Adobe Connect 8 uses stunnel for software-based SSL/TLS connections, and it's pretty easy to set up. However, there are a couple of gotchas.
First, you have to decide whether to use SSL/TLS for the web interface, for meetings, or for both. If you want to encrypt both, you'll need two IP addresses and two hostnames defined in DNS, which you may not have planned for in advance. If you want to encrypt just one or the other, though, the instructions in the documentation (PDF link) are just a tiny bit off. You'll need to comment out all the lines for the other service. For example, if I just want to encrypt the web interface, the items in the section [https-vip] will remain uncommented, but the items in the section [rtmps-vip] must be commented out for stunnel to start successfully - including the section header itself:
;[rtmps-vip]
; incoming vip for fms (This is to secure Meeting) IP address that resolves to meeting FQDN
;accept = 123.123.123.2:443
; When stunnel is on the same box, simply leave the below IP address as 127.0.0.1
; Send unencrypted request to 1935
;connect =127.0.0.1:1935
; Certificate information for Connect Meetings.
; This assumes you put the cert and key in the root folder of stunnel
;cert = CertificateNameHere.pem
;key = CerificateKeyNameHere.pem
;ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
Second, the documentation refers to a Start Menu item for the stunnel service. Unfortunately, this doesn't exist. Fortunately, it's easy to register stunnel as a service. Just switch to the stunnel directory, typically something like C:\Breeze\8.2.0.1\stunnel, then type
stunnel -install

This won't create the Start Menu item, but it will register the service and set it up to start automatically.
Edit: 2011-12-14
Also, if you change the IP address of your Connect server, you'll need to stop stunnel, edit stunnel.conf, and change the IP addresses for the external listeners:
accept = 123.123.123.2:443
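As an added example (not part of the original post or of Adobe's documentation), the following script checks a stunnel.conf for the two mistakes described above: a section whose header is still active while its options are commented out, or the reverse, and an accept address reused after an IP change. The [https-vip] address and ports in the sample are constructed, and the rule that every active section needs its own accept and connect line is an assumption based on the layout shown in this post.

```python
import re

SECTION = re.compile(r"^\[(.+)\]$")
OPTION = re.compile(r"^(\w+)\s*=\s*(.+)$")

def parse_services(text):
    """Map each active [section] to its uncommented (key, value) options."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or ';' comment
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            services.setdefault(current, [])
        elif current and (m := OPTION.match(line)):
            services[current].append((m.group(1), m.group(2).strip()))
    return services

def lint(text):
    """Return findings for half-commented sections and clashing listeners."""
    findings, owner = [], {}
    for name, opts in parse_services(text).items():
        accepts = [v for k, v in opts if k == "accept"]
        for key in ("accept", "connect"):
            if not any(k == key for k, _ in opts):
                findings.append(f"[{name}] has no active {key}: "
                                "header still active, options commented out?")
        if len(accepts) > 1:
            findings.append(f"[{name}] has {len(accepts)} accept lines: "
                            "options left active under a commented-out header?")
        for addr in accepts:
            if owner.setdefault(addr, name) != name:
                findings.append(f"[{name}] and [{owner[addr]}] both listen on {addr}")
    return findings

# Constructed sample: the [rtmps-vip] header is commented out but its options
# are still active, so stunnel would read them as part of [https-vip].
BROKEN = """\
[https-vip]
accept = 123.123.123.1:443
connect = 127.0.0.1:8443
;[rtmps-vip]
accept = 123.123.123.2:443
connect =127.0.0.1:1935
"""

if __name__ == "__main__":
    print("\n".join(lint(BROKEN)))
```

Run it against the edited file before restarting the service; an empty result means each active section has one accept, a connect, and no listener shared with another section.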