Welcome to ISAserver.org

change to client ssl to isa, isa http to webserver

change to client ssl to isa, isa http to webserver - 30.May2007 9:04:40 AM   
bobbba

 

Posts: 11
Joined: 4.Aug.2006
Status: offline
My current installation has an SSL bridging setup with client SSL to ISA and ISA SSL to the web server. I believe that my internal network is secure enough not to require SSL from ISA to the web server and that removing the SSL encryption role from the web server could help to improve performance.

My question is:
I want to make the above change and to ensure that the secured areas are only accessible by SSL. As the majority of the site is accessed by normal http I need to keep a rule that says all paths are allowed by http.

Under the current config with SSL to the IIS web server, I can achieve this by choosing require SSL for the specific directories in the secure area. I won't be able to do this after the above change using IIS so is there a way to apply the equivalent through isa?

Any help greatly appreciated.

Many thanks

Rob

Post #: 1
RE: change to client ssl to isa, isa http to webserver - 30.May2007 9:33:26 AM   
bobbba

 

Posts: 11
Joined: 4.Aug.2006
Status: offline
I've just thought, maybe I could put a deny rule for http access to the paths of the secure area, which would help; however, is there a more elegant solution that I'm missing? Maybe one that redirects the incoming http access to the https access?

(in reply to bobbba)
Post #: 2
RE: change to client ssl to isa, isa http to webserver - 30.May2007 9:34:32 AM   
Rotorblade

 

Posts: 1348
Joined: 27.Feb.2007
Status: offline
Hi Rob,

I think I'm following what you are trying to accomplish. The only way you're probably going to get it to work is to create a new non-SSL server publishing rule and enable both HTTP and HTTPS on the bridging tab to allow corresponding port traffic to the web server. If you don't and force HTTP to the back-end, any web pages that you are forcing SSL on will fail. This way you can control what you need to secure on your web server.

RB
HTH

(in reply to bobbba)
Post #: 3
RE: change to client ssl to isa, isa http to webserver - 4.Jun.2007 10:19:30 AM   
bobbba

 

Posts: 11
Joined: 4.Aug.2006
Status: offline
Thanks for the reply RotorBlade, but I'm still not clear as to how to do this. Maybe I should be posting this as a new post as I seem to be guilty of making it up as I go along!

I realise more than ever that there are many ways of configuring ISA and IIS. Some seem to be more secure/more performance/more complex than others etc. If I can try to spell it a bit more clearly (I hope!)

My criteria:

Essential
HTTP for all the paths on the site except for 1 specific path
HTTPS/SSL between client and ISA for that specific path
Authenticate all users at ISA that attempt access to the secure path

Desirable:
Keep rules to the minimum required
Reduce the encryption overhead by not using SSL between ISA and the web server unless it proves to be a waste of time because of complexity/practicality vs benefit

Suggestion 1:
Rule1 Listen for HTTP/HTTPS for the site/secure/* path authenticate all bridge to HTTP specify "Notify HTTP to use HTTPS instead"
Rule2 Listen for HTTP for the site/* (all basically) path

Suggestion 2:
Rule1 Listen for HTTPS for the site/secure/* path authenticate all bridge to HTTP
Rule2 Listen for HTTP for the site/secure/* path deny access
Rule 3 Listen for HTTP for the site/* (all basically) path

My concerns are:
Suggestion 1
Will HTTPS bridge to HTTP ok?
Will the "Notify HTTP to use HTTPS instead" option successfully and seamlessly direct the client from HTTP to HTTPS?
Will it change to HTTPS before any authentication and content transfer?

Suggestion 2
Will HTTPS bridge to HTTP ok?
Over complicated, too many rules?

Bridging to SSL
Is it a worthwhile measure to reduce encryption overhead on ISA and IIS?

Many thanks

Rob




(in reply to Rotorblade)
Post #: 4
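
A simplified model of the three rules in "Suggestion 2" above, added here as an example; it is not part of the thread and not ISA Server's API. It assumes rules are evaluated top-down with the first match winning, unmatched requests are denied, and paths compare case-insensitively; the rule names are hypothetical.

```python
# Simplified first-match model of "Suggestion 2" (illustration only,
# not ISA Server's matching code). Rule names are hypothetical.
from fnmatch import fnmatch
from typing import NamedTuple


class Rule(NamedTuple):
    name: str
    scheme: str   # listener protocol the rule applies to
    path: str     # published path pattern, e.g. /secure/*
    action: str   # "allow" or "deny"


# Constructed rule set mirroring Suggestion 2.
SUGGESTION_2 = [
    Rule("secure-https", "https", "/secure/*", "allow"),   # authenticated, bridged to HTTP
    Rule("secure-http-deny", "http", "/secure/*", "deny"),
    Rule("site-http", "http", "/*", "allow"),
]


def evaluate(rules, scheme, path):
    """Return (rule name, action) of the first matching rule; default deny."""
    for rule in rules:
        # Assumption: path comparison is case-insensitive, as on IIS.
        if rule.scheme == scheme and fnmatch(path.lower(), rule.path):
            return rule.name, rule.action
    return "default", "deny"


def cleartext_exposure(rules, secure_prefix="/secure/"):
    """List sample secure paths that a rule ordering would serve over plain HTTP."""
    probes = [secure_prefix,
              secure_prefix + "login.aspx",
              secure_prefix.upper() + "a/b.htm"]
    return [p for p in probes if evaluate(rules, "http", p)[1] == "allow"]


if __name__ == "__main__":
    for scheme, path in [("https", "/secure/login.aspx"),
                         ("http", "/secure/login.aspx"),
                         ("http", "/index.htm"),
                         ("https", "/index.htm")]:
        print(scheme, path, evaluate(SUGGESTION_2, scheme, path))
    # Same rules with the deny placed below the catch-all: /* matches first.
    misordered = [SUGGESTION_2[0], SUGGESTION_2[2], SUGGESTION_2[1]]
    print("exposed when misordered:", cleartext_exposure(misordered))
```

Under these assumptions the deny rule only protects the secure path while it sits above the catch-all HTTP rule; with the deny below it or missing, the `/*` rule matches first and the secure area is reachable without SSL.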
