How to securely publish multiple HTTPS websites on a single port via ISA

At last week's PKI TechNet event in Reading, several people asked how to get around the challenge of allowing multiple certificates to be used (one per HTTPS web site) in conjunction with ISA's web server publishing feature.

For those of you who may not be familiar with the problem, it centres around placing ISA (Internet Security and Acceleration Server) in front (in network terms) of a number of web servers to protect them from network-borne attacks. To the client (browser) ISA appears to BE the web server. The client connects by default on port 443 (signifying HTTPS, HTTP over Secure Sockets Layer) to the ISA Server, believing that it is actually connected to the web server. The ISA Server presents the web server's certificate (and uses its corresponding private key) to assert its identity to the client. The difficulty comes when you place multiple HTTPS web servers behind the ISA Server. The SSL handshake, and with it the choice of certificate, completes before the client sends the HTTP Host header that names the site it wants, so the listener must pick a certificate knowing only the IP address and port the client connected to; a web listener in ISA 2004 can present exactly one certificate, so it cannot present a different web server certificate per site for requests arriving on a single port. The workarounds are to give each site its own external IP address and web listener (each with its own certificate) or to require the client to connect on a different port for each web server; the latter makes the user experience less pleasant as they must use a different URL. Whichever route you take, the certificate presented must name every site a browser can reach through that listener, otherwise the browser will warn that the certificate does not match the URL.
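The practical check that follows from this is: for each host name you publish, what certificate does the listener actually present, and does that certificate's name (or subjectAltName list) cover the host name the browser will type? The script below is an added example, not code from the article or from the ISA product; it works on certificates in the dict form Python's `ssl` module returns, includes two constructed sample certificates using Microsoft's example domains contoso.com and fabrikam.com, and the listener address 203.0.113.10 and CA file `corp-ca.pem` in the live-probe call are assumed placeholders.

```python
"""Which certificate does an HTTPS listener present, and does it cover every published
host name?  The check reproduces the constraint described above: the certificate is chosen
during the SSL/TLS handshake, before the HTTP Host header arrives, so one listener on one
IP address and port can only satisfy the names that one certificate carries."""
import socket
import ssl


def cert_names(cert):
    """Return the DNS names asserted by a certificate in ssl.getpeercert() dict form.

    subjectAltName DNS entries are authoritative; the subject commonName is only
    consulted when the certificate carries no SAN at all (legacy behaviour).
    """
    names = [value.lower() for typ, value in cert.get("subjectAltName", ()) if typ == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value.lower())
    return names


def name_matches(pattern, hostname):
    """Match one certificate name against a host name: exact match, or a single
    wildcard that replaces only the left-most label (so *.example.com does not
    cover a.b.example.com, nor example.com itself)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[1:]:
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return False


def cert_covers(cert, hostname):
    return any(name_matches(name, hostname) for name in cert_names(cert))


def coverage_report(cert, hostnames):
    """Map each published host name to True/False: will a browser visiting
    https://<hostname>/ accept this certificate's name?"""
    return {h: cert_covers(cert, h) for h in hostnames}


def fetch_listener_cert(listener_ip, port, server_hostname, cafile=None):
    """Open an SSL/TLS connection to listener_ip:port and return the leaf certificate
    the listener presents, as a dict.

    Chain verification stays on (against cafile, or the system store) because
    Python's getpeercert() returns an empty dict when verify_mode is CERT_NONE.
    Host name checking is deliberately off: a mismatched name is what we want to
    observe, not an error.  server_hostname is sent as SNI; a listener that ignores
    SNI (ISA 2004 predates it) returns the same certificate whatever name is
    offered, which is the symptom the article describes.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((listener_ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
            return tls.getpeercert()


def audit_listener(listener_ip, port, hostnames, cafile=None):
    """Probe the listener once per published host name; report coverage and names seen."""
    results = {}
    for hostname in hostnames:
        cert = fetch_listener_cert(listener_ip, port, hostname, cafile)
        results[hostname] = (cert_covers(cert, hostname), cert_names(cert))
    return results


# Constructed sample certificates in getpeercert() form (not captured from any real host).
SAN_CERT = {
    "subject": ((("commonName", "www.contoso.com"),),),
    "subjectAltName": (("DNS", "www.contoso.com"), ("DNS", "owa.contoso.com"), ("DNS", "*.fabrikam.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "www.contoso.com"),),)}
PUBLISHED_SITES = ["www.contoso.com", "owa.contoso.com", "portal.fabrikam.com", "a.b.fabrikam.com"]

if __name__ == "__main__":
    # Offline demonstration: one listener, one certificate, several published sites.
    for label, cert in (("single-name cert", CN_ONLY_CERT), ("SAN/wildcard cert", SAN_CERT)):
        print(label, coverage_report(cert, PUBLISHED_SITES))
    # Live use against a real listener (assumed address and CA file; uncomment to run):
    # print(audit_listener("203.0.113.10", 443, PUBLISHED_SITES, cafile="corp-ca.pem"))
```

Run offline, the single-name certificate covers only `www.contoso.com`, while the SAN certificate covers the three names it lists (the wildcard catches `portal.fabrikam.com` but, correctly, not the two-label `a.b.fabrikam.com`). Pointed at a real listener with `audit_listener`, every host name that comes back `False` is a site whose users will see a certificate warning until that listener is given a certificate naming it, a separate IP address and listener, or a separate port.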

ISA Server 2006 will alleviate this limitation - it's currently in Beta - browse here to try ISA 2006 for yourself.

Note: My description assumes a single ISA server - in many production environments multiple ISA servers would be used to provide enhanced resilience and performance. ISA Server Enterprise Edition can be used to enable multiple ISA Server instances to co-operate.

Earlier today the ISA product team blog delved into this very subject - browse here to read the details.

If you'd like to learn more about how to securely publish web servers via ISA then please browse to the November/December issue of TechNet Magazine, where I published an article on the very subject.