Welcome to ISAserver.org
Web Publishing Multiple SSL websites with SSL Bridging
Web Publishing Multiple SSL websites with SSL Bridging - 9.Feb.2005 1:25:00 AM
asutherland
Posts: 51
Joined: 23.Jan.2003
From: Nelson, B.C.
Status: offline
How many Incoming Web Request Listeners do I need to use web publishing with multiple SSL WebSites, using SSL Bridging?
It is my understanding that Web Publishing rules need Incoming Web Request Listeners and the Web Proxy service to redirect Port 443 on a specific external IP address to the appropriate internal server name.
1. Do I need 3 Listeners, each with their own external IP address:443 redirecting to different internal machine names, where the certificate has been imported for use by the listener? Assume I have 3 external IP addresses.
i.e.
mailowaserver.domain = owa SSL site (Listener1)
webserver1.domain = multiple SSL sites (Listener2)
webserver2.domain = one or more SSL sites (Listener3)
2. Then the web publishing rule is looking at the FQDN and resolving that to an internal IP address/webserver/website... assume that webserver1 has multiple internal IPs.
i.e.
sslsite1.webserver1.domain = 10.0.0.12:443
sslsite2.webserver1.domain = 10.0.0.13:443
Can you help clarify this for me, please? Thanks for your time.
Allison
RE: Web Publishing Multiple SSL websites with SSL Bridging - 9.Feb.2005 10:17:00 AM
RuiFiske
Posts: 92
Joined: 8.Dec.2004
From: London
Status: offline
Allison,
If you have three IP addresses, and three certificates, you are best publishing using the three of them.
The cardinal rule with SSL sites in general is that you can have only ONE certificate per IP address. This is due to the way that SSL handshaking is done prior to any HTTP headers being sent. Therefore you cannot generally redirect based on host headers. Furthermore, the subject name on the certificate should match the FQDN of the site, or the user will either see a warning or nothing at all. ISA rejects non-matching certificates out of hand as "Principal Target name is incorrect".
There is a technique that allows you to use wildcard certificates instead, but this technique is not universally accepted: ISA server itself again rejects wildcard certificates as "Principal Target name is incorrect".
So, as per original advice, if you have three IP addresses, and three certificates, then use them!
Good luck.
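Added example, not part of either post and not ISA Server's own logic: a small Python check of a publishing plan against the rule stated in the reply above (one certificate per external IP on port 443, subject name matching the published FQDN). The host names come from the question; the external IPs (192.0.2.x), the certificate assignments and the function names are assumptions made for illustration.

```python
# Constructed sample plan. One dict entry per external IP models the
# "one certificate per IP address" rule: the certificate is chosen during
# the SSL handshake, before any Host header is available to pick a site.
LISTENERS = {
    "192.0.2.1": "mailowaserver.domain",
    "192.0.2.2": "sslsite1.webserver1.domain",
    "192.0.2.3": "webserver2.domain",
}
# (published FQDN, external IP whose listener receives it) - constructed
RULES = [
    ("mailowaserver.domain", "192.0.2.1"),
    ("sslsite1.webserver1.domain", "192.0.2.2"),
    ("sslsite2.webserver1.domain", "192.0.2.2"),  # second site on same IP
    ("webserver2.domain", "192.0.2.3"),
]

def name_matches(cert_subject, fqdn, allow_wildcard=False):
    """Case-insensitive subject/FQDN comparison.

    allow_wildcard=False models a verifier that only accepts exact names.
    With allow_wildcard=True, "*.example" covers exactly one extra
    left-most label and nothing deeper.
    """
    subject = cert_subject.lower().rstrip(".")
    name = fqdn.lower().rstrip(".")
    if subject == name:
        return True
    if allow_wildcard and subject.startswith("*."):
        head, _, rest = name.partition(".")
        return bool(head) and rest == subject[2:]
    return False

def check_plan(listeners, rules, allow_wildcard=False):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    for fqdn, ip in rules:
        subject = listeners.get(ip)
        if subject is None:
            problems.append(f"{fqdn}: no listener certificate bound to {ip}:443")
        elif not name_matches(subject, fqdn, allow_wildcard):
            problems.append(f"{fqdn}: certificate on {ip}:443 is for {subject}")
    return problems

if __name__ == "__main__":
    for line in check_plan(LISTENERS, RULES) or ["plan is consistent"]:
        print(line)
```

Run against the sample plan, the only finding is the second site sharing 192.0.2.2, which is the case that needs either its own IP and certificate or a wildcard certificate that every verifier in the path accepts.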