The blog is still in a state of slight flux although the layout is pretty close to where I want it. The main part is the gallery which still needs some overhauling work. I expect to finish work on the CSS for the main portion of the gallery this week (it's been slow going with work and traveling). After that it's time to work over the gallery templates (remember Smarty?). I did get the upgrade done to the gallery and it resolved all of the problems I was experiencing. I also cleaned up the directory structure internal to the site and did some other maintenance. I also installed and set up a nice instance of AWStats (more on that later).
I ran into this problem a few times over the past few years in relation to SSL-to-SSL bridging. If you do not understand this concept:
This is where you terminate an SSL connection at the firewall and then pass it on as a new SSL connection to the web server.
You have a few other options: you could pass the connection straight through the firewall untouched (tunneling), or you could terminate it at the firewall and then pass it on as a normal unencrypted connection to the web server (SSL-to-HTTP bridging).
It is my personal opinion that if you advertise SSL or an encrypted connection you really should pass the connection through the firewall and keep it secure all the way to the server. You are cheating if you don’t. Allowing the connection to tunnel straight through your firewall is great, but then why use a firewall at all (okay there are still plenty of reasons, but that is a subject for a whole different post and perhaps different site). I can give you a few:
Reasons to Bridge SSL -> SSL over Tunneling
- You might want or need to inspect the traffic headed to the server before it arrives.
- You might want to catch traffic and redirect it for the end user.
- You may be performing validation at the perimeter before traffic enters your system.
- Etc.
I had a very difficult time getting my ISA 2004 to web server bridge set up correctly (I’m going to put up a separate post related to the routing table issue I experienced there). The primary issues I experienced were very frustrating and confounded by the fact that dredging up a good answer on the internet seemed impossible. So how do you actually get a certificate installed on the ISA 2004 server to allow SSL -> SSL bridging?
Here are my assumptions:
- You are generating certificates internally (I was).
- You are starting at the IIS server and you are able to correctly request and install a certificate at this level.
- You have the capability to create web publishing rules using ISA 2004.
* I don’t have access to, or use in my production environment, CA-generated certificates for a variety of reasons; the largest being cost. There are definite advantages to using CA-generated certificates as they are trusted by the client computer without intrusion and are far less confusing to the client. This inconvenience has not outweighed the cost involved in doing this for me at this point. I don’t have practical experience to offer specifically related to CA certificates although I would imagine the process is very similar.
Step 1: Export the valid and functioning certificate to a password protected pfx file.
- Open IIS Manager
- Expand the websites and right click your web site.
- Select properties to bring up the Website Properties modal dialog.
- Click the Directory Security Tab
- Click Server Certificate… button under Secure communications
- Select Export the current certificate to a .pfx file (this will not be an option if you don’t have a certificate installed. For information go to: HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003)
- Browse to or enter a path where you want to store your file. I would use a directory shared on the ISA 2004 server if possible.
- Use a password (the .pfx contains the private key, so this prevents the file from being used or digested later if it is found)
Step 2: Move the .pfx file to the ISA 2004 Server if you haven’t already saved it there
Step 3: Open the Certificate Management Console on the ISA 2004 Server
- Click Start -> Run
- Type mmc and hit enter or click ok
- Click File -> Add/Remove Snap-in…
- Click Add (I would leave the drop-down labeled Snap-ins added to: set to Console Root)
- Select Certificates (not certificate authority) and click ok or double click certificates
- Click Ok to return to the MMC Console (you’ll have a single entry for Certificates)
- If you would like to save this for ease of use later try File -> Save As
Step 4: Install the certificate from the .pfx file
- You will want to install this certificate into the Personal Store (it seemed counter intuitive to me to do this)
- Since you have the Certificate Console open (see above step 3) right click the personal folder
- Under All Tasks in the context menu choose Import
- In the Welcome to Certificate Import Wizard click next
- Click browse and navigate to where you saved your .pfx file. (you will need to change the file extension filter to Personal Information Exchange (*.pfx, *.p12) to see your file.)
- Click next
- Type in the password to allow the certificate to be installed (if you used one in step 1). I don’t mark these as exportable because I only ever export from the web server not from the ISA Server.
- Make sure you have the option: Place all certificates in the following store selected and it has Personal as the certificate store.
- If it doesn’t, click Browse and select the Personal folder -> OK
- Click Next
- Click Finish
At this point you have correctly installed the certificate and you should be able to see it when you enable or use SSL in your web listeners.
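The same export and import, scripted, as an added example that is not part of the original post. It assumes the PKI module cmdlets (Export-PfxCertificate / Import-PfxCertificate, shipped with Windows Server 2012 and later), which did not exist on the Windows Server 2003 era hosts the steps above describe; the thumbprint, share path and password prompt are placeholders, and the first half runs on the IIS host while the second half runs on the ISA host.

```powershell
# Added example, not from the original post. Scripts Step 1 (export on the web
# server) and Step 4 (import on the ISA server) using the PKI module cmdlets.
# Thumbprint and share path are placeholders; run each half on the right host.

# --- Step 1, on the web server: export cert + private key to a password-protected PFX ---
$thumbprint = 'REPLACE_WITH_SITE_CERT_THUMBPRINT'   # placeholder: copy it from the IIS binding
$pfxPath    = '\\isa-server\certs\www.pfx'          # assumed share on the ISA host (Step 2)
$pfxPwd     = Read-Host -Prompt 'PFX password' -AsSecureString

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert)               { throw "No certificate with thumbprint $thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; a listener cannot use it' }

# BuildChain packs the internal CA's issuing certificates in with the leaf.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPwd -ChainOption BuildChain | Out-Null

# --- Step 4, on the ISA server: import into the computer's Personal store ---
# -Exportable is deliberately left out so the key stays non-exportable on the firewall,
# matching the post's practice of only ever exporting from the web server.
$imported = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd

# Check what a web listener will actually see: subject, private key present, not expired.
$check = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
'{0}  subject={1}  hasKey={2}  expires={3}' -f $check.Thumbprint, $check.Subject, $check.HasPrivateKey, $check.NotAfter
if (-not $check.HasPrivateKey) { throw 'Imported without a private key; re-export from IIS with the key included' }
if ($check.NotAfter -lt (Get-Date)) { throw 'Certificate is already expired' }

# The PFX carries the private key; do not leave it sitting on the share after the import.
Remove-Item -Path $pfxPath -Force
```

Both halves must run in an elevated session, because Cert:\LocalMachine\My is the store the listener reads; in the MMC steps above that corresponds to choosing Computer account (not My user account) when the Certificates snap-in asks which account to manage, which is the usual reason the imported certificate does not show up in the listener's certificate list.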
Happy hunting!
You may or may not have noticed, but I am working on the layout for my blog. I decided to modify the CSS and header graphics from the Classic Word Press theme which you see now. I’ve added skip links for accessibility as I think that is important. Skip links help people move straight to the content of the post. I’ll be looking at adding more features to make the site accessible as time goes on. Word Press already has pretty good support for accessibility. They use the correct type of navigation (list based) and tag their links. I included a nice header replacement I got from somewhere at A List Apart (I can’t find the exact link), but it looks like this:
#masthead, #masthead span{
width: 640px;
height: 70px;
cursor: pointer;
cursor: hand;
background: #B6965A url(images/masthead.jpg) no-repeat right top;
}
.replace{
position: relative;
margin: 0px;
padding: 0px;
/* hide overflow:hidden from IE5/Mac */
/* */
overflow: hidden;
/* */
}
.replace span{
display:block;
position:absolute;
top:0px;
left:0px;
z-index:1; /*for Opera 5 and 6*/
}
The .replace and .replace span rules cause the text title to be squished to nothing, but it is still visible to a text-based reader. This degrades very nicely. If I credited the wrong source, hopefully someone will let me know and I will fix the link and cite the proper author.
Please excuse the construction and feel free to leave any comments you have about the redesign. The gallery is next on the hit list. I really like the carbon theme so I am considering basing my modifications on that theme instead of what I am currently using (Word Press Gallery 2 Embedded standard theme).
My current setup is Word Press with Gallery 2. There are currently some problems with the gallery install (hopefully not apparent to the end users!). These will likely be fixed with an upgrade to the Gallery 2 installation over the next few weeks.
There will be an update related to this before Friday! Thanks for reading.
If you were not already aware: Microsoft Word® 2007 includes a feature that I really like. You can set it up to post directly to your blog. It has a few different providers. I use Word Press (surprised?). You can find the Blog Post template when you create a New Document with Word®. It is a very easy setup. I am / was very impressed. It took me a few minutes to type in my user name and password and I am now in business.
I haven’t worked on the picture provider yet since I have Gallery 2 embedded (poorly at the moment) in the background, but I suspect there may be a way to integrate it into Word somehow. We’ll see later.
Happy blogging. I know my life is easier now!