RE: SSL Publishing to WEB Server and Disable Binding



Hi John:
Thank you for posting here.

From your description, I understand that you want to publish an internal
SSL web site by tunneling and you are wondering if RWW, OWA, etc. will be
available after disabling socket pooling. If I am off base, please feel
free to let me know.

To answer your concern, you can feel free to publish this SSL web site, and
the default web site on the SBS box will still work perfectly as well.

Technically speaking, socket pooling causes Internet Information Services
(IIS) to listen to all IP addresses, and this can present a possible
security risk for secure domains with multiple networks. Disabling socket
pooling won't impact the default web site on the SBS server. We can refer
to this article to disable Socket Pooling:

How to Disable Socket Pooling:
http://support.microsoft.com/kb/238131/EN-US/

Regarding your situation, since you have already deployed OWA/RWW as the
default web site, port 443 is occupied by this site. You may need to create
a new protocol for your internal web site (e.g. port 445. Port 444 is
assigned to companyweb.), and then create a server publishing rule for your
internal SSL web site using this newly defined protocol.

In addition, I notice that you are researching the various ways to publish
an SSL web server, and I would like to provide you with some useful
information regarding the tunneling/bridging methods.

Web publishing is also known as SSL bridging. The SSL channel ends on the
ISA server and you can start another channel to the internal server with
HTTP, HTTPS or FTP. We need to configure the following:

1. ISA Incoming Web request listener. We can configure multiple listeners
and use a certificate to encrypt the data for the specific listener.

2. ISA Web publishing rule.

If all the internal Web sites are published to the same external listener
(generally an IP is associated with a specific domain name), you can use a
single certificate to encrypt them. Otherwise, if the internal Web sites
are published to different external IPs, you need to use different
certificates for different IPs (SSL listeners).

Server publishing is also known as SSL tunneling. The SSL connection ends
on the client and the internal Web server. ISA will do nothing to the
channel and you need not configure any certificate on the ISA server.

Generally, SSL tunneling puts less load on the ISA server for published Web
sites, as the ISA server does not need to decrypt or encrypt any data.
However, SSL bridging provides the ability to reverse cache the HTTP/FTP
contents, so it will cost less internal network resources if the external
request load is high. In my experience, both have advantages and you can
choose either based on your actual environment. However, for most
environments, there will not be a significant difference.

Server publishing can be used to publish any kind of server which follows
the standard TCP/IP definition. For example, we can publish FTP, HTTP,
HTTPS, SMTP, POP3, IMAP, SQL and such. Any kind of server built on TCP/IP
can be published in this way.

Web publishing can only be used to publish FTP, HTTP, and HTTPS servers as
HTTP or HTTPS servers. Other kinds of servers cannot be published in this
way. Also, destination sets can be leveraged to publish multiple sites on
the same port.

For more information:

Understanding SSL bridging and tunneling within ISA:
http://www.isaserver.org/tutorials/Understanding_SSL_bridging_and_tunneling_within_ISA.html

I hope the above information helps. If you have any questions or concerns,
please don't hesitate to let me know. I am standing by to help you.

Have a nice day, John! :)

Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support


--------------------
| From: "=?Utf-8?B?Sm9obg==?=" <John@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: SSL Publishing to WEB Server and Disable Binding
| Date: Mon, 1 Aug 2005 10:39:01 -0700
| Newsgroups: microsoft.public.windows.server.sbs
|
| I am researching the various ways to publish an SSL web server and I am
| leaning toward tunneling. Therefore the cert remains on the web server. I
| have run into an article KB298900 and KB23131 in which I would need to
| disable the binding, as according to the article IIS cannot be on the same
| server as ISA. If binding is disabled will the RWW, Exchange, etc... be
| available after using ICW? Will running ICW in the future re-enable the
| binding?
|
| John
|
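
A way to check the listener bindings discussed in the reply above, added here as an example and not part of the original post: it parses `netstat -an` output, reports which ports are bound to all addresses (0.0.0.0), and tests whether a given address and port is still free for a new listener. The sample output, the addresses 192.168.16.2 and 203.0.113.10, and the function names are constructed for illustration.

```python
import re

# Constructed sample of `netstat -an` output from a server running IIS with
# socket pooling still enabled (addresses and ports are illustrative only).
# TCP 445 is the port Windows itself uses for SMB file sharing.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.16.2:444       0.0.0.0:0              LISTENING
  TCP    192.168.16.2:3389      192.168.16.50:1150     ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Matches only TCP rows in LISTENING state: local address, local port.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def parse_listeners(netstat_text):
    """Return {port: set of local addresses} for every listening TCP socket."""
    listeners = {}
    for line in netstat_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            address, port = match.group(1), int(match.group(2))
            listeners.setdefault(port, set()).add(address)
    return listeners


def wildcard_ports(listeners, ports):
    """Ports from `ports` that are bound on every interface (0.0.0.0)."""
    return sorted(p for p in ports if "0.0.0.0" in listeners.get(p, set()))


def can_bind(listeners, address, port):
    """True if nothing listens on address:port or on 0.0.0.0:port already."""
    return not (listeners.get(port, set()) & {address, "0.0.0.0"})


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    print("bound to all addresses:", wildcard_ports(found, [80, 443, 444]))
    for candidate in (443, 444, 445, 8443):
        state = "free" if can_bind(found, "203.0.113.10", candidate) else "in use"
        print("203.0.113.10:%d is %s" % (candidate, state))
```

Run it against real `netstat -an` output before and after changing the socket pooling setting, and before choosing a port for a new protocol definition.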
