Using Reverse Proxy with SSL in Proxy Server 2.0
ID: Q184030
The information in this article applies to:
- Microsoft Proxy Server version 2.0
SUMMARY
The Server Proxy feature is the recommended method for publishing data
from a Web server that is placed behind a Microsoft Proxy Server 2.0
computer when SSL encryption is required.
NOTE: Using SSL with the Reverse Proxy feature is not recommended and not
supported by Microsoft.
MORE INFORMATION
The Server Proxy method is preferred because forcing an SSL connection for
use with Reverse Proxy will also force SSL encryption on outgoing proxy
client requests.
Furthermore, in this scenario, only the Internet connection will be
encrypted. The connection between the proxy server and the Web server on
the private network will not be encrypted.
The Server Proxy method allows an uninterrupted transparent HTTPS
connection from the Internet client to the Web server on the private
network.
Using Server Proxy with a WWW Server
Set up the internal server to use the Server Proxy feature, which requires
the installation of the Winsock Proxy client. This allows port 443 to be
bound to the Proxy Server computer's external network interface.
NOTE: Internet Information Server (IIS) is running on the proxy server
computer and is bound to ports 80 and 443 on the external interface of the
Proxy Server computer. Because only one service can be bound to ports 80 and 443
at a time, either the proxy server's HTTP and HTTPS ports must be changed
or the ports that the publishing Web server uses to listen for inbound
connections must be changed.
In the example below, the ports on the Proxy Server computer are changed so that
the publishing Web server behind the Proxy Server computer is able to use the
standard HTTP and HTTPS ports.
How to set up Server Proxy with IIS 3.0 or 4.0:
- Change the port used by the WWW service on the proxy server from port
80 to a new port number (for example, 8080).
NOTE: The Web Proxy service listens for proxy requests on this new port
number. Web browsers using the Web Proxy service must be reconfigured to
use the new port number.
- Install the Winsock Proxy client (usually from \\proxy_computername\mspclnts).
- Install an SSL Certificate on the internal Web server. Follow
the online documentation for your Web server.
- Check the functionality of the Winsock installation by doing the
following:
  - Use chkwsp32 /f. This should return "Client control protocol matches
    the server control protocol."
  - Test connectivity with a Winsock 1.1 application (for example,
    command line ftp).
- Create a Wspcfg.ini file and put it in the directory where the Web
server's executable is located. (See "Configuring Multiserver
Environments" in the Proxy Server 2.0 documentation for more
information about setting up Server Proxy.)
The following is a sample file that can be used with Internet Information
Server. It should be placed in the directory where Inetinfo.exe resides
(usually \<System path>\System32\Inetsrv). Other Web servers will need
a slightly different version of this file and it will need to be placed
in a different location.
[Inetinfo]
ServerBindTcpPorts=80,443
Persistent=1
KillOldSession=1
ForceCredentials=1
For other Server Proxy configurations, see the following Microsoft Knowledge Base article:
Q177153 Additional Proxy Server 2.0 Configurations
- Start the WWW service on the internal Web server. The Web server should
now be started and listening on the external network card of the Proxy
Server computer.
- Test with a Web browser by connecting to the proxy server's external
network interface via HTTP (80) and HTTPS (443). The internal
Web server should respond to the requests.
Additional Information:
It is also necessary to change the default SSL port on the Proxy Server computer to enable the proxying of SSL from the client computer. To change the default Web site's SSL port, you may have to run adsutil set w3svc/1/SecureBindings 4443 from the WINNT\system32\inetsrv\adminsamples directory.
If you are not using Access Control on the Winsock Proxy service, it is
not necessary to include the 'ForceCredentials=1' line in the Wspcfg.ini
file.
If you are using Access Control on the Winsock Proxy service, it is
necessary to include the 'ForceCredentials=1' AND use Credtool to give the
Inetinfo service an account that can be authenticated.
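A way to check a Wspcfg.ini file against the sample above and the ForceCredentials rule, as an added example (not part of the original article and not a Microsoft tool). The function name check_wspcfg, its parameters and the constructed SAMPLE text are assumptions for illustration; whether Credtool has stored an account cannot be seen in the file and is not checked.

```python
import configparser

# Constructed sample: the article's Wspcfg.ini for Inetinfo.exe.
SAMPLE = """\
[Inetinfo]
ServerBindTcpPorts=80,443
Persistent=1
KillOldSession=1
ForceCredentials=1
"""

def check_wspcfg(text, section="Inetinfo", required_ports=(80, 443),
                 access_control=True):
    """Hypothetical helper: list the ways `text` differs from the article's
    sample. `access_control` says whether Access Control is enabled on the
    Winsock Proxy service. An empty list means no differences were found."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"cannot parse file: {exc}"]
    # Assumption: section names are compared without regard to case.
    name = next((s for s in cp.sections() if s.lower() == section.lower()), None)
    if name is None:
        return [f"missing [{section}] section"]
    opts = cp[name]
    findings = []
    ports = set()
    for item in opts.get("ServerBindTcpPorts", "").split(","):
        item = item.strip()
        if item.isdigit():
            ports.add(int(item))
        elif item:
            findings.append(f"ServerBindTcpPorts entry {item!r} is not a port number")
    for port in required_ports:
        if port not in ports:
            findings.append(f"port {port} not listed in ServerBindTcpPorts")
    for key in ("Persistent", "KillOldSession"):
        if opts.get(key, "").strip() != "1":
            findings.append(f"{key}=1 is not set")
    forced = opts.get("ForceCredentials", "").strip() == "1"
    if access_control and not forced:
        findings.append("Access Control is on but ForceCredentials=1 is missing")
    if forced and not access_control:
        findings.append("ForceCredentials=1 is not needed without Access Control")
    return findings

if __name__ == "__main__":
    print(check_wspcfg(SAMPLE) or "OK")
```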
REFERENCES
For more information about configuring Server Proxy, see "Configuring
Server Proxy Parameters" in the Proxy Server 2.0 online documentation.
For information about changing the Secure Socket Layer port for Internet
Information Server, see either of the following articles in the Microsoft
Knowledge Base:
Internet Information Server 3.0
Q165338 IIS Does Not Allow its TCP Port to Be Same as SSL Port
Internet Information Server 4.0
Q171138 Secure TCP Port Not Properly Specified
Keywords : prx2faq kbfaq
Version : winnt:2.0
Platform : winnt
Issue type : kbhowto
Last Reviewed: August 9, 1999