SSL Publishing

SSL Publishing - 30.Nov.2005 5:52:52 AM   
xmental

 

Posts: 12
Joined: 6.Jun.2002
Status: offline
Can anyone help with this:

I want to publish multiple ssl sites on a single IIS 6 server, through one external ip.

I've read the articles, but it seems my situation is different than the tutorials, or maybe I just didn't read carefully enough.

I have two domains hosted on IIS 6:
domain1.com
domain2.com
(The tutorials I have read regarding wildcard certificates all have the same domain)
Both have ssl certificates installed.

I have followed the article at:

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx

which allows you to configure ssl host headers in IIS 6 (after a little editing of the metabase as well)

When tunneling the ssl request:
It appears not to pass the "original host header"

When publishing the site with web publishing rules:
It will only allow access to the ssl site that I specify the certificate for under the preferences tab of the listener properties

Does anyone know how I can publish two ssl sites with different domains while only using one external ip?

IMO the ability to add ssl host headers to IIS 6 is welcomed, it's just too bad it doesn't seem to work behind their own firewall....

Thanks in advance,

Rob
Post #: 1
RE: SSL Publishing - 30.Nov.2005 3:13:02 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rob,

What is the exact configuration of your Web Publishing Rules?

What is the common/subject name on the Web site certificate bound to the Web listener?

What is the name of the Web site certificate bound to each of the Web sites behind the ISA firewall?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to xmental)
Post #: 2
RE: SSL Publishing - 30.Nov.2005 3:38:49 PM   
xmental

 

Posts: 12
Joined: 6.Jun.2002
Status: offline
Hi Tom, thanks for the quick reply

Web publishing rule:
Action: Allow
From: Anywhere
To:192.168.0.25 (internal webserver IIS 6) Forward original host header enabled, requests from original client
Traffic: HTTPS HTTP
Listener: 'ExListener1' bound to 1 specific external IP, HTTP 80 HTTPS 443 (pick a certificate: either secure.domain1.com or secure.domain2)
Public Name: All requests
Paths: <same as internal> /*
Bridging: Web Server Redirect requests to http port 80 enabled redirect ssl not selected, FTP bridging not selected
Users: All Users
Schedule: Always
Link Translation: Replace absolute links not selected

Hope that gives you all you need for that.

We have exported both certificates to the ISA server so you can select either secure.domain1.com or secure.domain2.com certificates for the listener.
Whichever one is picked that SSL site works.

The names of the certificates on the webserver are secure.domain1.com and secure.domain2.com

Thanks,

Rob

(in reply to tshinder)
Post #: 3
RE: SSL Publishing - 30.Nov.2005 3:45:03 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rob,

OK, the problem is that if you have a single address and want to publish multiple Web sites, you need to use a wildcard certificate on the ISA firewall's Web listener, like *.domain.com. At that point, you can accept incoming connections to sites such as www.domain.com and www2.domain.com and sales.domain.com, but you cannot accept a connection for a site that isn't part of the same second level domain, such as www.domain1.com.

Check out the article on this site on using wildcard certificates to publish secure Web sites.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to xmental)
Post #: 4
RE: SSL Publishing - 30.Nov.2005 3:57:06 PM   
xmental

 

Posts: 12
Joined: 6.Jun.2002
Status: offline
Thanks for the reply,

From what I am understanding then, it will not be possible to publish multiple SECOND LEVEL Domains (using SSL) with a single external ip address then?

It's really too bad that adding host headers to SSL is available in IIS 6, yet ISA has no way to take advantage of them.

Rob

(in reply to tshinder)
Post #: 5
RE: SSL Publishing - 15.Dec.2005 2:18:51 PM   
rennera

 

Posts: 11
Joined: 15.Dec.2005
Status: offline
Rob, did you find a solution for this or did you abandon the idea for now?  I think this would work using SSL tunnelling but I too would like a solution using Bridging to take advantage of ISA's SSL securities.

(in reply to xmental)
Post #: 6
RE: SSL Publishing - 15.Dec.2005 2:52:06 PM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
quote:

It's really too bad that adding host headers to SSL is available in IIS 6, yet ISA has no way to take advantage of them


The same requirements for Win2003 SP1 Host Headers with SSL in IIS6 are the same requirements for SSL Host header support in ISA - you have to use a Wildcard certificate. ISA had this ability long before IIS did.

Just to make sure I understand your point - what EXACTLY do you mean by 'multiple SECOND LEVEL domains'?  As in, having ISA with 1 IP and trying to publish clintd.com and clint.com on a single IP? IIS can't do this either - you have to use the wildcard cert on EITHER the clintd.com or clint.com domains in order for SSL/Host Header support to work right.

The IIS Program Manager talks about this in his blog.

Windows Server 2003 Service Pack 1 AND IIS 6.0: Host Headers and SSL
http://blogs.technet.com/chrisad/archive/2005/11/17/414726.aspx


< Message edited by ClintD -- 15.Dec.2005 2:58:26 PM >

(in reply to rennera)
Post #: 7
RE: SSL Publishing - 15.Dec.2005 10:11:15 PM   
rennera

 

Posts: 11
Joined: 15.Dec.2005
Status: offline
All over this board I see talk of the wildcard cert.  I must admit that I have used Tom's article to deploy this on ISA for my OWA...  BUT this is not a good solution as the security warning will pop up.  How confident would you be if you went to your bank's website and a security warning popped up saying something isn't right here...

What I am looking for is a way to use ONE single external IP Address with multiple SSL secured domains.  From what I am reading the only way to do this is by using SSL Tunnelling directly to the web server.  Obviously this is not ideal... is there a better solution?

(in reply to xmental)
Post #: 8
RE: SSL Publishing - 16.Dec.2005 12:28:59 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
You shouldn't get a pop up from IE with a wildcard cert (unless it is created by an internal CA) as IE is clever enough to realise that *.domain.com is applicable for all hostnames.

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to rennera)
Post #: 9
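
The name-matching rule behind Tom's reply (Post #4) and Jason's reply (Post #9), as an added example that is not part of the thread and not ISA Server's or IE's own code: a simplified Python version of the check a browser applies to the single certificate a Web listener presents. The function names are hypothetical, the matching rule is an assumed simplification, and the host names are the ones used in the posts.

```python
# Added example: simplified wildcard certificate name matching.
# Assumption: "*" is honoured only as the whole left-most label.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.strip().lower().rstrip(".").split(".")

def cert_name_matches(cert_name, hostname):
    """True if one certificate name covers hostname.

    The wildcard stands for exactly one label, so '*.domain.com' covers
    'www.domain.com' but not 'domain.com', 'a.b.domain.com' or
    'www.domain1.com'.
    """
    pattern, host = _labels(cert_name), _labels(hostname)
    if len(pattern) != len(host) or "" in host:
        return False
    if any("*" in label for label in pattern[1:]):
        return False                      # wildcard outside first label
    if pattern[0] == "*":
        # Require at least two fixed labels, so "*.com" is refused.
        return len(pattern) >= 3 and pattern[1:] == host[1:]
    if "*" in pattern[0]:
        return False                      # partial wildcards not accepted
    return pattern == host

def plan_listener(cert_names, public_names):
    """Split public_names into those the listener certificate covers and
    those that would fail the client's certificate name check."""
    covered, uncovered = [], []
    for host in public_names:
        ok = any(cert_name_matches(c, host) for c in cert_names)
        (covered if ok else uncovered).append(host)
    return covered, uncovered

# Host names quoted in the thread.
TOM_SITES = ["www.domain.com", "www2.domain.com", "sales.domain.com",
             "www.domain1.com"]
ROB_SITES = ["secure.domain1.com", "secure.domain2.com"]

if __name__ == "__main__":
    for cert, sites in ((["*.domain.com"], TOM_SITES),
                        (["secure.domain1.com"], ROB_SITES)):
        covered, uncovered = plan_listener(cert, sites)
        print(cert, "covers", covered, "but not", uncovered)
```

With the listener bound to secure.domain1.com, only that site passes the name check, which matches the behaviour described in Post #3.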
