Using Server Proxy with SSL in Proxy Server 2.0

This article was previously published under Q184030
Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
The Server Proxy feature is the recommended method for publishing data from a Web server that is placed behind a Microsoft Proxy Server 2.0 computer when SSL encryption is required.

NOTE: Using SSL with the Reverse Proxy feature is not recommended and not supported by Microsoft.
The Server Proxy method is preferred because forcing an SSL connection for use with Reverse Proxy will also force SSL encryption on outgoing proxy client requests.

Furthermore, in this scenario, only the Internet connection will be encrypted. The connection between the proxy server and the Web server on the private network will not be encrypted.

The Server Proxy method allows an uninterrupted transparent HTTPS connection from the Internet client to the Web server on the private network.

Using Server Proxy with a WWW Server

Set up the internal server to use the Server Proxy feature, which requires the installation of the Winsock Proxy client. This allows port 443 to be bound to the Proxy Server computer's external network interface.

NOTE: Internet Information Server (IIS) is running on the proxy server computer and is bound to ports 80 and 443 on the external interface of the Proxy Server computer. Because only one service can be bound to ports 80 and 443 at a time, either the proxy server's HTTP and HTTPS ports must be changed or the ports that the publishing Web server uses to listen for inbound connections must be changed.

In the example below, the ports on the Proxy Server computer are changed so that the publishing Web server behind the Proxy Server computer is able to use the standard HTTP and HTTPS ports.

How to set up Server Proxy with IIS 3.0 or 4.0:

  1. Change the port used by the WWW service on the proxy server from port 80 to a new port number (for example, 8080).

    NOTE: The Web Proxy service listens for proxy requests on this new port number. Web browsers using the Web Proxy service must be reconfigured to use the new port number.
  2. Install the Winsock Proxy client (usually from \\proxy_computername\mspclnts).
  3. Install an SSL Certificate on the internal Web server. Follow the online documentation for your Web server.
  4. Check the functionality of the Winsock installation by doing the following:
    1. Use chkwsp32 /f. This should return "Client control protocol matches the server control protocol."
    2. Test connectivity with a Winsock 1.1 application (for example, command line ftp).
  5. Create a Wspcfg.ini file and put it in the directory where the Web server's executable is located. (See "Configuring Multiserver Environments" in the Proxy Server 2.0 documentation for more information about setting up Server Proxy.) The following is a sample file that can be used with Internet Information Server. It should be placed in the directory where Inetinfo.exe resides (usually \System path\System32\Inetsrv). Other Web servers will need a slightly different version of this file and it will need to be placed in a different location.
    For additional information about other Proxy Server configurations, click the article number below to view the article in the Microsoft Knowledge Base:
    177153 Additional Proxy Server 2.0 Configurations
  6. Start the WWW service on the internal Web server. The Web server should now be started and listening on the external network card of the Proxy Server computer.
  7. Test with a Web browser by connecting to the proxy server's external network interface via HTTP (80) and HTTPS (443). The internal Web server should respond to the requests.
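
An illustrative Wspcfg.ini for step 5, added here and not the original article's sample file. It assumes IIS (Inetinfo.exe) publishing on ports 80 and 443 with Access Control enabled on the Winsock Proxy service; the port list and the choice of entries are assumptions to adapt.

```ini
; Added illustration; values are assumptions for an IIS publishing server.
; The section name is the executable's name without ".exe" (Inetinfo.exe).
[Inetinfo]
; Ports the Proxy Server binds on its external interface for this service.
ServerBindTcpPorts=80,443
; Keep the server state on the Proxy Server if the service stops and restarts.
Persistent=1
; End a session left over from an earlier instance before granting a new one.
KillOldSession=1
; Only when Access Control is enabled on the Winsock Proxy service;
; pair it with an account stored through Credtool.
ForceCredentials=1
```
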
Additional Information:

It is also necessary to change the default SSL port on the Proxy Server computer to enable the proxying of SSL from the client computer. To change the default Web site's SSL port, you may have to run adsutil set w3svc/1/SecureBindings :4443: from the WINNT\system32\inetsrv\adminsamples directory.

NOTE: If you have Proxy 2 installed on Windows 2000, the adsutil.vbs file is located in the root\Inetpub\AdminScripts folder.

If you are not using Access Control on the Winsock Proxy service, it is not necessary to include the 'ForceCredentials=1' line in the Wspcfg.ini file.

If you are using Access Control on the Winsock Proxy service, it is necessary to include the 'ForceCredentials=1' line and use Credtool to give the Inetinfo service an account that can be authenticated.

NOTE: This is only necessary if the SSL certificate is installed on the proxy server itself. This change can affect SSL traffic through the Web Proxy service and should only be made if absolutely necessary.
For more information about configuring Server Proxy, see "Configuring Server Proxy Parameters" in the Proxy Server 2.0 online documentation.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
171138 Secure TCP Port Not Properly Specified

Article ID: 184030 - Last Review: 06/27/2006 08:00:38 - Revision: 1.1

Microsoft Proxy Server 2.0 Standard Edition
