Jump to content

[How-To] Emby Server on Windows Server with IIS as Reverse Proxy with Automatic Certificate Renewal


TheITJedi

Recommended Posts

TheITJedi

This guide will explain how to setup a Windows Server instance of Emby server with IIS as full transparent reverse proxy with SSL offload and auto-renewing certificates via Lets Encrypt. 

First, What is IIS? IIS or Internet Information Services is the web server service provided with Windows and Windows server installations. It is industry standard technology and is widely supported and regularly maintained by Microsoft.

Second, What is a reverse proxy? A reverse proxy will take requests coming into your server (in this case HTTPS on port 443) and route them to a backend application (in this case Emby Server on port 8096 on the same box or another). Reverse proxies are very useful if you only have 1 public IP and multiple services you would like to run on a single port (443, for example is standard secure web traffic) or multiple servers that need to appear as one.

Third, Why do I want a certificate for my site from Lets Encrypt? Well, most sites now days are secure (read they encrypt your traffic to prevent people from seeing your data), browsers these days flag sites that are not using properly signed certificate chains or run on insecure ports. If you use a self signed certificate in Emby, you may have difficulty getting things like the iOS app or Roku app to work properly outside your home. (Not sure about the rest of you, but Emby on the kid’s iPad is a life saver for long car rides). Let’s Encrypt provides free SSL certificates that are signed by certificate authorities that will be recognized on all devices and platforms.

I will be using Windows Server 2019 with IIS 10 and AAR 3. All of this should work with Windows Server 2012R2 and Windows Server 2016 as well as Windows 10, however there may be some differences. You can use either stable or beta version of Emby Server, however in this guide we will use the stable version.

At the time of writing, this guide will get you a full A+ rating from SSLlabs.com security test. (For comparison purposes, Facebook’s rating is a B.)

SSL Labs Test Results

In this guide we will:

  • Install Emby Server
  • Move Emby Server Installation to a non-user-locked location
  • Setup a service user to run Emby Server as
  • Configure Emby Server to run as a service
  • Configure Windows Firewall
  • Install IIS
  • Install AAR
  • Install IIS Rewrite module
  • Configure AAR
  • Configure IIS as a reverse proxy for Emby
  • Configure SSL cypher suites for the server
  • Install the Certify the Web client.
  • Configure Certify the Web for auto-renewing SSL certificate for your domain

Note: To be externally accessible, you will need to configure your route/modem to port forward 80 and 443 to your server.

Pre-reqs/Assumptions:

  • A physical server or VM running Windows Server
  • An Internet Connection
  • A DynDNS/No-IP URL (or similar routable dns name pointed at your router’s public IP)
  • You have port forwarded ports 80 and 443 through your router to the machine you will use as a reverse proxy (in this guide we will use the same box for the reverse proxy and Emby server, but these can be run on different hosts).
  • You have installed Notepad++ on the machine you will be setting up. 

 

Install Emby Server

  • Download Emby Server 
    Download Emby Server
  • Run the Installer
  • Click Run when prompted
    Install Emby
  • If prompted by smart screen, click run anyway
    Windows Smart Screen
  • If prompted to install Visual C++ runtime, click install
    VisualC++
  • It will install to default location of %APPDATA%\Emby-Server.
    image.thumb.png.5973bdc41c73c7a23aa67261ce20f65e.png

Move Emby Server to Non-User Locked Location

  • Ensure that Emby Server is not running (right click icon in system tray if present and click Exit)
    image.png.a75e9f407728818e46e64b82cfe7ef59.png
  • Navigate to default location of %APPDATA% (%userprofille%\appdata\roaming)
    image.thumb.png.5973bdc41c73c7a23aa67261ce20f65e.png
  • Right click the folder and click "cut"
  • Navigate to C:\ (or root of the drive you wish to have Emby run from)
  • Right click in the whitespace and paste. (if prompted to provide administrator permission, approve)
    image.png.30767f375b32dafdd296a07c1a1c618c.png

Create a Service Account to run Emby as

Note: Instructions show how to do this using local users and computers, you can also do this with Active Directory Users and Computers if your server is running that role.

