Re: SSL Bridging & Tunnelling




There may be good reason for using the SPR; this is a question you should
ask of the web app owners.
If you want to use SSL web listeners and an SSL server publishing rule, you
cannot bind them to the same IP addresses, regardless of how you handle the
certificates.
You can only assign one certificate per web listener. This is a limitation
of the SSL protocol as currently implemented (changes came in RFCs last
year, but code changes take time).

Basically, if you want multiple SSL sites, you need an equal number of
public IP addresses.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"Rob" <Rob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EA26B89D-8BBF-4B87-B045-8D6EFA85103A@xxxxxxxxxxxxxxxx
Hi Jim,
Thanks for the reply.
q1 - This is how it was set up when I started here. I believe it was done
this way as originally just one site was using ssl and server publishing was
the easiest way to tunnel the ssl as opposed to bridging. To be honest I
don't know and it puzzled me.

q2 - the inbound web listener is configured individually per IP address (we
only have one address tho) and it *does* include the external IP address that
is used by the server publishing rule. I also noticed that 'Enable SSL
listeners' is *not* checked and no certificate is installed in the listener.

Should I then add the two imported certificates to the listener and configure
to use SSL? This seems to be the right thing to do as per
http://www.microsoft.com/technet/archive/isa/2000/isafp1/piw.mspx?mfr=true
If so, thanks for pointing me in the direction of the listener
Rob

"Jim Harrison (ISA SE)" wrote:

Q1 - why are you using server publishing?
Q2 - have you checked that the inbound web listener does *not* include the
external IP used by the server publishing rule?

--
Jim Harrison (ISA SE)

