How to Configure a Secure, Public-Facing CloudM Migrate Instance

This guide provides instructions and best practices for securely exposing your CloudM Migrate web application to the internet.

By default, the CloudM Migrate web interface is installed for local access only (via https://cloudm.local). To allow secure access from any external location, you must configure DNS, bind a commercial SSL/TLS certificate in Internet Information Services (IIS), and implement several security hardening measures.

Following these recommendations will significantly strengthen the security posture of your web server.

Audience: This article is intended for System Administrators or IT professionals familiar with Windows Server, IIS, DNS, and SSL/TLS certificate management.


1. Prerequisites

Before you begin, ensure you have the following:

  • A static public IP address assigned to your CloudM Migrate server.
  • Administrative access to the Windows Server hosting CloudM Migrate.
  • Access to your public DNS provider's management console (e.g. GoDaddy, Cloudflare).
  • A purchased SSL/TLS Certificate in a .pfx file format from a trusted Certificate Authority (CA).

2. Preparing for Public Access

2.1. Configure DNS

For users to access CloudM Migrate using a domain name (e.g., https://migrate.yourcompany.com), you must create a public DNS 'A' record. This record points your chosen domain name to the server's public IP address.

  1. Log in to your DNS provider's management portal.
  2. Navigate to the DNS management or Zone Editor section for your domain.
  3. Add a new 'A' Record with the following details:
    • Host/Name: The subdomain you will use (e.g., migrate).
    • Points to/Value: The static public IP address of your CloudM Migrate server.
    • TTL (Time to Live): Leave the default value unless you have a specific requirement.
  4. Save the record. Note that DNS changes may take some time to propagate across the internet.

2.2. Obtain an SSL/TLS Certificate

Using a certificate from a trusted CA (e.g. Symantec, Comodo, Let's Encrypt) is essential for securing your public-facing site. It encrypts data and verifies your site's identity to users. While self-signed certificates can be used, they will generate browser security warnings and are not recommended for production environments.

  • When purchasing your certificate, the Common Name (CN) must match the fully qualified domain name (FQDN) you configured in DNS (e.g. migrate.yourcompany.com).
  • A wildcard certificate (e.g. *.yourcompany.com) can also be used.
  • After purchase and validation, you will typically receive a .pfx file, which includes the certificate, private key, and any intermediate certificates.

3. Configuring IIS for Public Access

3.1. Import Your SSL/TLS Certificate

First, import the certificate into the server's certificate store.

  1. Open the Microsoft Management Console (MMC) by pressing Win + R, typing mmc, and clicking OK.
  2. In the MMC, go to File > Add/Remove Snap-in....
  3. Select Certificates and click Add.
  4. Choose Computer account and click Next.
  5. Select Local computer and click Finish, then OK.
  6. In the console tree, expand Certificates (Local Computer) > Personal.
  7. Right-click the Certificates folder and select All Tasks > Import....
  8. Follow the Certificate Import Wizard to import your .pfx file. Ensure you select the option to Automatically place the certificates in the certificate stores based on the type of the certificate.

3.2. Create the HTTPS Binding in IIS

Next, bind your new domain name and SSL/TLS certificate to the CloudM Migrate website.

Important: When you upgrade or reinstall CloudM Migrate, your custom IIS bindings will be reset to the default configuration. You must re-apply these steps after any upgrade.

  1. Open IIS Manager by pressing Win + R, typing inetmgr, and clicking OK.
  2. In the Connections pane, expand the server node, then expand the Sites folder.
  3. Select the cloudm.local site.
  4. In the Actions pane on the right, click Bindings....
  5. First, edit the existing binding:
    • Select the https binding for the hostname CloudM.local.
    • Click Edit....
    • Check the box for Require Server Name Indication. This ensures the default local access continues to work alongside your public site.
    • Click OK.
  6. Next, add the new public binding:
    • In the Site Bindings window, click Add....
    • Type: Select https.
    • IP address: Choose All Unassigned.
    • Port: 443.
    • Host name: Enter the public FQDN (e.g., migrate.yourcompany.com).
    • SSL certificate: Select your newly imported certificate from the dropdown menu.
    • Click OK, then Close.
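
Because an upgrade or reinstall resets the bindings, sections 3.1 and 3.2 (step 6) can be scripted and re-run. The PowerShell below is an added example, not CloudM's own tooling; the .pfx path and FQDN are placeholders, and it assumes the WebAdministration and PKI modules that ship with Windows Server and IIS. It does not modify the existing cloudm.local binding from step 5; it only reports that binding's SNI flag.

```powershell
#Requires -RunAsAdministrator
# Added example: placeholder values, adjust to your environment.
param(
    [string]$SiteName = 'cloudm.local',              # site name used in this guide
    [string]$Fqdn     = 'migrate.yourcompany.com',   # placeholder public FQDN
    [string]$PfxPath  = 'C:\certs\migrate.pfx'       # placeholder path to the .pfx
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# 3.1: import into Local Computer > Personal. The password is prompted for so it
# never lands in the script or in shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $pfxPassword `
            -CertStoreLocation 'Cert:\LocalMachine\My' |
        Where-Object HasPrivateKey | Select-Object -First 1
if (-not $cert) { throw 'No certificate with a private key was imported.' }

# Refuse to bind a certificate that browsers would reject for this host name
# (name mismatch, expired, or chain not trusted by this server).
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn)) {
    throw "Certificate $($cert.Thumbprint) does not validate for $Fqdn."
}

# 3.2 step 5 (report only): sslFlags = 1 means Require Server Name Indication.
Get-WebBinding -Name $SiteName -Protocol https |
    Select-Object bindingInformation, sslFlags | Format-Table -AutoSize

# 3.2 step 6: add the public https binding with SNI if it is missing.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -HostHeader $Fqdn)) {
    New-WebBinding -Name $SiteName -Protocol https -IPAddress '*' -Port 443 `
        -HostHeader $Fqdn -SslFlags 1
}

# Attach the imported certificate (store 'My' = Personal) to the new binding.
$binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $Fqdn
$binding.AddSslCertificate($cert.Thumbprint, 'My')
"Bound $($cert.Thumbprint) to https://$Fqdn (expires $($cert.NotAfter))"
```

If a certificate is already attached to the public binding, remove the old one before re-running, since attaching a second certificate to the same host name and port fails.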

3.3. Test Your Configuration

Open a web browser on a machine outside your local network and navigate to your public URL (e.g. https://migrate.yourcompany.com). The CloudM Migrate login page should load securely without any certificate warnings.


4. Security Hardening Recommendations

These optional but highly recommended steps will further secure your IIS web server.

4.1. Harden IIS Configuration

Remove Server Version Headers

This prevents IIS from publicly announcing its version, hiding information from potential attackers.

  1. Download and install Microsoft URLScan.
  2. Open Notepad as an Administrator.
  3. Open the configuration file at C:\Windows\System32\inetsrv\urlscan\UrlScan.ini.
  4. Find the RemoveServerHeader setting and change its value from 0 to 1.
  5. Save the file.

Remove "X-Powered-By" Header

This hides the underlying technology (e.g., ASP.NET) used by the web application.

  1. In IIS Manager, navigate to the cloudm.local site.
  2. In the center pane, double-click HTTP Response Headers.
  3. Right-click the X-Powered-By header and select Remove.

Disable the OPTIONS Method

The OPTIONS verb can be used by attackers to gather information about allowed server methods.

  1. In IIS Manager, navigate to the cloudm.local site.
  2. Double-click Request Filtering.
  3. Select the HTTP Verbs tab.
  4. In the Actions pane, click Deny Verb....
  5. Enter OPTIONS as the verb and click OK.

Enable and Configure Request Filtering Rules

It is good practice to restrict the types of HTTP requests that IIS will process. Filtering rules can be set up to block unwanted requests.

  1. If IIS Manager is not already open, click the Start menu, click Run, and then type inetmgr.
  2. In IIS Manager, click the server name.
  3. Expand the Sites folder.
  4. Select https://cloudm.local.
  5. Double-click Request Filtering.
  6. Switch to the Rules tab.
  7. From the Actions pane, select Add Filtering Rule.
  8. Set the required rules and click OK to save the changes.

The following rule will check for the provided strings in requests for .asp and .aspx pages. IIS will block any requests containing these strings.

[Screenshots: example filtering rule]

More information on request filtering can be found at http://technet.microsoft.com/en-us/library/hh831621.aspx

4.2. Enhance SSL/TLS Security

Test and Strengthen Ciphers

Ensure your server is not using weak or outdated cryptographic protocols (like SSLv3 or older TLS versions).

  1. Go to Qualys SSL Labs SSL Test and test your public domain. Note the initial grade.
  2. Download the IIS Crypto GUI tool on your server.
  3. Run the application and click the Best Practices button. This will disable weak protocols and ciphers.
  4. Click Apply and reboot the server when prompted.
  5. Re-run the SSL Labs test. Your grade should improve, ideally to an 'A' or 'A+'.

4.3. System-Level Security

Configure Firewall Rules

If you only intend to serve traffic over HTTPS, you can disable unencrypted HTTP access at the firewall level.

  1. Open Windows Defender Firewall with Advanced Security.
  2. Select Inbound Rules.
  3. Locate and disable the following rules:
    • World Wide Web Services (HTTP Traffic-In)
    • Web Management Service (HTTP Traffic-In)
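
To confirm from outside the network that the header, verb and firewall changes in sections 4.1 and 4.3 took effect, the checks can be scripted. This PowerShell is an added example, not part of CloudM Migrate; the FQDN is a placeholder and the script assumes it is run from a Windows machine outside your local network.

```powershell
# Added example: run from a machine outside your network. The FQDN is a placeholder.
param([string]$Fqdn = 'migrate.yourcompany.com')

Add-Type -AssemblyName System.Net.Http
# Windows PowerShell 5.1 on older .NET Framework may not offer TLS 1.2 by default.
[Net.ServicePointManager]::SecurityProtocol =
    [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

$client = [System.Net.Http.HttpClient]::new()
$client.Timeout = [TimeSpan]::FromSeconds(15)

function Send-Probe([string]$Method) {
    $request = [System.Net.Http.HttpRequestMessage]::new(
        [System.Net.Http.HttpMethod]::new($Method), "https://$Fqdn/")
    # HttpClient does not throw on 4xx/5xx, so a denied request can be inspected.
    $client.SendAsync($request).GetAwaiter().GetResult()
}

$get     = Send-Probe 'GET'
$options = Send-Probe 'OPTIONS'

$results = [ordered]@{
    # 4.1: neither response should advertise the server or the framework.
    'Server header removed'       = -not ($get.Headers.Contains('Server') -or
                                          $options.Headers.Contains('Server'))
    'X-Powered-By header removed' = -not ($get.Headers.Contains('X-Powered-By') -or
                                          $options.Headers.Contains('X-Powered-By'))
    # 4.1: a denied verb must not return a success status.
    'OPTIONS denied'              = -not $options.IsSuccessStatusCode
    # 4.3: port 80 should be unreachable once the HTTP inbound rules are disabled.
    'HTTP (port 80) closed'       = -not (Test-NetConnection -ComputerName $Fqdn -Port 80 `
                                          -InformationLevel Quiet -WarningAction SilentlyContinue)
}

$results.GetEnumerator() | ForEach-Object {
    '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
$client.Dispose()
if (@($results.Values) -contains $false) { exit 1 }
```

Re-run it after every CloudM Migrate upgrade along with the binding steps, and treat any FAIL line as a setting to re-check.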

Apply Windows Updates

Always ensure your server is fully patched to protect against known vulnerabilities.

  1. Run a full Windows Update after installing CloudM Migrate.
  2. Install all available security and critical updates.
  3. Reboot the server if required.
