Web Table 1: SSL and HTTP Proxy Approaches

| SSL Approach | Pros | Cons |
|---|---|---|
| SSL tunneling | Provides end-to-end SSL | Introduces a security hole on HTTP proxy and firewall level: The proxy can’t screen for exploit infected content<br>Doesn't offload SSL processing from the Web server (for all client connections)<br>Doesn't take advantage of ISA caching |
| SSL bridging option 1: single SSL tunnel, starting on client and terminating on proxy | Provides HTTP content inspection on HTTP proxy and firewall level and can take advantage of URLScan 2.5 protection (if ISA Server Feature Pack 1 is installed)<br>Offloads SSL processing from Web server<br>Takes advantage of ISA caching | Doesn't provide end-to-end SSL<br>Doesn't offload SSL processing from HTTP proxy (for all client connections)<br>Doesn't secure HTTP traffic between proxy and Web server |
| SSL bridging option 2: single SSL tunnel, starting on proxy and terminating on Web server | Provides HTTP content inspection on HTTP proxy and firewall level and can take advantage of URLScan 2.5 protection (if ISA Server Feature Pack 1 is installed)<br>Reduces SSL processing load on Web server<br>Encrypts HTTP traffic between proxy and Web server<br>Takes advantage of ISA caching | Doesn't provide end-to-end SSL<br>Doesn't secure HTTP traffic between browser and HTTP proxy |
| SSL bridging option 3: two SSL tunnels | Provides HTTP content inspection on HTTP proxy and firewall level and can take advantage of URLScan 2.5 protection (if ISA Server Feature Pack 1 is installed)<br>Reduces SSL processing load on Web server (only for proxy server)<br>Offloads SSL processing from Web server<br>Encrypts HTTP traffic between browser and proxy and between proxy and Web server<br>Takes advantage of ISA caching | Doesn't provide end-to-end SSL<br>Doesn't offload SSL processing from HTTP proxy (for all client connections) |