Topic: Forwarding SSL to internal site (Topic Closed)
Mr B
Newbie


Joined: 07 February 2008
Location: United Kingdom
Posts: 3
Posted: 07 February 2008 at 8:22am  

Hi,

I have the following problem and I am not sure whether ISAPI Rewrite has the answer. We have an ebXML Message Handler (although not really relevant) which receives HTTP posts at a certain address internally using Tomcat. We wish an external supplier to POST HTTP requests to this location so we have created a Web listener on our ISA 2006 server to redirect calls from our external URL, e.g. https://www.ebXMLMessages.com to our internal URL, e.g. <server>:19998/ebxml/Inbound.

To add further complications to this, we are hosting our site on behalf of many companies who are communicating with our supplier and as such our supplier insists on creating a Certificate for each company. Every time they call the external URL they are expecting our server to present the correct certificate for the company they are sending messages to. To get around this, our theory is that we can use the main URL, i.e. https://www.ebXMLMessages.com and simply tell the supplier to add the company name on the end of the URL, e.g. https://www.ebXMLMessages.com/CompanyA for Company A, https://www.ebXMLMessages.com/CompanyB for Company B.

We have set up an SSL tunnelling rule on the ISA server to forward requests to our local server which has IIS installed. We then set up a separate web site on the IIS for each company each with their own certificate, e.g. on IIS there is a CompanyA and a CompanyB web site. What I want to be able to do is to set up a rule for each of these sites so that the HTTP POSTs are then forwarded to our internal site, i.e. http://<server>:19998/ebxml/Inbound. The overall effect being that the supplier sends an HTTP POST to url https://www.ebXMLMessages.com/CompanyA, they get presented with the certificate for Company A and then get a 200 OK but without knowing that the request has been sent internally to a different server and location i.e. with no 301 redirects.

If a redirect/forward rule can be used but the certificate has to be presented at the forwarded URL then this is not a problem, but the port number used in the forwarding address will need to be different for each company, e.g. for Company A, the forwarding address could be http://<server>:8443/ebxml/Inbound and for Company B, the forwarding address could be http://<server>:9443/ebxml/Inbound as Tomcat can present a different certificate for each port.

If ISAPI Rewrite is the answer, which version should we get and what should the script be for allowing us to do this? My theory is that we would need the rewriteproxy method

thanks in advance

Paul

 

Yaroslav
Admin Group


Joined: 15 August 2002
Posts: 6520
Posted: 08 February 2008 at 6:52am  

I'm not sure I understand your exact requirements, but it seems to me you are trying to forward requests with certificates. I don't think it is possible with ISAPI_Rewrite. ISAPI_Rewrite can proxy requests, it can even proxy https requests, but it cannot do certificate tunnelling.

__________________
Yaroslav Govorunov,
Helicon Tech
Mr B
Newbie


Joined: 07 February 2008
Location: United Kingdom
Posts: 3
Posted: 11 February 2008 at 4:30am  

Hi Yaroslav,

I am not sure what you mean by certificate tunnelling. However, it's probably better if I simplify the problem in order that I can understand how ISAPI_Rewrite works. I have set up our ISA server to forward requests to the main URL https://www.MYSite.com to an internal server hosting IIS using SSL tunnelling. I have created a Web Site called CompanyA which has a certificate installed on it. I then want this Web Site to forward requests to an internal site http://mylocalserver/hello.html so that when the user visits the URL https://www.MySite/CompanyA, the client browser will be presented with the certificate and will show the HelloWorld web page without the URL in the client browser changing. I can put the HelloWorld.HTM under the CompanyA web site and it works fine by calling https://www.MySite/CompanyA/hello.html however I want the IIS to forward requests to the internal server.

Is this a better explanation and if so can ISAPI_Rewrite do this?

thanks again,

 

Paul

Yaroslav
Admin Group


Joined: 15 August 2002
Posts: 6520
Posted: 12 February 2008 at 7:48am  

This is absolutely doable. But from your initial post I understand you need to somehow secure the connection between the frontend and http://mylocalserver/hello.html and somehow send the client certificate to the backend server - this is not possible with ISAPI_Rewrite. The connection between backend and frontend will be unsecured.

__________________
Yaroslav Govorunov,
Helicon Tech
Mr B
Newbie


Joined: 07 February 2008
Location: United Kingdom
Posts: 3
Posted: 12 February 2008 at 7:55am  

Hi Yaroslav,

Thanks for your time, I'm afraid you are right. We are going to have to register a number of IP Addresses and create a rule on our ISA server for each of our customers.

Thanks again

Paul
