RE: ISA 2006 and SSL



Hello,

Thank you for using the newsgroup!

In ISA Server 2006, SSL bridging is automatically configured when the
specified Web listener is configured to listen for HTTPS traffic.
Specifically, SSL bridging works in the following scenarios:

1. A client requests an SSL object. ISA Server decrypts the request, and
then encrypts it again and forwards it to the Web server. The Web server
returns the encrypted object to ISA Server. ISA Server decrypts the object
and then encrypts it again and sends it to the client. SSL requests are
forwarded as SSL requests.

2. A client requests an SSL object. ISA Server decrypts the request and
forwards it to the Web server. The Web server returns the HTTP object to
ISA Server. ISA Server encrypts the object and sends it to the client. SSL
requests are forwarded as HTTP requests.

For incoming Web requests, an external client uses HTTPS to request an
object from a Web server located on your Internal network. The client
connects to ISA Server on a port (by default, port 443).

After receiving the client's request, ISA Server decrypts it, terminating
the SSL connection. The Web publishing rules determine how ISA Server
communicates the request for the object to the publishing Web server (FTP,
HTTP, or SSL).

If the secure Web publishing rule is configured to forward the request
using HTTPS, ISA Server initiates a new SSL connection with the publishing
server, sending a request to port 443. Because the ISA Server computer is
now an SSL client, it requires that the publishing Web server responds with
a server-side certificate.

Secure Application Publishing
http://www.microsoft.com/technet/isa/2006/secure_web_publishing.mspx

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.





--------------------
| Thread-Topic: ISA 2006 and SSL
| From: Smurfman <smurfman@xxxxxxxxxxxxxx>
| Subject: ISA 2006 and SSL
| Date: Tue, 14 Nov 2006 12:36:02 -0800
| Newsgroups: microsoft.public.isa
|
| Afternoon,
| In my firewall rules, I have an (All Access) rule for "All Outbound
| Protocols" for my administrators. For my users there are various special
| rules for obscure ports, but the main rule is an "HTTP / HTTPS / HTTPS"
| Server rule.
|
| When my administrator connects to a site using a client installed program,
| say xxx.xxx.xxx.xxx:443 the traffic passes out my (All Access) rule just fine.
|
| When my client connects to the same site, using the same client installed
| program, xxx.xxx.xxx.xxx:443 the log shows that the traffic was denied, using
| the (HTTP/HTTPS/HTTPS Server) rule. It reports SSL-Tunnel on port 443.
|
| I can't figure out how to allow this type of traffic xxx.xxx.xxx.xxx:443 so
| that non-browser programs can get out to these SSL enabled sites.
|
| I don't want to allow all of my users (All Access)
|
| My one option that I thought of, was an All access rule to the specific IP
| address of the software that the client is trying to go to.
|
| Please advise, how do I add a protocol for SSL-Tunnel so that it can be
| added to my HTTP rule?
|
| Thanks
| J
|
