Re: Problem with IIS 6.0

From: Phillip Windell
Date: 07/30/04


Date: Fri, 30 Jul 2004 08:47:38 -0500


"George Valkov" <null@somewhere.com> wrote in message
news:OmK5KMidEHA.216@TK2MSFTNGP11.phx.gbl...
> Hi Miha,
> In general I can assign any free TCP port number for the SSL and It will
> work fine. I don't want to provide You with the exact port number for
> security reasons.

I'm not sure about the original problem, but using SSL on non-standard ports
is in itself a security risk and most proxy servers are hardcoded to only
allow SSL on the standard 443 port. The security of SSL is based on the
abilities of SSL itself and not on being used on a "secret" port. Here is
a quote from one article on that subject. It originated from Netscape
Communications Corporation. The first of the three links below is the link
to the full article.

"CONNECT is really a lower-level function than the rest of the HTTP methods,
kind of an escape mechanism for saying that the proxy should not interfere
with the transaction, but merely forward the data. This is because the proxy
should not need to know the entire URI that is being accessed (privacy,
security), only the information that it explicitly needs (hostname and port
number). Due to this fact, the proxy cannot verify that the protocol being
spoken is really SSL, and so the proxy configuration should explicitly limit
allowed connections to well-known SSL ports (such as 443 for HTTPS, 563 for
SNEWS, as assigned by the Internet Assigned Numbers Authority)."

Tunneling SSL Through a WWW Proxy
http://muffin.doit.org/docs/rfc/tunneling_ssl.html
(For Proxy2)
184028 - Error Message: 12204 SSL Port Specified Is Not Allowed
http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b184028
(For ISA)
283284 - Blank Page or Page Cannot Be Displayed When You View SSL Sites
Through ISA Server
http://support.microsoft.com/default.aspx?scid=kb;en-us;283284&Product=ISAS

-- 
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
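
The port restriction the quoted article recommends, as an added example that is not part of the original post and not any proxy product's code: CONNECT request lines are checked against an allowlist of ports 443 and 563. The function names, the 400/403 status choices and the sample request lines are assumptions constructed for illustration.

```python
import re

# Ports the quoted article names as well-known SSL ports: 443 (HTTPS), 563 (SNEWS).
ALLOWED_CONNECT_PORTS = frozenset({443, 563})

# CONNECT carries only "host:port" (authority-form); IPv6 literals are bracketed.
_CONNECT_LINE = re.compile(
    r"CONNECT (?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)"
    r":(?P<port>[0-9]{1,5}) HTTP/1\.[01]"
)


def check_connect(request_line, allowed_ports=ALLOWED_CONNECT_PORTS):
    """Return (status, reason) for one CONNECT request line.

    200: tunnel may be opened; 400: malformed; 403: port not on the allowlist.
    The status codes are this example's choice, not any product's behaviour.
    """
    match = _CONNECT_LINE.fullmatch(request_line.rstrip("\r\n"))
    if match is None:
        # Covers a missing port: never fall back to a default port here.
        return 400, "malformed CONNECT request line"
    port = int(match.group("port"))
    if not 1 <= port <= 65535:
        return 400, "port out of range"
    if port not in allowed_ports:
        return 403, f"CONNECT to port {port} is not allowed"
    return 200, f"tunnel to {match.group('host')}:{port}"


def audit(request_lines):
    """Apply check_connect to each line; return (line, status, reason) tuples."""
    return [(line, *check_connect(line)) for line in request_lines]


# Constructed sample request lines (example.com hosts, documentation IPv6 prefix).
SAMPLES = [
    "CONNECT www.example.com:443 HTTP/1.0",
    "CONNECT news.example.com:563 HTTP/1.0",
    "CONNECT www.example.com:8443 HTTP/1.0",   # SSL on a non-standard port
    "CONNECT [2001:db8::1]:443 HTTP/1.1",
    "CONNECT www.example.com HTTP/1.1",        # no port given
    "CONNECT www.example.com:99999 HTTP/1.1",  # not a valid TCP port
]

if __name__ == "__main__":
    for line, status, reason in audit(SAMPLES):
        print(f"{status}  {line!r}: {reason}")
```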

