Web Server Screen

Enabling this feature may require you to import a server certificate authority (CA) to agent endpoints. You can use the automatically-created certificate and CA, or you can use your own certificate and public or private CA. Typically, you only need to import a private CA.

To secure connections using Transport Layer Security (TLS) or Secure Sockets Layer (SSL), do the following:

1. Select Enable TLS/SSL. Setup automatically creates the required certificate.

   To learn about TLS/SSL implementation in Endpoint Application Control, see TLS/SSL Considerations.

2. Optionally, add your own certificate and public or private CA to the Endpoint Application Control server certificates folder.

   To replace the automatically-generated certificate, follow the steps to import a certificate for your web server type:

   Table 1. Import TLS/SSL Certificate

   Web Server Type	Steps
   Apache Tomcat	Do the following: Use a P12 format file that includes the certificate and private key. Tip: To create a P12 format file from a PEM format file or files, after completing server installation, use OpenSSL on the Endpoint Application Control server. For example, you might type the following single-line command at the command prompt: openssl pkcs12 -export -password pass:changeit -chain -name WebServerCert -in WebServerCert/WebServer_Cert.pem -inkey WebServerCert/WebServer_Key.pem -out WebServerCert/WebServer_Cert.p12 Set the P12 format file name to WebServer_Cert.p12 and use the password from the Apache Tomcat server.xml configuration file. The default password is changeit. Copy the P12 format file to the following path on the Endpoint Application Control server: C:\Program Files (x86)\Trend Micro\Endpoint Application Control\SSLCerts\WebServerCert\
   Microsoft Internet Information Server (IIS)	In Windows Server 2008, do the following: Open the IIS Microsoft Management Console (MMC). For example, click Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager. In the left pane, click your server name. The Home screen for your server appears in the center pane. In the center pane, double-click Server Certificates. The Server Certificates screen appears. Under Actions in the rightmost pane, click Complete Certificate Request.... The wizard window appears. Under File name containing the certification authority's response type the file name or click "..." to browse to the file. Then, type a Friendly name and then click OK. The certificate is installed to the server and the wizard window closes. In the left pane of the Internet Information Services (IIS) Manager window, expand your server name, expand Sites, and then click the EndpointApplicationControl virtual site. The Home screen for the virtual site appears in the center pane. Under Actions in the rightmost pane, click Bindings.... The Site Bindings window appears. Under Type, click https, and then click Edit.... The Edit Site Binding window appears. Under SSL Certificate, select the certificate that you installed using the wizard and then click OK. The Edit Site Binding window closes. Click Close to close the Site Bindings window. The certificate is configured for use with Endpoint Application Control.

3. To use the automatically-created certificate or your own private certificate, import the CA.

   For example, do one of the following:

   • Import to the Trusted Root Certification Authorities store for your domain.

     See Microsoft Technet https://technet.microsoft.com/en-us/library/cc772491.aspx.

   • Import to specific Group Policy Objects.

     See Microsoft Technet https://technet.microsoft.com/en-us/library/cc770315.aspx.