When trying to log in to the Email and Server Security 14.xx WebGUI via a browser using the address https://127.0.0.1:25023, a message is shown that the page cannot be displayed.
To access the web console from other hosts in the network, you need to allow them via Internet Information Services (IIS). To allow access to the web console for all hosts
If the ESS WebGUI isn't displayed and the certificate is missing in IIS, you can run the setup tool F-Secure.Ess.Config to create a new certificate.
- In Administrative Tools, start Internet Information Services (IIS) Manager.
- Go to Sites > EssWebConsole.
- Select Bindings.
- Select the row with port 25025 127.0.0.1 and click on Edit.
- Under SSL certificate, select Local ESS Web Console Self Signed Cert and select OK.
The tool can be found at: C:\Program Files (x86)\F-Secure\Email and Server Security\ui\F-Secure.Ess.Config
(Use the .exe file, the one with the F-Secure icon, and run it as administrator.)
Following the steps, at step 7 you should be able to select the certificate: Local ESS Web Console Self Signed or create a self-signed one.
Once completed, you should now be able to select the certificate in IIS > EssWebConsole > Bindings.
If the browser again shows the error "page cannot be displayed":
- Make sure TLS 1.0 and TLS 1.1 are enabled for the server.
- If you are using Windows Server 2008 R2, 2012 or 2012 R2, make sure the update KB3042058 is installed.
Dropped support for weak cipher suites for TLS protocol. This may result in connectivity issues with outdated Windows hosts that are missing e.g. KB3042058 updates from May 2015.
The easiest way to check whether the host is able to use Policy Manager is to open Policy Manager's HTTPS welcome page with Internet Explorer from the managed host, because Internet Explorer is the only browser using the same 'schannel' library as all Windows clients to establish secure connections with the Policy Manager Server. Other browsers will connect to the Policy Manager even without the KB3042058 update.
Sometimes the 'schannel' library attempts to use TLS 1.0 even with the KB3042058 update installed. This was discovered on Windows Servers running the AD role. Making any change to the SSL Cipher Suite Order Group Policy setting as described under More Information at https://support.microsoft.com/en-us/help/3042058/microsoft-security-advisory-update-to-default-cipher-suite-priority-or#section-2 and rebooting the server fixes this, even if the SSL Cipher Suite Order Group Policy setting value is later reset to default.
Add '-DenableVistaInteroperability=true' to the additional_java_args configuration property to re-enable weak cipher suites and TLS 1.0 and 1.1.
This can be done on the Policy Manager server by opening regedit:
HKEY_LOCAL_MACHINE>SOFTWARE>Wow6432Node>Data Fellows>F-Secure>Management Server
Then edit the additional_java_args value: -DenableVistaInteroperability=true
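The checks above can be gathered in one read-only PowerShell script. This is an added example, not F-Secure tooling. It assumes the WebAdministration module is installed on the host and that the site name and registry path are the ones given in this article; the Schannel registry location is the standard Windows one and does not come from the article.

```powershell
# Added example: read-only checks, run from an elevated PowerShell session.
param([string]$SiteName = 'EssWebConsole')   # site name from the IIS steps

# 1. Is a certificate attached to each HTTPS binding of the site?
Import-Module WebAdministration
foreach ($b in Get-WebBinding -Name $SiteName -Protocol https) {
    if ([string]::IsNullOrEmpty($b.certificateHash)) {
        Write-Warning "$($b.bindingInformation): no certificate selected"
        continue
    }
    $path = "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)"
    $cert = Get-Item $path -ErrorAction SilentlyContinue
    if ($cert) {
        "{0}: {1}, expires {2:d}" -f $b.bindingInformation, $cert.Subject, $cert.NotAfter
    } else {
        Write-Warning "$($b.bindingInformation): bound certificate is not in the store"
    }
}

# 2. Is KB3042058 recorded as installed?
if (Get-HotFix -Id KB3042058 -ErrorAction SilentlyContinue) {
    'KB3042058: installed'
} else {
    Write-Warning 'KB3042058 is not listed by Get-HotFix'
}

# 3. Schannel server-side state of TLS 1.0 and TLS 1.1.
#    A missing key or value means the operating system default applies.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    $p = Get-ItemProperty -Path "$base\$proto\Server" -ErrorAction SilentlyContinue
    $state = if (-not $p -or $null -eq $p.Enabled) { 'OS default' }
             elseif ($p.Enabled -eq 0) { 'disabled' }
             else { 'enabled' }
    "{0} (server): {1}" -f $proto, $state
}

# 4. On the Policy Manager server only: is the interoperability flag set?
$pms = 'HKLM:\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Management Server'
$javaArgs = (Get-ItemProperty -Path $pms -ErrorAction SilentlyContinue).additional_java_args
if ($null -eq $javaArgs) {
    'additional_java_args: not present on this host'
} elseif ($javaArgs -match '-DenableVistaInteroperability=true') {
    'additional_java_args: weak cipher suites and TLS 1.0/1.1 are re-enabled'
} else {
    "additional_java_args: flag not set (current value: $javaArgs)"
}
```

The script changes nothing; sections 1 to 3 apply to the Email and Server Security host and section 4 to the Policy Manager server.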
Article no: 000022837