Re: Hardware SSL (BIG-IP) / IIS Detection

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 08/07/04


Date: Sat, 7 Aug 2004 00:32:52 -0700

1. No. Your configuration sends SSL and HTTP as unencrypted to IIS, so IIS
treats it as unencrypted -- and so server variables all say "unencrypted".
If BIG-IP would set some custom headers for the SSL traffic it decrypted,
then your pages can programmatically detect this again. This would be the
best solution because BIG-IP is the one responsible for decrypting SSL
into HTTP -- so it should send a custom header as a hint for downstream
servers that BIG-IP did this transformation.

2. I do not understand the question. A server must have a server cert to be
able to serve SSL requests, and SSL has its own fixed cost. You can't
exactly escape the CPU cost unless you go to hardware SSL acceleration...

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"gf" <noreply@comcast.net> wrote in message
news:%23$2rnMyeEHA.140@TK2MSFTNGP12.phx.gbl...
We run BIG-IP from F5 Networks for traffic management and install our SSL
certs on this device. When the page is decrypted on the BIG-IP and
forwarded on to IIS in clear text, there is no way to programmatically
detect whether the page requested was secure or unsecure (looking at HTTP
info). This is often useful to switch between HTTP and HTTPS (in the same
domain) instead of hardcoding the protocol in website links.
So my question is:
1) Is there a way to set up this environment so that IIS knows that the
incoming request was actually decrypted by the BIG-IP? Even though it was
requested over port 80.
2) If SSL traffic is routed from the BIG-IP to port 443 on IIS, is there a
way to install a certificate on IIS that doesn't tax the CPU like it would
normally when a cert is installed on IIS?
In #2, we can route all the requests to port 443 on the IIS server, but in
order for IIS to serve a request on this port, IIS has to have a cert
installed.
Hope my question makes sense.
Thanks.
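
The header-hint approach suggested in the reply, as an added example that is not part of the original thread and not Microsoft or F5 code: a language-neutral sketch in Python of the check a page would make. The header name and the proxy address range are assumptions; the proxy has to be configured to insert the header and to discard any copy sent by the client.

```python
import ipaddress

# Assumptions (not from the original thread): the header name and the
# address range of the SSL-offloading proxy are constructed for illustration.
OFFLOAD_HEADER = "x-forwarded-proto"
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/28")]


def from_trusted_proxy(remote_addr):
    """True only if the TCP peer is one of the SSL-offloading proxies."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


def original_scheme(remote_addr, headers, arrived_over_tls=False):
    """Return 'https' or 'http' as the client saw it.

    headers: dict of request headers; arrived_over_tls: what the web
    server itself observed on the socket (False behind an offloader).
    """
    if arrived_over_tls:
        return "https"
    # Header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    hint = lowered.get(OFFLOAD_HEADER, "").strip().lower()
    # Honour the hint only when the proxy itself is the peer; a client that
    # reaches the server directly can put anything in this header.
    if hint == "https" and from_trusted_proxy(remote_addr):
        return "https"
    return "http"


def site_link(remote_addr, headers, host, path):
    """Build a same-protocol link instead of hardcoding http/https."""
    return f"{original_scheme(remote_addr, headers)}://{host}{path}"


if __name__ == "__main__":
    # Constructed sample requests: one via the proxy, one arriving directly.
    hdrs = {"X-Forwarded-Proto": "https"}
    print(site_link("10.0.0.5", hdrs, "www.example.com", "/cart"))
    print(site_link("203.0.113.9", hdrs, "www.example.com", "/cart"))
```

The second request carries the same header but does not come from the proxy range, so it is treated as plain HTTP.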

