My current installation has an SSL bridging setup with client SSL to ISA and ISA SSL to the web server. I believe that my internal network is secure enough not to require SSL from ISA to the web server and that removing the SSL encryption role from the web server could help to improve performance.
My question is: I want to make the above change and to ensure that the secured areas are only accessible by SSL. As the majority of the site is accessed by normal http I need to keep a rule that says all paths are allowed by http.
Under the current config with SSL to the IIS web server, I can achieve this by choosing "require SSL" for the specific directories in the secure area. I won't be able to do this after the above change using IIS, so is there a way to apply the equivalent through ISA?
I've just thought, maybe I could put a deny rule for HTTP access to the paths of the secure area, which would help; however, is there a more elegant solution that I'm missing? Maybe one that redirects the incoming HTTP access to HTTPS?
I think I'm following what you are trying to accomplish. The only way you're probably going to get it to work is to create a new non-SSL server publishing rule and enable both HTTP and HTTPS on the bridging tab to allow corresponding port traffic to the web server. If you don't and force HTTP to the back-end, any web pages that you are forcing SSL on will fail. This way you can control what you need to secure on your web server.
Thanks for the reply RotorBlade, but I'm still not clear as how to do this. Maybe I should be posting this as a new post as I seem to be guilty of making it up as I go along!
I realise more than ever that there are many ways of configuring ISA and IIS. Some seem to be more secure / better performing / more complex than others, etc. If I can try to spell it out a bit more clearly (I hope!):
Essential:
  HTTP for all paths on the site except for 1 specific path
  HTTPS/SSL between client and ISA for that specific path
  Authenticate all users at ISA that attempt access to the secure path

Desirable:
  Keep rules to the minimum required
  Reduce the encryption overhead by not using SSL between ISA and the web server, unless it proves to be a waste of time because of complexity/practicality vs benefit

Suggestion 1:
  Rule 1: Listen for HTTP/HTTPS for the site/secure/* path; authenticate all; bridge to HTTP; specify "Notify HTTP to use HTTPS instead"
  Rule 2: Listen for HTTP for the site/* (all, basically) path

Suggestion 2:
  Rule 1: Listen for HTTPS for the site/secure/* path; authenticate all; bridge to HTTP
  Rule 2: Listen for HTTP for the site/secure/* path; deny access
  Rule 3: Listen for HTTP for the site/* (all, basically) path

My concerns are:

Suggestion 1:
  Will HTTPS bridge to HTTP OK?
  Will the "Notify HTTP to use HTTPS instead" option successfully and seamlessly direct the client from HTTP to HTTPS?
  Will it change to HTTPS before any authentication and content transfer?

Suggestion 2:
  Will HTTPS bridge to HTTP OK?
  Over-complicated, too many rules?

Bridging to SSL:
  Is it a worthwhile measure to reduce encryption overhead on ISA and IIS?
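Whichever rule layout is chosen, the three properties the poster lists (plain HTTP to the secure path never serves content, HTTPS to the secure path is challenged for credentials at ISA, the rest of the site stays on plain HTTP) can be verified from the outside before the IIS "require SSL" setting is removed. The script below is an added example written for this thread, not code from any poster or from ISA/IIS; the host name www.example.com, the paths /secure/ and /, and the embedded responses are constructed assumptions. It sends single GETs without following redirects and without credentials, so a 200 on http://host/secure/ or a 200 on https://host/secure/ without a WWW-Authenticate challenge shows up as a policy failure.

```python
"""Black-box check of the ISA publishing policy discussed in the thread.

Added example (not from the thread). Assumes a hypothetical site at
www.example.com with a secured area under /secure/ and a public path /.
"""
import http.client
import ssl
import sys
from typing import Callable, Dict, Tuple

# fetch(scheme, host, path) -> (status, lower-cased headers)
Fetch = Callable[[str, str, str], Tuple[int, Dict[str, str]]]


def http_fetch(scheme: str, host: str, path: str) -> Tuple[int, Dict[str, str]]:
    """One GET, no redirect following, no credentials, no cookies."""
    if scheme == "https":
        conn = http.client.HTTPSConnection(host, timeout=10,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "policy-check"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def check_policy(host: str, secure_prefix: str, public_path: str,
                 fetch: Fetch = http_fetch) -> Dict[str, bool]:
    """Return one boolean per property plus an overall 'pass' flag."""
    results: Dict[str, bool] = {}

    # 1. Plain HTTP to the secure area must not serve content. Acceptable
    #    outcomes: a redirect to https://<same host>... (the "Notify HTTP to
    #    use HTTPS instead" behaviour) or an outright denial (a deny rule).
    status, headers = fetch("http", host, secure_prefix)
    location = headers.get("location", "")
    redirected = (status in (301, 302, 303, 307, 308)
                  and location.lower().startswith("https://" + host.lower()))
    denied = status in (401, 403)
    results["secure_http_redirects_to_https"] = redirected
    results["secure_http_blocked"] = redirected or denied

    # 2. HTTPS to the secure area with no credentials must be challenged,
    #    i.e. authentication happens before any content is returned.
    status, headers = fetch("https", host, secure_prefix)
    results["secure_https_requires_auth"] = (status == 401
                                             and "www-authenticate" in headers)

    # 3. The public part of the site stays reachable over plain HTTP.
    status, _ = fetch("http", host, public_path)
    results["public_http_ok"] = status == 200

    results["pass"] = (results["secure_http_blocked"]
                       and results["secure_https_requires_auth"]
                       and results["public_http_ok"])
    return results


# Constructed responses standing in for a correctly configured ISA, so the
# example runs offline. Replace with the real host to probe a live site.
CONSTRUCTED_RESPONSES = {
    ("http", "/secure/"): (302, {"location": "https://www.example.com/secure/"}),
    ("https", "/secure/"): (401, {"www-authenticate": 'Basic realm="ISA"'}),
    ("http", "/"): (200, {"content-type": "text/html"}),
}


def fake_fetch(scheme: str, host: str, path: str) -> Tuple[int, Dict[str, str]]:
    """Offline stand-in for http_fetch, backed by CONSTRUCTED_RESPONSES."""
    return CONSTRUCTED_RESPONSES[(scheme, path)]


if __name__ == "__main__":
    # Usage: policy_check.py [host [secure_prefix [public_path]]]
    # With no arguments the constructed responses are used.
    if len(sys.argv) > 1:
        host = sys.argv[1]
        secure = sys.argv[2] if len(sys.argv) > 2 else "/secure/"
        public = sys.argv[3] if len(sys.argv) > 3 else "/"
        verdict = check_policy(host, secure, public)
    else:
        verdict = check_policy("www.example.com", "/secure/", "/", fetch=fake_fetch)
    for name, ok in verdict.items():
        print(f"{name:32s} {'OK' if ok else 'FAIL'}")
```

Run it against the live host once the new rules are in place; a `secure_http_blocked FAIL` means the old IIS "require SSL" setting was the only thing stopping plain-HTTP access to the secure area, and a `secure_https_requires_auth FAIL` means ISA is passing anonymous requests through to the web server.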