  • Right click on the start button (Windows flag) on the left side of the task bar
  • Click Computer Management
    image.thumb.png.0e3568ec757462adedcee9b77298b5f9.png
  • Expand Local Users and Groups on the left side
  • Click Users
  • Right click the whitespace and click new user
    image.png.9e0e824aedef49fa6859f67579061077.png
  • Complete the new user dialog as shown (make sure you save whatever password you use as you will need it later, ProTip: don't re-use passwords)
    image.thumb.png.63c90fcfbe50f37b5af3dd33da0efee9.png
  • Click create
  • Click close
  • Close the computer management window

Setup NSSM

NSSM (Non-Sucking Service Manager) is needed to run Emby Server as a service as Emby Server does not include the nessicary components to run as a Windows service by default.

  • Download here: https://nssm.cc/download
  • Double click downloaded zip to open it in windows explorer
  • Navigate to /win64 folder inside zip
    image.png.bbd00e6343c2e59f52291f0525c35ca2.png
  • Copy/extract 64 bit version of the file to C:\Emby-Server
    image.png.eb3334c3c2b53e37b0a66e19da65e98f.png

 

Setup Folder Permissions

  • Navigate to C:\
  • Right click the Emby-Server folder
  • Click Properties
  • Click Security tab
    image.thumb.png.7a7968fd5f7da3d78a5a6cb16d12c0cf.png
  • Click Advanced
  • Click Disable Inheritance
  • Click Convert to Explicit
    image.thumb.png.9454de4f8e17bb0d99a275eff0899edd.png
  • Select CREATOR OWNER
  • Click Remove
  • Select Users (special)
  • Click Remove
  • Click Add
  • Enter SvcEmby in the dialog
  • Click OK
  • Click Full Control
    image.thumb.png.798a29378681f72af9f48cfc9b9d48bf.png
  • Click OK
  • Click Change next to owner at the top of the box
  • Type SvcEmby in the dialog
  • Click OK
  • Check the Replace owner check box
  • Check the Replace permissions checkbox
  • Verify the dialog window looks similar to this (computer name will be different)
    image.thumb.png.4dcdabf94a96f6a2b43df90932bbeafa.png
  • Click OK
  • When prompted if you want to replace permissions click Yes
    image.png.03d279ba2a9f1f70f8dbda5773db0ca1.png
  • Verify security tab looks like this
    image.thumb.png.71499fece01fa446dbc966d4df67d82e.png
  • Click OK

Setup Emby as a Service using NSSM

  • Right click the start button on the left side of the task bar
  • Click Windows Powershell (Admin)
  • Type: "cd C:\Emby-Server" and press enter
    image.png.6d0dc61e01dbdd225a4bfd57caefe87b.png
  • Type ".\nssm.exe install Emby" and press enter
    image.png.661d39597fc1a9201c92a3e1a4cff9c6.png
  • The install service dialog will launch, fill out as follows:
    • Application Tab
      image.png.ed35b64e7ee1192fe68b718b445f504f.png
    • Details Tab
      image.png.6861e51dd4916f95c48e1aa41680b0b0.png
    • Logon Tab (note, if you are using active directory it should be: YOURDOMAIN\SvcEmby)
      image.png.148c9c191347533d855c4043608f7fbc.png
    • Exit Actions Tab
      image.png.08bbfb1548399fd408a8e1a93e6bf513.png
  • Click Install Service
  • Click OK
    image.png.2bd7f9db87ce6a2f4f0628863c2251ea.png

Config ure Windows Firewall

  • Click Start
  • Click Control Panel
  • Click Windows Defender Firewall
    image.png.9b7cedf1a14a5dbdf980a01b4a88b673.png
  • Click Advanced Settings on the left hand side
  • Click Inbound Rules
  • Click New Rule on the right hand side
  • Click Port
    image.thumb.png.7eab71cee987daa494dae54ffec69547.png
  • Click Next
  • Type 80, 443 in the ports box
    image.thumb.png.1e5bf7a0ddc8c27c8299e77980a08f53.png
  • Click Next
  • Click Next
    image.thumb.png.a7fcee0537a9e99745a830be0eaf37ad.png
  • Click Next
    image.thumb.png.a956840016d376916f916464caf80d80.png
  • Name it Web Server Ports
    image.thumb.png.8b877ac2b3d4f7212518b2331f755589.png
  • Click Finish

Install IIS (Internet Information Services)

