TheITJedi Posted March 3, 2021 (edited)

This guide will explain how to set up a Windows Server instance of Emby Server with IIS as a fully transparent reverse proxy with SSL offload and auto-renewing certificates via Let's Encrypt.

First, what is IIS?
IIS, or Internet Information Services, is the web server service provided with Windows and Windows Server installations. It is industry standard technology and is widely supported and regularly maintained by Microsoft.

Second, what is a reverse proxy?
A reverse proxy will take requests coming into your server (in this case HTTPS on port 443) and route them to a backend application (in this case Emby Server on port 8096 on the same box or another). Reverse proxies are very useful if you only have 1 public IP and multiple services you would like to run on a single port (443, for example, is standard secure web traffic) or multiple servers that need to appear as one.

Third, why do I want a certificate for my site from Let's Encrypt?
Well, most sites nowadays are secure (read: they encrypt your traffic to prevent people from seeing your data), and browsers these days flag sites that are not using properly signed certificate chains or run on insecure ports. If you use a self-signed certificate in Emby, you may have difficulty getting things like the iOS app or Roku app to work properly outside your home. (Not sure about the rest of you, but Emby on the kid's iPad is a life saver for long car rides.) Let's Encrypt provides free SSL certificates that are signed by certificate authorities that will be recognized on all devices and platforms.

I will be using Windows Server 2019 with IIS 10 and AAR 3. All of this should work with Windows Server 2012R2 and Windows Server 2016 as well as Windows 10, however there may be some differences. You can use either the stable or beta version of Emby Server, however in this guide we will use the stable version.
At the time of writing, this guide will get you a full A+ rating from the SSLlabs.com security test. (For comparison purposes, Facebook's rating is a B.)

In this guide we will:
Install Emby Server
Move Emby Server Installation to a non-user-locked location
Set up a service user to run Emby Server as
Configure Emby Server to run as a service
Configure Windows Firewall
Install IIS
Install AAR
Install IIS Rewrite module
Configure AAR
Configure IIS as a reverse proxy for Emby
Configure SSL cipher suites for the server
Install the Certify the Web client
Configure Certify the Web for auto-renewing SSL certificate for your domain

Note: To be externally accessible, you will need to configure your router/modem to port forward 80 and 443 to your server.

Pre-reqs/Assumptions:
A physical server or VM running Windows Server
An Internet connection
A DynDNS/No-IP URL (or similar routable DNS name pointed at your router's public IP)
You have port forwarded ports 80 and 443 through your router to the machine you will use as a reverse proxy (in this guide we will use the same box for the reverse proxy and Emby server, but these can be run on different hosts).
You have installed Notepad++ on the machine you will be setting up.

Install Emby Server
Download Emby Server
Run the Installer
Click Run when prompted
If prompted by SmartScreen, click run anyway
If prompted to install Visual C++ runtime, click install
It will install to the default location of %APPDATA%\Emby-Server.

Move Emby Server to Non-User Locked Location
Ensure that Emby Server is not running (right click icon in system tray if present and click Exit)
Navigate to default location of %APPDATA% (%userprofile%\appdata\roaming)
Right click the folder and click "cut"
Navigate to C:\ (or root of the drive you wish to have Emby run from)
Right click in the whitespace and paste.
(if prompted to provide administrator permission, approve)

Create a Service Account to run Emby as
Note: Instructions show how to do this using local users and computers, you can also do this with Active Directory Users and Computers if your server is running that role.
Right click on the start button (Windows flag) on the left side of the task bar
Click Computer Management
Expand Local Users and Groups on the left side
Click Users
Right click the whitespace and click new user
Complete the new user dialog as shown (make sure you save whatever password you use as you will need it later, ProTip: don't re-use passwords)
Click create
Click close
Close the computer management window

Setup NSSM
NSSM (Non-Sucking Service Manager) is needed to run Emby Server as a service as Emby Server does not include the necessary components to run as a Windows service by default.
Download here: https://nssm.cc/download
Double click downloaded zip to open it in Windows Explorer
Navigate to /win64 folder inside zip
Copy/extract 64 bit version of the file to C:\Emby-Server

Setup Folder Permissions
Navigate to C:\
Right click the Emby-Server folder
Click Properties
Click Security tab
Click Advanced
Click Disable Inheritance
Click Convert to Explicit
Select CREATOR OWNER
Click Remove
Select Users (special)
Click Remove
Click Add
Enter SvcEmby in the dialog
Click OK
Click Full Control
Click OK
Click Change next to owner at the top of the box
Type SvcEmby in the dialog
Click OK
Check the Replace owner check box
Check the Replace permissions checkbox
Verify the dialog window looks similar to this (computer name will be different)
Click OK
When prompted if you want to replace permissions click Yes
Verify security tab looks like this
Click OK

Setup Emby as a Service using NSSM
Right click the start button on the left side of the task bar
Click Windows PowerShell (Admin)
Type: "cd C:\Emby-Server" and press enter
Type ".\nssm.exe install Emby" and press enter
The install service dialog will launch, fill out as follows:
Application Tab
Details Tab
Logon Tab (note, if you are using Active Directory it should be: YOURDOMAIN\SvcEmby)
Exit Actions Tab
Click Install Service
Click OK

Configure Windows Firewall
Click Start
Click Control Panel
Click Windows Defender Firewall
Click Advanced Settings on the left hand side
Click Inbound Rules
Click New Rule on the right hand side
Click Port
Click Next
Type 80, 443 in the ports box
Click Next
Click Next
Click Next
Name it Web Server Ports
Click Finish

Install IIS (Internet Information Services)
Click Start
Click Server Manager
Click Add Roles and Features
Click next on the Before you Begin page
Click Role Based install
Click Next
Verify you are installing on your local server
Click Next
Check the box for "Web Server (IIS)"
When prompted to install management tools Click Add Features
Click Next
Under Features, click Next
Click Next again to get to role services
Check the boxes for all of the following role services
Make sure you check the box for web sockets under Application Development, this is needed for various features of Emby to work right.
Click Next
Click Install
Once installation completes, click close

Install Web Platform Installer add-on
Download from: https://www.microsoft.com/web/downloads/platform.aspx
Run the Web Platform Installer add-on installer
Click Install
Click Finish

Install AAR (Advanced Application Routing)
Download from: https://www.microsoft.com/en-us/download/details.aspx?id=47333
Run the Request Router installer
Click Install

Install IIS Re-Write Module
Click Start
Click Administrative Tools
Open Internet Information Services (IIS) Manager
Click the name of your server on the left
Double Click on the Web Platform Installer
In the search box type "url rewrite"
Click Add
Click Install
Click I Agree
Click Finish

Configure AAR
Click Start
Click Administrative Tools
Open Internet Information Services (IIS) Manager
Click the name of your server on the left
Right Click Server Farms
Click Create Server Farm
Name your Server Farm
Click Next
Enter the IP address of the server or "localhost"
Click Add
Click Finish
Click No in the dialog that pops up
Expand your newly created Server Farm
Click Proxy
Configure settings as shown
Click Apply
Click your Server
Click Application Request Routing
Click Server Proxy Settings
Configure settings as shown
Click Apply
Click Your Server

Configure IIS Server Variables
Click Url Re-Write
Click View Server Variables
Click Add
Type "HTTP_ACCEPT_ENCODING"
Click OK
Click Add
Type "HTTP_X_ORIGINAL_ACCEPT_ENCODING"
Click OK
Click Add
Type "HTTP_X_FORWARDED_FOR"
Click OK
Click Add
Type "HTTP_X_REAL_IP"
Click OK
Click Your Server

Create Emby Site
Expand Sites on the left hand side
Right Click "Default Web Site"
Highlight "Manage Website"
Click Stop
Right Click the white space in the Sites list
Click Add Website
Click the "..." button to the right of Physical Path
Browse to C:\inetpub\wwwroot
Click it
Click Make New Folder
Call it Emby
Click OK
Under Binding
Fill in with your public host name (see dynamic DNS mentioned in pre-reqs)
Click OK

Configure Logging
Click your server
Click Logging
Click Select Fields
Click Add Field
Configure as shown
Click OK
Click OK
Click Apply

Install and Configure Certify The Web client
Download From: https://certifytheweb.com
Run the Certify the Web installer
Click Next
Click Next
Click Next
Click Install
Click Finish
Click New Certificate
Click on Contact Prompt
Fill in your contact email
Click Register Contact
Click New Certificate again
Select Emby from the sites list
Name and domain will populate automatically.
Click Deployment
Configure as shown
Complete certificate verification process
Click your site in IIS manager
Click Bindings
Verify there is an HTTPS binding and that it looks similar to this (with your domain information)

Edit Web.Config for Emby Site
Click HTTP Response Headers
Click Add
Configure as shown (we are just creating a header to get the web.config to exist, we will paste in a premade one below, so these values don't really matter)
Click OK
Open an Explorer window and browse to C:\inetpub\wwwroot\Emby
Right click web.config and Edit with Notepad++
Replace existing content with web.config below

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <clear />
        <!-- Send every plain-HTTP request to the same URL over HTTPS -->
        <rule name="Redirect to https" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*" negate="false" />
          <conditions logicalGrouping="MatchAny">
            <add input="{HTTPS}" pattern="off" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
        </rule>
        <!-- Forward everything except /.well-known to Emby on port 8096 -->
        <rule name="Proxy to Emby" stopProcessing="false">
          <match url="(.*)" />
          <conditions>
            <add input="/{R:1}" pattern=".well-known" negate="true" />
          </conditions>
          <serverVariables>
            <!-- Ask the backend for uncompressed responses so outbound rules can rewrite them -->
            <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
            <set name="HTTP_ACCEPT_ENCODING" value="" />
            <set name="HTTP_X_REAL_IP" value="{REMOTE_ADDR}" />
          </serverVariables>
          <action type="Rewrite" url="http://localhost:8096/{R:1}" logRewrittenUrl="true" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
        </rule>
        <!-- Pattern corrected: the posted version had a doubled scheme ("://http://") and could never match -->
        <rule name="Proxy to Emby" preCondition="ResponseIsHtml1" enabled="true">
          <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^http(s)?://localhost:8096/(.*)" />
          <action type="Rewrite" value="http{R:1}://media.example.com/{R:2}" />
        </rule>
        <rule name="Restore-AcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
          <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
          <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
        </rule>
        <preConditions>
          <preCondition name="ResponseIsHtml1">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
          </preCondition>
          <preCondition name="NeedsRestoringAcceptEncoding">
            <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
    <caching enabled="false" enableKernelCache="false" />
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Xss-Protection" value="1; mode=block" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Referrer-Policy" value="same-origin" />
        <add name="Feature-Policy" value="sync-xhr 'self'" />
        <add name="Cache-Control" value="no-cache" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

Save changes (if prompted to restart Notepad++ in admin mode allow it and then try saving again)
IIS will now be properly configured as a reverse proxy
for Emby.

Under IIS Manager > Rewrite you should now see the following rules:

Configure Server Ciphers
Download here: https://www.nartac.com/Products/IISCrypto/Download (GUI version)
Run the IISCrypto tool
Click Templates
In the template drop down box, select PCI 3.2
This will disable IIS from being able to serve via SSL 2.0, 3.0; TLS 1.0 and TLS 1.1. This will leave just the industry standard TLS 1.2.
Click Apply
Click OK.
Reboot your server.

Emby Internal Settings
Navigate to your server via the localhost:8096 address
Click the gear in the top right corner
Click Network from the list of tabs on the right
Configure as shown (use your hostname in the external domain box)

Conclusion
Upon rebooting, your computer will start IIS services and Emby Server as a service. Traffic coming in on port 80 (if someone just types your URL without HTTPS in their browser's address bar) will be automatically redirected to port 443 and the HTTPS:// version of your host name. Your certificate will auto-renew every so often and re-bind to the site in IIS without any interaction on your part. This allows for a server that you can, for the most part, set up and forget about, and just manage your Emby installation via its web UI.

There are a lot of ways to set up Emby Server depending on your environment and other factors. For my environment this made the most sense, and since large portions of this took quite a bit of digging and research to get working just right, I figured I'd make someone else's life a little easier if they were trying to do something similar. These instructions can be adapted for Windows Server 2012 R2, Windows Server 2016, Windows 8 and Windows 10.

In the end, browsing to your domain should look like this in the browser

Additional Information for Updating
When updating your Emby installation, simply stop the service for Emby, install like you normally would, then just cut the system folder inside the %appdata%\emby-server folder and paste it into the C:\Emby-Server folder. When prompted, replace all files, then start the service again once the copy completes.

Additional Information about Connecting with Emby Apps
When connecting to your Emby installation remotely with Emby apps, remember to prefix your domain name with https:// and use 443 for the port number.

<Edit>
Additional Information about changing Emby Server Title:
For those users who wish to change their page title in the browser (as discussed here), here is additional Web.Config information that will let you do just that! Using IIS Re-Write rules to change the page title means you don't have to edit files to reset it every time you upgrade your Emby Server!
Add these 3 rules at the bottom of the rules list, and replace the whole <preConditions> block too.
NOTE: Make sure you replace ALL 4 instances of NAME_OF_YOUR_SERVER with what you want your server to display in the tab bar.

<!-- Angle brackets and quotes are XML-escaped so the file stays well-formed -->
<rule name="RewriteTitle" preCondition="ResponseIsHtml1" enabled="true">
  <match filterByTags="None" pattern="&lt;title&gt;(.*)&lt;/title&gt;" />
  <action type="Rewrite" value="&lt;title&gt;NAME_OF_YOUR_SERVER&lt;/title&gt;" />
</rule>
<rule name="RewriteAppHeaderJs" preCondition="ResponseIsJS" enabled="true">
  <match filterByTags="None" pattern="document.title=&quot;Emby&quot;" />
  <action type="Rewrite" value="document.title=&quot;NAME_OF_YOUR_SERVER&quot;" />
</rule>
<!-- The two pipes are backslash-escaped so the regex matches them literally -->
<rule name="RewriteAppHeaderJs2" preCondition="ResponseIsJS" enabled="true">
  <match filterByTags="None" pattern="title.Name\|\|&quot;Emby&quot;:&quot;Emby&quot;" />
  <action type="Rewrite" value="title.Name||&quot;NAME_OF_YOUR_SERVER&quot;:&quot;NAME_OF_YOUR_SERVER&quot;" />
</rule>
<preConditions>
  <preCondition name="ResponseIsHtml1">
    <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
  </preCondition>
  <preCondition name="ResponseIsJS">
    <add input="{RESPONSE_CONTENT_TYPE}" pattern="application/javascript|text/javascript" />
  </preCondition>
  <preCondition name="NeedsRestoringAcceptEncoding">
    <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
  </preCondition>
</preConditions>
</Edit>

Edited July 2, 2021 by TheITJedi (Additional Information Added)
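
A read-only way to confirm the finished setup from a client machine, added here as an example (it is not part of the original post or of any tool the post mentions): it probes which TLS versions the proxy accepts, then checks the port 80 redirect and the response headers defined in the web.config above. The host name media.example.com is the guide's placeholder, the function names are illustrative, and the expected 302 and header values are taken from that web.config.

```powershell
param(
    [string]$HostName = 'media.example.com',   # placeholder host name from the guide's web.config
    [int]$Port = 443
)

# Older Windows PowerShell/.NET builds default to TLS 1.0 for web requests;
# force TLS 1.2 so the header checks can reach a server that only offers 1.2.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

function New-Check {
    param([string]$Name, [bool]$Passed, [string]$Detail)
    [pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# Returns $true only if a handshake restricted to one protocol version succeeds.
# Caveat: a client OS that has the old protocol disabled fails locally, and an
# untrusted certificate also fails, so run this from a client that can offer
# TLS 1.0/1.1 and trusts the site's certificate.
function Test-TlsProtocol {
    param([string]$HostName, [int]$Port, [System.Security.Authentication.SslProtocols]$Protocol)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $stream = $client.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false
        try {
            $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
            return $true
        } finally {
            $ssl.Dispose()
        }
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Fetches one response without following redirects; returns $null on failure.
function Get-RawResponse {
    param([string]$Url)
    $req = [System.Net.WebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    try { return $req.GetResponse() }
    catch {
        Write-Warning "Request to $Url failed: $($_.Exception.Message)"
        return $null
    }
}

$results = @()

# After the IIS Crypto "PCI 3.2" template only TLS 1.2 should be accepted.
$expected = [ordered]@{ Tls = $false; Tls11 = $false; Tls12 = $true }
foreach ($name in $expected.Keys) {
    $proto = [System.Security.Authentication.SslProtocols]$name
    $ok = Test-TlsProtocol -HostName $HostName -Port $Port -Protocol $proto
    $results += New-Check "Handshake with $name" ($ok -eq $expected[$name]) "accepted=$ok, expected=$($expected[$name])"
}

# The "Redirect to https" rule uses redirectType="Found", i.e. HTTP 302.
$resp = Get-RawResponse "http://$HostName/"
if ($resp) {
    $status = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $results += New-Check 'HTTP redirects to HTTPS' (($status -eq 302) -and ($location -like 'https://*')) "status=$status, Location=$location"
    $resp.Close()
} else {
    $results += New-Check 'HTTP redirects to HTTPS' $false 'no response'
}

# Headers set by the outbound HSTS rule and the customHeaders block.
$wanted = [ordered]@{
    'Strict-Transport-Security' = 'max-age=31536000*'
    'X-Frame-Options'           = 'SAMEORIGIN'
    'X-Content-Type-Options'    = 'nosniff'
    'Referrer-Policy'           = 'same-origin'
}
$resp = Get-RawResponse "https://${HostName}:$Port/"
foreach ($header in $wanted.Keys) {
    $value = if ($resp) { $resp.Headers[$header] } else { $null }
    $results += New-Check "Header $header" ($value -like $wanted[$header]) "value=$value"
}
if ($resp) { $resp.Close() }

$results | Format-Table -AutoSize
```

If the TLS 1.2 handshake row fails as well, the host is unreachable or the certificate is not trusted, so the "refused" results for TLS 1.0 and 1.1 prove nothing until that is fixed.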
rbjtech Posted March 3, 2021 (edited)

Nice. This comprehensive guide should probably go in the Guides section (https://emby.media/community/index.php?/forum/24-tutorials-and-guides/) and/or a Wiki doc.

btw - you can just install the 'portable' version of Emby Server where you like - no need to install it and then move it.

@cayars can probably get that sorted for you.

Edited March 3, 2021 by rbjtech
XSR Posted March 6, 2021 (edited)

Very nice tutorial. I don't use IISCrypto myself. I use a more powerful PowerShell script from this website. With a few modifications you get the TLS 1.3 security protocol enabled on Windows IIS. I know this latest protocol isn't recommended for production use as yet. But for testing purposes I tested it myself. Remember to take a backup first if you are going to try this. I have tested this on Windows 10, version 21H1 Enterprise (preview) with IIS.

First I run Version 3.0.1, SetupIISForSSLPerfectForwardSecrecy.ps1 (Recommended) and then save the text below as IIS-TLS-1.3.ps1 and run it as admin. Reboot after.

<# ============================== Enable TLS 1.3 ================================ #>
# Add and Enable TLS 1.3 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.3 has been enabled.'

# Set cipher suites order as secure as possible (Enables Perfect Forward Secrecy).
Write-Host 'Use cipher suites order for Windows 10/2016 and later.'
$cipherSuitesOrder = @(
    'TLS_CHACHA20_POLY1305_SHA256',
    'TLS_AES_256_GCM_SHA384',
    'TLS_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA'
)
$cipherSuitesAsString = [string]::join(',', $cipherSuitesOrder)
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -ErrorAction SilentlyContinue
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null

# Reboot
Write-Host -ForegroundColor Red 'A computer restart is required to apply settings. Restart computer now?'
Restart-Computer -Force -Confirm

I think Emby feels a little faster too.

Edited March 6, 2021 by XSR
TheITJedi (Author) Posted March 7, 2021 (edited)

15 hours ago, XSR said:

Very nice tutorial. I don't use IISCrypto myself. I use a more powerful PowerShell script from this website. With a few modifications you get the TLS 1.3 security protocol enabled on Windows IIS. I know this latest protocol isn't recommended for production use as yet. But for testing purposes I tested it myself. Remember to take a backup first if you are going to try this. I have tested this on Windows 10, version 21H1 Enterprise (preview) with IIS.

First I run Version 3.0.1, SetupIISForSSLPerfectForwardSecrecy.ps1 (Recommended) and then save the text below as IIS-TLS-1.3.ps1 and run it as admin. Reboot after.

<# ============================== Enable TLS 1.3 ================================ #>
# Add and Enable TLS 1.3 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.3 has been enabled.'

# Set cipher suites order as secure as possible (Enables Perfect Forward Secrecy).
Write-Host 'Use cipher suites order for Windows 10/2016 and later.'
$cipherSuitesOrder = @(
    'TLS_CHACHA20_POLY1305_SHA256',
    'TLS_AES_256_GCM_SHA384',
    'TLS_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA'
)
$cipherSuitesAsString = [string]::join(',', $cipherSuitesOrder)
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -ErrorAction SilentlyContinue
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null

# Reboot
Write-Host -ForegroundColor Red 'A computer restart is required to apply settings. Restart computer now?'
Restart-Computer -Force -Confirm

I think Emby feels a little faster too.

@XSR, Thanks! As a Systems/Server/Network admin for almost 2 decades I am inclined to warn that these settings will cause issues on lower builds of Windows 10/Windows Server, and are not recommended. TLS 1.3 is not supported by most things at this time and most browsers will end up only using TLS 1.2.

Please only apply the settings provided by @XSR if your build of Windows is at least what he listed!

Side note, IIS Crypto was used as it was an easy-to-use, highly tested, industry standard tool that, if using one of the template settings, won't break things. I can however confirm that those settings will enable TLS 1.3 if you're on one of the latest preview builds of Windows 10 21H1.

Edited March 7, 2021 by TheITJedi
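
To see what the registry changes discussed in the two posts above actually left on a machine, the following added example (not from either poster or from the script they reference) reads the same SCHANNEL protocol keys and the cipher suite policy value without modifying anything. The function name and output columns are illustrative; the interpretation follows the usual Schannel meaning of the two values (Enabled = 0 turns a protocol off, DisabledByDefault = 1 leaves it available only to applications that request it explicitly).

```powershell
# Registry locations taken from the script quoted in the thread.
$protocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$suitePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Reads Enabled / DisabledByDefault for one protocol and role and explains the result.
function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Role)
    $key = "$protocolRoot\$Protocol\$Role"
    $enabled = $null
    $disabledByDefault = $null
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        $enabled = $props.Enabled
        $disabledByDefault = $props.DisabledByDefault
    }
    # A DWORD written as 0xffffffff may read back as -1; any non-zero value means "on".
    $state = if ($null -eq $enabled -and $null -eq $disabledByDefault) {
        'OS default (not configured)'
    } elseif ($enabled -eq 0) {
        'disabled'
    } elseif ($disabledByDefault -eq 1) {
        'off unless an application asks for it'
    } else {
        'enabled'
    }
    [pscustomobject]@{
        Protocol          = $Protocol
        Role              = $Role
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        State             = $state
    }
}

$report = foreach ($protocol in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
    foreach ($role in 'Server', 'Client') {
        Get-SchannelProtocolState -Protocol $protocol -Role $role
    }
}
$report | Format-Table -AutoSize

# Cipher suite order policy: show the configured order and label each suite.
# TLS 1.3 suite names have no "_WITH_" part; the rest are TLS 1.2-and-earlier suites.
$functions = (Get-ItemProperty -LiteralPath $suitePolicy -ErrorAction SilentlyContinue).Functions
if ($functions) {
    $order = 0
    $functions -split ',' | ForEach-Object {
        $suite = $_.Trim()
        $order++
        $kind = if ($suite -notmatch '_WITH_') { 'TLS 1.3 suite' }
                elseif ($suite -match '_GCM_')  { 'AEAD (GCM)' }
                elseif ($suite -match '_CBC_')  { 'CBC' }
                else                            { 'other' }
        [pscustomobject]@{ Order = $order; Suite = $suite; Kind = $kind }
    } | Format-Table -AutoSize
} else {
    'No cipher suite order policy is set; the OS default order applies.'
}
```

Saving this output before and after running a hardening tool or script gives a simple record to compare against if something such as remote access stops working afterwards.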
t123thomas Posted March 14, 2021 (edited)

@TheITJedi, Thanks for the write up, very detailed. I struggled with implementing these processes many times, but for lack of adequate literature or guidance I ended up abandoning the project. I mostly followed YouTube lectures for most of my needs, which I found very helpful, watching a visual lecture. I hope someone will create a YouTube lecture of these procedures for people like me to follow. Anyway, I'm yet to implement the process, I shall do so when I have the time. Thanks

Edited March 14, 2021 by t123thomas

TheITJedi (Author) Posted March 14, 2021

@t123thomas I could probably do a video of how to do it. Finding time to make it is the hard part.

t123thomas Posted March 14, 2021 (edited)

1 hour ago, TheITJedi said:

@t123thomas I could probably do a video of how to do it. Finding time to make it is the hard part.

This will be great and exciting. I am sure the YouTube lecture will attract a lot of attention (I hope), coz I shared my server with a few families, and security has always been my major concern. I hope this alleviates my concern. I have checked "follow topic" to be notified when you upload to YouTube.

Edited March 14, 2021 by t123thomas

t123thomas Posted March 14, 2021 (edited)

@TheITJedi, I use DD-WRT firmware in my router, with OpenVPN. The VPN provider offers me a static IP address, so I do not have an issue with the ISP IP changing. How will this be incorporated in the settings, or does it not matter? As your instructions are based on Dynamic DNS, if I have a static IP, do I still need to be concerned with DynDNS? How will this alter your instructions?

Edited March 14, 2021 by t123thomas

TheITJedi (Author) Posted March 14, 2021

1 hour ago, t123thomas said:

@TheITJedi, I use DD-WRT firmware in my router, with OpenVPN. The VPN provider offers me a static IP address, so I do not have an issue with the ISP IP changing. How will this be incorporated in the settings, or does it not matter? As your instructions are based on Dynamic DNS, if I have a static IP, do I still need to be concerned with DynDNS? How will this alter your instructions?

If you have a static IP address, I'd get a domain (I use a .me top level domain, they are pretty cheap, $10-30 a year). I'd then set up a DNS record pointing to your static IP. I have a top level domain that I've set up with ClouDNS, which lets me have dynamic IPs against my domain name. You don't have to use a dynamic address if you have a static IP, as dynamic DNS is just a way to compensate for your public IP changing. The configuration information will work for your case. Just update the configs shown in screenshots and web.config to reflect your domain name instead of media.example.com.
Nathanael Posted March 15, 2021 (edited)

@TheITJedi, I have followed your post to the letter. I don't have much experience with IIS, but your steps are well explained. The server is running, all steps went fine. But I am stuck at error 500 when the page is loading from within my LAN. From outside my network the page is not available at all (PR END OF FILE ERROR). The server is available with http. I'm using Windows 2019 server. Any ideas?

Forget my ticket. After reading it over and over I discovered a typo on my part. HTTPS is working.

Edited March 16, 2021 by Nathanael

TheITJedi (Author) Posted March 17, 2021

@Nathanael Have you opened ports on your router such that port 80 and 443 are forwarded at the machine you have IIS on? Are your IIS and Emby installations on the same machine (and not separate VMs running on the same machine)?

TheITJedi (Author) Posted March 24, 2021

On 3/15/2021 at 4:29 AM, Nathanael said:

Forget my ticket. After reading it over and over I discovered a typo on my part. HTTPS is working.

Glad to hear it is working for you!
tonytoronto Posted April 2, 2021 (edited)

Thank you so much for the guide. Saved me so many frustrating hours. I had tried other ways of doing this but there was always something else that broke or didn't work. If you're ever in Toronto, I'm buying you a beer. Thanks

PS - Just a heads up, the Crypto settings will break Remote Desktop Services on the server. Seems RDP doesn't support TLS 1.2. Had to re-select 1.0 and 1.1. Kinda sucks, would have been nice to have it more secure.

Edited April 2, 2021 by tonytoronto

TheITJedi (Author) Posted April 2, 2021

@tonytoronto What are you connecting to your server with? Windows 10 or something else?

tonytoronto Posted April 2, 2021 (edited)

On 4/2/2021 at 1:06 AM, TheITJedi said:

@tonytoronto What are you connecting to your server with? Windows 10 or something else?

Just a few Windows 10 desktops/laptops, one Windows 7 PC. Should have mentioned, using Windows Server 2016 Essentials. When using TLS 1.2 only, the remote desktop services stop and won't start. It looks like remote services were built to support TLS 1.0 only, and Microsoft is not updating it. I looked into some workarounds but they involve either buying extra software or changing the way remote PCs connect, too much work and headaches. I use the server as a client backup/media server mainly. Thank you again for the guide, Emby everything working perfectly.

PS -- Stumbled into a fix for Server Essentials only using TLS 1.0 for remote access. Simple registry change to .NET Framework. Not my work, and please backup/record .NET Framework settings before changing it.

TLS 1.2 enable server.reg

Edited April 4, 2021 by tonytoronto (Found fix)

TheITJedi (Author) Posted April 6, 2021

On 4/2/2021 at 10:02 AM, tonytoronto said:

Just a few Windows 10 desktops/laptops, one Windows 7 PC. Should have mentioned, using Windows Server 2016 Essentials. When using TLS 1.2 only, the remote desktop services stop and won't start. It looks like remote services were built to support TLS 1.0 only, and Microsoft is not updating it. I looked into some workarounds but they involve either buying extra software or changing the way remote PCs connect, too much work and headaches. I use the server as a client backup/media server mainly. Thank you again for the guide, Emby everything working perfectly.

PS -- Stumbled into a fix for Server Essentials only using TLS 1.0 for remote access. Simple registry change to .NET Framework. Not my work, and please backup/record .NET Framework settings before changing it.

TLS 1.2 enable server.reg

@tonytoronto Yes! I had just signed on to send you those exact settings to fix your issue with RDP access. In 2019 these values are set as the defaults. If you are using Server 2012R2 or 2016, the registry settings you posted will make RDP use TLS 1.2 instead of 1.0.

tonytoronto Posted April 7, 2021

22 hours ago, TheITJedi said:

@tonytoronto Yes! I had just signed on to send you those exact settings to fix your issue with RDP access. In 2019 these values are set as the defaults. If you are using Server 2012R2 or 2016, the registry settings you posted will make RDP use TLS 1.2 instead of 1.0.

Thank you so much. Everything finally working right, your guide saved many hours of cursing and drinking. RDP connections are so much faster now too.
skooogis Posted May 7, 2021

Hi, if I were to host multiple applications on the same server, would you only need more rules in web.config or how would you do that?

TheITJedi (Author) Posted May 7, 2021

@skooogis You'd need an additional site in IIS or to expand the rule set. You could set it up to listen on different host names, or it's possible to use rewrite rules to have them laid out as example.com/serverA and example.com/serverB. What's your specific use case?

skooogis Posted May 11, 2021

Ok, I would like to do that since I run everything on a Win2019 server but don't have the knowledge to do so. Been running nginx and caddy before, now I'm only running Emby without any reverse proxy, so ATM I can only use SSL for that.

centuryx476 Posted May 26, 2021

This is the greatest Windows tutorial I have seen in a long time. Usually us Windows Server admins are forgotten and the majority of tutorials for apps like Emby are for Linux. THANK YOU

TheITJedi (Author) Posted May 27, 2021

@centuryx476 happy to help. I noticed there wasn't a server guide for Windows, so I made one once I got everything 100% working.

Fender1978 Posted May 27, 2021

Yep, ditto - you've done such a great job creating this tutorial! It literally held my hand all the way through and after days of headaches trying to get SSL/TLS working, I was so grateful and now have a secure remote stream. Thank you!!

Additionally, out of interest, are there any remote streaming performance hits using:
1. DDNS URL with dynamic IP vs .com or .co.uk URL with static IP.
2. Using a reverse proxy in general.
Thanks!

TheITJedi (Author) Posted May 27, 2021

@Fender1978 happy to help!
1. No, as long as either option is pointed at your IP it won't matter.
2. There is the tiniest bit of delay added by the reverse proxy, but it's only a couple of milliseconds per request and will be unnoticeable (example for my environment: request without RP: 316ms, with reverse proxy: 337ms). I've had no complaints with performance.

travisgreen37 Posted May 27, 2021

Hi, I am having issues with this. I have set up the reverse proxy on a Windows Server 2016 machine. I have my Emby server on a Windows 10 machine. I am getting the following error: