Wednesday, February 8, 2012

ISA: How to redirect HTTPS to HTTP, How to set SSL Certificate

One of the task while building SharePoint farm ( in my case 2010) is to set Load Balancing. The common approach for this is to make use of ISA.

My prod SharePoint portal needs to use SSL connection. Plus, I love simplicity. So, I have decided to use ISA
to set SSL connection for users.

Traffic between users and ISA are HTTPS, but traffic between ISA and SharePoint portal is HTTP. 
The beautiful name for such connection is off-box SSL termination.

 To implement it, we need to have:
1. SSL certificate issued for the portal host name;
2. ISA

That's it)

How to do it:

1. Setup a  SSL certificate that been issued for your portal host name on ISA
Simple concept: How to add SSL certificate

2. Create a Server Farm object in ISA , create Firewall Policy with this object.

Set Internal site name that been send to WFE, In the farm object add WFE server IPs

Server Farm is TO where the requested will be redirected

3.Create a Listener
Listener is FROM where the requested will be redirected
The specified IPs are IPs of ISA that been used specifically for redirection users. DNS server administrator should create a DNS entry with public DNS host (ex. portal2010.local) that is been pointed to the IP on ISA.

In the connection tab check HTTP and HTTPS. This way you allow a user to type HTTP, but eventually his request will be converted into HTTPS (that is achieved through other option which will be shown in a few sec)

4. Add certificate to the listener
Simple concept: How to add SSL certificate

5. Add to the rule on the tab "Public name" , the public name of the portal

6. And this is the crucial, juicy and last step.
Bridging - How the request will be redirected

Notice that "Redirect" goes to HTTP, not to SSL.
This way you don't have to install SSL certificate on WFE itself, just on ISA. But the user still get HTTPS connection between him and ISA.

Test Rule shows you HTTP connection, because it shows the communication between ISA and WFE.
The user will see a different picture. he will see HTTPS since he's been served by ISA.

Remember to configure AAM appropriatelly. Also, my advice is to configure WFE the way you can test the sites without load- balancing on the box itself:

SharePoint Load balancing:local settings for a web server