  • Click Start
  • Click Server Manager
  • Click Add Roles and Features
    image.png.13ffca555a702880bd000a7e804c4b0d.png
  • Click next on the Before you Begin page
  • Click Role Based install
    image.thumb.png.2148560b63f1290a450988664f8724d8.png
  • Click Next
  • Verify you are installing on your local server
    image.thumb.png.f6b2fc10c359e25ffa424613dafacf59.png
  • Click Next
  • Check the box for "Web Server (IIS)"
  • When prompted to install management tools
    image.thumb.png.e9cd552eb83fec43e0568072bdf461f3.png
  • Click Add Features
  • Click Next
  • Under Features, click Next
  • Click Next again to get to role services
  • Check the boxes for all of the following role services
    image.png.19e2ad75630c52ee2c2b8f2cf5b7edcb.png
    image.png.b9e918cd51eb5e52dc45ca114f1def92.png
    image.png.89aef32abfb53e0604035d4e0e344aa7.png
    Make sure you check the box for web sockets under Application Development, this is needed for various features of Emby to work right. 
  • Click Next
  • Click Install
    image.thumb.png.2b1ecae4854ec82f69550cc80ff313d0.png
  • Once installation completes, click close

Install Web Platform Installer add-on

Install AAR (Advanced Application Routing)

Install IIS Re-Write Module

 

  • Click Start
  • Click Administrative Tools
  • Open Internet Information Services (IIS) Manager
  • Click the name of your server on the left
  • Double Click on the Web Platform Installer
    image.png.f35a5a72d0b6f2eae8ee0e10bf7d286a.png
  • In the search box type "url rewrite"
    image.thumb.png.9f382e5f640a68a215961ca9a63d89cb.png
  • Click Add
  • Click Install
  • Click I Agree
    image.thumb.png.5a1cbce5a7b1cc40ccf2978cba2b322b.png
  • Click Finish
    image.thumb.png.46c932aa6d8f2991067546c8eb25c1b0.png

Configure AAR

  • Click Start
  • Click Administrative Tools
  • Open Internet Information Services (IIS) Manager
  • Click the name of your server on the left
  • Right Click Server Farms
    image.png.e918056508abff7af01e213d0b434b89.png
  • Click Create Server Farm
  • Name your Server Farm
    image.png.cefe9f5ad011467f86ea6cab7c8a5418.png
  • Click Next
  • Enter the IP address of the server or "localhost"
    image.thumb.png.daa6d5ec5270c235ba2aaaae0a4bd501.png
  • Click Add
  • Click Finish
  • Click No in the dialog that pops up
    image.png.11945d4778fb02a68b49ef831e557a6b.png
  • Expand your newly created Server Farm
    image.thumb.png.b144adffa3d30460126f2795eb2c7557.png
  • Click Proxy
  • Configure settings as shown
    image.thumb.png.3e0bf38d58c64618990b02287546b12f.png
  • Click Apply
  • Click your Server
    image.png.fe37f918a53e8eb88a05a32793f83e87.png
  • Click Application Request Routing
  • Click Server Proxy Settings
    image.thumb.png.30bf1c8dc3ea03cfbd5a368e051d88f8.png
  • Configure settings as shown
    image.thumb.png.60e338bbc07db39b846cc83a3181bc05.png
  • Click Apply
  • Click Your Server

Configure IIS Server Variables

  • Click Url Re-Write
    image.png.36a11b7d5733da0d5905c499fa4faa81.png
  • Click View Server Variables
    image.thumb.png.d00d6da25620162e47cfdb4f44088c94.png
  • Click Add
    image.thumb.png.91e54324d6e93162de0ddb18c87508cb.png
  • Type "HTTP_ACCEPT_ENCODING"
    image.png.76831149983cdf34161aee5deebd281b.png
  • Click OK
  • Click Add
  • Type "HTTP_X_ORIGINAL_ACCEPT_ENCODING"
    image.png.e2f2da7fd6a47017b9c695d8eb1e2ad6.png
  • Click OK
  • Click Add
  • Type "HTTP_X_FORWARDED_FOR"
    image.png.3a5740e4090e691ce0bd994d41368751.png
  • Click OK
  • Click Add
  • Type "HTTP_X_REAL_IP"
    image.png.1a8ecd947b984859c75ef3006c22ea35.png
  • Click OK
  • Click Your Server

     

