Tunneling Outbound SSL Requests

You can configure internal client access to external SSL sites using a tunneled SSL connection. This process is as follows:

  • The client browser makes a request to the external Web site in the form: https://URL_Name.
  • The browser sends the request to port 8080 on the ISA Server computer as an HTTP CONNECT request, as follows: CONNECT Server name:443 HTTP/1.1.
  • ISA Server connects to port 443 on the destination Web server. When the TCP connection is established, ISA Server returns: HTTP/1.1 200 connection established. From that point on, the proxy relays the encrypted bytes between the two ends without interpreting them.

This is shown in the following diagram.

SSL tunneling


To configure this scenario, create an access rule that allows HTTPS from the client computers that require access to the external Web site. The external Web server authenticates to the client computer using a server certificate. For the client computer to treat the server certificate as trusted, it requires a copy of the root certificate of the certification authority (CA) that issued the server certificate in its Trusted Root Certification Authorities store. If the external site requires the client to authenticate using a client certificate, a client certificate must be installed on the client computer for this purpose. If the SSL request must be chained to an upstream proxy server before going out to the Internet, you can create a Web chaining rule for this purpose.

The major disadvantage of this configuration is that after the tunnel is established, ISA Server cannot inspect the contents of the traffic encrypted inside it. The client communicates directly with the Web server, effectively bypassing ISA Server policy rules and inspection. By default, ISA Server limits the destination port ranges for such tunneled traffic to 443-443 (the standard SSL port) and 563-563 (the standard NNTPS port). This setting allows connections to SSL sites on the standard ports only. A script is available to extend this tunnel port range, to allow access to SSL sites on alternate ports. For more information, see Managing Tunnel Port Ranges at the Microsoft TechNet Web site. Because tunneled traffic bypasses the ISA Server policy rules and Web proxy inspection, there are potential security risks. Your organization should have a clear policy on internal client access to external SSL Web sites, and limit access where possible. Only extend the tunnel port range where specifically required.
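The following added example (not ISA Server code, written for this article) models the CONNECT exchange from the list above together with the tunnel port range check described in this paragraph: it parses the client's CONNECT line, refuses destinations outside the configured ranges (the default 443-443 and 563-563), and only answers 200 once the outbound TCP connect is reported successful. The hostnames and the `connector` callback are assumptions; the default connector simply pretends the connect succeeded so the code runs offline.

```python
import re
from typing import Callable, List, Optional, Tuple

# Default tunnel port ranges stated in the article: SSL (443) and NNTPS (563).
DEFAULT_TUNNEL_PORT_RANGES: List[Tuple[int, int]] = [(443, 443), (563, 563)]

# Request line of an HTTP CONNECT: "CONNECT host:port HTTP/1.x"
CONNECT_LINE = re.compile(r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]$")


def parse_connect_request(request_line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a CONNECT request line, or None if it is malformed."""
    m = CONNECT_LINE.match(request_line.strip())
    if not m:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return m.group("host"), port


def port_in_ranges(port: int, ranges: List[Tuple[int, int]]) -> bool:
    """True when the destination port falls inside one of the configured tunnel ranges."""
    return any(lo <= port <= hi for lo, hi in ranges)


def extend_tunnel_ranges(ranges: List[Tuple[int, int]], lo: int, hi: int) -> List[Tuple[int, int]]:
    """Return a new range list with an extra range added (the article's 'extend the range' step)."""
    if not (1 <= lo <= hi <= 65535):
        raise ValueError("invalid port range")
    return ranges + [(lo, hi)]


def _fake_connect(host: str, port: int) -> bool:
    # Stand-in for the real TCP connect to the destination server; always succeeds here.
    return True


def proxy_response(request_line: str,
                   ranges: List[Tuple[int, int]] = DEFAULT_TUNNEL_PORT_RANGES,
                   connector: Callable[[str, int], bool] = _fake_connect) -> str:
    """Status line a CONNECT-handling proxy returns under the given tunnel port policy."""
    parsed = parse_connect_request(request_line)
    if parsed is None:
        return "HTTP/1.1 400 Bad Request"
    host, port = parsed
    if not port_in_ranges(port, ranges):
        return "HTTP/1.1 403 Forbidden"  # destination port outside the tunnel port range
    if not connector(host, port):
        return "HTTP/1.1 502 Bad Gateway"  # TCP connection to the server was not established
    return "HTTP/1.1 200 connection established"
```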

Note

Authentication of internal clients to the ISA Server computer using an SSL client certificate is not supported.