I think it's possible, but not supported by Microsoft :-).
MS does not "support" using "reverse proxy" for SSL connections via MSP2.0,
and suggests using "server proxy" instead. According to MS "As reverse proxy
works at the application layer and SSL is an end-to-end encryption, the only
way to fully achieve encryption between the client and the hosting web
server is to use the server proxy feature...".
What this basically means is that, if reverse proxy is used to make the
internal server visible to the Internet, the SSL connection is formed
between the Internet client and the proxy server, not the Internet client
and the internal server. Typically in this situation, the parameters for the
reverse proxy connection are as follows:
Request Path: https://external_fqdn
Route To: http://internal_fqdn
In this case, the link between the client and the proxy server is done via
SSL, but the link between the proxy server and the internal server is basic
HTTP.
Now, this suggests that it may be possible to tell MSP2.0 to also use an SSL
connection for the connection between the proxy server and the internal
server by setting the following parameters for the reverse proxy connection:
Request Path: https://external_fqdn
Route To: https://internal_fqdn
I reconfigured one of my reverse proxied connections as above on my MSP2.0
server and I was still able to establish a connection to the internal
server. However, as I'm not in the office at the moment, I couldn't check
to see if the internal connection was actually via SSL, or if MSP2.0 was
simply ignoring the config info and using plain http. I will check it again
when I get back into the office.
Note that if a system is going to support two SSL connections like this for each
client, you're going to need a pretty powerful CPU if you plan to support
multiple external clients :-).
Brian Steele
----- Original Message -----
From: "Hague, Alex" <[EMAIL PROTECTED]>
To: "Brian Steele" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, February 15, 2001 11:47 PM
Subject: RE: Reverse proxy
>
> I think that you understood my original statement (but your implementation
> isn't an example of what I meant).
>
> Just to clarify, what I meant was that two separate SSL/TLS sessions should
> exist, one between the client and the proxy server, and another between the
> proxy server and the end web server.
>
> Here's an attempt at an ascii art drawing of what I meant
>
>
> Client ---- internet ---- Firewall ---- Proxy Server (RP) ---- DMZ ---- Web Server
>   x----------------------443------------------x                x--------------x
>                                                                  (also 443)
>
>
> Machines are on a DMZ because they may be compromised, so this way you can
> assume that even if some machines on your DMZ are compromised, they still
> can't sniff the traffic that is going between the Proxy Server and the Web
> Server. You also have the benefit of the RP enforcing HTTP.
>
> The RP would need to be a powerful box to handle two sets of ssl traffic per
> connection.... You may decide that just having a switched DMZ is enough, and
> that the risk / cost trade off doesn't justify a machine capable of handling
> all that SSL traffic.
>
> As far as I'm aware MS Proxy 2.0 isn't capable of two ssl sessions (as shown
> above). Does anyone know for sure (or of any products that can)?
>
> Cheers,
> Alex Hague :-)
>
>
> -----Original Message-----
> From: Brian Steele [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 16 February 2001 16:36
> To: [EMAIL PROTECTED]
> Subject: Re: Reverse proxy
>
>
> I believe MSP2.0 works this way. In the case of our particular
> implementation, an SSL link is created between the client and the proxy
> server, but the link between the proxy server and internal server is via
> basic http.
>
> Or perhaps I'm just misunderstanding your statement :-).
>
> Brian Steele
>
> ----- Original Message -----
> From: "Hague, Alex" <[EMAIL PROTECTED]>
> To: "Peter Bruderer" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Thursday, February 15, 2001 8:19 PM
> Subject: RE: Reverse proxy
>
>
> [snip]
>
> > In an ideal world you would have the SSL/TLS session terminating at the
> > reverse proxy and another session being created between it and the web
> > server it's talking to.
>
> [snip]
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
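A way to settle the question Brian leaves open above (whether the proxy-to-internal-server leg is really SSL, or whether the proxy has silently fallen back to plain HTTP), and to confirm the second of the two sessions in Alex's drawing, is to capture the first client-to-server bytes of a connection on that leg and look at them. A TLS session opens with a handshake record (content type 0x16, version 0x03 0x0x, handshake type 0x01 = ClientHello); stacks of that era may instead send an SSLv2-style hello (a 2-byte length with the high bit set, then message type 0x01); plain HTTP opens with a request line such as "GET / HTTP/1.0". The following is an added example written for this page, not code from the original thread or from MS Proxy 2.0. The capture bytes, the host name internal_fqdn and all function names are constructed for illustration. The SNI parser goes beyond what a 2001 proxy would produce, since the server_name extension (RFC 3546) did not exist yet, so a missing SNI is not evidence of plaintext; it is included because on a current proxy it also confirms which internal host the second session was opened to.

```python
"""Classify the first client->server bytes captured on the proxy -> web-server
leg as TLS or plaintext HTTP, and pull the SNI out of a TLS ClientHello.
Added example; all sample bytes below are constructed, not real captures."""
import struct

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT")


def classify_first_bytes(payload: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the first bytes a client sends."""
    # SSL 3.0 / TLS 1.x record: content_type=handshake(0x16), version major 0x03,
    # 2-byte length, then handshake_type=client_hello(0x01).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    # SSLv2-compatible hello: 2-byte record length with the high bit set,
    # followed by message type CLIENT-HELLO (0x01). Still common in 2001 stacks.
    if len(payload) >= 3 and payload[0] & 0x80 and payload[2] == 0x01:
        return "tls"
    if any(payload.startswith(m + b" ") for m in HTTP_METHODS):
        return "http"
    return "unknown"


def extract_sni(payload: bytes):
    """Parse the server_name extension from a TLS ClientHello record; None if absent."""
    if classify_first_bytes(payload) != "tls" or payload[0] != 0x16:
        return None                                   # SSLv2 hellos carry no extensions
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]                       # handshake message inside the record
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]   # ClientHello body
    pos = 2 + 32                                      # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # compression_methods
    if len(body) < pos + 2:
        return None                                   # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        # server_name (type 0): list_len(2) + name_type(1, 0=host_name) + name_len(2) + name
        if ext_type == 0 and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack("!H", data[3:5])[0]
            if len(data) >= 5 + name_len:
                return data[5:5 + name_len].decode("ascii", "replace")
    return None


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension.
    Constructed test input only; it is not a complete, negotiable hello."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list # extension_type = server_name
    body = (b"\x03\x03"                                            # client_version = TLS 1.2
            + bytes(32)                                            # random (zeros, constructed)
            + b"\x00"                                              # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"                   # one suite: ECDHE-RSA-AES128-GCM-SHA256
            + b"\x01\x00"                                          # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed first-bytes for the two "Route To" settings discussed above.
SAMPLE_CAPTURES = [
    ("Route To: http://internal_fqdn", b"GET /default.htm HTTP/1.0\r\nHost: internal_fqdn\r\n\r\n"),
    ("Route To: https://internal_fqdn", build_client_hello("internal_fqdn")),
    ("Route To: https://internal_fqdn (SSLv2 hello)", b"\x80\x2e\x01\x00\x02\x00\x15\x00\x00\x00\x10"),
]


def audit_backend_leg(captures):
    """For each (description, first_bytes) return (description, verdict, sni_or_None)."""
    out = []
    for desc, first in captures:
        kind = classify_first_bytes(first)
        out.append((desc, kind, extract_sni(first) if kind == "tls" else None))
    return out


if __name__ == "__main__":
    for desc, kind, sni in audit_backend_leg(SAMPLE_CAPTURES):
        print(f"{desc:48s} -> {kind:7s} sni={sni}")
```

In practice the bytes would come from a sniffer on the proxy's internal interface (the first data segment of each new connection to the web server's port); a verdict of "http" on a connection that should have been routed to https:// is the failure mode Brian is worried about, and a verdict of "tls" on that leg is the second session in Alex's drawing.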