Create Emby Site

  • Expand Sites on the left hand side
    image.png
  • Right Click "Default Web Site"
  • Highlight "Manage Website"
    image.png.e86bdcfeb119e7bf191fb16c96e6fbca.png
  • Click Stop
  • Right Click the white space in the Sites list
    image.png.4bf92e6fcc87c4272290d4a9017cded3.png
  • Click Add Website
  • Click the "..." button to the right of Physical Path
  • Browse to C:\inetpub\wwwroot
  • Click it
  • Click Make New Folder
  • image.png.13a50501e08a042771bece3b3ea27a34.png
  • Call it Emby
  • Click OK
  • Under Binding Fill in with your public host name (see dynamic dns mentioned in pre-reqs)
    image.thumb.png.d7c3095a294565710f79f90372de2ef4.png
  • Click OK

Configure Logging

  • Click your server
  • Click Logging
    image.png.14f4e568bdc334592bfe113d8768f728.png
  • Click Select Fields
    image.png.4cab1e9918a1409d7f2bc0bb5764324c.png
  • Click Add Field
  • Configure as shown
    image.png.429ce7ccfdf9386e38b4fdb75f6a0373.png
  • Click OK
  • Click OK
  • Click Apply

Install and Configure Certify The Web client

  • Download From: https://certifytheweb.com
  • Run the Certify the Web installer
    image.png.57bccad08a5c1f2302704b992e3821b1.png
  • Click Next
    image.thumb.png.94335f89f0ffa7b52f294a3efa6c7e2f.png
  • Click Next
    image.thumb.png.c008614d9a01277bac361b5bcaa4b32e.png
  • Click Next
    image.thumb.png.a465bc33f67114fa9ccc6b2a9dfa924b.png
  • Click Install
    image.thumb.png.5c93f8c9cc242c174a133d436fe6f6a9.png
  • Click Finish
    image.thumb.png.cc595c0bf6832f93b9d2a099f7e8bf45.png
  • Click New Certificate
    image.png.c8de8ccab60650d0268d8aa615d5f128.png
  • Click on on Contact Prompt
  • Fill in your contact email
    image.thumb.png.f0c7db2e2944f6e5cb9c94b7d605b247.png
  • Click Register Contact
  • Click New Certificate again
    image.png.5175a316586715895f880cf134eccd89.png
  • Select Emby from the sites list
    image.thumb.png.b800c3f14a07aac0160d2780d77b21d5.png
  • Name and domain will populate automatically. 
  • Click Deployment
  • Configure as shown 
    image.thumb.png.7a0318c3702512ce07b6ae2536830d0c.png
  • Complete certificate verification process
  • Click your site in IIS manager
  • Click Bindings
  • Verify there is an HTTPS binding and that it looks similar to this (with your domain information)
    image.png.a5981c83c7d8a93897523acf09c93fa3.png

Edit Web.Config for Emby Site

  • Click HTTP Response Headers
    image.thumb.png.3c7176eca58b9c20e91e9b4b0da7cde2.png
  • Click Add
    image.thumb.png.4d749e82322d60fe1f48b7c01a870028.png
  • Configure as show (we are just creating a header to get the web.config to exist, we will paste in a premed one below, so these values dont really matter)
    image.png.6cd2246a15f91f20d33767d6694667ff.png
  • Click OK
  • Open an Explorer window and
  • Browse to C:\inetpub\wwwroot\Emby
  • Right click web.config and Edit with Notepad++
    image.png.44603b0a374ca1cd161709dc20bb3346.png
  • Replace existing content with web.config below
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <clear></clear>
        <rule name="Redirect to https" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*" negate="false" />
          <conditions logicalGrouping="MatchAny">
            <add input="{HTTPS}" pattern="off" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
        </rule>
        <rule name="Proxy to Emby" stopProcessing="false">
          <match url="(.*)" />
          <serverVariables>
            <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
            <set name="HTTP_ACCEPT_ENCODING" value="" />
            <set name="HTTP_X_REAL_IP" value="{REMOTE_ADDR}" />
          </serverVariables>
          <action type="Rewrite" url="http://localhost:8096/{R:1}" logRewrittenUrl="true" />
          <conditions>
            <add input="/{R:1}" pattern=".well-known" negate="true" />
          </conditions>
        </rule>
      </rules>
      <outboundRules>
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
        </rule>
        <rule name="Proxy to Emby" preCondition="ResponseIsHtml1" enabled="true">
          <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^http(s)?://http://localhost:8096/(.*)" />
          <action type="Rewrite" value="http{R:1}://media.example.com/{R:2}" />
        </rule>
        <rule name="Restore-AcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
          <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
          <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
        </rule>
        <preConditions>
          <preCondition name="ResponseIsHtml1">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
          </preCondition>
          <preCondition name="NeedsRestoringAcceptEncoding">
            <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
    <caching enabled="false" enableKernelCache="false" />
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Xss-Protection" value="1; mode=block" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Referrer-Policy" value="same-origin" />
        <add name="Feature-Policy" value="sync-xhr 'self'" />
        <add name="Cache-Control" value="no-cache" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
  • Save changes (if prompted to restart Notepad++ in admin mode allow it and then try saving again)
  • IIS will now be properly configured as a reverse proxy for Emby.
  • Under IIS Manager > Rewrite you should now see the following rules:
    image.thumb.png.06a1f6417dbb3ee5515a92c1dcdbfa5b.png

