Ask the Expert

Securing a front-end certificate server

I have set up a front-end server to be the certificate server. How do I set up the back-end server to use this certificate, and make the requests on the main server go to the back-end server? The back-end server's Internet Information Server Exchange site has the red stop sign. What does that mean? It seems to work for HTTP traffic directly, just not from the front-end server, which is configured to require SSL.

    Requires Free Membership to View

You have fallen subject to a common misconception. That is that enabling SSL on a front-end server secures not only client to front-end server communications, but that it also secures front-end to back-end communication. As you have discovered, that is not how it works.

There are a few things that I want to share with you that I think will help you on your way.

  1. The front-end server is probably not the best place to install a certificate authority (CA). A better, more secure place would be a dedicated server; however, a more common location is a domain controller. There is a huge security risk placing the CA on a front-end server, especially if it will be located in a DMZ.

  2. The front-end server is the place to install the certificate, not the back-end server -- and you only need to install the certificate on the front-end server or servers. The only time you would need to install a certificate on the back-end server is if you are not deploying front-end servers.

    As far as getting the front-end server to communicate with the back-end server, you need to allow port 80 communications if there is a firewall in between them. They will not communicate with each other over port 443 as you might have expected.

    Note: There are additional ports I have not listed here that must be opened between if a firewall separates the front-end server from the internal network.

  3. Finally, to secure your front-end to back-end communications, you can implement IPsec policies on your front-end and back-end servers. If you use the default policies, I would enable the "Server (Request Security)" on both servers. This will encrypt all traffic between the two servers but will still allowed non-IPsec communications with other servers and clients.


Do you have comments on this Ask the Expert Q&A? Let us know.
Related information from SearchExchange.com:

  • Learning Guide: A primer on server roles and Exchange hardware
  • Reference Center: Permissions and passwords


  • This was first published in July 2005

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: