Microsoft KB Archive/184030

= Using Server Proxy with SSL in Proxy Server 2.0 =

Article ID: 184030

Article Last Modified on 6/27/2006

-

APPLIES TO


 * Microsoft Proxy Server 2.0 Standard Edition

-



This article was previously published under Q184030



SUMMARY
The Server Proxy feature is the recommended method for publishing data from a Web server that is placed behind a Microsoft Proxy Server 2.0 computer when SSL encryption is required.

NOTE: Using SSL with the Reverse Proxy feature is not recommended and not supported by Microsoft.



MORE INFORMATION
The Server Proxy method is preferred because forcing an SSL connection for use with Reverse Proxy will also force SSL encryption on outgoing proxy client requests.

Furthermore, in this scenario, only the Internet connection will be encrypted. The connection between the proxy server and the Web server on the private network will not be encrypted.

The Server Proxy method allows an uninteruppted transparent HTTPS connection from the Internet client to the Web server on the private network.

Using Server Proxy with a WWW Server
Set up the internal server to use the Server Proxy feature, which requires the installation of the Winsock Proxy client. This allows port 443 to be bound to the Proxy Server computer's external network interface.

NOTE: Internet Information Server (IIS) is running on the proxy server computer and is bound to ports 80 and 443 on the external interface of the Proxy Server computer. Because only one service can be bound to ports 80 and 443 at a time, either the proxy server's HTTP and HTTPS ports must be changed or the ports that the publishing Web server uses to listen for inbound connections must be changed.

In the example below, the ports on the Proxy Server computer are changed so that the publishing Web server behind the Proxy Server computer is able to use the standard HTTP and HTTPS ports.

How to set up Server Proxy with IIS 3.0 or 4.0:

 Change the port used by the WWW service on the proxy server from port 80 to a new port number (for example, 8080).

NOTE: The Web Proxy service listens for proxy requests on this new port number. Web browsers using the Web Proxy service must be reconfigured to use the new port number. Install the Winsock Proxy client (usually from \\proxy_computername\mspclnts). Install an SSL Certificate on the internal Web server. Follow the online documentation for your Web server. Check the functionality of the Winsock installation by doing the following:  Use chkwsp32 /f. This should return "Client control protocol matches the server control protocol." Test connectivity with a Winsock 1.1 application (for example, command line ftp).</ol> </li> Create a Wspcfg.ini file and put it in the directory where the Web server's executable is located. (See "Configuring Multiserver Environments" in the Proxy Server 2.0 documentation for more information about setting up Server Proxy.) The following is a sample file that can be used with Internet Information Server. It should be placed in the directory where Inetinfo.exe resides (usually \ \System32\Inetsrv). Other Web servers will need a slightly different version of this file and it will need to be placed in a different location.

[Inetinfo]

ServerBindTcpPorts=80,443

Persistent=1

KillOldSession=1

ForceCredentials=1

For additional information about other Proxy Server configurations, click the article number below to view the article in the Microsoft Knowledge Base:

177153 Additional Proxy Server 2.0 Configurations

</li> Start the WWW service on the internal Web server. The Web server should now be started and listening on the external network card of the Proxy Server computer.</li> Test with a Web browser by connecting to the proxy server's external network interface via HTTP (80) and HTTPS (443). The internal Web server should respond to the requests.</li></ol>

Additional Information:

It is also necessary to change the default SSL port on the Proxy Server computer to enable the proxying of SSL from the client computer. To change the default Web site's SSL port, you may have to run adsutil set w3svc/1/SecureBindings :4443: from the WINNT\system32\inetsrv\adminsamples directory.

NOTE: If you have Proxy 2 installed on Windows 2000, the adsutil.vbs file is located in the \Inetpub\AdminScripts folder.

If you are not using Access Control on the Winsock Proxy service, it is not necessary to include the 'ForceCredentials=1' line in the Wspcfg.ini file.

If you are using Access Control on the Winsock Proxy service, it is necessary to include the 'ForceCredentials=1' and use Credtool to give the Inetinfo service an account that can be authenticated.

NOTE: This is only necessary if the SSL certificate is installed on the proxy server itself. This change can affect SSL traffic through the Web Proxy service and should only be made if absolutely necessary.

<div class="references_section">