Configure Server Cyphers

  • Download here: https://www.nartac.com/Products/IISCrypto/Download (GUI version)
  • Run the IISCrypto too
    image.png.107bb2ba6fda738c52db8e895ac5eb33.png
  • Click Templates
  • In the template drop down box, select PCI 3.2
    image.thumb.png.0fd7438434f876baad6703c702c16a6c.png
    This will disable IIS from being able to serve via SSL 2.0, 3.0; TLS 1.0 and TLS 1.1. This will leave just the industry standard TLS 1.2. 
  • Click Apply
    image.png.ada308005d7699077aad2fbdb5ed257c.png
  • Click OK. 
  • Reboot your server.

Emby Internal Settings

  • Navigate to your server via the localhost:8096 address
  • Click the gear in the top right corner
  • Click Network from the list of tabs on the right
  • Configure as shown (use your hostname in the external domain box)
    image.thumb.png.397bd8a9d1fce43f815e48ecc24c0966.png

Conclusion
Upon rebooting your computer will start IIS services and Emby server as a service. Traffic coming in on port 80 (if someone just types your url without HTTPS in their browser's address bar) will be automatically redirected to port 443 and the HTTPS:// version of your host name. Your certificate will auto-renew every so often and re-bind to the site in IIS without any interaction on your part. This allows for a server that you can for the most part setup, and forget about and just manage your Emby installation via its web ui. There are a lot of ways to set up Emby server depending on your environment and other factors. For my environment this made the most sense and since large portions of this took quite a bit of digging and research to get working just right, I figured Id make someone else's life a little easier if they were trying to do something similar. These instructions can be adapted for Windows Server 2012 R2, Windows Server 2016, Windows 8 and Windows 10. 
 

In the end browsing to your domain should look like this in the browser
image.png.5fb976e65ad919876924e65996e7eeae.png


Additional Information for Updating
When Updating your Emby installation. Simply stop the service  for Emby, install like you normally would, then just cut the system folder inside the %appdata%\emby-server folder and paste it into the C:\Emby-Server folder. When prompted replace all files, then start the service again once the copy completes. 

 

Additional Information about Connecting with Emby Apps

When connecting to your Emby installation remotely with Emby apps remember to prefix your domain name with https:// and use 443 for the port number. 

 

<Edit>

Additional Information about changing Emby Server Title:

For those users who wish to change their page title in browser (as discussed here), here is additional Web.Config information that will let you do just that! Using IIS Re-Write rules to change the page title means, you don't have to edit files to reset it every time you upgrade your Emby Server!

Add these 3 rules at the bottom of the rules list, replace whole <preConditions> block too.:
NOTE: Make sure you replace ALL 4 instances of NAME_OF_YOUR_SERVER with what you want your server to display in the tab bar. 

<rule name="RewriteTitle" preCondition="ResponseIsHtml1" enabled="true">
	<match filterByTags="None" pattern="&lt;title>(.*)&lt;/title>" />
	<action type="Rewrite" value="&lt;title>NAME_OF_YOUR_SERVER&lt;/title>" />
</rule>
<rule name="RewriteAppHeaderJs" preCondition="ResponseIsJS" enabled="true">
	<match filterByTags="None" pattern="document.title=&quot;Emby&quot;" />
	<action type="Rewrite" value="document.title=&quot;NAME_OF_YOUR_SERVER&quot;" />
</rule>
<rule name="RewriteAppHeaderJs2" preCondition="ResponseIsJS" enabled="true">
	<match filterByTags="None" pattern="title.Name||&quot;Emby&quot;:&quot;Emby&quot;" />
	<action type="Rewrite" value="title.Name||&quot;NAME_OF_YOUR_SERVER&quot;:&quot;NAME_OF_YOUR_SERVER&quot;" />
</rule>
<preConditions>
    <preCondition name="ResponseIsHtml1">
        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
    </preCondition>
	<preCondition name="ResponseIsJS">
		<add input="{RESPONSE_CONTENT_TYPE}" pattern="application/javascript|text/javascript" />
	</preCondition>
	<preCondition name="NeedsRestoringAcceptEncoding">
        <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
    </preCondition>
</preConditions>

