ISA 2006 SSL Encryption

Posted on 2009-04-29
Last Modified: 2012-05-06
Quick question, can you encrypt traffic to and from the internet on an ISA 2006 box using SSL without configuring SSL on any of the internal sites?

Or would you need to set up both http and https to enable both encrypted and unencrypted traffic? I am struggling to understand what my manager requires.

I have been told that he doesn't want SSL set up on any of the IIS servers, only the ISA box, and wants external traffic encrypted only. I don't know the model I need to be investigating.

Please advise.
Question by:carlnys
    LVL 17

    Expert Comment

    Internally you can use HTTP and externally use HTTPS with SSL but in order to do this, IIS would need to be configured with both. You can tell ISA to only accept SSL connections from the internet by using the wizard to deploy the web server.
    LVL 51

    Expert Comment

    by:Keith Alabaster
    Don't change anything.
    When you run your publishing rule you can select bridging which will make the ISA listen for external requests on port 443 and these can then be forwarded on port 80 to the internal site.

    Two things to bear in mind.
    one - the ISA will need a certificate
    two - ISA can only listen on one IP address for each port 443 (publishing) rule you set up.


    Author Comment

    Hi Keith,

    When I select Bridging and SSL 443, I hit two problems: 1) without the certificate option, I get SSL authentication errors, 2) if I select it I can't see my cert even though I can see it in the web listener SSL cert section.

    If I don't bridge https it works; if I do, it fails. Currently I can get anonymous authentication to https://domain/application and to both http and https for internal traffic via http/s://server/application. I can live without http://domain/application but would still love to know why it fails when https is enabled. No redirection of http to https is enabled currently.

    The server is a development server and the devs want to be able to access it by all of the methods listed above. If it helps, the certificate is a selfssl.exe generated .pfx; the CN= is the domain ie

    Any thoughts would be appreciated.


    ISA Newbie 8^)
    LVL 51

    Assisted Solution

    by:Keith Alabaster
    What is the certificate for - just the ISA server - but named as the destination site?

    What do you get when you run up the BPA?

    I assume you imported the cert and the private key to the machine account? If not, it will fail.

    Have you read this? It is for ISA2004 but the concept is identical for 2006.
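
Added example, not part of the original thread: one way to check, from PowerShell on the ISA server, the points the answer above raises (certificate and private key in the machine account, named as the destination site). It assumes PowerShell 2.0 or later is installed there; `Test-ListenerCertificate` is a hypothetical helper name and `www.example.com` is a placeholder for the published external name.

```powershell
# Added example: lists certificates in the machine account's Personal store
# and flags the conditions a published HTTPS listener certificate must meet.
# 'www.example.com' is a placeholder for the external (public) name.
function Test-ListenerCertificate {
    param([string]$PublicName = 'www.example.com')

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $x509 = 'System.Security.Cryptography.X509Certificates'
    $nameType = [Enum]::Parse([Type]"$x509.X509NameType", 'SimpleName')
    $now = Get-Date

    # Machine account store, not the store of the user who ran the import
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # Subject CN only; subjectAltName entries are not examined here
        $cn = $cert.GetNameInfo($nameType, $false)

        # Collect EKU OIDs; a certificate with no EKU extension is unrestricted
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [Type]"$x509.X509EnhancedKeyUsageExtension") {
                $ekus += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }

        New-Object PSObject -Property @{
            SubjectCN     = $cn
            Thumbprint    = $cert.Thumbprint
            NameMatches   = ($cn -eq $PublicName)
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            ServerAuthEKU = ($ekus.Count -eq 0 -or $ekus -contains $serverAuthOid)
        }
    }
}

# A certificate is a candidate for the listener only if every flag is True
Test-ListenerCertificate -PublicName 'www.example.com' |
    Select-Object SubjectCN, NameMatches, HasPrivateKey, InValidity, ServerAuthEKU, Thumbprint |
    Format-Table -AutoSize
```

A row with `HasPrivateKey` set to False means only the public certificate was imported, which is the failure case the answer warns about.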

    Accepted Solution

    Hi Keith,

    Told you I was a newbie 8^). The certificate is for the published webserver, then exported to the ISA server; I didn't know I could secure traffic through the ISA box any other way. How do you install a cert on the ISA box and encrypt traffic if the IIS webserver doesn't have SSL enabled?

    This self-signed cert is a proof of concept before we use the VeriSign certs in production.
    The certificate was created for the domain name (external URL) using selfssl.exe.
    I imported via the local computer account option in the MMC snap-in.

    I haven't run the BPA yet, I am hoping I can use the certificate on the ISA box only option.


