SSL Host Headers and ISA 2004 with wildcard cert
SSL Host Headers and ISA 2004 with wildcard cert - 2.Sep.2008 6:12:34 PM
psaul
Posts: 4
Joined: 10.Jan.2007
Status: offline
Hello, I'm trying to check if what I want to do is possible with ISA 2004. I've done some Googling and searching on this site, including reading Tom's wildcard cert article.

I have an SBS 2003 server with ISA 2004; we want to host 3 HTTPS sites on this same server (in addition to the web stuff SBS has, like OWA and RWW). These 3 sites are not OWA related, they're just regular sites that should be run over HTTPS. The sites will all use a common domain, something like: edmonton.domain.com, calgary.domain.com and vancouver.domain.com, etc.

As far as I can determine I can create a single web listener and use a *.domain.com wildcard certificate. However, from what I read I can NOT use the same wildcard cert for the 3 internal sites hosted in IIS, is that true? It seems we'd need regular FQDN certs for each of the "city" SSL sites (which seems needlessly expensive since we already have a wildcard cert).

Would it be possible to have HTTPS terminate with ISA's WAN interface and then use HTTP to the published sites? That is, is it possible to do:

client--HTTPS--ISA--HTTP--IIS

Can ISA decrypt the HTTPS data and forward the request as HTTP to IIS and then encrypt the response back to the client? Or would this affect the host headers and cause IIS to not know what was what? (I know this is less secure, but since it's all on the same machine it's not going across the LAN; besides, the LAN is trusted in this case.)

Or is the only solution having a wildcard cert for the ISA web listener and 3 separate certs for the actual sites?

Thanks so much,
Saul
RE: SSL Host Headers and ISA 2004 with wildcard cert - 3.Sep.2008 9:49:12 AM
Rotorblade
Posts: 1002
Joined: 27.Feb.2007
Status: offline
quote:
As far as I can determine I can create a single web listener and use a *.domain.com wildcard certificate. However from what I read I can NOT use the same wildcard cert for the 3 internal sites hosted in IIS, is that true?

I'm not sure if I follow what you're asking, but the issue is that IIS will support the use of * wildcard certificates; the problem lies with ISA 2004 and the use of * certificates. Using ISA 2004, wildcard certificates are only supported when installed on ISA, and it does not support SSL to SSL bridging to the published server.

quote:
Would it be possible to have HTTPS terminate with ISA's WAN interface and then use HTTP to the published sites? That is, is it possible to do: client--HTTPS--ISA--HTTP--IIS

Yes, that's the only way it's going to work using ISA 2004.

quote:
Can ISA decrypt the HTTPS data and forward the request as HTTP to IIS and then encrypt the response back to the client? Or would this affect the host headers and cause IIS to not know what was what? (I know this is less secure, but since it's all on the same machine it's not going across the LAN, besides the LAN is trusted in this case).

Sure, it's a reverse-proxy.

quote:
Or would this affect the host headers and cause IIS to not know what was what?

BTW, although there are hacks that you can use to make it work, host headers are not supported using SSL. The SSL socket is bound to the IIS virtual server's IP.

quote:
Or is the only solution having a wildcard cert for the ISA weblistener and 3 seperate certs for the actual sites?

As mentioned, ISA 2004 only supports the use of wildcards on the ISA itself. Adding three additional certificates on the IIS server is going to be some work too. You will need 3 virtual IPs or alternate ports to bind the certificates to. The other thing you need to consider when trying to get the job done with only one web listener is authentication requirements for the published servers. If you're already publishing OWA, are you using FBA? If so, you're going to need another web listener.

HTH
RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003
RE: SSL Host Headers and ISA 2004 with wildcard cert - 3.Sep.2008 12:18:21 PM
psaul
Posts: 4
Joined: 10.Jan.2007
Status: offline
Hello Rotorblade, thanks for the reply. I did some additional digging on reverse proxy and HTTPS to HTTP bridging. I think I can accomplish what I want (3 external HTTPS sites that point to 3 internal sites -- all with the same external root domain). You're right that I will have to use the *.wildcard cert on the ISA listener only and not on the IIS website.

I can do HTTPS to HTTP bridging: http://technet.microsoft.com/en-ca/library/cc302649.aspx Procedure 5 and Appendix C seem to list what I want to do. (Or, since the Bridging tab in ISA's publishing rule has an SSL port number, it may be possible to do HTTPS to HTTPS bridging using different internal port numbers for each of the 3 city.domain.com sites if each of the 3 internal city.internal.local sites has SSL on different port numbers, though I suspect this is just extra work on my part...)

I know SSL Host Headers involves some CLI work, which is fine by me: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true and http://thelazyadmin.com/blogs/thelazyadmin/archive/2006/06/16/IIS-6.0-and-SSL-Host-Headers.aspx

As for OWA, Forms Based Authentication isn't required, though from looking at another client's SBS 2003 I think it can be done. It seems the way SBS 2003 with ISA 2004 is set up to allow, say, https://mail.domain.com/exchange to point to OWA with FBA is to use a self-signed publishing.internal.local cert on the Default website in IIS for OWA (which is trusted by itself), and the "SBS Web Listener" it creates is where you put the external-CA 3rd party signed mail.domain.com certificate. Authentication types are Integrated and SSL certificate only. This seems to work. So if I get a 3rd party *.wildcard cert for *.domain.com and place it on the web listener it should continue to work for mail.domain.com, and if I create rules for edmonton.domain.com, calgary.domain.com, vancouver.domain.com, etc. it should work for those too.

ISA would then do SSL to SSL bridging to publishing.internal.local for OWA, RWW and anything else on the default website. I can then use SSL to HTTP bridging to 3 other, non-SSL sites (edmonton.internal.local, etc.) and the same listener should work for those, from what I can see.

Thanks for your help,
--Saul
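A check a practitioner would want before buying the wildcard cert for the listener: confirm that the one certificate on the SBS web listener actually covers every public name the publishing rules will use. This is an added example, not code from the thread or from ISA; the hostnames are the ones discussed above, the certificate names are constructed, and it goes a little beyond the thread by also showing two names a *.domain.com cert does not cover (the bare apex and a second-level name).

```python
# Added example (not from the thread): checks whether one wildcard listener
# certificate covers every public name the ISA publishing rules will use.
# Hostnames are the ones from the thread; certificate names are constructed.

def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or SAN dNSName) covers hostname.

    Mirrors the usual browser rule: a leading '*' matches exactly one DNS
    label, so '*.domain.com' covers 'edmonton.domain.com' but neither the
    bare 'domain.com' nor 'owa.edmonton.domain.com'.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if len(host_labels) != len(cert_labels):
        return False
    # every label after the wildcard must match; the first label is free but non-empty
    return host_labels[1:] == cert_labels[1:] and host_labels[0] != ""


def listener_coverage(cert_names, public_names):
    """Map each public name to the certificate name that covers it, or None."""
    coverage = {}
    for public in public_names:
        coverage[public] = next((c for c in cert_names if wildcard_matches(c, public)), None)
    return coverage


def uncovered(cert_names, public_names):
    """Public names for which the web listener cert would NOT be valid."""
    return [h for h, c in listener_coverage(cert_names, public_names).items() if c is None]


# Constructed sample: the single wildcard cert on the SBS web listener, the
# public names from the thread, and two look-alike names that are not covered.
LISTENER_CERT_NAMES = ["*.domain.com"]
PUBLIC_NAMES = [
    "mail.domain.com",         # OWA / RWW on the SBS default website
    "edmonton.domain.com",
    "calgary.domain.com",
    "vancouver.domain.com",
    "domain.com",              # bare apex: *.domain.com does not cover it
    "owa.edmonton.domain.com", # second-level name: the wildcard is one label only
]

if __name__ == "__main__":
    for host, cert in listener_coverage(LISTENER_CERT_NAMES, PUBLIC_NAMES).items():
        print(f"{host:26} -> {cert or 'NOT COVERED: needs its own cert or listener'}")
```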
RE: SSL Host Headers and ISA 2004 with wildcard cert - 3.Sep.2008 2:32:23 PM
Rotorblade
Posts: 1002
Joined: 27.Feb.2007
Status: offline
Good, sounds like you have done your homework. Good luck.
RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003