 

</Edit>

Edited by TheITJedi
Additional Information Added
  • Like 7
  • Thanks 7
Link to comment
Share on other sites

rbjtech

Nice :)

This comprehensive guide should probably go in the Guides section (https://emby.media/community/index.php?/forum/24-tutorials-and-guides/) and/or a Wiki doc.

btw - you can just install the 'portable' version of Emby server where you like - no need to install it and then move it.. 

 

@cayars can probably get that sorted for you.

 

Edited by rbjtech
Link to comment
Share on other sites

Very nice tutorial :)

I don't my self use IISCrypto. I use more powerfull poweshell script from this website.

With a little modifications you get TLS 1.3 security protocol enabled on Windows IIS.

I now this latest protocol isn't recommend for production use as yet. But for testing purposes I tested my self..

Remember take backup before if you are going try this..

 

I have tested this on Windows 10, version 21H1 Enterprice (preview) with IIS.

First I run Version 3.0.1, SetupIISForSSLPerfectForwardSecrecy.ps1 (Recommended) and then

Save text below like IIS-TLS-1.3.ps1 and run it as admin. Reboot after.

<# ============================== Enable TLS 1.3 ================================ #>

# Add and Enable TLS 1.3 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.3 has been enabled.'

  
# Set cipher suites order as secure as possible (Enables Perfect Forward Secrecy).
Write-Host 'Use cipher suites order for Windows 10/2016 and later.'
$cipherSuitesOrder = @(
    'TLS_CHACHA20_POLY1305_SHA256',
    'TLS_AES_256_GCM_SHA384',
    'TLS_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA'
)
$cipherSuitesAsString = [string]::join(',', $cipherSuitesOrder)
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -ErrorAction SilentlyContinue
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null


# Reboot
Write-Host -ForegroundColor Red 'A computer restart is required to apply settings. Restart computer now?'
Restart-Computer -Force -Confirm

 

I think Emby feels little faster too :)

 

Edited by XSR
  • Like 1
Link to comment
Share on other sites

TheITJedi
15 hours ago, XSR said:

Very nice tutorial :)

I don't my self use IISCrypto. I use more powerfull poweshell script from this website.

With a little modifications you get TLS 1.3 security protocol enabled on Windows IIS.

I now this latest protocol isn't recommend for production use as yet. But for testing purposes I tested my self..

Remember take backup before if you are going try this..

 

I have tested this on Windows 10, version 21H1 Enterprice (preview) with IIS.

First I run Version 3.0.1, SetupIISForSSLPerfectForwardSecrecy.ps1 (Recommended) and then

Save text below like IIS-TLS-1.3.ps1 and run it as admin. Reboot after.



<# ============================== Enable TLS 1.3 ================================ #>

# Add and Enable TLS 1.3 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.3 has been enabled.'

  
# Set cipher suites order as secure as possible (Enables Perfect Forward Secrecy).
Write-Host 'Use cipher suites order for Windows 10/2016 and later.'
$cipherSuitesOrder = @(
    'TLS_CHACHA20_POLY1305_SHA256',
    'TLS_AES_256_GCM_SHA384',
    'TLS_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA'
)
$cipherSuitesAsString = [string]::join(',', $cipherSuitesOrder)
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -ErrorAction SilentlyContinue
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null


# Reboot
Write-Host -ForegroundColor Red 'A computer restart is required to apply settings. Restart computer now?'
Restart-Computer -Force -Confirm

 

I think Emby feels little faster too :)

 

@XSR, Thanks! 

As a Systems/Server/Network admin for almost 2 decades I am inclined to warn that these settings will cause issues on lower builds of Windows 10/Windows Server, and are not recommended. TLS 1.3 is not supported by most thing at this time and most browsers will end up only using TLS 1.2. Please only apply the settings provided by @XSRIf your build of Windows is at least what he listed!

