ISA Server and SSL Configuration
- Hi, my company is in the process of configuring our MDM, which uses ISA Server to publish mobileenroll.domain.com.
The question I have is, do we terminate the SSL connection at the ISA Server, and pass non-SSL traffic to the Enrollment Server, or do we set the ISA Server to pass-through mode and put the SSL certificate on the Enrollment Server?
Thanks, Julie
Answers
- The Enrollment server expects SSL-traffic, and I don't recommend trying to reconfigure it. So you may set your ISA server in a pass-through mode, or install a certificate on the ISA and configure an SSL-SSL bridge scenario.
- Proposed As Answer by Andreas Helland, Monday, September 29, 2008 6:17 PM
- Marked As Answer by Marco Nielsen (Answerer), Sunday, October 05, 2008 7:36 PM
All Replies
- Hi Julie!
It's documented in considerable detail right here: http://technet.microsoft.com/en-us/library/cc645153.aspx#Guidance. Just in case the link fubars on you, the entire last section is dedicated to this.
The thumbnail is that the session terminates at ISA then a new SSL session is established b/w ISA and the ES. This permits you to leverage the DPI (Deep Packet Inspection) capability of ISA, which looks for known exploits, and ensures the end-to-end session is SSL.
Of course, you can use any reverse proxy to carry out this task. ISA just happens to be an outstandingly good fit - in, I hasten to add, bridged mode. Tunnelling your connection gives you no added value at all since there's no DPI.
best, Pat.
Mobility Architect, Enterprise Mobile
- Hi there Guys,
We have got an existing ISA 2006 server with a single IP address (DMZ subnet). Is it possible to utilise the reverse proxy capabilities of this box for enrollment? Please bear in mind that this server is also used as a proxy for internal clients. If so, what would be the best way to go about it?
I.e. can I get the external firewall to forward SSL traffic to ISA, configure the publishing rule, and open 443 from ISA to the MDM enrollment server?
What I am trying to get to is whether or not we need dual NICs on the ISA server.
Best Regards,
Ras
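Pat's answer above describes an SSL-to-SSL bridge: one TLS session from the device to the ISA web listener, and a second TLS session from ISA to the Enrollment Server. That means two certificates and two name checks, and a common way for this to fail is that the name on the publishing rule's "To" tab does not match the Enrollment Server certificate, or ISA does not trust the CA that issued it. The script below is an added example written for this page, not code from the thread, from Microsoft, or from ISA Server: it verifies each hop the way a client (or ISA) would, and also exposes the name-matching logic on its own so it can be run against an exported certificate without a network. The host names `mobileenroll.domain.com` (from Julie's post) and `enroll.corp.local`, and the sample certificate dictionary, are assumptions for illustration.

```python
"""Check both hops of an ISA SSL-to-SSL bridge for MDM enrollment publishing.

Hop 1: device -> ISA web listener (public name, e.g. mobileenroll.domain.com)
Hop 2: ISA -> Enrollment Server (internal name on the rule's "To" tab)

Added example for this page, not code from the original thread or from ISA.
All host names and the sample certificate below are assumptions.
"""
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
# (assumption: a typical Enrollment Server certificate with CN and one SAN).
SAMPLE_ES_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "enroll.corp.local"),)),
    "subjectAltName": (("DNS", "enroll.corp.local"),),
}


def cert_names(cert):
    """Return the DNS names a getpeercert()-style dict is valid for.

    SAN dNSName entries first, then the subject CN, duplicates removed.
    """
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "commonName":
                names.append(v)
    return list(dict.fromkeys(names))


def name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single '*' covering one left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches(cert, hostname):
    """True if any SAN/CN name in the cert is valid for hostname.

    This is the check ISA performs against the name on the rule's "To" tab
    (and that a device performs against the public listener name).
    """
    return any(name_matches(n, hostname) for n in cert_names(cert))


def check_hop(hostname, port=443, cafile=None):
    """Connect with chain and host-name verification; return (ok, detail).

    cafile: PEM bundle for the CA that issued the server's certificate, when it
    is not in the system trust store (the usual case for an internal ES cert).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((hostname, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, f"{hostname}: chain/name verification failed: {exc.verify_message}"
    except OSError as exc:
        return False, f"{hostname}: connection failed: {exc}"
    return True, f"{hostname}: OK, certificate valid for {cert_names(cert)}"


if __name__ == "__main__":
    # Offline pre-check: does the ES certificate carry the name the rule will use?
    print("To-tab name matches ES cert:", cert_matches(SAMPLE_ES_CERT, "enroll.corp.local"))
    print("IP on To tab would fail    :", cert_matches(SAMPLE_ES_CERT, "10.0.0.5"))
    # Live checks (assumed names). Run hop 1 from outside, hop 2 from the ISA box.
    for host, ca in (("mobileenroll.domain.com", None), ("enroll.corp.local", None)):
        ok, detail = check_hop(host, cafile=ca)
        print("PASS" if ok else "FAIL", detail)
```

Run hop 1 from an external network to see what devices see on the listener; run hop 2 from the ISA server itself, passing the internal CA bundle as `cafile`, since ISA is the client on that leg and the Enrollment Server certificate is normally issued by an internal CA. A pass-through (tunnel) configuration would show only a single hop and gives ISA nothing to inspect, which is the trade-off Pat points out.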