Using Reverse Proxy with SSL in Proxy Server 2.0

ID: Q184030

The information in this article applies to:

SUMMARY

The Server Proxy feature is the recommended method for publishing data from a Web server that is placed behind a Microsoft Proxy Server 2.0 computer when SSL encryption is required.

NOTE: Using SSL with the Reverse Proxy feature is not recommended and not supported by Microsoft.


MORE INFORMATION

The Server Proxy method is preferred because forcing an SSL connection for use with Reverse Proxy will also force SSL encryption on outgoing proxy client requests.

Furthermore, in this scenario, only the Internet connection will be encrypted. The connection between the proxy server and the Web server on the private network will not be encrypted.

The Server Proxy method allows an uninteruppted transparent HTTPS connection from the Internet client to the Web server on the private network.

Using Server Proxy with a WWW Server

Set up the internal server to use the Server Proxy feature, which requires the installation of the Winsock Proxy client. This allows port 443 to be bound to the Proxy Server computer's external network interface.

NOTE: Internet Information Server (IIS) is running on the proxy server computer and is bound to ports 80 and 443 on the external interface of the Proxy Server computer. Because only one service can be bound to ports 80 and 443 at a time, either the proxy server's HTTP and HTTPS ports must be changed or the ports that the publishing Web server uses to listen for inbound connections must be changed.

In the example below, the ports on the Proxy Server computer are changed so that the publishing Web server behind the Proxy Server computer is able to use the standard HTTP and HTTPS ports.

How to set up Server Proxy with IIS 3.0 or 4.0:

  1. Change the port used by the WWW service on the proxy server from port 80 to a new port number (for example, 8080).

    NOTE: The Web Proxy service listens for proxy requests on this new port number. Web browsers using the Web Proxy service must be reconfigured to use the new port number.


  2. Install the Winsock Proxy client (usually from \\proxy_computername\mspclnts).


  3. Install an SSL Certificate on the internal Web server. Follow the online documentation for your Web server.


  4. Check the functionality of the Winsock installation by doing the following:

    1. Use chkwsp32 /f. This should return "Client control protocol matches the server control protocol."


    2. Test connectivity with a Winsock 1.1 application (for example, command line ftp).




  5. Create a Wspcfg.ini file and put it in the directory where the Web server's executable is located. (See "Configuring Multiserver Environments" in the Proxy Server 2.0 documentation for more information about setting up Server Proxy.) The following is a sample file that can be used with Internet Information Server. It should be placed in the directory where Inetinfo.exe resides (usually \<System path>\System32\Inetsrv). Other Web servers will need a slightly different version of this file and it will need to be placed in a different location.
    [Inetinfo]
    ServerBindTcpPorts=80,443
    Persistent=1
    KillOldSession=1
    ForceCredentials=1
    For other Server Proxy configurations, see the following Microsoft Knowledge Base article:
    Q177153 Additional Proxy Server 2.0 Configurations


  6. Start the WWW service on the internal Web server. The Web server should now be started and listening on the external network card of the Proxy Server computer.


  7. Test with a Web browser by connecting to the proxy server's external network interface via HTTP (80) and HTTPS (443). The internal Web server should respond to the requests.


Additional Information:

It is also necessary to change the default SSL port on the Proxy Server computer to enable the proxying of SSL from the client computer. To change the default Web site's SSL port, you may have to run adsutil set w3svc/1/SecureBindings 4443 from the WINNT\system32\inetsrv\adminsamples directory.

If you are not using Access Control on the Winsock Proxy service, it is not necessary to include the 'ForceCredentials=1' line in the Wspcfg.ini file.

If you are using Access Control on the Winsock Proxy service, it is necessary to include the 'ForceCredentials=1' AND use Credtool to give the Inetinfo service an account that can be authenticated.


REFERENCES

For more information about configuring Server Proxy, see "Configuring Server Proxy Parameters" in the Proxy Server 2.0 online documentation.

For information about changing the Secure Socket Layer port for Internet Information Server, see either of the following articles in the Microsoft Knowledge Base:

Internet Information Server 3.0

Q165338 IIS Does Not Allow its TCP Port to Be Same as SSL Port
Internet Information Server 4.0
Q171138 Secure TCP Port Not Properly Specified 


Keywords          : prx2faq kbfaq 
Version           : winnt:2.0
Platform          : winnt 
Issue type        : kbhowto

Last Reviewed: August 9, 1999