Do I Need SSL? 2

[prworld]

Hi

I have set up an Extranet for my business, staff connect via the web and input client details into the server. I have a static IP and use IIS to host my site. I cannot restrict access via client IP address due to flexibility requirements, however login/access requires user ID and password. I wonder if I need SSL to give better protection?

 

[damber]

Yes. Plain HTTP doesn't encrypt the content during transport, so any data POSTed to the site is visible to 'would-be-listeners' - who are most likely to abuse the information they see. One exception would be if they used a VPN to connect to the site - which would be (a bit) more secure.

If you have a registered domain name you can buy a ssl certificate from an online vendor, like GoDaddy, Thawte, Verisign etc there are different types, so read up on which you need.

here's a couple of sites that list a few vendors:

http://www.whichssl.com/ssl/enterprise.html

http://www.bitpipe.com/olist/SSL.html

If you're not bothered about the site certificate being fully signed by an approved body (i.e. your users trust the site, and don't need to be reassured etc) then you can self sign using IIS to make the request to an internal certificate authority (if you haven't already got this you can easily install it as part of windows server's additional components).

A smile is worth a thousand kind words. So smile, it's easy!

 

[prworld]

Thanks Damber, that's very useful.

I haven't set up SSL before so I am new to it. I actually run several seperate 'extranets' on my server. Each independant site has it's own users. The users connect via the IP_Noort which my firewall/proxy points to the approporiate 'site' on the IIS server.

It is essential that each extranet remains 'seperate' from each other and I do this via obscure port numbers (eg. service 1 > IPnumber:4574, service 2 > IPnumber:7693, etc.).

I am now attempting to set a certificate up in IIS but it looks like I will need to install the component to 'self sign'.

In the meantime;

I presently host 5 seperate 'Extranets' on my server for different companies. As explained above these are accessed via IP_numberort.

Would I need a seperate SSL certificate creating for each 'server/site'?

At present my IIS serves up the site via specified TCP port number and the SSL port is 'greyed out' (in IIS properties). When I have the certificate, will I be able to specify the SSL port number the way I do now?

At present my client users connect via: http:123.45.67.89:1234

When SSL is set-up am I correct in assuming that they will connect as per: https:123.45.67.89:1234 ?

Thanks again and any advice is greatly appreciated.

 

[lgarner]

You might want to move this to the IIS forum, since there's more specific expertise there.

You can configure the address and port for each virtual server. If the certificate does not match what the user types for the URL, they will get a warning. Also, if the certificate is not signed by a recognized authority, the user sees a warning. So, you can install only one certificate for all sites, or install 5 different ones.

To avoid all popup warnings, you will need 5 certificates, each matching the URL that the user types. I don't know if a CA will issue a cert for an IP address, but I suspect not.