Configuring ISA Server to Work with SSL Accelerators

Secure Sockets Layer (SSL) accelerators are hardware-based devices that offload cryptographic computations from a computer, enabling the computer to use its resources for other functions. SSL accelerators can be used with Microsoft® Internet Security and Acceleration (ISA) Server 2006 to reduce the load on the ISA Server computer or array that is produced by the encryption and decryption activities associated with handling and inspecting Secure Hypertext Transfer Protocol (HTTPS) traffic.

SSL accelerators in ISA Server scenarios are typically one of these types:

  • A card installed directly on the ISA Server computer.
  • An external device connected to the ISA Server computer with a small computer system interface (SCSI).
  • An external device that is connected to the Internet, which receives and sends all Web traffic. The ISA Server computer is behind this device, and communicates with it over a network connection.
  • An external device that communicates with the ISA Server computer over a network connection, where the ISA Server computer is connected to the Internet and the device is behind the ISA Server computer.

The first two types of accelerators listed do not require any configuration changes in ISA Server. The last two types require you to make configuration changes in ISA Server.

Note

If your SSL accelerator is connected to the Internet, the name on its SSL certificate must match the fully qualified host name or URL that external clients will type in their Web browser to access the Web site.

ISA Server Behind External SSL Accelerator

When you have an external SSL accelerator device in front of ISA Server, all Web traffic is intercepted by the device and then passed to ISA Server. When the device receives HTTPS traffic from a client, it terminates the SSL connection at the device, decrypting the traffic and then passing it as HTTP to ISA Server, which will typically receive the traffic on port 80. ISA Server has to be configured to recognize that there is an SSL accelerator between it and the Internet. ISA Server also has to be configured to send responses to the correct port on the SSL accelerator.

If ISA Server has been configured to work behind an SSL accelerator, when it receives HTTP traffic that originated as HTTPS, ISA Server will return an appropriate response, such as a logon form containing HTTPS links, or responses from internal servers with links translated to HTTPS.

If ISA Server has not been properly configured to work behind an SSL accelerator, ISA Server will return responses containing HTTP links. The client from which the HTTPS request originated either will not have access to those links, or will have access to the links and communicate with the Web server over a connection that is not secure. For example, consider the following scenario in which ISA Server is not configured to work behind an SSL accelerator:

  1. A client computer on the Internet sends an HTTPS request (on port 443) to mail.contoso.com. The server for mail.contoso.com is behind the ISA Server computer, which is behind an SSL accelerator.
  2. The SSL accelerator decrypts the request and forwards it to the ISA Server computer as an HTTP request to mail.contoso.com on port 80.
  3. Because ISA Server is not configured correctly, ISA Server assumes that the client is expecting an HTTP response and returns a Web page containing HTTP links.
  4. The SSL accelerator returns an HTTPS response to the client, but only encrypts the response, and not the links.
  5. The client receives the HTTPS response containing the HTTP links. Clicking one of the links will have the effects described earlier in this document.

Note

For the specific case in which the HTTPS request originating from the client is a Microsoft Outlook® Web Access request, ISA Server automatically appends a header indicating to the Outlook Web Access server that it should return an HTTPS response. This takes place regardless of whether ISA Server has been configured to work behind the SSL accelerator.

Configure ISA Server to Work Behind an SSL Accelerator

To configure ISA Server to work behind an SSL accelerator, you must perform the following steps:

  • Create a Web listener that listens only for traffic from the SSL accelerator on a separate network.
  • Configure the SSL accelerator port on the Web listener.
  • Disable HTTPS listening on the Web listener.

Create a Web Listener

ISA Server will listen on the Web listener for traffic from the SSL accelerator. Because ISA Server will be listening for accelerator traffic on port 80, the standard HTTP port, you must create a distinct listener to listen for this traffic. This will ensure that general HTTP traffic is not handled as decrypted HTTPS traffic received from the SSL accelerator.

The listener must listen on a separate IP address from other listeners. This will require either an additional IP address on a network adapter on the ISA Server computer, or a separate network adapter dedicated to the SSL accelerator. You should then define a new network containing the SSL accelerator and the distinct IP address on the ISA Server computer, and a Web listener that listens on that network.

Configure the SSL Accelerator Port

There is no user interface for configuring ISA Server to work behind an SSL accelerator. You must programmatically set the SSLAcceleratorPort property of the FPCWebListenerProperties object that represents the properties of the applicable Web listener to a port other than 0, typically 443, the standard SSL port. This is the port on the SSL accelerator to which ISA Server will send responses. Using port 443 ensures that responses are appropriate to the standard SSL port, rather than containing links that reference a nonstandard port.

You must also set the SSLPort property of the FPCWebListenerProperties object to 0, indicating that the Web listener will not listen for HTTPS traffic directly from the Internet. If the SSLPort property is not set to 0, the link translation function of ISA Server will work as if the SSL port is enabled, and links will not be properly translated. This action can also be performed in the user interface, by clearing the Enable SSL (HTTPS) connections on port check box on the Connections tab of the Web listener properties.

The following script retrieves the current value of the SSLAcceleratorPort property for the user-specified Web listener in the local array and asks the user whether the current value should be changed. The script changes the value of the SSLAcceleratorPort property to the value supplied by the user, and then ensures that the SSLPort property is set to 0 if the SSLAcceleratorPort property is not set to zero.

To use the script, copy it to a Notepad file and save it as Scriptname.vbs. To run the script to check the Web listener weblistenername, at a command prompt, type: cscript scriptname weblistenername

Option Explicit

'Define the constant needed
const Error_FileNotFound = &H80070002

Main(WScript.Arguments)

Sub Main(args)
    If(args.Count = 1) Then
        SetSslAcceleratorPort args(0)
    Else
        Usage()
    End If
End Sub

Sub SetSslAcceleratorPort(wlName)

    ' Create the root object.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim isaArray        ' An FPCArray object
    Dim webListener     ' An FPCWebListener object
    Dim text            ' A String
    Dim input           ' A String

    ' Get a reference to the local array object.
    Set isaArray = root.GetContainingArray()

    ' Get a reference to the Web listener specified.
    On Error Resume Next
    Set webListener = isaArray.RuleElements.WebListeners.Item(wlName)
    If Err.Number = Error_FileNotFound Then
        WScript.Echo "The Web listener specified could not be found."
    ElseIf Err.Number <> 0 Then
        ' Any other COM error: report it instead of continuing with an unset object.
        WScript.Echo "Error &H" & Hex(Err.Number) & ": " & Err.Description
    Else
        Err.Clear
        On Error GoTo 0
        With webListener.Properties
            If .SSLAcceleratorPort = 0 Then
                text = "No SSL accelerator port is configured." & VbCrLf _
                       & "You can enter a nonzero value to enable" & VbCrLf _
                       & "an SSL accelerator port."
            Else
                text = "Current SSL accelerator port: " & .SSLAcceleratorPort _
                       & VbCrLf _
                       & "You can change this value, or enter 0" & VbCrLf _
                       & "to disable the SSL accelerator port."
            End If
            input = InputBox(text,"SSL Accelerator Port", "443")
        End With
        ' InputBox returns an empty string if the user cancels, and CInt("")
        ' raises a type mismatch, so leave the listener unchanged in that case.
        If Not IsNumeric(input) Then
            WScript.Echo "No numeric port was entered. The Web listener was not changed."
            Exit Sub
        End If
        If CInt(input) <> webListener.Properties.SSLAcceleratorPort Then
            WScript.Echo "Changing the SSL accelerator port to " & CInt(input) _
                         & "..."
            webListener.Properties.SSLAcceleratorPort = CInt(input)
        End If
        If webListener.Properties.SSLAcceleratorPort <> 0 Then
            WScript.Echo "Ensuring that the SSL port is set to 0..."
            webListener.Properties.SSLPort = 0
        End If
        isaArray.Save
    End If

End Sub

Sub Usage()
    WScript.Echo "Usage:" & VbCrLf _
        & "  CScript " & WScript.ScriptName & " WebListener" & VbCrLf _
        & "" & VbCrLf _
        & "    WebListener - Name of the Web listener" 
    WScript.Quit
End Sub
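The script above changes one listener at a time. The following PowerShell audit, added here as an example and not part of the original article or the ISA Server SDK, walks every Web listener in the local array through the same COM objects (FPC.Root, GetContainingArray, RuleElements.WebListeners) and flags the two misconfigurations described above: an accelerator port set while SSLPort is still nonzero, and a nonstandard accelerator port. It assumes each listener exposes a Name property.

```powershell
# Added example (not from the original article): audit Web listeners for
# the SSLAcceleratorPort / SSLPort combinations described in the text.
# Assumes the article's COM objects and that each listener has a Name property.
function Test-IsaSslAcceleratorListener {
    param([Parameter(Mandatory=$true)] $Listener)   # an FPCWebListener COM object

    $accelPort = [int]$Listener.Properties.SSLAcceleratorPort
    $sslPort   = [int]$Listener.Properties.SSLPort
    $findings  = @()

    if ($accelPort -ne 0) {
        # Behind an accelerator the listener must not terminate HTTPS itself;
        # otherwise link translation behaves as if the SSL port were enabled.
        if ($sslPort -ne 0) {
            $findings += "SSLAcceleratorPort is $accelPort but SSLPort is $sslPort (set SSLPort to 0)"
        }
        # A nonstandard accelerator port is carried into translated links.
        if ($accelPort -ne 443) {
            $findings += "SSLAcceleratorPort $accelPort is nonstandard; links will reference :$accelPort"
        }
    }

    $status = 'OK'
    if ($findings.Count -gt 0) { $status = 'CHECK' }

    New-Object PSObject -Property @{
        Listener           = $Listener.Name
        SSLAcceleratorPort = $accelPort
        SSLPort            = $sslPort
        Status             = $status
        Findings           = ($findings -join '; ')
    }
}

# Connect to the local array, as the VBScript does with FPC.Root.
$root     = New-Object -ComObject 'FPC.Root'
$isaArray = $root.GetContainingArray()

$report = foreach ($wl in $isaArray.RuleElements.WebListeners) {
    Test-IsaSslAcceleratorListener -Listener $wl
}

$report | Select-Object Listener, SSLAcceleratorPort, SSLPort, Status, Findings |
    Format-Table -AutoSize
```

Run it on the ISA Server computer with an account that can read the array configuration; it makes no changes.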

External SSL Accelerator Behind ISA Server

When you have an external SSL accelerator device in a network behind ISA Server, you have to enable communication between ISA Server and the device. To do so, create an access rule between the Local Host network (ISA Server) and the network hosting the device. To make the rule apply specifically to the device, create a computer object representing the device, and make that object the destination in the rule. The rule should apply to the proprietary protocol associated with the device. The protocol information should be available in the documentation provided with the device. The following procedures describe how to create a computer object for the external SSL accelerator and an access rule enabling access from the ISA Server computer to the computer object.

Create a Computer Object for the SSL Accelerator

In this section, you will create a computer object for the SSL accelerator. This object will be used when creating the access rule, allowing you to limit the access to the computer object.

Perform the following procedure to create a computer object.

To create a computer object

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
  2. On the Toolbox tab, click Network Objects, click New, and then select Computer.

  3. Type a name for the computer object, such as SSL Accelerator, in the Name field and type the device's IP address in the Computer IP Address field. If you do not know the IP address, you can use the Browse button to locate the device.

Create a Protocol for the SSL Accelerator

In this section, you will create a protocol definition for the SSL accelerator. This object will be used when creating the access rule, allowing you to limit the rule to the protocol the device uses.

Perform the following procedure to create a protocol definition.

To create a protocol definition

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
  2. On the Toolbox tab, click Protocols, click New, and then select Protocol.

  3. On the Welcome page, type a name for the protocol, such as SSL Accelerator Protocol, in the Name field, and then click Next.

  4. On the Primary Connection Information page, click New, and in the New/Edit Protocol Connection dialog box, provide the protocol definition information, including the port number provided in the SSL accelerator documentation. Click OK to close the dialog box, and then click Next.

  5. On the Secondary Connections page, leave the default setting, No, and then click Next.

  6. On the summary page, review the protocol definition, and then click Finish.

Create an Access Rule

Perform the following procedure to create an access rule.

To create an access rule

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
  2. On the Tasks tab, click Create Access Rule. Use the wizard to create the rule as outlined in the following table.

    Page: Welcome
    Field or property: Access rule name
    Setting: Type a name for the rule, such as SSL Accelerator Access.

    Page: Rule Action
    Field or property: Action to take when rule conditions are met
    Setting: Select Allow.

    Page: Protocols
    Field or property: This rule applies to
    Setting: Select Selected Protocols.

    Page: Protocols
    Field or property: Protocols
    Setting: Add the SSL Accelerator Protocol you previously defined to the list. To add the protocol to the list, click Add to open the Add Protocols dialog box. In the Add Protocols dialog box, expand User-Defined, and select SSL Accelerator Protocol. Click Add, and then click Close to close the Add Protocols dialog box.

    Page: Access Rule Sources
    Field or property: This rule applies to traffic from these sources
    Setting: Add the Local Host network to the list. To add the Local Host network, click Add to open the Add Network Entities dialog box. In the Add Network Entities dialog box, expand Networks, and then select Local Host. Click Add, and then click Close to close the Add Network Entities dialog box.

    Page: Access Rule Destinations
    Field or property: This rule applies to traffic sent to these destinations
    Setting: Add the computer object created in the previous section, for example, SSL Accelerator. To add a computer object, click Add to open the Add Network Entities dialog box. In the Add Network Entities dialog box, expand Computers, and then select the correct computer object. Click Add, and then click Close to close the Add Network Entities dialog box.

    Page: User Sets
    Field or property: This rule applies to requests from the following user sets
    Setting: Leave the default of All Users.

    Page: Completing the New Access Rule Wizard
    Setting: Review your settings, and then click Back to make changes or Finish to complete the wizard.

  3. Click the Apply button in the details pane to save the changes and update the configuration. It may take a few minutes for the rule to be applied.

Note

Remember that access rules are ordered, so if a deny rule matching these requests exists ahead of this allow rule, access will be denied.