Side note, IIS Crypto was used as it was an easy-to-use, highly tested, industry standard tool that if using one of the template settings won't break things. 

I can however confirm, that those settings will enable TLS 1.3 if you're on one of the latest preview builds of Windows 10 21H1. 

 

Edited by TheITJedi
  • Agree 1
Link to comment
Share on other sites

t123thomas

@ TheITJedi, Thanks for the write up, very detailed, I struggled with implementing these processes many times , but for lack of adequate literature or guidance I end up abandoning the project. I most followed youtube lecture for most of my needs which I found very helpful, watching a visual lecture, I hope someone will create a youtube lecture of these procedures for people like people me to follow. Anyway, I'm yet to implement the process, I shall do so when I have the time

Thanks

Edited by t123thomas
Link to comment
Share on other sites

t123thomas
1 hour ago, TheITJedi said:

@t123thomas I could probably do a video of how to do it. Finding time to make it is the hard part. 

This will be great and exciting , I am sure the youtube lecture will attract a lot of attention ( I hope ), coz I shared my server with few families, securities of has always been my major concern. I hope this alleviate my concern. I have checked to follow topic to be notify when you upload youtube.

Edited by t123thomas
Link to comment
Share on other sites

t123thomas

@TheITJedi,  I use DD-wrt firmware in my router,  with openVPN,  the VPN provider offers me an static IP address, so I do not have issue with change of ISP IP, how will this be incorporated in the settings or it does not matter? As your instruction is base on Dynamic DNS, so if I have a static IP, do I still need to be concern with DynDNS? How will this altered your instruction.?

 

Edited by t123thomas
Link to comment
Share on other sites

TheITJedi
1 hour ago, t123thomas said:

@TheITJedi,  I use DD-wrt firmware in my router,  with openVPN,  the VPN provider offers me an static IP address, so I do not have issue with change of ISP IP, how will this be incorporated in the settings or it does not matter? As your instruction is base on Dynamic DNS, so if I have a static IP, do I still need to be concern with DynDNS? How will this altered your instruction.?

 

If you have a static IP address, I’d get a domain (I use a .me top level domain, they are pretty cheap $10-30 a year). I’d then setup a dns record pointing to your static IP.

I have a top level domain that I’ve setup with ClouDNS and lets me have dynamic IPs against my domain name. You don’t have to use a dynamic address if you have a static IP. As dynamic dns is just a way to compensate for your public IP changing. The configuration information will work for your case. Just update configs shown in screenshots and web.config to reflect your domain name instead of media.example.com. 
 

 

Link to comment
Share on other sites

Nathanael

@TheITJedi, I have followed your post to the letter.  I have not much experience with IIS, but your steps are well explaned.

The server is running, all steps went fine. But i am stuck at error 500 when the page is loading from withing my LAN. From outside my network the page is not available at all (PR END OF FILE ERROR)

The server is available with http.
I'm using Windows 2019 server

Any ideas?

 

Forget my ticket. After reading it over and over i discovered a typo error on my part. HTTPS is working.

Edited by Nathanael
Link to comment
Share on other sites

TheITJedi

@Nathanael

Have you opened ports on your router such that port 80 and 443 are forwarded at the machine you have IIS on?

Are your IIS and Emby installations on the same machine (and not separate VMs running on the same machine)? 

 

Link to comment
Share on other sites

TheITJedi
On 3/15/2021 at 4:29 AM, Nathanael said:

Forget my ticket. After reading it over and over i discovered a typo error on my part. HTTPS is working.

Glad to hear it is working for you! 

Link to comment
Share on other sites

  • 2 weeks later...
tonytoronto

Thank You so much for the guide. Saved me so many frustrating hours. I had tried other ways of doing this was there was always something else that broke or didn't work.

If you ever in Toronto, i'm buying you beer.

  thanks

PS- Just heads up, the Crypto settings will break Remote Desktop Services on the server. Seems RDP doesn't support TLS 1.2.  Had to re-select 1.0 and 1.1. :(   Kinda sucks, would had been nice to have it more secure.

 

 

Edited by tonytoronto
Link to comment
Share on other sites

tonytoronto
On 4/2/2021 at 1:06 AM, TheITJedi said:

@tonytoronto

What are you connecting to your server with? Windows 10 or something else? 

  Just a few Windows 10 Desktop/Laptops, one windows 7 PC.

