TLS version, or it can be set to use any available protocol of TLS 1.2 or higher.

2. Basic communication Client and Server (Sync-Publishing)

2.1. Client process

On a client you can easily switch the connection to the publishing service from HTTP to HTTPS. In preparation, you need to set up the bindings on the server and create an SSL certificate for the clients.

In a Microsoft PKI environment, you can request a certificate over the CA:

After the enrollment, you can test whether the HTTPS URL on the server is reachable:

 

2.2. Using HTTPS for Sync Publishing on clients

In our lab I have set up 4 publishing connections:

To the 1st publishing server over HTTP and HTTPS, and the same to the 2nd server. Overall I have 4 possible connections to publish from the client. The screenshot shows the GPO:

To use HTTPS you need to configure bindings in IIS on the Management Server.

Set a port of your choice and be sure the Firewall is not blocking these ports.

In the event viewer we see that the Publishing Refresh was successful:

3. Preparing and enabling the Publishing Server for HTTPS between the servers

3.1. Existing environment 

In a basic setup of the main App-V Server with the Management Service and Publishing Service (hostname in the lab: HAMWS2022S2), we have the following ports configured:

Management

HTTP: 60000

HTTPS: 8000

Publishing

HTTP: 60001

HTTPS: 8001

3.2 Standard Setting

On the main server, HTTPS is not configured for the connection to the Management Database on the same machine. Because the connection stays on the same machine, we are using “http://localhost:[Port]/”.

3.3 Confirm Working Environment

Before we make changes, we want to check that communication over HTTP is working correctly from the 2nd Publishing Server (HAMWS2022S3) to the main server (HAMWS2022S2):

When we now check the console on the main server, we see that the 2 servers are syncing (Last Publishing):

Additionally, we need to check that the Sequence ID is the same in both metadata files.

For that we need to compare the files on both servers:

Path is C:\ProgramData\Microsoft\AppV\Server\Publishing

4. Preparing on the main App-V Server HAMWS2022S2

4.1 Binding

As mentioned above, we have set the bindings for HTTPS. The ports are 8000 for Management and 8001 for Publishing.

4.2 Certificate 

Create an SSL certificate and select it for the HTTPS settings in the Publishing binding for the configured port:

4.3 Registry Key

On Server 2022 we additionally set the following keys to force the use of TLS 1.2:

The following article provides the details of the registry keys and how to set them.

Link: TLS 1.2 enforcement for Microsoft Entra Connect

4.4 Change to HTTPS

The RegKey on the 2nd Server to connect to the Management Server via HTTPS:

4.5 Restart and Test

Now we can see that the connection between the 2 servers runs over HTTPS, verified as described above with the console or the matching Sequence ID. Additionally, we can capture the traffic with Wireshark and see the TLS 1.2 traffic:

We can see the handshake between the 2 servers and data has been exchanged.
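
As a scripted complement to the Wireshark capture, the following PowerShell check can be run on the 2nd server against the HTTPS bindings of the main server. It is an added example, not part of the original post or of App-V; the function name Test-TlsEndpoint is hypothetical, and the hostname and ports are the lab values used above.

```powershell
# Added example (not from the original post): report what an HTTPS binding negotiates.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port
    )
    # Record certificate validation errors instead of aborting the handshake,
    # so a name mismatch or an untrusted chain shows up in the result.
    $state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
    $recordErrors = {
        param($s, $certificate, $chain, $errors)
        $state.Errors = $errors
        $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$recordErrors

    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        try {
            # The OS default protocol set is offered; $HostName is used for SNI and the name check.
            $ssl.AuthenticateAsClient($HostName)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            [pscustomobject]@{
                Endpoint   = "${HostName}:$Port"
                Protocol   = $ssl.SslProtocol
                Tls12Plus  = $ssl.SslProtocol -ge [System.Security.Authentication.SslProtocols]::Tls12
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                CertErrors = $state.Errors   # 'None' means chain and name validated
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Dispose() }
}

# Lab values from this post: main server HAMWS2022S2, HTTPS 8000 (Management) and 8001 (Publishing).
8000, 8001 |
    ForEach-Object { Test-TlsEndpoint -HostName 'HAMWS2022S2' -Port $_ } |
    Format-List
```

Use the same name here that the certificate was issued for: if the certificate carries the FQDN and the check uses the short hostname, CertErrors reports RemoteCertificateNameMismatch even though the handshake itself succeeds.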

 

Thanks for reading 

Peter Rüttinger 

Published Apr 23, 2025
Version 1.0