• Status: Solved

ISA 2006 SSL Encryption

Quick question, can you encrypt traffic to and from the internet on an ISA 2006 box using SSL without configuring SSL on any of the internal sites?

Or would you need to set up both http and https to enable both encrypted and unencrypted traffic. I am struggling to understand what my manager requires.

I have been told that he doesn't want SSL set up on any of the IIS servers, only the ISA box, and wants external traffic encrypted only. I don't know the model I need to be investigating.

Please advise.
Asked by: carlnys

OriNetworks Commented:
Internally you can use HTTP and externally use HTTPS with SSL but in order to do this, IIS would need to be configured with both. You can tell ISA to only accept SSL connections from the internet by using the wizard to deploy the web server.
 
Keith Alabaster Commented:
Don't change anything.
When you run your publishing rule you can select bridging which will make the ISA listen for external requests on port 443 and these can then be forwarded on port 80 to the internal site.

Two things to bear in mind.
One - the ISA will need a certificate.
Two - ISA can only listen on one IP address for each port 443 (publishing) rule you set up.

Keith
ISA MVP
 
carlnys (Author) Commented:
Hi Keith,

When I select Bridging and SSL 443, I hit two problems: 1) without the certificate option, I get SSL authentication errors, 2) if I select it I can't see my cert even though I can see it in the web listener SSL cert section.

If I don't bridge https it works, if I do it fails. Currently I can get anonymous authentication to the https://domain/application and to both http and https for internal traffic via http/s://server/application. I can live without http://domain/application but would still love to know why it fails when https is enabled. No redirection of http to https is enabled currently.

The server is a development server and the devs want to be able to access it by all of the methods listed above. If it helps, the certificate is a selfssl.exe generated .pfx; the CN= is the domain, i.e. xx.xxxx.com.au.

Any thoughts would be appreciated.

Carl

ISA Newbie 8^)
 
Keith Alabaster Commented:
What is the certificate for - just the ISA server - but named as the destination site?

What do you get when you run up the BPA?
http://www.microsoft.com/downloads/details.aspx?FamilyID=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en

I assume you imported the cert and the private key to the machine account? If not, it will fail.

Have you read this? It is for ISA 2004 but the concept is identical for 2006.
http://technet.microsoft.com/en-us/library/cc302619.aspx
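
The precondition in the comment above (certificate and private key imported to the machine account) can be checked from PowerShell on the ISA server. This is an added example, not part of the thread; it assumes PowerShell 2.0 or later is installed, and the function name and the host name `www.example.test` are placeholders.

```powershell
# Added example (hypothetical helper, not from the thread). Assumes PowerShell 2.0+.
# 'www.example.test' is a placeholder for the public host name in the certificate's CN.
function Test-ListenerCertificate {
    param(
        [string]$HostName  = 'www.example.test',
        [string]$StorePath = 'Cert:\LocalMachine\My'   # machine account, Personal store
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'               # Server Authentication EKU
    $now     = Get-Date
    # Exact match on the subject common name (CN=<host>); wildcard names are not handled.
    $pattern = '(^|,\s*)CN=' + [regex]::Escape($HostName) + '(,|$)'

    $candidates = @(Get-ChildItem $StorePath | Where-Object { $_.Subject -match $pattern })
    if ($candidates.Count -eq 0) {
        Write-Warning "No certificate with CN=$HostName in $StorePath. Was it imported into a user store?"
        return
    }

    foreach ($cert in $candidates) {
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        # A certificate without an EKU extension is not restricted to particular purposes.
        $serverAuth = (-not $eku) -or
            (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0)

        $result = New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey   # False: no private key with this store entry
            InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            ServerAuthEku = $serverAuth
        }
        $result | Select-Object Subject, Thumbprint, HasPrivateKey, InValidity, ServerAuthEku
    }
}

Test-ListenerCertificate -HostName 'www.example.test' | Format-List
```

A row with `HasPrivateKey : False`, or no row at all, corresponds to the failure case described in the comment.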
 
carlnys (Author) Commented:
Hi Keith,

Told you I was a newbie 8^). The certificate is for the published webserver, then exported to the ISA server; I didn't know I could secure traffic through the ISA box any other way. How do you install a cert on the ISA box and encrypt traffic if the IIS webserver doesn't have SSL enabled?

This self signed cert is a proof of concept before we use the verisign certs in production.
The certificate was created for the domain name (external url) using selfssl.exe
I imported via the local computer account option in the mmc snap in.

I haven't run the BPA yet, I am hoping I can use the certificate on the ISA box only option.

Cheers,

Carl.
 
carlnys (Author) Commented:
Thank you