
Why doesn't ISA support defining multiple server certificates on a single IP

Many customers have asked why ISA does not support defining multiple server certificates for a single IP address. Such a feature would be useful when publishing several sites over SSL through the same public IP: each published site uses a different external name (e.g. mail.contoso.com, docs.contoso.com, ...), and all of those public names resolve to the same public IP.

If the ISA listener uses a server certificate issued for the name of one site (e.g. mail.contoso.com), clients that access docs.contoso.com will get a certificate name-mismatch warning from the browser. The common way to avoid the warning is to use a wildcard certificate (for the name "*.contoso.com") on the listener; note that a wildcard only covers names one label below contoso.com, so every published site has to fit that naming scheme.

The reason ISA does not provide this feature is a limitation of the SSL protocol as ISA speaks it:

When the client sends the ClientHello message, the server is expected to reply with its server certificate. However, the SSL 3.0 / base TLS 1.0 ClientHello carries no indication of the name of the server the client wants to reach; that name appears only in the Host header of the HTTP request, which is sent after the SSL handshake has completed (and is itself encrypted). The server therefore has no choice but to return one server certificate per (IP, port) pair (a.k.a. listener), since the listener is the only thing it knows before receiving the HTTP request.

The TLS server_name extension (RFC 3546) adds exactly that indication to the ClientHello, but ISA does not process it. Should a future ISA version do so, it could allow multiple server certificates to be assigned to a single IP.
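As an added illustration (this code is not from the original post or from the ISA product team), the following Python script builds a TLS 1.0 ClientHello with and without the RFC 3546 server_name extension, parses the name back out, and shows which certificate a legacy (IP, port) listener and an SNI-aware listener would select for the same connection. The listener address 203.0.113.10:443, the host names and the certificate table are made-up assumptions.

```python
"""
Added example, not part of the original blog post: a minimal TLS ClientHello
builder and parser showing why a listener that does not read the server_name
extension (RFC 3546) can only choose one certificate per (IP, port).
Host names, the listener address and the certificate table below are made up.
"""
import os
import struct

# Made-up certificate inventory: which certificate is bound to which name.
CERTS_BY_NAME = {
    "mail.contoso.com": "CN=mail.contoso.com",
    "docs.contoso.com": "CN=docs.contoso.com",
}
# Legacy (pre-SNI) behaviour: exactly one certificate per listener (ip, port).
CERTS_BY_LISTENER = {
    ("203.0.113.10", 443): "CN=mail.contoso.com",
}


def build_client_hello(server_name=None):
    """Return a TLS 1.0 record carrying a ClientHello; adds server_name if given."""
    body = b"\x03\x01"                                 # client_version: TLS 1.0
    body += os.urandom(32)                             # random
    body += b"\x00"                                    # session_id length 0
    body += struct.pack("!H", 2) + b"\x00\x2f"         # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                                # compression_methods: null only
    if server_name is not None:
        host = server_name.encode("ascii")
        sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0)
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension_type server_name(0)
        body += struct.pack("!H", len(ext)) + ext                   # extensions block
    # Handshake header: HandshakeType client_hello(1) + 24-bit body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: ContentType handshake(22), version TLS 1.0, 16-bit length.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_name(record):
    """Return the host_name from the server_name extension, or None if absent."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                       # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    if pos >= len(body):
        return None                                    # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if ext_type == 0x0000:                         # server_name
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == 0:                     # host_name
                    return name.decode("ascii")
    return None


def select_certificate(ip, port, record, sni_aware):
    """Pick the certificate a listener would present for this ClientHello."""
    if sni_aware:
        name = parse_server_name(record)
        if name in CERTS_BY_NAME:
            return CERTS_BY_NAME[name]
    # Without (or ignoring) server_name, only the (ip, port) pair is known.
    return CERTS_BY_LISTENER[(ip, port)]


if __name__ == "__main__":
    for label, hello in (("with SNI", build_client_hello("docs.contoso.com")),
                         ("without SNI", build_client_hello())):
        print(label, "-> name:", parse_server_name(hello),
              "| legacy listener:", select_certificate("203.0.113.10", 443, hello, False),
              "| SNI-aware listener:", select_certificate("203.0.113.10", 443, hello, True))
```

Run stand-alone, the script shows that the legacy listener hands out the mail.contoso.com certificate to a client asking for docs.contoso.com, which is exactly the browser warning described above, while the SNI-aware listener picks the matching certificate and falls back to the per-listener default only when the client sends no server_name.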

 

Note on ISA 2006:

The "multiple certificates per listener" feature in ISA 2006 is intended to complete the ISA 2006 Single Sign-On (SSO) experience. ISA 2006 provides SSO when the administrator publishes through a single listener. For example, the administrator can configure two publishing rules, for site1.contoso.com and site2.contoso.com, assigned to the same web listener (with SSO domain contoso.com), so that the user has to authenticate only once.

However, since users will most likely use SSL, the administrator must be able to return two different server certificates from the same listener. The administrator will still have to assign at least two IP addresses to that listener, one per certificate, because of the limitation described earlier in this entry.

 

 

Zvi Avidor, ISA Server Product Team.

 

Published Saturday, April 01, 2006 7:10 AM by isablog

Comments

# How to securely publish multiple HTTPS websites on a single port via ISA

At last week's PKI TechNet event in Reading several people asked how to get around the challenge of allowing...
Saturday, April 01, 2006 4:22 AM by Steve Lamb's Blog

# re: Why doesn't ISA support defining multiple server certificates on a single IP

There will be no "future versions of SSL protocol" to support this.
There are future versions of the TLS protocol that allow the client to specify the server host name in the ClientHello message.  Whether this is to be implemented by Microsoft in a future Windows version of TLS is the only question.
I have heard that this will be supported in Vista and/or Longhorn, but I haven't been able to confirm this, or to find whether such ability will be back-ported.
Monday, April 03, 2006 11:51 AM by Alun Jones

# re: Why doesn't ISA support defining multiple server certificates on a single IP

Will ISA 2006 support the “server_name” extension as defined in RFC3546?  IE7 seems to support it already (http://blogs.msdn.com/wndp/archive/2006/04/12/tls_enabled_by_default.aspx).
Tuesday, April 18, 2006 3:46 PM by Stefaan Pouseele
