SSL and Firewalls

Applies To: Windows Server 2003 with SP1

You must make some additional decisions if you need to conduct SSL/TLS transactions through a firewall. A firewall is a program that can exist in many different forms, but essentially functions as a barrier between your local area network (LAN) and the outside world. From the point of view of the SSL/TLS protocol, a firewall that sits in the path of the connection is indistinguishable from a man-in-the-middle attack, so the protocol rejects the transaction.

You can use one of two approaches to facilitate SSL/TLS transactions through a firewall:

  • Open the firewall to allow all traffic through a designated port. The typical port for HTTP over SSL is 443. This port can be opened to allow traffic through to the destination Web server. Unfortunately, this means that the firewall can make security decisions based only on the apparent origin of the packet and its destination. The firewall cannot examine the encrypted data in the requests.

  • Configure the firewall or boundary system as a proxy server. In this case, the boundary system is the destination for the SSL traffic from the client. The client authenticates to the boundary system, which then forwards, or proxies, the requests to the internal system. The connection from the boundary system to the internal system might or might not be protected by using SSL. This presents an authentication problem: the proxy must transmit the authenticated identity of the original user to the internal system. It is not possible to use the certificate mapping features of Windows Server 2003 at the application server, because the user’s certificate is presented and validated at the proxy, so the application server never sees it.
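The second approach leaves the application server without the client certificate, so the proxy has to convey the identity it authenticated in a form the application server can trust. The following is an added illustration of one way to do that (it is not code from this page or from Windows Server 2003): the proxy signs an identity assertion with a secret shared only with the internal server, and the internal server refuses any assertion that is forged, malformed or stale. The function names, the header format and the shared secret are assumptions made for this example.

```python
# Added example: tamper-evident hand-off of an identity authenticated at a
# TLS-terminating proxy to the internal application server. The names,
# header format and secret below are assumptions, not a product's API.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Secret known only to the boundary (proxy) system and the internal server.
# Constructed sample value for this illustration.
PROXY_SHARED_SECRET = b"constructed-shared-secret-for-illustration"
MAX_ASSERTION_AGE = 300  # seconds an assertion stays valid


def proxy_assert_identity(cert_subject: str, now: Optional[float] = None) -> str:
    """Proxy side: once the client's certificate has been verified at the proxy,
    package the authenticated subject into a signed header value."""
    issued = int(now if now is not None else time.time())
    payload = json.dumps({"sub": cert_subject, "iat": issued}, sort_keys=True).encode()
    tag = hmac.new(PROXY_SHARED_SECRET, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(tag).decode()


def app_verify_identity(header_value: str, now: Optional[float] = None) -> Optional[str]:
    """Application side: recover the identity the proxy authenticated.
    Returns the subject, or None if the assertion is forged, malformed or stale.
    The application server never saw the client certificate, so it must check
    the proxy's signature rather than trust a bare identity header."""
    try:
        payload_b64, tag_b64 = header_value.split(".", 1)
        payload = base64.b64decode(payload_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(PROXY_SHARED_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
        subject, issued = claims["sub"], int(claims["iat"])
    except (ValueError, KeyError, TypeError):
        return None
    current = now if now is not None else time.time()
    if current - issued > MAX_ASSERTION_AGE:
        return None
    return subject
```

A replay or tampered payload fails the HMAC or age check; in a real deployment the shared secret would be provisioned out of band and the inner hop would also be protected with SSL.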