IIS 5 & IIS 6
Website secure and unsecure pages
Last post Jun 25, 2009 03:19 PM by pwyatt1
Jun 19, 2009 12:26 PM|pwyatt1|LINK
Note to Forum Admin - I don't know if this is the right forum. Please move if necessary to the appropriate forum. Thanks.
I plan to create secure SSL access to parts of my new website and also offload the SSL certificate and SSL processing to a new load balancer we have purchased. I have set up Port 80 for the usual HTTP and port 443 for the HTTPS.
My problem is my website (which we host on our own servers under IIS 6.0). I only want the shopping cart pages to be accessed by SSL. The rest of the pages I want to be accessed by unsecure anonymous access. How do I set up my website under IIS where the
pages are split into unsecure and secure access?
website secure and unsecure access
Jun 22, 2009 10:21 PM|Leo Tang - MSFT|LINK
To configure the shopping cart pages to be accessed by SSL, you can enable the Require secure channel feature for these specific pages(Right Click the specific folder or page->Click Properties->Edit Secure communications in the Directory Security tab->Select
Require secure channel).
With default settings, the rest page can be accessed through unsecure channel.
Below are some articles about more SSL configuration information, hope helpful for you:
How to implement SSL in IIS
How to load balance a Web server farm by using one SSL certificate in IIS 6.0 and in IIS 5.0
Jun 23, 2009 11:17 AM|pwyatt1|LINK
The SSL certificate is installed into the load balancer and is fine. So we don't need to install any certificates onto the IIS servers.
One more question. Do the hyperlinks from the front-end pages linking to the ssl pages in the shopping cart have to have the "https://" in the hyperlinks or does IIS see the folder attributes of the shopping cart folders and hyperlink with no problem?
Jun 23, 2009 02:25 PM|murtaza_t|LINK
When you say "SSL is installed on the Load Balancer" does that mean that you have a different server in front of your web servers to load balance the traffic and that you are not using the Windows standard NLB opton in the network adoptor..?
The hyperlinks will be needed to be defined in your code with the https prefix or else it will just append to the prefix that is already used, IIS will not redirect any request automatically.
Jun 23, 2009 02:39 PM|pwyatt1|LINK
The load balancer (Kemp 2000 Loadmaster) has the certificate installed and handles all SSL request/responses. i.e. all SSL functions are off-loaded to the load balancer, precluding the need to have one or more IIS servers with the SSL certificate installed.
Of course everything behind the load balancer is unsecure, but that is not a problem as all incoming ttraffic comes through the load balancer.
That was the reason for my "https://" question regarding the shoping cart pages.
Jun 25, 2009 03:02 AM|murtaza_t|LINK
Thanks for the explanation.
To distinguish between secure and non secure pages you will have to code your application in that way. You will not be able to handle this through IIS alone. You can either write a IF Loop to check the browser request or use a third part ISAPI rewrite tool
to redirect request accordingly. In both cases you will need additional coding to achieve this.
Jun 25, 2009 03:19 PM|pwyatt1|LINK