Why doesn’t ISA support defining multiple server certificates on a single IP

Many clients have wondered why ISA doesn't support defining multiple server certificates for a single IP. Such a feature could have been useful when publishing several sites over SSL using the same public IP. In such a configuration each published site uses a different external name (e.g. mail.contoso.com, docs.contoso.com, …), and all public names are mapped to a single public IP.

If the listener on ISA is using a server certificate issued for the name of one site (e.g. mail.contoso.com), clients that access docs.contoso.com will get an error prompt from the browser. The common solution for avoiding this prompt is to use a wildcard certificate (for the name “*.contoso.com”).

The reason such a feature is not provided by ISA is an inherent limitation of the SSL protocol:

When the client sends the "CLIENT HELLO" SSL message, the server is expected to send back a server certificate. However, the "CLIENT HELLO" does not contain any indication of the name of the server that the client is interested in (this indication appears only in the Host header of the HTTP request, which is sent only after the SSL handshake has already completed). The server has no choice but to return a single server certificate per (IP, Port) pair (a.k.a. listener), which is the only thing it "knows" before receiving the HTTP request.

Future versions of the SSL protocol may support this. If they do, ISA will probably leverage that support to allow multiple server certificates to be assigned to a single IP.
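As an added illustration (example code written for this edit, not ISA code and not from the original post): the script below builds and parses a minimal TLS ClientHello. A ClientHello without extensions carries no host name at all, so the only selection key a listener has is the (IP, port) the record arrived on and it must answer with its single default certificate. The parser goes one step beyond the text and also recognizes the "server_name" extension from RFC 3546 (mentioned in the comments), which is what later TLS versions use to let a listener pick among several certificates on one IP. The host names and certificate labels are constructed sample values; `select_certificate` is a hypothetical stand-in for a listener's certificate lookup.

```python
"""Build and parse a TLS ClientHello to show when a listener can and cannot
choose a certificate by server name. Added example, not code from ISA or the
original post. Host names and certificate labels below are constructed."""
import os
import struct

HANDSHAKE = 0x16          # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: client_hello
EXT_SERVER_NAME = 0x0000  # RFC 3546 server_name extension
NAME_TYPE_HOST = 0x00     # NameType host_name


def _take(buf, pos, n):
    """Return (buf[pos:pos+n], new_pos); raise instead of reading past the end."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n


def build_client_hello(server_name=None, version=(3, 1)):
    """Construct a minimal ClientHello record (TLS 1.0 by default).

    One cipher suite, null compression, and a server_name extension only when
    server_name is given. Without it the message is the pre-SNI shape the post
    describes, carrying no indication of which site the client wants."""
    body = bytes(version) + os.urandom(32)        # client_version + random
    body += b"\x00"                               # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"    # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                           # compression_methods: null only
    if server_name is not None:
        host = server_name.encode("ascii")        # RFC 3546 host_name is ASCII (IDNA)
        entry = struct.pack("!BH", NAME_TYPE_HOST, len(host)) + host
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", HANDSHAKE, *version, len(handshake)) + handshake


def _parse_server_name(data):
    """Return the host_name entry of a server_name extension, or None."""
    list_len, pos = _take(data, 0, 2)
    names, _ = _take(data, pos, struct.unpack("!H", list_len)[0])
    pos = 0
    while pos + 3 <= len(names):
        name_type, name_len = struct.unpack("!BH", names[pos:pos + 3])
        name, pos = _take(names, pos + 3, name_len)
        if name_type == NAME_TYPE_HOST:
            return name.decode("ascii")
    return None


def parse_client_hello(record):
    """Return {'version': (major, minor), 'sni': host name or None}.

    Raises ValueError for anything that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs, _ = _take(record, 5, struct.unpack("!H", record[3:5])[0])
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body, _ = _take(hs, 4, int.from_bytes(hs[1:4], "big"))
    fixed, pos = _take(body, 0, 34)                      # client_version + random
    version = (fixed[0], fixed[1])
    sid_len, pos = _take(body, pos, 1)
    _, pos = _take(body, pos, sid_len[0])                # session_id
    cs_len, pos = _take(body, pos, 2)
    _, pos = _take(body, pos, struct.unpack("!H", cs_len)[0])   # cipher_suites
    cm_len, pos = _take(body, pos, 1)
    _, pos = _take(body, pos, cm_len[0])                 # compression_methods
    sni = None
    if pos < len(body):                                  # extensions block is optional
        ext_len, pos = _take(body, pos, 2)
        exts, _ = _take(body, pos, struct.unpack("!H", ext_len)[0])
        pos = 0
        while pos + 4 <= len(exts):
            ext_type, ext_size = struct.unpack("!HH", exts[pos:pos + 4])
            data, pos = _take(exts, pos + 4, ext_size)
            if ext_type == EXT_SERVER_NAME:
                sni = _parse_server_name(data)
    return {"version": version, "sni": sni}


def select_certificate(listener_certs, default_name, record):
    """Hypothetical listener lookup: certificate label to answer with.

    listener_certs maps host name -> certificate label. With no SNI the only
    information the listener has is its own (IP, port), so it can only return
    the single default certificate; with SNI it can pick per site."""
    hello = parse_client_hello(record)
    if hello["sni"] is None:
        return listener_certs[default_name]
    return listener_certs.get(hello["sni"], listener_certs[default_name])


if __name__ == "__main__":
    certs = {"mail.contoso.com": "cert-mail", "docs.contoso.com": "cert-docs"}
    for name in (None, "docs.contoso.com"):
        rec = build_client_hello(name)
        print("SNI:", parse_client_hello(rec)["sni"],
              "-> listener answers with", select_certificate(certs, "mail.contoso.com", rec))
```

Running the block prints that the legacy ClientHello yields `cert-mail` regardless of which site the user typed (the browser then warns for docs.contoso.com, exactly the prompt the post describes), while the ClientHello carrying `docs.contoso.com` lets the listener answer with `cert-docs`.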


Note on ISA 2006:

The “multiple certificates per listener” feature in ISA 2006 is targeted at completing the 2006 SSO (Single Sign On) experience. ISA 2006 provides SSO when the administrator uses a single listener. E.g. the administrator can configure two publishing rules, for site1.contoso.com and site2.contoso.com, assigned to the same web listener (with SSO domain: contoso.com), in a way that requires the user to authenticate only once.

However, since the user will probably use SSL, the administrator must be able to return two different server certificates from the same listener. He (the administrator) will still have to use at least two IPs on that listener due to the issue described earlier in this blog entry.



Zvi Avidor, ISA Server Product Team.


Comments (11)

  1. Anonymous says:

    Regular update to the url list is required.

  2. Anonymous says:

    At last week’s PKI TechNet event in Reading several people asked how to get around the challenge of allowing…

  3. Alun Jones says:

    There will be no "future versions of SSL protocol" to support this.

    There are future versions of the TLS protocol that allow the client to specify the server host name in the ClientHello message. Whether this is to be implemented by Microsoft in a future Windows version of TLS is the only question.

    I have heard that this will be supported in Vista and/or Longhorn, but I haven’t been able to confirm this, or to find whether such ability will be back-ported.

  4. Stefaan Pouseele says:

    Will ISA 2006 support the “server_name” extension as defined in RFC3546? IE7 seems to support it already (http://blogs.msdn.com/wndp/archive/2006/04/12/tls_enabled_by_default.aspx).

  5. ...1 says:

    Very good site :) Good luck!

  6. ...1 says:

    rather informative pages, pleasant =)

  7. ...1 says:

    9 out of 10! Get it! You are good!

  8. ...1 says:

    Amazement! I have a very good feeling about your site!!!!

  9. ...1 says:

    It's great that I found your site! Got the important info! ))
