Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to set up Internet Security and Acceleration Server to host Web sites by using the Secure Sockets Layer protocol


View products that this article applies to.

Summary

This article describes the steps to set up Internet Security and Acceleration (ISA) Server to host Web sites by using the Secure Sockets Layer (SSL) protocol.

Note This article assumes that you have already requested and installed a certificate on your Web server. If you have not performed this task, refer to the Microsoft Internet Information Server (IIS) Help file for information about how to request an SSL certificate from an Internet certification authority (CA).

For efficiency, consider server publishing the SSL site using the HTTPS Server protocol. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
298900 How to Publish SSL Web Sites by Using Server Publishing

↑ Back to the top


More information

The steps to set up ISA Server to host Web sites by using the SSL protocol:
  1. You must export the SSL certificate of the Web site with the associated key. If you do not have this key, ISA server does not enable you to use this certificate for SSL:
    1. Open a blank Microsoft Management Console (MMC).
    2. Add the Certificates snap-in.
    3. When requested, select the options for "Computer Account" and "Local Computer".
    4. Expand Personal, and then expand Certificates. You should observe a certificate with the name of your Web site in the "Issued To" column.
    5. Right-click your certificate, click All Tasks, and then click Export.
    6. On the Export window, click Next.
    7. Click Yes, export the private key, and then click Next.

      NOTE: If you do not have the option to click Yes on the Export Private Keys window, the private key has already been exported to another computer or the key never existed on this computer. You cannot use this certificate on ISA Server. You must request a new certificate for this site for ISA Server.
    8. Select the option for "Personal Information Exchange", and then click to select the appropriate check boxes for all three sub-options.
    9. Assign a password and confirm it.
    10. Assign a file name and location.
    11. Click Finish. Ensure that you safeguard the file that you just created as your ability to use the SSL protocol depends upon this file.
  2. Copy the file that you created to ISA Server.
  3. On ISA Server, open the MMC:
    1. Add the Certificate snap-in, as previously instructed.
    2. Click the Personal folder.
    3. Right-click All Tasks, and then click Import.
    4. Click Next on the Import Wizard.
    5. Ensure that your file is listed, and then click Next.
    6. Enter the password for this file.
    7. On the sub-option, click to select the Mark the private key as exportable check box.
    8. Leave the import setting on "Automatically", and then click Next.
    9. Click Finish.
    10. Under the Personal folder, when a subfolder called "Certificates" is displayed, click Certificates and verify that there is a certificate with the name of the Web computer.
    11. Right-click the certificate, and then click Properties.
    12. If the "Intended Purposes" field of the certificate is set to "All" rather than a list of specific purposes, the following steps must be followed before the certificate can be recognized by ISA Server: In the Certificate Services snap-in, open the Properties dialog box of the relevant certificate. Change the Enable all purposes for this certificate option to the Enable only the following purposes option, select all of the items, and then click Apply.
  4. Open the ISA Manager and complete the SSL install:
    1. Right-click the server that is going to accept the incoming connection, and then click Properties.
    2. Click the Incoming Web Requests tab.
    3. Click the Internet Protocol (IP) address entry for the site that you are going to host, or the "all IP addresses" entry if you do not have individual IP addresses set up.
    4. Click Edit.
    5. Click to select the Use a server certificate to authenticate to web users check box.
    6. Click Select.
    7. Select your previously imported certificate.
    8. Click OK.
    9. Click to select the Enable SSL listeners check box.
    10. Expand the "Publishing" folder and click on Web Publishing Rules
    11. Double click on the Web Publishing Rule that will route the SSL traffic.
    12. On the Bridging tab, choose the option to Redirect SSL requests as: "HTTP requests (terminate the secure channel at the proxy)".
    13. Click OK.
    14. Restart ISA Server.
  5. The configuration will not succeed if the Web publishing rule redirects SSL as HTTP, and the Web site requires SSL. Follow these steps to turn off the SSL requirement on the Web site:
    1. Right-click the Web site, and then click Properties.
    2. Click the Directory Security tab.
    3. Under Secure communications, click Edit.
    4. Click to clear the Require secure channel (SSL) check box, and then click OK two times.
    5. Right-click the Web site, and then click Stop.
    6. Right-click the Web site, and then click Start.

↑ Back to the top


Keywords: KB292569, kbhowto, kbenv

↑ Back to the top

Article Info
Article ID : 292569
Revision : 3
Created on : 1/4/2005
Published on : 1/4/2005
Exists online : False
Views : 360