Re: Question about using SSL on an IIS server, and ISA on another server

From: Phillip Windell
Date: 12/21/04


Date: Tue, 21 Dec 2004 10:03:06 -0600


"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:eHjl8hV5EHA.2316@TK2MSFTNGP15.phx.gbl...
> Hi Rod.
>
> I have never done this myself, but below are a few links I found that may
> help get you started. --- Steve
>
> http://www.microsoft.com/technet/Security/prodtech/isa/isafp1/sslbat.mspx
> http://www.isaserver.org/tutorials/Configuring_SSL_Bridging.html

Rod,

One additional thing to keep in mind is that ISA will only allow SSL on port
443. Don't use "odd-ball" port numbers. The registry can be "hacked" to
allow other ports, but there is a security risk if you do that. The
security comes from SSL itself and not from using odd-ball port numbers.

Here's an article on this topic, with the relevant paragraph quoted just
before the link.

----quote----
Security Considerations
CONNECT is really a lower-level function than the rest of the HTTP methods,
kind of an escape mechanism for saying that the proxy should not interfere
with the transaction, but merely forward the data. This is because the proxy
should not need to know the entire URI that is being accessed (privacy,
security), only the information that it explicitly needs (hostname and port
number). Due to this fact, the proxy cannot verify that the protocol being
spoken is really SSL, and so the proxy configuration should explicitly limit
allowed connections to well-known SSL ports (such as 443 for HTTPS, 563 for
SNEWS, as assigned by the Internet Assigned Numbers Authority).
----quote----

Tunneling SSL Through a WWW Proxy
http://muffin.doit.org/docs/rfc/tunneling_ssl.html
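An added example, not from this thread or from ISA Server, of the restriction the quoted paragraph describes: a request-line checker a tunnelling proxy could use to open a CONNECT tunnel only to well-known SSL ports. The port set (443, 563), the response codes, and the sample requests in the comments are assumptions for illustration.

```python
import re

# Well-known SSL ports a tunnelling proxy accepts for CONNECT
# (443 for HTTPS and 563 for SNEWS, as listed in the quoted text).
ALLOWED_TUNNEL_PORTS = {443, 563}

# Request line of a CONNECT request, e.g. "CONNECT host:443 HTTP/1.1\r\n"
_CONNECT_RE = re.compile(r"^CONNECT[ \t]+(?P<authority>\S+)[ \t]+HTTP/1\.[01]\r?\n")


def parse_authority(authority):
    """Split 'host:port' or '[ipv6]:port' into (host, port).

    CONNECT requires an explicit port; a bare hostname is rejected.
    """
    if authority.startswith("["):
        end = authority.find("]")
        if end == -1 or not authority[end + 1:].startswith(":"):
            raise ValueError("malformed IPv6 authority")
        host, port_text = authority[1:end], authority[end + 2:]
    else:
        host, sep, port_text = authority.rpartition(":")
        if not sep:
            raise ValueError("CONNECT requires an explicit port")
    if not host or not port_text.isdigit():
        raise ValueError("invalid host or port")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return host, port


def decide_connect(request, allowed_ports=ALLOWED_TUNNEL_PORTS):
    """Return the (status, reason) a proxy should answer for a raw request.

    The proxy cannot see what protocol will flow through the tunnel, so the
    only control it has is the destination port: anything outside the
    allowed set is refused before the tunnel is opened.
    """
    match = _CONNECT_RE.match(request)
    if not match:
        return 400, "Bad Request"
    try:
        _host, port = parse_authority(match.group("authority"))
    except ValueError:
        return 400, "Bad Request"
    if port not in allowed_ports:
        return 403, "Forbidden"
    return 200, "Connection established"
```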