I have an ISA 2004 server that publishes a few web servers that sit behind it.
I would like to add SSL to one of the sites on one of my webservers.
In order for me to do this, do I just get an SSL certificate for the www server and then configure the HTTP listener on ISA to also allow HTTPS to that server? I've tried this, and when I enable SSL on the web listener for that server, ISA asks me for a certificate. Do I also have to get an SSL certificate for ISA?
Hi ZD! It depends on whether you want to host just one secure site or more than one. If you only want to host one, you can just get one SSL certificate for the web server, then export it to the ISA server and set up SSL-to-SSL bridging. It becomes a little more complicated if you want to host more than one secure site. Then the ISA server will need a wildcard cert like *.yourdomain.com, then a normal cert on each backend website. It's all in this article:
PS: That's only if you have 1 internet address to play with. If you have a few IPs, you can just bind them to the external NIC in the ISA server and set up multiple SSL listeners, one on each different IP; then there is no need for a wildcard cert. Just import the certs from the web servers into ISA's certificate store.
From: Sharon Center, OH
Sorry if this post is too old to respond to.
citrixman said --
quote: ...if you have a few IPs, you can just bind them to the external NIC in the ISA server and set up multiple SSL listeners, one on each different IP; then there is no need for a wildcard cert. Just import the certs from the web servers into ISA's certificate store.
If I were to do it this way, am I still using application filtering on my ISA box, or is this considered tunneling?
Never too old to post!
If you have a certificate on your ISA Server, then it is able to decrypt the traffic coming into the server, and so you can perform stateful application layer inspection on the traffic. This will usually be the case when you are publishing a (secure) web server.
If you have no certificate that matches the FQDN of the published server, and you allow the traffic to be proxied through the ISA server, then this is tunnelling. The ISA server cannot decrypt the traffic because it does not have the private key for the certificate. This is usually the case in an outbound scenario.
So, in this case, you are:
quote: still using application filtering on my ISA box.
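To make the two points in this thread concrete (a wildcard cert covering several published sites versus one cert per listener IP, and bridging versus tunnelling depending on whether ISA holds a matching certificate with its private key), here is an added planning example; it is not from the thread or from ISA itself, and the listener IPs, certificate names and site list are constructed. It models name matching the way SSL clients do (a wildcard covers exactly one leftmost label), which goes slightly beyond what the posts state.

```python
"""Check which published FQDNs each ISA web listener could terminate.

'bridged'   : the listener cert matches the FQDN and ISA has the private key,
              so ISA can decrypt and apply application-layer inspection.
'tunnelled' : no usable cert, so traffic could only be passed through opaque.
Added example; listener and certificate data below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ListenerCert:
    names: tuple          # subject CN / SAN entries, e.g. ("*.example.com",)
    has_private_key: bool # was the cert exported to ISA with its private key?


def name_matches(pattern: str, fqdn: str) -> bool:
    """Hostname match as SSL clients apply it: a wildcard covers one leftmost
    label only, so *.example.com covers www.example.com but not example.com
    and not a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == fqdn
    suffix = pattern[1:]                      # ".example.com"
    if not fqdn.endswith(suffix):
        return False
    leftmost = fqdn[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def classify(cert: ListenerCert, fqdn: str) -> str:
    """ISA can only decrypt (and inspect) when the name matches AND the
    private key is present; otherwise the session is merely tunnelled."""
    if cert.has_private_key and any(name_matches(n, fqdn) for n in cert.names):
        return "bridged"
    return "tunnelled"


def plan(listeners: dict, sites: list) -> dict:
    """Map each published FQDN to the first listener (keyed by external IP)
    whose certificate can bridge it, or (None, 'tunnelled') if none can."""
    result = {}
    for site in sites:
        result[site] = (None, "tunnelled")
        for ip, cert in listeners.items():
            if classify(cert, site) == "bridged":
                result[site] = (ip, "bridged")
                break
    return result
```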