
ISA Server 2000 Feature Pack 1

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Microsoft ISA Server 2000 Feature Pack 1, Version 1

Secure Sockets Layer (SSL) bridging and tunneling are how ISA Server handles SSL requests. SSL bridging refers to whether ISA Server passes SSL requests to an internal Web server as SSL (HTTPS) or as HTTP in a Web publishing scenario. SSL tunneling refers to the use of server publishing to route incoming SSL requests to an internal server. SSL tunneling also refers to how outgoing SSL requests from an internal client are passed to a Web server on the Internet.

The table below compares SSL bridging and SSL tunneling for incoming requests.

SSL Bridging and SSL Tunneling

SSL Bridging (redirecting SSL requests as SSL)

  Advantages:

  • Provides the benefits of Web publishing, such as making rule decisions based on host headers.

  • Data can be inspected at the ISA Server since the SSL connection is ended and then recreated internally.

  Disadvantages:

  • A digital certificate must also be configured on the ISA Server computer.

  • Name resolution issues could arise if the certificate is exported from the internal Web server. See "SSL Bridging and Digital Certificates" later in this document for more information.

SSL Bridging (redirecting SSL requests as HTTP)

  Advantages:

  • Provides the benefits of Web publishing, such as making rule decisions based on host headers.

  • Data can be inspected at the ISA Server since the SSL connection is ended at the ISA Server.

  Disadvantages:

  • A digital certificate must also be configured on the ISA Server computer.

  • Traffic is unencrypted between the ISA Server computer and the Web server computer.

SSL Tunneling

  Advantages:

  • Easy to configure using a server publishing rule.

  • Client-to-server encrypted SSL tunnel.

  Disadvantages:

  • Does not provide the features of Web publishing.

  • ISA Server does not intercept the SSL communication traffic; the encrypted data is forwarded without inspection to its final destination on the internal network.

SSL Bridging

If you are publishing a server that requires SSL communication, you must have an SSL certificate installed on your ISA Server computer. In addition, you may have an SSL certificate installed on the Web server. In either case, to ensure that SSL requests are sent from the ISA Server computer to the Web server using the appropriate protocol, you have to configure SSL bridging accordingly.

Secure Sockets Layer (SSL) bridging is a property for each Web publishing rule. SSL bridging determines whether SSL requests received by the ISA Server computer are passed to the Web server as SSL requests or as HTTP requests, as follows:

  • If there is no SSL certificate installed on the Web server, pass SSL and HTTP requests to the Web server as HTTP requests. The SSL-secured communication is handled by ISA Server, and continues internally as HTTP.

  • If there is an SSL certificate installed on the Web server, pass SSL requests to the internal Web server as SSL requests, and HTTP requests as HTTP requests. In this case, SSL-secured communication takes place on both the external client to ISA Server and on the ISA Server to Web server levels.

If your Web server has an SSL certificate, and you want ISA Server to listen for SSL requests without purchasing an additional certificate, you have to export the certificate from the Web server and import it to the ISA Server computer. For more information, see HOW TO: Export, Install, and Configure Certificates to Internet Security and Acceleration Server (http://go.microsoft.com/fwlink/?LinkID=10713).

To modify the SSL bridging configuration

  1. Click the Web Publishing Rules node.

  2. Double-click the applicable Web publishing rule.

  3. Select the Bridging tab.

  4. For the first two redirection options, select the appropriate redirection:

    • If you are using the ISA Server SSL certificate to handle SSL requests (no SSL certificate installed on the Web server), in Redirect HTTP requests as: and Redirect SSL requests as: select HTTP requests, and then click OK. This configuration is shown in the figure.

      [Figure: Bridging tab with both Redirect HTTP requests as: and Redirect SSL requests as: set to HTTP requests]

    • If you want to continue to use an existing SSL certificate on the Web server as well as the certificate on the ISA Server, in Redirect HTTP requests as: select HTTP requests and in Redirect SSL requests as: select SSL requests, and then click OK.

Note: There are two other options available on the SSL bridging tab:

  • Require secure channel (SSL) for published site will reject HTTP requests that are received by ISA Server. This option also provides the possibility of requiring 128-bit encryption for HTTPS requests.

  • Use a certificate to authenticate to the SSL Web server enables you to specify the client certificate that ISA Server will use to authenticate itself to the Web server.

SSL Bridging and Digital Certificates

A common issue in Web publishing using SSL bridging is that the server name or IP address provided on the Web publishing rule Action tab does not match the name on the digital (SSL) certificate. This will result in the Web client receiving a 500 Internal Server Error page.

This problem can be resolved using one of the following approaches:

  • Obtain a new certificate that matches the name on the server

  • Change the server name on the Web publishing rule Action tab to match the name on the certificate, and configure the local DNS server to map that name to the internal Web server

  • Change the server name on the Web publishing rule Action tab to match the name on the certificate. On the ISA Server computer, in the file WINNT\system32\drivers\etc\hosts, add a mapping from the certificate/Action tab name to the IP address of the internal Web server.

For more information see Troubleshooting_Web_Publishing.doc.
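A pre-flight check for the name-mismatch problem described above, added here as an illustration (not ISA Server code): it tests whether the server name entered on the Action tab would pass the certificate's name check. The matching rules (SAN dNSName first, else subject CN, single leftmost-label wildcard) and the sample certificate are assumptions.

```python
"""Pre-flight check for the SSL bridging name-mismatch problem: does the server
name on the Web publishing rule's Action tab match the certificate's name?
Added illustration; the matching rules are a generic assumption, not ISA code."""
from typing import Dict, List

# Constructed sample certificate, in the dict layout Python's ssl.getpeercert() uses.
SAMPLE_CERT: Dict = {
    "subject": ((("commonName", "www.contoso.example"),),),
    "subjectAltName": (("DNS", "www.contoso.example"),
                       ("DNS", "*.intranet.contoso.example")),
}


def cert_names(cert: Dict) -> List[str]:
    """DNS names a client will accept: SAN dNSName entries, else the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for key, v in rdn if key == "commonName"]
    return [n.lower().rstrip(".") for n in names]


def name_matches(target: str, pattern: str) -> bool:
    """Exact match, or a single '*' that stands for exactly one leftmost label."""
    target = target.lower().rstrip(".")
    if "*" not in pattern:
        return target == pattern
    head, _, tail = pattern.partition(".")
    if head != "*" or "*" in tail:
        return False                      # assumption: reject odd wildcard forms
    t_head, _, t_tail = target.partition(".")
    return bool(t_head) and t_tail == tail


def bridging_target_ok(action_tab_name: str, cert: Dict) -> bool:
    """True when the Action tab name will pass the certificate name check.
    An IP address or a bare NetBIOS name on the Action tab fails unless the
    certificate was issued for exactly that string; that is the 500 error case."""
    return any(name_matches(action_tab_name, p) for p in cert_names(cert))


if __name__ == "__main__":
    for name in ("www.contoso.example", "10.0.0.5", "webserver01"):
        verdict = "ok" if bridging_target_ok(name, SAMPLE_CERT) else "MISMATCH (expect 500)"
        print(f"Action tab name {name!r}: {verdict}")
```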

SSL Tunneling

Incoming SSL Tunneling

Incoming SSL tunneling refers to the mechanism used when you publish an internal server using a server publishing rule for the HTTPS protocol. You can publish an internal server to any HTTPS request, or limit it to specific clients using a client address set.

Incoming SSL tunneling requires that you have an SSL certificate installed on your internal server.

Create a client address set

Create a client set representing the computers that you will allow access to your server using the HTTPS protocol. If you are going to allow server access for any HTTPS request, you should skip this procedure.

To create a client address set

  1. In the console tree of ISA Management, right-click Client Address Sets, point to New, and then click Set.

  2. On the Client Set dialog box, provide a name for the client address set, such as Clients for the HTTPS server. You can also provide a description for the set (optional).

  3. Click Add.

  4. In the Add/Edit IP Addresses dialog box, use the From and To fields to define a range of computer IP addresses that will be allowed to access your server. You can repeat steps 3 and 4 to add additional ranges. To add a single computer, use the same IP address in the From and To fields.

  5. Click OK in the Client Set dialog box.

Create a server publishing rule

To create a server publishing rule for the HTTPS protocol

  1. In the console tree of ISA Management, right-click Server Publishing Rules, point to New, and then click Rule.

  2. In the Server Publishing Rule Name field, type a name for the rule, such as Publish Internal Server for HTTPS protocol, and then click Next.

  3. On the Address Mapping page, enter the IP address of the internal server and the IP address of the external network adapter of the ISA Server computer, and then click Next.

  4. On the Protocol Settings page, select HTTPS Server.

  5. On the Client Type page, select Any request if you are going to allow server access for any HTTPS request, or Specific computers (client address sets) if you are going to limit access to specific computers, and then click Next.

  6. If you selected Specific computers (client address sets) in Step 5, you will see the Client Sets page (if not, proceed to Step 7). On this page specify the client set you created and then click Next.

  7. Check the information on the Summary page, and then click Finish.

Outgoing SSL Tunneling

Whenever a client browser requests an HTTPS object through ISA Server, it uses SSL tunneling. Secure Sockets Layer (SSL) tunneling establishes a tunnel through the ISA Server computer directly to the external Web server with the requested Secure Hypertext Transfer Protocol (HTTPS) object. The figure illustrates the SSL tunneling process:

[Figure: SSL Tunneling]

  1. A client requests an SSL object from a Web server on the Internet by typing the following in the browser address field:

    https://URL_name

  2. The following request is sent to port 8080 on the ISA Server computer:

    CONNECT Server_name:443 HTTP/1.1

  3. ISA Server connects to the destination Web server on port 443.

  4. When the TCP connection is established, the ISA Server returns:

    HTTP/1.1 200 connection established

From that point on, the client communicates directly with the external Web server.

SSL tunneling works by default for outgoing client requests to ports 443 and 563. You can add SSL tunneling for additional ports through FPCTunnelPortRange, an ISA administration COM object. For more information, see the ISA Server Software Development Kit.
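The CONNECT exchange and the tunnel port policy from the steps above, modelled as an added illustration (not ISA Server code): the proxy parses the client's CONNECT line, checks the destination port against the tunnel port ranges (443 and 563 by default, extended the way FPCTunnelPortRange would), and answers with the 200 reply quoted on the page. The 400 and 403 refusals, add_tunnel_port_range, and the sample request lines are assumptions.

```python
"""Model of the outgoing SSL tunnel decision a Web proxy makes on a client's
CONNECT request. Added illustration, not ISA Server code; only the 200 reply
is from the page, the refusal replies are assumed."""
import re
from typing import List, Optional, Tuple

# Ports tunneled by default, per the page; further ranges would come from FPCTunnelPortRange.
DEFAULT_TUNNEL_PORTS: List[Tuple[int, int]] = [(443, 443), (563, 563)]

# Request line format from the page: "CONNECT Server_name:443 HTTP/1.1"
_CONNECT = re.compile(r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]$")


def parse_connect(line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    m = _CONNECT.match(line.rstrip("\r\n"))
    if not m:
        return None
    port = int(m.group("port"))
    return (m.group("host"), port) if 1 <= port <= 65535 else None


def add_tunnel_port_range(ranges, low: int, high: int):
    """Stand-in for adding a range via FPCTunnelPortRange (inclusive bounds)."""
    if not 1 <= low <= high <= 65535:
        raise ValueError("invalid tunnel port range")
    return ranges + [(low, high)]


def port_allowed(port: int, ranges) -> bool:
    return any(low <= port <= high for low, high in ranges)


def tunnel_decision(line: str, ranges=None) -> str:
    """Reply the proxy sends before (or instead of) opening the TCP tunnel."""
    ranges = DEFAULT_TUNNEL_PORTS if ranges is None else ranges
    parsed = parse_connect(line)
    if parsed is None:
        return "HTTP/1.1 400 Bad Request"          # assumed refusal: malformed line
    host, port = parsed
    if not port_allowed(port, ranges):
        return "HTTP/1.1 403 Forbidden"            # assumed refusal: not a tunnel port
    return "HTTP/1.1 200 connection established"  # reply quoted on the page


if __name__ == "__main__":
    # Constructed sample request lines, as a browser would send them to port 8080.
    extended = add_tunnel_port_range(DEFAULT_TUNNEL_PORTS, 8443, 8443)
    for req in ("CONNECT www.example.com:443 HTTP/1.1", "CONNECT news.example.com:563 HTTP/1.1",
                "CONNECT app.example.com:8443 HTTP/1.1", "CONNECT mail.example.com:25 HTTP/1.1"):
        print(f"{req:42} default: {tunnel_decision(req)[9:12]}  extended: {tunnel_decision(req, extended)[9:12]}")
```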

© 2014 Microsoft