Re: ADFS, ISA and SSL offloading


Phillip,

Thanks for your response. I totally agree that maintaining SSL is the best
option to keep things straightforward. But do you know whether ADFS will
work properly if the traffic hitting the web server is http instead of https?

--
Avis

"Phillip Windell" wrote:


"Avis77" <Avis77@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C08173F6-A1D1-4171-A1A7-6EF06AAD38E2@xxxxxxxxxxxxxxxx
For example, if the external ip for the published web site is 10.32.181.1 on
port 80 and the internal ip for the web site is 172.20.1.1 on port 81, ISA
tries to resolve it as 10.32.181.1:81 and fails with the message
unidentified ip traffic : 81. Whereas, everything works fine if SSL
offloading is not performed.

Don't offload the SSL. Leave the SSL "intact" from end to end. That is the
expected way it is supposed to be done anyway. And believe it or not there
can be "legal issues" in some cases if you break open the SSL Tunnel
anywhere along the path before it reaches the final destination.

Besides that, leave all HTTP on 80 and all SSL on 443. Do not change that.
Use Host Headers or distinct IP#s to differentiate the Sites. ISA is going
to expect you to keep SSL on 443 anyway,...and on HTTP things may not always
seem what they appear when you start monkeying with the ports with firewalls
between the two end points.

When SSL is maintained ISA just "keeps it simple" and proxies the SSL Tunnel
without worrying about what is inside the contents of the encrypted Tunnel.
But when you change to HTTP,... the HTTP Application Filter tries to process
the contents of the HTTP Stream and apply various filtering actions which
then may screw up the communication in some circumstances. So leave it
SSL.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Technet Library
ISA2004
http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------


