How to securely publish multiple HTTPS websites on a single port via ISA
At last week's PKI TechNet event in Reading several people asked how to get around the challenge of allowing multiple certificates to be used (corresponding to individual HTTPS web sites) in conjunction with ISA's web server publishing feature.
For those of you who may not be familiar with the problem, it centres around placing ISA (Internet Security and Acceleration Server) in front (in network terms) of a number of web servers to protect them from network-borne attacks. To the client (browser), ISA appears to BE the web server. The client connects by default on port 443 (signifying HTTPS, i.e. HTTP over Secure Sockets Layer) to the ISA Server, believing that it is actually connected to the web server. The ISA Server presents the web server's certificate (and uses its corresponding private key) to assert its identity to the client. The difficulty arises when you place multiple HTTPS web servers behind the ISA Server, because ISA 2004 does not allow multiple web server certificates to be presented for requests arriving on a single port. If you instead require the client to connect on a different port for each web server, the user experience suffers because each site needs a different URL.
ISA Server 2006 will alleviate this limitation - it's currently in Beta - browse here to try ISA 2006 for yourself.
Note: My description cites a single ISA server - in many production environments multiple ISA servers would be used to provide enhanced resilience and performance. ISA Server Enterprise Edition can be used to enable multiple ISA Server instances to co-operate.
Earlier today the ISA product team blog delved into this very subject - browse here to read the details.
If you'd like to learn more about how to securely publish web servers via ISA then please browse to the November/December issue of TechNet Magazine, where I published an article on the very subject.
Comments
- Anonymous
April 01, 2006
Hi Steve, ISA 2006 still has the same limitation that you cannot bind two certificates to the same socket, which is what most customers are asking for. Those customers usually have only a single IP address and want to publish multiple SSL sites. HTH, Tom tshinder@isaserver.org
- Anonymous
April 03, 2006
Tom> Thank you for the clarification.
- Anonymous
April 03, 2006
Note that there is a specification - TLS 1.1 - that allows the client to send the server's expected name in the ClientHello message, so that the server can pick between several certificates, and send the one the client wants.
Whether this will be implemented in Windows any time soon is somewhat up in the air - I have heard a rumour that it may be in Vista / Longhorn, but I haven't been able to check for myself.
- Anonymous
April 03, 2006
Hi guys,
New to ISA here. Actually, fairly new to routing traffic through other than a standard cable router.
Will using wildcard SSL to cover three domains served by ISA 2004 work if I'm willing to route those through three different ports... 443 and two others not normally used for SSL?
Thanks.
Rob
- Anonymous
April 04, 2006
Alun> I heard the same thing, though like you I haven't been able to verify whether it's fact, fiction or over-enthusiasm.