SSL Tunneling vs SSL Bridging

With the Windows Mobile architecture we have the option of SSL bridging or SSL tunneling. Some reverse proxy servers, such as ISA, allow SSL bridging.

Taken from: https://www.isaserver.org/tutorials/Understanding_SSL_bridging_and_tunneling_within_ISA.html (Modified)

SSL tunneling

In SSL tunneling, your connection to the target web site is tunneled through ISA. The key word here is through. Once ISA has established the initial connection, the ISA client communicates with the target web server directly, inside the SSL tunnel that is created after SSL negotiation has taken place.

  1. An ISA client requests a web object from a web site.
  2. ISA forwards the request on to the web server.
  3. ISA connects to the web server on SSL port 443 or 563, depending on the configuration.
  4. ISA informs the client that the connection has been established and hands the connection over to the client.

The client communicates with the web server directly without any intervention from ISA through the SSL tunnel that has been established.
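The four steps above, sketched as a generic tunneling proxy handler. This is an added example, not ISA's code and not taken from the referenced tutorial; it assumes the client requests the tunnel with an HTTP CONNECT request, and the function names and status strings are illustrative.

```python
import select
import socket

ALLOWED_TUNNEL_PORTS = {443, 563}  # the SSL ports named in step 3

def parse_connect(head: bytes):
    """Return (host, port) from a CONNECT request head, or None if malformed."""
    try:
        method, target, version = head.split(b"\r\n", 1)[0].decode("ascii").split(" ")
        host, _, port = target.rpartition(":")
        if method != "CONNECT" or not version.startswith("HTTP/1.") or not host:
            return None
        return host, int(port)
    except (ValueError, UnicodeDecodeError):
        return None

def relay(a, b, idle_timeout=5.0):
    """Copy bytes both ways without interpreting them; stop on close or idle."""
    peers = {a: b, b: a}
    while True:
        readable, _, _ = select.select([a, b], [], [], idle_timeout)
        if not readable:
            return
        for sock in readable:
            data = sock.recv(65536)
            if not data:
                return
            peers[sock].sendall(data)

def handle_tunnel(client, connect=socket.create_connection):
    """Steps 1-4 for one client socket; returns the outcome as a string."""
    head = b""
    while b"\r\n\r\n" not in head:
        chunk = client.recv(4096)
        if not chunk or len(head) > 8192:
            return "bad-request"
        head += chunk
    target = parse_connect(head)
    if target is None:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        return "bad-request"
    if target[1] not in ALLOWED_TUNNEL_PORTS:  # refuse tunnels to non-SSL ports
        client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        return "denied"
    with connect(target) as upstream:  # step 3: the proxy dials the web server
        client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")  # step 4
        relay(client, upstream)  # from here the proxy sees only opaque TLS bytes
    return "tunneled"
```

After the 200 response the handler never parses another byte, which is why a tunneling proxy can restrict where tunnels go (host and port) but cannot inspect what travels inside them.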

SSL bridging

This is the termination or initiation of an SSL connection by ISA. An example of this is when an ISA client requests an HTTP object. ISA acts on the client's behalf, encrypts the request, and forwards it to the target web server. The web server returns the encrypted object to ISA, which decrypts it and sends it to the client that requested the HTTP object. SSL bridging enables ISA to encrypt or decrypt client requests when passing the request to a target web server. ISA intercepts the client request as it is sent to the web server, proxies the request to the web server on the client's behalf, and returns the result to the client. In this way the client does not deal with the web server directly, increasing security. In addition, with SSL bridging the ISA server can do packet-based inspection, which adds yet another level of security.

Note: With certificate-based user authentication for Exchange ActiveSync you cannot use SSL bridging.
