Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article provides instructions on how to validate HTTPS Support on Microsoft Connected Cache for Enterprise and Education nodes running on Windows with WSL (Windows Subsystem for Linux).
Test HTTP and HTTPS content downloads
Before testing, you need to identify how clients connect to your Connected Cache server. This is the same connection method you configured in your certificate's Subject Alternative Name (SAN) during CSR generation.
Important
Replace [mcc-connection] and [test-url] in all commands below
To determine your [mcc-connection]:
- If you used
-sanIpin your CSR: Use the IP address (e.g.,192.168.1.100) - If you used
-sanDnsin your CSR: Use the hostname (e.g.,mcc-server.contoso.com)
[test-url] is the full path of a test Intune Win32 application: ee344de8-d177-4720-86c1-a076581766f9/070a8fd4-79a7-42c8-b7c8-9883253bb01a/c7b1b825-88b2-4e66-9b15-ff5fe0374bc6.appxbundle.bin"
The following curl commands test both HTTP and HTTPS content retrieval:
HTTPS Test
curl.exe -v -o NUL "https://[mcc-connection]/[test-url]" --include -H "host:swda01-mscdn.manage.microsoft.com"Expected successful output:
* Connected to [your-server] ([ip-address]) port 443 (#0) * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 * Server certificate: [your-certificate-subject] < HTTP/1.1 200 OK < Content-Length: [file-size]HTTP Test
curl.exe -v -o NUL "http://[mcc-connection]/[test-url]" --include -H "host:swda01-mscdn.manage.microsoft.com"Expected successful output:
* Connected to [your-server] ([ip-address]) port 80 (#0) < HTTP/1.1 200 OK < Content-Length: [file-size]
Service-side validation
Perform the following tests on your Windows host machine:
Test connectivity with PowerShell:
Invoke-WebRequest -Uri "https://[mcc-connection]/[test-url]" -Headers @{"host"="swda01-mscdn.manage.microsoft.com"} -Method HeadExpected result:
StatusCode: 200indicates successful HTTPS connection.Check Delivery Optimization logs for HTTPS activity:
# Search for HTTPS connections in recent logs Select-String -Path "C:\Windows\Logs\DeliveryOptimization\*.log" -Pattern "https://" | Select-Object -First 5 # Search for your specific Connected Cache server connections Select-String -Path "C:\Windows\Logs\DeliveryOptimization\*.log" -Pattern "[mcc-connection]" | Select-Object -First 5Expected result: Log entries showing HTTPS URLs and your Connected Cache server address indicate clients are using HTTPS successfully.
Client-side validation
Perform the following commands on a client device (not your Windows host machine).
Prerequisite: Ensure that host machine is targeted via policy. Update the Connected Cache IP address (the value for the "DOCacheHost" policy) to whatever is relevant for their environment:
$parentKeyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization"
if (!(Test-Path $parentKeyPath))
{
New-Item -Path $parentKeyPath -ItemType RegistryKey -Force -ErrorAction Stop | Out-Null
}
Set-ItemProperty -Path $parentKeyPath -Name "DOCacheHost" -Value "[mcc-connection]" -ErrorAction Stop
Request Teams app download from Connected Cache via HTTPS:
Add-AppxPackage "https://statics.teams.cdn.office.net/production-windows-x64/enterprise/webview2/lkg/MSTeams-x64.msix"OR
Add-AppxPackage "https://installer.teams.static.microsoft/production-windows-x64/25177.2002.3761.5185/MSTeams-x64.msix"Expected result: Download completes without error and should be faster than typical internet downloads.
Check that content is actually being cached (not just falling back to CDN):
Get-DeliveryOptimizationStatus | Select-Object DownloadMode, TotalBytesDownloaded, BytesFromCacheServerExpected result:
BytesFromCacheServershould be greater than 0, indicating successful caching.
Troubleshooting
If you encounter any of the following common errors during validation, use these troubleshooting approaches:
Important
Reminder to replace [mcc-connection] and [test-url] in all commands below
To determine your [mcc-connection]:
- If you used
-sanIpin your CSR: Use the IP address (e.g.,192.168.1.100) - If you used
-sanDnsin your CSR: Use the hostname (e.g.,mcc-server.contoso.com)
[test-url] is the full path of a test Intune Win32 application: ee344de8-d177-4720-86c1-a076581766f9/070a8fd4-79a7-42c8-b7c8-9883253bb01a/c7b1b825-88b2-4e66-9b15-ff5fe0374bc6.appxbundle.bin"
Certificate validation errors
Symptoms: SSL certificate problem, certificate subject name does not match
Quick Test:
curl.exe -v -k -o NUL "https://[mcc-connection]/[test-url]"
If the test succeeds: Your certificate has validation issues. Verify that:
- SAN configuration matches your connection method
- CA root certificate is installed in the client's trusted store
If the test fails: See Connection errors below.
Certificate revocation errors
Symptoms: Slow HTTPS responses or timeouts
Quick Test:
curl.exe -v --ssl-no-revoke -o NUL "https://[mcc-connection]/[test-url]"
If the test succeeds: Your CA's certificate revocation list (CRL) distribution point is unreachable. Check that corporate firewall allows access to CRL URLs.
If the test fails: See Connection errors below.
Connection errors
Symptoms: Connection refused, Could not resolve host
For HTTPS connection errors:
Verify firewall rules and port forwarding are configured correctly
Check that no other service is using port 443:
netstat -an | findstr :443
For HTTP connection errors: Verify that Connected Cache service is running and port 80 is accessible
netstat -an | findstr :80
For DNS resolution issues: Verify hostname resolution and network connectivity
nslookup [mcc-connection]
Corporate proxy interference
Symptoms: Certificate validation fails despite correct configuration.
Solution: Ensure that corporate proxy doesn't intercept HTTPS traffic to your Connected Cache server. Consider disabling TLS inspection for internal Connected Cache traffic.