Should had mentioned, using Windows Server 2016 Essentials. When using TLS 1.2 only, the remote desktop services stop and won't start. It looks like remote services were built to support TLS 1.0 only, and Microsoft not updating it. I looked into some workarounds but involves either buying extra software or changing way remote pc's connect, too much work and headaches. I use the server as client backup/media server mainly.

 

  Thank you again for the guide, Emby Everything working perfect. 

PS-- Stumbled into a fix for Server Essentials only using TLS 1.0 for remote access. Simple registry change to .NETframework. Not my work, and please backup/record .Netframework settings before changing it.

 

TLS 1.2 enable server.reg

Edited by tonytoronto
Found fix
  • Like 1
Link to comment
Share on other sites

TheITJedi
On 4/2/2021 at 10:02 AM, tonytoronto said:

  Just a few Windows 10 Desktop/Laptops, one windows 7 PC.

Should had mentioned, using Windows Server 2016 Essentials. When using TLS 1.2 only, the remote desktop services stop and won't start. It looks like remote services were built to support TLS 1.0 only, and Microsoft not updating it. I looked into some workarounds but involves either buying extra software or changing way remote pc's connect, too much work and headaches. I use the server as client backup/media server mainly.

 

  Thank you again for the guide, Emby Everything working perfect. 

PS-- Stumbled into a fix for Server Essentials only using TLS 1.0 for remote access. Simple registry change to .NETframework. Not my work, and please backup/record .Netframework settings before changing it.

 

TLS 1.2 enable server.reg 652 B · 0 downloads

@tonytoronto Yes! I had just signed on to send you those exact settings to fix your issue with RDP access, In 2019 these values are set as the defaults. If you are using Server 2012R2 or 2016, the registry settings you posted will make RDP use TLS 1.2 instead of 1.0. 

Link to comment
Share on other sites

tonytoronto
22 hours ago, TheITJedi said:

@tonytoronto Yes! I had just signed on to send you those exact settings to fix your issue with RDP access, In 2019 these values are set as the defaults. If you are using Server 2012R2 or 2016, the registry settings you posted will make RDP use TLS 1.2 instead of 1.0. 

  Thank You so much. 

  Everything finally working right, your guide saved many hours of cursing and drinking :) RDP connections are so much faster now too.

Link to comment
Share on other sites

  • 1 month later...
skooogis

Hi, if I were to host multiple applications on the same server, would you only need more rules in web.config or how would you do that?

Link to comment
Share on other sites

TheITJedi

@skooogisYou’d need an additional site in IIS or to expand rule set. You could set it up to listen on different host names or it’s possible to use rewrite rules to have them layout as example.com/serverA and example.com/serverB. What’s your specific use case?

Link to comment
Share on other sites

skooogis

Ok, I would like to do that since I run everything in a Win2019-server but dont have the knowledge to do so..Been running nginx and caddy before, now I'm only running Emby without any reverse proxy so ATM I can only use SSL for that.

Link to comment
Share on other sites

  • 3 weeks later...
centuryx476

This is the greatest windows tutorial I have seen in a long time. Usually us window server admins are forgotten and majority of tutorials for apps like emby are in linux.
THANK YOU

  • Like 1
  • Agree 1
Link to comment
Share on other sites

Fender1978

Yep, ditto - you've done such a great job creating this tutorial! It literally held my hand all the way through and after days of headaches trying to get SSL/TLS working, I was so grateful and now have a secure remote stream. Thank you!!

Additionally out of interest, are there any remote streaming performance hits using:

1. Ddns url with dynamic IP vs .com or .co.uk url with static IP.

2. Using a reverse proxy in general.

 

Thanks! :)

Link to comment
Share on other sites

TheITJedi

@Fender1978 happy to help!

1. No, as long as either option is pointed at your IP won’t matter. 
 

2. there is the tiniest bit of delay added by reverse proxy, but it’s only a couple milliseconds per request and will be unnoticeable (example for my environment: request without RP: 316ms, with reverse proxy: 337ms). I’ve had no complaints with performance. 

Link to comment
Share on other sites

travisgreen37

Hi,

I am having issues with this. I have set up the reverse proxy on a Windows Server 2016 machine. I have my Emby server on a windows 10 machine. I am getting the following error:

image.thumb.png.d190f4ab4e1da344b3b30e8fbb6b7697.png

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...