Re: SSL Bridging Fun

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 15 Jul 2002 18:59:27 -0700

Actually, you already have my favorite choice in place; the internal domain name is based on the public domain name. This allows you to register only one name and still have two different cakes to eat... should get you started on the split DNS question.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
Read the books!

----- Original Message -----
From: Tony Lou
To: [ Discussion List]
Sent: Monday, July 15, 2002 5:24 PM
Subject: [isalist] Re: SSL Bridging Fun

Hi Jim,

Thanks for your response.

In answer to your question, sort of. Our external domain name is "", our internal is "".

Also, I do have an entry in the hosts file on the ISA server pointing to the internal address of the web server. A ping from the command prompt on the ISA server confirms that it resolves to the internal address.

Thinking about it last night, I've come to realise that it may in fact be working for the outside world, but not for us internally, because all of our clients point to the ISA server for DNS (which then forwards external-bound queries to our ISP's DNS servers). Therefore an internal client will see the "loop" error, whereas the outside presumably wouldn't? This is what I'll be testing in the next hour.

Would appreciate a pointer to information on "split DNS structures", particularly as we'll be moving to Active Directory and Exchange 2000 soon which, as I understand it, will require the use of our external domain name internally as well.

Cheers, and thanks,
Tony Lou

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, 15 July 2002 11:00 PM
To: [ Discussion List]
Subject: [isalist] Re: SSL Bridging Fun

ISA is resolving the web server name to its own external IP address (thus the proxy chain loop message). As stated in the article, you'll need to help ISA resolve the name to the proper internal IP using either a hosts file entry or a 'spoof' DNS entry. This is another argument for a split DNS structure.

You aren't using the same internal domain name as you use externally, are you?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
Read the books!
----- Original Message -----
From: Tony Lou
To: [ Discussion List]
Sent: Sunday, July 14, 2002 11:52 PM
Subject: [isalist] SSL Bridging Fun

Hi all,

Having an issue with SSL bridging which is driving me spare. Would appreciate some assistance from any who have come out winners in this area.

We have a Web server (W2K, IIS) running on our internal network, published through ISA on standard ports (i.e., HTTP - 80, SSL - 443), with a Verisign certificate installed on both IIS and ISA.

I have worked through this document; ( to the letter.

The problem seems to relate to these lines in the document:

9.15 "On the Rule Action window select "Redirect the request to this internal Web server"."

9.16 "Make sure you enter the name of the internal web site being published (not the IP address or internal server name). This is the same as the certificate.
NOTE: Make sure the ISA server can resolve this name to the internal Web server's IP address. The external DNS servers will resolve the published Web site name to the external IP address of the ISA server, but the ISA server needs to resolve the name to the internal published Web server. You may have to create a HOST file locally on the ISA server to resolve the name to the internal Web server IP address."

If I enter the "Web Site name" I get this error generated by the ISA Server:

"The server has detected a proxy chain loop. This condition might indicate a configuration problem in proxy server".

If I don't, and instead enter the internal IP address, all works fine except that SSL doesn't bridge and I get this error instead:

"500 Internal Server Error - The target principal name is incorrect. Internet Security and Acceleration Server"

Would deeply appreciate any assistance.

Thanks in advance,
Tony Lou
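The two failure modes in this thread (the name resolving to the proxy's own external address, and forwarding to an IP literal so the certificate name cannot match) are easy to pre-flight before touching the publishing rule. The following is an added example, not code from the list or from ISA Server; it models name resolution from the proxy's point of view (hosts file first, then DNS) and checks a "redirect to this internal Web server" target against the proxy's external address, the internal address space and the certificate name. All addresses, the published name `www.example.com`, the `10.0.0.0/8` internal range and the function names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical values constructed for this example (not from the thread).
PROXY_EXTERNAL_IP = "203.0.113.10"   # what public DNS returns for the published name
INTERNAL_WEB_IP = "10.0.0.5"         # the published IIS server on the internal network
PUBLISHED_NAME = "www.example.com"   # name in the publishing rule and in the certificate
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_hosts(text: str) -> dict:
    """Parse hosts-file syntax ('IP name [alias ...]', '#' comments) into name -> IP."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)  # reject malformed addresses early
        for name in names:
            entries[name.lower().rstrip(".")] = ip
    return entries


@dataclass
class ProxyResolver:
    """Name resolution as the proxy sees it: a hosts entry wins over the DNS answer."""
    hosts: dict = field(default_factory=dict)
    dns: dict = field(default_factory=dict)

    def resolve(self, name: str):
        key = name.lower().rstrip(".")
        return self.hosts.get(key) or self.dns.get(key)


def check_publishing_rule(forward_to: str, cert_cn: str, resolver: ProxyResolver,
                          proxy_external_ip: str, internal_nets) -> tuple:
    """Pre-flight the rule's forwarding target. Returns (ok, reason).

    forward_to is either the published name (SSL bridging by name) or an IP literal.
    """
    try:
        ipaddress.ip_address(forward_to)
        is_ip_literal = True
    except ValueError:
        is_ip_literal = False

    if is_ip_literal:
        # The bridged TLS session is opened to an IP, so the server certificate's
        # subject name cannot match: the 'target principal name is incorrect' case.
        return False, f"certificate name mismatch: forwarding to {forward_to}, certificate is for {cert_cn}"

    target = resolver.resolve(forward_to)
    if target is None:
        return False, f"{forward_to} does not resolve on the proxy"
    if target == proxy_external_ip:
        # The public DNS answer is what the proxy sees, so it would forward the
        # request to itself: the 'proxy chain loop' case.
        return False, f"proxy chain loop: {forward_to} resolves to the proxy's own address {target}"
    if not any(ipaddress.ip_address(target) in net for net in internal_nets):
        return False, f"{forward_to} resolves to {target}, which is not an internal address"
    if forward_to.lower().rstrip(".") != cert_cn.lower().rstrip("."):
        return False, f"rule name {forward_to} does not match certificate name {cert_cn}"
    return True, f"ok: {forward_to} -> {target}, certificate name matches"


def scenarios() -> dict:
    """The three configurations discussed in the thread, checked in turn."""
    public_dns = {PUBLISHED_NAME: PROXY_EXTERNAL_IP}
    no_override = ProxyResolver(hosts={}, dns=public_dns)
    hosts_text = f"{INTERNAL_WEB_IP}  {PUBLISHED_NAME}  # split-DNS override on the proxy\n"
    with_hosts = ProxyResolver(hosts=parse_hosts(hosts_text), dns=public_dns)
    return {
        "name_without_override": check_publishing_rule(
            PUBLISHED_NAME, PUBLISHED_NAME, no_override, PROXY_EXTERNAL_IP, INTERNAL_NETS),
        "ip_instead_of_name": check_publishing_rule(
            INTERNAL_WEB_IP, PUBLISHED_NAME, no_override, PROXY_EXTERNAL_IP, INTERNAL_NETS),
        "name_with_hosts_entry": check_publishing_rule(
            PUBLISHED_NAME, PUBLISHED_NAME, with_hosts, PROXY_EXTERNAL_IP, INTERNAL_NETS),
    }


if __name__ == "__main__":
    for label, (ok, reason) in scenarios().items():
        print(f"{label:24s} {'PASS' if ok else 'FAIL'}  {reason}")
```

The first scenario reproduces the loop, the second the certificate name error, and the third passes only because the hosts entry overrides the public DNS answer on the proxy itself; a client that resolves the name through a different path (as Tony describes for internal clients using ISA for DNS) is a separate resolver and has to be checked on its own.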