Article ID: 184030 - View products that this article applies to.
This article was previously published under Q184030
The Server Proxy feature is the recommended method for publishing data from a Web server that is placed behind a Microsoft Proxy Server 2.0 computer when SSL encryption is required.
NOTE: Using SSL with the Reverse Proxy feature is not recommended and not supported by Microsoft.
The Server Proxy method is preferred because forcing an SSL connection for use with Reverse Proxy will also force SSL encryption on outgoing proxy client requests.
Furthermore, in this scenario, only the Internet connection will be encrypted. The connection between the proxy server and the Web server on the private network will not be encrypted.
The Server Proxy method allows an uninteruppted transparent HTTPS connection from the Internet client to the Web server on the private network.
Using Server Proxy with a WWW ServerSet up the internal server to use the Server Proxy feature, which requires the installation of the Winsock Proxy client. This allows port 443 to be bound to the Proxy Server computer's external network interface.
NOTE: Internet Information Server (IIS) is running on the proxy server computer and is bound to ports 80 and 443 on the external interface of the Proxy Server computer. Because only one service can be bound to ports 80 and 443 at a time, either the proxy server's HTTP and HTTPS ports must be changed or the ports that the publishing Web server uses to listen for inbound connections must be changed.
In the example below, the ports on the Proxy Server computer are changed so that the publishing Web server behind the Proxy Server computer is able to use the standard HTTP and HTTPS ports.
How to set up Server Proxy with IIS 3.0 or 4.0:
It is also necessary to change the default SSL port on the Proxy Server computer to enable the proxying of SSL from the client computer. To change the default Web site's SSL port, you may have to run adsutil set w3svc/1/SecureBindings :4443: from the WINNT\system32\inetsrv\adminsamples directory.
NOTE: If you have Proxy 2 installed on Windows 2000, the adsutil.vbs file is located in the root\Inetpub\AdminScripts folder.
If you are not using Access Control on the Winsock Proxy service, it is not necessary to include the 'ForceCredentials=1' line in the Wspcfg.ini file.
If you are using Access Control on the Winsock Proxy service, it is necessary to include the 'ForceCredentials=1' and use Credtool to give the Inetinfo service an account that can be authenticated.
NOTE: This is only necessary if the SSL certificate is installed on the proxy server itself. This change can affect SSL traffic through the Web Proxy service and should only be made if absolutely necessary.
For more information about configuring Server Proxy, see "Configuring Server Proxy Parameters" in the Proxy Server 2.0 online documentation.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/171138/ )Secure TCP Port Not Properly Specified
Article ID: 184030 - Last Review: June 27, 2006 - Revision: 1.1