Re: ADFS, ISA and SSL offloading



"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eZvAJX$dJHA.5288@xxxxxxxxxxxxxxxxxxxxxxx
Regarding ISA, I don't know anything about ISA specifically. However,
ADFS is just normal web traffic. There should be nothing particular about
it that is different than any normal SSL web app.

You're thinking like a NAT Firewall that does not "process" the content
embedded within the HTTP protocol. This doesn't fit ISA's situation. The
HTTP Application Filter in ISA is a "proxying" filter,...this means that the
traffic does not go "through" it,...it only goes "TO" it and then *dies*.
The proxying process then creates an entirely new HTTP session with the
destination and recreates the HTTP content based on its own methods and
inserts it into the HTTP Packets. Now this is not unique to ISA
Server,...every "proxy" server does this,...but not all of them would
necessarily have the same results in the end, some are more loose and less
picky than others.

ISA is extremely picky and is very strict about following all RFCs
concerning HTTP communication. It would not be the first time that a
Product or Protocol running over HTTP did not have its implementation
strictly follow the RFCs which caused ISA to either reject it or "break" it
when the communication came out the other side. There have already been web
sites that were revealed to have flaws introduced by the Web Server Admins
in the HTTP headers that caused ISA to reject parts of their sites. When
the RFCs were applied it was the site that was wrong and not the ISA,...and
they did get their site fixed later. In the process of that MS found a few
minor flaws of their own and corrected them as well. The site belonged to
one of the major Airlines. Luckily in this story everyone worked together
and fixed the problems rather than just a bunch of finger-pointing.

Anyway, the reason I say to leave the SSL intact from end-to-end and not
open it,....is because it will dodge this whole thing. With the SSL ISA will
take a "hands-off" approach to the HTTP Contents and just relay the SSL
packets on their merry way.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
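An added illustration of the strictness the post describes (my own example, not code from the thread, from ISA, or from ADFS): a small checker that applies a handful of HTTP/1.1 header rules from RFC 7230, the kind a strict proxy enforces when it tears down one session and rebuilds the headers for a new one, to a constructed well-formed response and to one carrying the sort of admin-introduced header flaws the post mentions. The sample messages and the rule set are assumptions for the demonstration, not a description of the ISA filter's actual checks.

```python
import re
from typing import Dict, List

# RFC 7230 "token" characters: the only ones allowed in a header field-name.
TCHAR = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def validate_http_headers(raw: bytes) -> List[str]:
    """Return RFC 7230 violations found in the head of a raw HTTP message.

    An empty list means a strict proxy could re-serialise these headers
    without having to guess at the sender's intent.
    """
    problems: List[str] = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        problems.append("header block not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    if any(b"\n" in ln for ln in lines):
        problems.append("bare LF used as a line terminator")
    start_line, field_lines = lines[0], lines[1:]
    if not (re.match(rb"^HTTP/1\.[01] [1-5]\d\d( .*)?$", start_line)
            or re.match(rb"^[A-Z]+ \S+ HTTP/1\.[01]$", start_line)):
        problems.append(f"malformed start line: {start_line!r}")
    seen: Dict[bytes, List[bytes]] = {}
    for ln in field_lines:
        if ln[:1] in (b" ", b"\t"):  # obs-fold: continuation lines are obsolete
            problems.append(f"obsolete line folding: {ln!r}")
            continue
        name, colon, value = ln.partition(b":")
        if not colon:
            problems.append(f"field line without a colon: {ln!r}")
            continue
        # No whitespace is allowed between the field-name and the colon,
        # and the name itself must be a token (so no spaces inside it either).
        if not TCHAR.match(name.decode("latin-1")):
            problems.append(f"field-name is not a valid token: {name!r}")
        seen.setdefault(name.lower(), []).append(value.strip())
    cl = seen.get(b"content-length", [])
    if cl and (len(set(cl)) > 1 or not all(v.isdigit() for v in cl)):
        problems.append(f"conflicting or non-numeric Content-Length: {cl}")
    if cl and b"transfer-encoding" in seen:
        problems.append("both Content-Length and Transfer-Encoding present")
    return problems

# Constructed sample messages (not captured traffic).
GOOD_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 b"Content-Length: 5\r\n\r\nhello")
BAD_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type : text/html\r\n"
                b"X-Custom Header: 1\r\nContent-Length: 5\r\n"
                b"Content-Length: 6\r\n\r\nhello")
```

A lenient origin server and browser may tolerate every flaw in BAD_RESPONSE, which is exactly why such sites work until a strict intermediary rebuilds the headers.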

