With the GA of Microsoft Connected Cache for Enterprise, the product now also supports HTTPS content. This allows it to serve Teams content and the future Intune content that will move from HTTP to HTTPS. In this part, I will show you how to enable HTTPS support on your Connected Cache nodes. It is not enabled by default, since it requires you to provide a TLS certificate for each node.
Generate CSR on our Linux Node
Let's start by creating the CSR on our Linux node. To do that, we move into our scripts folder and first mark the script generateCsr.sh as executable:

To generate our CSR, we just need to call this script with the required parameters. Since the exact options vary depending on your environment, I highly suggest checking the official docs for the available options: mcc-ent-https-linux
For my environment, I go with both the FQDN and the IP address, since I still have a few places where I call the MCC via IP only (e.g. DHCP Option 235 in my case).

The CSR file is written to a folder named certs inside your cache location. You can copy it from there and get it signed by your CA.

Generate CSR on our Windows Node
Let's do the same for our Windows node. We start by navigating to the scripts folder with this command:
cd (deliveryoptimization-cli mcc-get-scripts-path)

For the exact parameters required for the CSR generation, I again highly suggest checking the official docs: mcc-ent-https-windows
I will go with these settings for my environment:


Sign the CSR
Now that we have the CSRs ready, we can have them signed by our CA. In my case, I will use my Enterprise PKI for that:


Import Certificate to Linux Node
Now that we have our signed certificate, we can import it into our node. To do that, we copy the signed certificate next to the CSR:

Next, we move back to our scripts folder and mark the importCsr.sh shell script as executable:

And start the actual import process:

Import Certificate to Windows Node
The first step on the Windows node is to copy the signed certificate to the folder where you found the CSR before:

Next, we go back to our elevated PowerShell window and move to the scripts folder:

And run the importCert.ps1 script:


Next, we need to configure the port forwarding and the firewall so that clients can reach port 443 on the Windows node (the cache itself runs inside WSL2, so the host has to forward the port to the WSL address):
# Read the WSL2 address the installer recorded in wslIp.txt
$ipFilePath = Join-Path ([System.Environment]::GetEnvironmentVariable("MCC_INSTALLATION_FOLDER", "Machine")) "wslIp.txt"
$ipAddress = (Get-Content $ipFilePath | Select-Object -First 1).Trim()
# Forward host port 443 (all interfaces) to port 443 inside WSL2
netsh interface portproxy add v4tov4 listenport=443 listenaddress=0.0.0.0 connectport=443 connectaddress=$ipAddress
# Allow TCP 443 through the Windows firewall
[void](New-NetFirewallRule -DisplayName "WSL2 Port Bridge (HTTPS)" -Direction Inbound -Action Allow -Protocol TCP -LocalPort "443")
[void](New-NetFirewallRule -DisplayName "WSL2 Port Bridge (HTTPS)" -Direction Outbound -Action Allow -Protocol TCP -LocalPort "443")
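The commands above are one-shot: the WSL2 address stored in wslIp.txt can change after a reboot, and running them a second time leaves the old portproxy entry in place and creates a second firewall rule with the same display name. The following function is an added example (not from the original post and not part of Microsoft's scripts) that makes the step repeatable. It assumes the same MCC_INSTALLATION_FOLDER environment variable and wslIp.txt layout the post uses, and must run from an elevated PowerShell window.

```powershell
# Added example: keep the host-to-WSL2 bridge for port 443 in sync with wslIp.txt.
# Assumes MCC_INSTALLATION_FOLDER and wslIp.txt as described in the post; run elevated.
function Update-MccHttpsBridge {
    param(
        [int]$Port = 443,
        [string]$RuleName = 'WSL2 Port Bridge (HTTPS)'
    )

    $folder = [System.Environment]::GetEnvironmentVariable('MCC_INSTALLATION_FOLDER', 'Machine')
    if (-not $folder) { throw 'MCC_INSTALLATION_FOLDER is not set; is the node installed?' }
    $wslIp = (Get-Content (Join-Path $folder 'wslIp.txt') | Select-Object -First 1).Trim()
    if ($wslIp -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "Unexpected content in wslIp.txt: '$wslIp'" }

    # Parse the table netsh prints: listen address, listen port, connect address, connect port.
    # Header and separator lines contain no digits in the port columns, so they do not match.
    $current = netsh interface portproxy show v4tov4 | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                ListenAddress  = $Matches[1]
                ListenPort     = [int]$Matches[2]
                ConnectAddress = $Matches[3]
                ConnectPort    = [int]$Matches[4]
            }
        }
    }
    $existing = $current | Where-Object { $_.ListenPort -eq $Port -and $_.ListenAddress -eq '0.0.0.0' }

    if ($existing -and $existing.ConnectAddress -eq $wslIp) {
        $proxyAction = 'unchanged'
    } else {
        # Stale entry (WSL2 got a new address) or no entry yet: replace it.
        if ($existing) {
            netsh interface portproxy delete v4tov4 listenport=$Port listenaddress=0.0.0.0 | Out-Null
        }
        netsh interface portproxy add v4tov4 listenport=$Port listenaddress=0.0.0.0 connectport=$Port connectaddress=$wslIp | Out-Null
        $proxyAction = if ($existing) { "updated $($existing.ConnectAddress) -> $wslIp" } else { "added -> $wslIp" }
    }

    # Firewall: DisplayName is not unique, so look the rules up before creating them.
    $ruleActions = @()
    foreach ($dir in 'Inbound', 'Outbound') {
        $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
            Where-Object Direction -eq $dir
        if (-not $rule) {
            [void](New-NetFirewallRule -DisplayName $RuleName -Direction $dir -Action Allow -Protocol TCP -LocalPort $Port)
            $ruleActions += "$dir rule created"
        } else {
            $ruleActions += "$dir rule present"
        }
    }

    [pscustomobject]@{
        WslIp     = $wslIp
        PortProxy = $proxyAction
        Firewall  = $ruleActions -join '; '
    }
}

# Run after each reboot of the node (for example from a scheduled task):
# Update-MccHttpsBridge
```

Because the function only touches the portproxy entry when the recorded WSL2 address differs from the current one, it is safe to run on every boot, and the returned object tells you whether anything actually changed.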


Test HTTPS Connection from a client
Now that our cache nodes are ready, we should test whether HTTPS actually works. We can do that using curl from any of our clients:
curl.exe -v -o NUL "https://[insert-connection-option]/ee344de8-d177-4720-86c1-a076581766f9/070a8fd4-79a7-42c8-b7c8-9883253bb01a/c7b1b825-88b2-4e66-9b15-ff5fe0374bc6.appxbundle.bin" --include -H "host:swda01-mscdn.manage.microsoft.com"
If everything worked, we see the file being downloaded successfully:

If it didn't work, it could look something like this:

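The curl test tells you whether a download succeeds, but when it fails, the usual cause is the certificate itself: a missing SAN for the name or IP the clients use, an issuer the client does not trust, or an expired certificate. The function below is an added example (not from the original post) that connects to a node on port 443, records the certificate it presents and reports exactly those points. It assumes the name or IP you pass is what clients will use to reach the node, so it must appear in the certificate's SAN, and that it runs on a Windows client (Windows PowerShell 5.1 or PowerShell 7); the "DNS Name=" and "IP Address=" labels it parses are the English-locale labels Windows prints for the SAN extension.

```powershell
# Added example: inspect the TLS certificate a Connected Cache node presents on port 443.
# Assumes a Windows client and that $Node is the FQDN or IP clients will use for the node.
function Test-MccTlsCertificate {
    param(
        [Parameter(Mandatory)][string]$Node,
        [int]$Port = 443
    )

    $script:mccChainErrors = [System.Net.Security.SslPolicyErrors]::None
    $client = [System.Net.Sockets.TcpClient]::new($Node, $Port)
    try {
        # Record the chain/name result but do not abort the handshake, so the
        # certificate can still be reported when validation fails.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors)
            $script:mccChainErrors = $errors
            return $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Node)   # $Node is also sent as SNI
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # Subject Alternative Name (OID 2.5.29.17): Format(true) prints one entry per line,
        # e.g. "DNS Name=mcc01.corp.example" or "IP Address=10.0.0.5".
        $sanNames = @()
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $sanNames = [regex]::Matches($san.Format($true), '(?:DNS Name|IP Address)=([^\r\n,]+)') |
                ForEach-Object { $_.Groups[1].Value.Trim() }
        }

        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $nodeInSan = $sanNames -contains $Node   # -contains compares strings case-insensitively

        [pscustomobject]@{
            Node        = "$Node`:$Port"
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            DaysLeft    = $daysLeft
            SanNames    = $sanNames -join ', '
            NodeInSan   = $nodeInSan
            ChainErrors = $script:mccChainErrors.ToString()
            Ok          = ($script:mccChainErrors -eq 'None') -and $nodeInSan -and ($daysLeft -gt 0)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Check both ways clients reach the node (name and IP, as in the CSR above):
# Test-MccTlsCertificate -Node mcc01.corp.example | Format-List
# Test-MccTlsCertificate -Node 10.0.0.5 | Format-List
```

Ok is only true when the chain validated against the client's trust store, the name or IP used is listed in the SAN, and the certificate has not expired; if you requested the CSR with both FQDN and IP as in the post, run the check once for each, since a client that connects by IP (such as one pointed to the node through DHCP option 235) needs the IP SAN, not the DNS one.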
Conclusion
Having HTTPS support for Microsoft Connected Cache is a nice and long-awaited feature that makes sure it works for all current and future requirements, especially since Teams has already switched to HTTPS and Intune is currently working on the transition to HTTPS CDN downloads.
