Firewalls and Internet Based Client Management: Part 1

Let's jump right in to one of the most complicated, and frankly, confusing aspects about Internet Based Client Management (IBCM), and that's how to use it with firewalls. I'm going to focus on its use with ISA server, because that's what I have the most experience using. Because IBCM requires native mode, and this requires SSL, it presents some interesting challenges and configurations required for firewalls.

When creating the necessary server rules for IBCM using ISA, there's two options: SSL bridging (sometimes called SSL termination or server publishing), or SSL tunneling. Both have their own strengths and weaknesses.

SSL Tunneling: tunneling is the most simple means of getting traffic through a firewall to your management point and distribution point from the Internet. In essence, it's simply brokering traffic from point A to point B. It is very fast as it's just passing bits around. However, you cannot perform any traffic inspection or use any advanced firewall features because all it's doing is shifting encrypted blobs around. It doesn't know or care about what's in the data, it just wants to move data.

SSL Bridging: bridging is the most complicated, but also the most secure means of getting traffic through a firewall to your management point and distribution point from the Internet. It requires a certificate on its end, and the client actually uses the SSL bridge as its "management point". The SSL bridge decrypts the traffic, performs any inspection on it, and then re-encrypts it with its own certificate, and passes it to the actual management point. This obviously can have a very large performance penalty as you're doubling the encryption and decryption required. This is also very complicated to set up since you have to double your certificates.

For comparison, here's a couple pictures I made a while back for a presentation that showed the comparitive differences between the two:

SSL tunneling:

SSL tunneling 

SSL bridging:

SSL bridging

Those images put into perspective what the different modes are doing and what they mean to IBCM.

In Part 2, I will discuss the finer points of actually configuring ISA for use with Configuration Manager with some sample configurations.

Comments (2)

  1. In case you are doing Internet Based Client Management (IBCM), Adam has a great article on configuring

  2. Gabe Brown says:

    If you have read the blog entries and still have questions on setup, you can request documentation from the ISA Server team for how to configure ISA with Internet-based site systems in Configuration Manager 2007, send an email jointly to and

Skip to main content