SSL bridging

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Secure Sockets Layer (SSL) bridging refers to the ability of Microsoft Internet Security and Acceleration (ISA) Server to encrypt or decrypt client requests and pass on the request to a destination Web server. For example, in a publishing (or reverse proxy) scenario, ISA Server can service a client SSL request by terminating the SSL connection from the client and opening a new, separate connection with the Web server.

SSL tunneling—and not SSL bridging—is used whenever a client browser (from the local, internal network) requests an object using HTTPS on port 8080 through the ISA Server computer. For more information, see SSL tunneling.

SSL bridging is used when ISA Server ends an SSL connection or when it initiates an SSL connection. Specifically, SSL bridging works in the following scenarios:

  • A client requests a Hypertext Transfer Protocol (HTTP) object. ISA Server encrypts the request and forwards it to the Web server. The Web server returns the encrypted object to ISA Server. ISA Server then decrypts the object and sends it to the client. In other words, HTTP requests are forwarded as SSL requests.

  • A client requests an SSL object. ISA Server decrypts the request, then encrypts it again and forwards it to the Web server. The Web server returns the encrypted object to ISA Server. ISA Server decrypts the object and then sends it to the client. In other words, SSL requests are forwarded as SSL requests.

  • A client requests an SSL object. ISA Server decrypts the request and forwards it to the Web server. The Web server returns the HTTP object to ISA Server. ISA Server encrypts the object and sends it to the client. In other words, SSL requests are forwarded as HTTP requests.

SSL bridging can be configured for outgoing and incoming Web requests. However, for outgoing Web requests, the client browser must support secure communication with the Web Proxy service of ISA Server.

In the reverse publishing scenario, the client requests objects from ISA Server, which forwards the request to the published Web server. In the figure, the Web Proxy client (browser) connects to ISA Server. ISA Server returns its own server-side certificate, authenticating itself (not the published Web server) to the client. When the client and ISA Server complete the SSL negotiation, the client sends an encrypted HTTP request to ISA Server. ISA Server decrypts the request and checks whether the requested object is in its cache. If the object is in the cache, ISA Server returns the object to the client without contacting the Web server.

If the object is not in the cache, ISA Server opens a new SSL connection to the Web server. The Web server returns its own server-side certificate to ISA Server, which now acts as the SSL client. When ISA Server and the Web server complete the SSL negotiation, ISA Server encrypts the HTTP request and sends it to the Web server. The Web server decrypts the request and returns the requested object, encrypted under this second SSL session, to ISA Server.

ISA Server decrypts the object, stores it in its cache if the object is cacheable, encrypts it again for the client connection, and passes it to the requesting client. The two SSL sessions are independent: the client has authenticated only ISA Server's certificate, ISA Server has authenticated the Web server's certificate, and the object exists in the clear on the ISA Server computer between the two sessions.

In an SSL bridging scenario, ISA Server caches the cacheable Web objects returned by the published server, including objects that were retrieved over SSL. Because such objects are stored decrypted in the cache, you can use the FPCWebRequestConfiguration COM object to configure whether SSL objects should be cached at all. For more information, see the ISA Server Software Development Kit documentation.

Incoming Web requests

For incoming Web requests, an external client uses HTTPS to request an object from a Web server located on your internal network. The client connects to ISA Server on the SSL listener port, port 443 by default. In this case, ISA Server responds with its own server-side SSL certificate; the client never sees the published Web server's certificate.

For this scenario, ISA Server must be configured to listen for SSL requests on port 443 and a server certificate must be specified. For more information, see Enable SSL listeners and Configure server certificates for Web requests.

Having received the client's request, ISA Server decrypts it, terminating the SSL connection. The Web publishing rules determine how ISA Server communicates the request for the object to the publishing Web server: File Transfer Protocol (FTP), HTTP, or SSL. For more information, see Web publishing rules.

If the Web publishing rule is configured to forward the request using HTTPS, ISA Server initiates a new SSL connection with the publishing server, sending the request to port 443. Since ISA Server is now the SSL client, it requires the publishing Web server to respond with a server-side certificate. If the Web server requires a client certificate, ISA Server must present the appropriate certificate as well. This inner SSL session is separate from the client's session: the client authenticates ISA Server, and ISA Server authenticates the publishing Web server.
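The reverse-publishing flow described above (cache check, then a second, independent SSL session to the published server in which the bridge validates the server's certificate and may present a client certificate) and the incoming-request handling in this section, as one added example. This is illustrative code written for this page, not ISA Server code; the names PublishingRule, Bridge, listener_context and FakeBackend are invented, and the in-memory FakeBackend and its canned responses are constructed stand-ins for a real published Web server so that the example runs offline. It goes slightly beyond the text by honouring Cache-Control when deciding what to cache.

```python
# Added example (not ISA Server code): a minimal SSL-bridging core modelled on the
# flow described in this page. PublishingRule, Bridge, listener_context and the
# in-memory FakeBackend are invented names used for illustration only.
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class PublishingRule:
    """How decrypted requests reach the published server (the role of a Web publishing rule)."""
    backend_host: str
    backend_port: int
    forward_scheme: str                             # "http" (SSL -> HTTP) or "https" (SSL -> SSL)
    ca_file: Optional[str] = None                   # CA bundle used to validate the backend's certificate
    client_cert: Optional[Tuple[str, str]] = None   # (cert, key) files if the backend requires a client cert
    cache_ssl_objects: bool = True                  # whether objects fetched over SSL may be cached


def listener_context(cert_file: str, key_file: str) -> ssl.SSLContext:
    """TLS context for the incoming listener (port 443): clients authenticate *this* certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_file, key_file)
    return ctx


class Bridge:
    """Takes a request the listener already decrypted, opens a *new* connection to the backend
    (plain or TLS per the rule), caches cacheable responses, and returns the plaintext response
    for the listener to re-encrypt towards the client."""

    def __init__(self, rule: PublishingRule, connect: Optional[Callable] = None):
        self.rule = rule
        self.cache: Dict[str, bytes] = {}
        self._connect = connect or self._tcp_connect    # injectable so the example runs offline

    def _tcp_connect(self, host: str, port: int, use_tls: bool):
        sock = socket.create_connection((host, port))
        if not use_tls:
            return sock
        # The bridge is now the SSL client: verify the backend's chain and hostname, and
        # present a client certificate if the backend demands one.
        ctx = ssl.create_default_context(cafile=self.rule.ca_file)
        if self.rule.client_cert:
            ctx.load_cert_chain(*self.rule.client_cert)
        return ctx.wrap_socket(sock, server_hostname=host)

    def handle(self, method: str, path: str, headers: Dict[str, str]) -> bytes:
        if method == "GET" and path in self.cache:
            return self.cache[path]                     # cache hit: the backend is never contacted
        use_tls = self.rule.forward_scheme == "https"
        hdrs = dict(headers, Host=self.rule.backend_host, Connection="close")
        raw = f"{method} {path} HTTP/1.1\r\n" + "".join(f"{k}: {v}\r\n" for k, v in hdrs.items()) + "\r\n"
        conn = self._connect(self.rule.backend_host, self.rule.backend_port, use_tls)
        try:
            conn.sendall(raw.encode())
            chunks = []
            while data := conn.recv(4096):
                chunks.append(data)
        finally:
            conn.close()
        resp = b"".join(chunks)
        if method == "GET" and self._cacheable(resp, use_tls):
            self.cache[path] = resp                     # stored decrypted on the proxy
        return resp

    def _cacheable(self, resp: bytes, fetched_over_tls: bool) -> bool:
        head = resp.partition(b"\r\n\r\n")[0].split(b"\r\n")
        if not head[0].startswith(b"HTTP/1.1 200"):
            return False
        if fetched_over_tls and not self.rule.cache_ssl_objects:
            return False
        cc = [h.split(b":", 1)[1].strip().lower() for h in head[1:] if h.lower().startswith(b"cache-control:")]
        return not any(b"no-store" in v or b"private" in v for v in cc)


class FakeBackend:
    """Constructed in-memory stand-in for the published Web server (no real I/O)."""
    RESPONSES = {
        b"/index.html": b"HTTP/1.1 200 OK\r\nCache-Control: max-age=60\r\nContent-Length: 5\r\n\r\nhello",
        b"/account":    b"HTTP/1.1 200 OK\r\nCache-Control: private\r\nContent-Length: 6\r\n\r\nsecret",
    }

    def __init__(self):
        self.connections = []                           # (use_tls, raw request) per backend connection

    def connect(self, host: str, port: int, use_tls: bool):
        backend = self

        class Conn:
            def __init__(self):
                self.request, self.out = b"", None

            def sendall(self, data):
                self.request += data

            def recv(self, n):
                if self.out is None:                    # first read: answer the request we received
                    backend.connections.append((use_tls, self.request))
                    path = self.request.split(b" ", 2)[1]
                    self.out = FakeBackend.RESPONSES.get(path, b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n")
                chunk, self.out = self.out[:n], self.out[n:]
                return chunk

            def close(self):
                pass

        return Conn()


def demo() -> dict:
    """SSL -> SSL bridging: second GET is a cache hit; a 'private' object is fetched again each time."""
    backend = FakeBackend()
    bridge = Bridge(PublishingRule("www.example.internal", 443, "https"), connect=backend.connect)
    first = bridge.handle("GET", "/index.html", {"User-Agent": "demo"})
    second = bridge.handle("GET", "/index.html", {"User-Agent": "demo"})
    bridge.handle("GET", "/account", {})
    bridge.handle("GET", "/account", {})
    plain = Bridge(PublishingRule("www.example.internal", 80, "http"), connect=backend.connect)
    plain.handle("GET", "/index.html", {})              # SSL -> HTTP: same request, plaintext inner hop
    return {
        "first": first,
        "cache_hit": second is first,
        "backend_connections": len(backend.connections),   # index once, account twice, plain once
        "tls_flags": [tls for tls, _ in backend.connections],
        "host_header": b"Host: www.example.internal" in backend.connections[0][1],
    }
```

In a real deployment the listener accepts on port 443, wraps each accepted socket with `listener_context(...).wrap_socket(conn, server_side=True)`, parses the decrypted request and passes it to `Bridge.handle`, then writes the returned bytes back over the client's TLS session. The two security points the code makes explicit are that `ssl.create_default_context` on the inner hop is what verifies the published server's certificate (without it, anything on the internal path could impersonate the backend), and that a cacheable object fetched over SSL lands in `Bridge.cache` in plaintext, which is why an administrator may want to disable caching of SSL objects.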

Outgoing Web requests

In most cases, when an internal client uses HTTPS to request an object from a server on the Internet, the ISA Server uses SSL tunneling to establish the connection.

For clients that support secure communication directly with ISA Server, you can configure routing rules to enable SSL bridging, instead. In this case, the client uses HTTP or HTTPS to request an object from an external Web server (on the Internet), connecting to the ISA Server on port 8080 or port 443, respectively (or whichever port is configured to listen for TCP and SSL requests). A routing rule, which applies to the specified destination server, specifies that the request should be redirected as an SSL request.

For more information, see SSL tunneling and Routing Web requests.