
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Hello again Steven,
First, Thanx for the quick response. I've done a fair amount of web
searching on this topic and while letting "normal http or tcp
request/response pass over the wire" may solve the problem from a WSE
standpoint, my understanding of most firewalls is that selectively
blocking/restricting that sort of traffic is their primary purpose. Once
the decision is made to allow the http traffic, then the decision
becomes one of placing the web services box in a DMZ and, if so, then
how to safely get traffic into/out of the secure network. There is the
additional question of whether to proxy or tunnel the requests using the
ISA box. Both of these approaches are demonstrated in the QuickStart but
deciding which to use is a complicated issue (at least to me),
especially if the web server is on a DMZ and must go back through the ISA
server to get to the internal resources it needs (SQL Server, for example).
These are probably non-issues to someone with a lot of networking and
WSE experience but, unfortunately, I'm not one of those people and am
still trying to figure out how best to implement this.
Any help/advice (short of advising me to hire a consultant, that ain't
in the budget :-) is greatly appreciated.
Thanx,
Garth
> Hi Garth,
>
[quoted text clipped - 30 lines]
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
Steven Cheng[MSFT] - 13 Feb 2006 09:25 GMT
Thanks for your response Garth,
IMO, I think the web service server should be placed on a public server in the DMZ
which is highly available to internet clients. And generally, if you're not
using any message level security mechanism (like WSE), we'll consider using
some secure transport channel like SSL/https. However, since you're using
WSE, the client and the web service server can just communicate through a
normal http channel. Then, the backend datastore or application resource
should be deployed on other servers hosted inside the internal network behind
the firewall (not in the DMZ). Thus, you can apply whatever security
protections like firewall, proxy or authentication/authorization between
the web service server and backend application/database servers.
You can also search for some ASP.NET related security articles in the MSDN
center which may introduce some models (maybe using transport layer security
since they're not specific to the WSE scenario).
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch06.asp
Regards,
Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
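The layout Steven describes (WSE endpoint on a DMZ host, SQL Server on the internal network, a firewall filtering every hop between zones) is easy to get subtly wrong when the rules are written by hand, so here is a small first-match policy model of it. This is an added example, not code from the thread, from WSE or from ISA Server; the zone ranges, host addresses, port numbers and rule order are constructed for illustration and stand in for whatever the real ISA/firewall configuration would use.

```python
"""Model of the segmented layout discussed above: one web service host in
the DMZ, one SQL Server host on the internal network, and a firewall that
only passes the flows the design needs (default deny for everything else).

All addresses below are constructed (documentation / RFC 1918 ranges) and
are not taken from the thread or from any real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str             # source network, CIDR notation
    dst: str             # destination network, CIDR notation
    dport: Optional[int] # destination TCP port, None = any port
    action: str          # "allow" or "deny"
    note: str            # why the rule exists


# Constructed addressing for the three zones.
ANY = "0.0.0.0/0"
DMZ = "192.0.2.0/24"             # documentation range standing in for the DMZ
INTERNAL = "10.0.0.0/8"
WEB_SERVICE_HOST = "192.0.2.10/32"
SQL_HOST = "10.1.1.5/32"

# Rules are evaluated top to bottom; the first match wins.
POLICY: List[Rule] = [
    Rule(ANY, WEB_SERVICE_HOST, 80, "allow",
         "clients reach the WSE endpoint over plain HTTP (message-level security in WSE)"),
    Rule(ANY, WEB_SERVICE_HOST, 443, "allow",
         "same endpoint over HTTPS if transport security is wanted as well"),
    Rule(WEB_SERVICE_HOST, SQL_HOST, 1433, "allow",
         "only the web service host may open SQL Server connections"),
    Rule(DMZ, INTERNAL, None, "deny",
         "nothing else crosses from the DMZ into the internal network"),
    Rule(ANY, INTERNAL, None, "deny",
         "the internal network is never directly reachable from outside"),
]


def evaluate(src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Return (action, note) of the first rule matching the flow; default deny."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in POLICY:
        if (src in ip_network(rule.src)
                and dst in ip_network(rule.dst)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action, rule.note
    return "deny", "default deny (no explicit rule)"


def audit(flows: List[Tuple[str, str, int]]) -> List[Tuple[Tuple[str, str, int], str]]:
    """Evaluate a batch of (src, dst, port) flows and return each verdict."""
    return [(flow, evaluate(*flow)[0]) for flow in flows]


if __name__ == "__main__":
    sample_flows = [  # constructed traffic to exercise the policy
        ("203.0.113.7", "192.0.2.10", 80),    # internet client -> web service
        ("192.0.2.10", "10.1.1.5", 1433),     # web service -> SQL Server
        ("192.0.2.20", "10.1.1.5", 1433),     # some other DMZ host -> SQL Server
        ("203.0.113.7", "10.1.1.5", 1433),    # internet client -> SQL Server directly
        ("203.0.113.7", "192.0.2.10", 3389),  # internet client -> web service, admin port
    ]
    for flow, verdict in audit(sample_flows):
        print(f"{flow[0]:>14} -> {flow[1]:<12} :{flow[2]:<5} {verdict}")
```

The point of the ordering is that the host-specific allow for SQL Server sits above the broad DMZ-to-internal deny, so a compromised second host in the DMZ gets nothing inward, while the web service host is allowed exactly one port to exactly one server. Running the script prints allow for the first two flows and deny for the rest.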
Garth Keesler - 13 Feb 2006 16:14 GMT
Sounds good. I'll continue research and test various permutations until
I find one that works like we want, probably using a web server on the
DMZ and WSE for message security.
Thanx again,
Garth
> Thanks for your response Garth,
>
[quoted text clipped - 24 lines]
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
Steven Cheng[MSFT] - 14 Feb 2006 01:23 GMT
You're welcome Garth,
Good luck!
Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)