Topic Last Updated—August 2008

If you are using proxy Web servers with Internet-based client management in Configuration Manager 2007, the requirements for these servers are listed in the following sections.

If you are using Microsoft Internet Security and Acceleration (ISA) Server as your proxy Web server, refer to the following information:

Support for Secure Sockets Layer (SSL)

Note
SSL termination with authentication using bridging technology is recommended, although SSL tunneling is also supported if your proxy Web server cannot support bridging with authentication. For more information, see the Microsoft Internet Security and Acceleration Server documentation about the differences between bridging and tunneling (http://go.microsoft.com/fwlink/?LinkId=80311).
  • SSL bridging to SSL:

    The recommended configuration when using proxy Web servers with Configuration Manager 2007 Internet-based client management is SSL bridging to SSL, using termination with authentication. Client computers must be authenticated using machine authentication, and client mobile devices are authenticated using user authentication.

    The benefit of SSL termination at the proxy Web server is that packets from the Internet are subject to inspection before they are forwarded to the internal network. The proxy Web server authenticates the connection from the client, terminates it, and then opens a new authenticated connection to the Internet-based site systems. When Configuration Manager clients use a proxy Web server, the client identity (client GUID) is securely contained within the packet payload so that the management point does not consider the proxy Web server to be the client. Bridging from HTTP to HTTPS, or from HTTPS to HTTP, is not supported in Configuration Manager 2007.

  • Tunneling:

    If your proxy Web server cannot support the requirements for SSL bridging, SSL tunneling is also supported. This is a less secure option because the SSL packets from the Internet are forwarded to the site systems without termination, so they cannot be inspected for malicious content. When using SSL tunneling, there are no certificate requirements for the proxy Web server.

Certificate Requirements for SSL Bridging

  • Web server certificate for server authentication and SSL if you are using bridging:

    • The certificate must chain to a root authority that is trusted by client computers.

    • The certificate must contain the Internet fully qualified domain names (FQDNs) of all the Internet-based site systems in the Subject Alternative Name field.

  • Client machine certificate for authentication if you are using bridging for client computers:

    • The certificate must chain to a root certification authority that is trusted by the site system servers.

    • The certificate must have a unique value in the Subject field or the Subject Alternative Name field.

  • Client user certificate for authentication if you are using bridging for client mobile devices:

    • The certificate must chain to a root certification authority that is trusted by the site system servers.

    • The certificate must have a unique value in the Subject field or the Subject Alternative Name field.
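
The following checks are an added example, not part of the original Configuration Manager documentation. They test two of the requirements listed above (the Internet FQDNs in the Web server certificate's Subject Alternative Name field, and a unique Subject or Subject Alternative Name value for each client certificate) against certificates in the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`. The host names, certificate contents and function names are constructed for illustration, and literal, case-insensitive name matching is an assumption.

```python
from collections import Counter

# Constructed sample data in the shape returned by ssl.SSLSocket.getpeercert().
PROXY_CERT = {
    "subject": ((("commonName", "proxy.example.com"),),),
    "subjectAltName": (("DNS", "mp.example.com"), ("DNS", "dp.example.com")),
}
SITE_SYSTEM_FQDNS = ["MP.example.com", "dp.example.com", "sup.example.com"]
CLIENT_CERTS = [
    {"subject": ((("commonName", "client01"),),),
     "subjectAltName": (("DNS", "client01.example.com"),)},
    {"subject": ((("commonName", "client"),),),
     "subjectAltName": (("DNS", "client02.example.com"),)},
    {"subject": ((("commonName", "client"),),)},
    {"subject": ((("commonName", "client"),),)},
]

def san_value(cert):
    """Subject Alternative Name entries as a sorted, comparable tuple."""
    return tuple(sorted(cert.get("subjectAltName", ())))

def subject_value(cert):
    """Subject attributes flattened out of their RDN grouping."""
    return tuple(attr for rdn in cert.get("subject", ()) for attr in rdn)

def missing_internet_fqdns(proxy_cert, fqdns):
    """Internet FQDNs that are absent from the Web server certificate's SAN.
    Assumption: names must appear literally; DNS names compare case-insensitively."""
    present = {v.lower() for k, v in san_value(proxy_cert) if k == "DNS"}
    return sorted(f.lower() for f in fqdns if f.lower() not in present)

def non_unique_client_certs(certs):
    """Indexes of client certificates with no unique Subject or SAN value."""
    subjects = Counter(subject_value(c) for c in certs)
    sans = Counter(san_value(c) for c in certs)
    failing = []
    for i, cert in enumerate(certs):
        subj, san = subject_value(cert), san_value(cert)
        unique_subject = bool(subj) and subjects[subj] == 1
        unique_san = bool(san) and sans[san] == 1
        if not (unique_subject or unique_san):
            failing.append(i)
    return failing

if __name__ == "__main__":
    print("FQDNs missing from SAN:", missing_internet_fqdns(PROXY_CERT, SITE_SYSTEM_FQDNS))
    print("Client certificates failing uniqueness:", non_unique_client_certs(CLIENT_CERTS))
```

In the sample data, the second client certificate shares its Subject with two others but passes because its Subject Alternative Name value is unique.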

Fallback Status Point Requirements

  • Support for HTTP:

    • If you are using an Internet-based fallback status point, the proxy Web server must accept HTTP traffic.

DNS Requirements

  • The Internet-based site systems must be configured with an Internet FQDN in Configuration Manager 2007, which is also registered on public Internet DNS servers with the IP address of your proxy Web server.

  • The Internet-based site systems must be published on the proxy Web server with the Internet FQDN they are configured to use in Configuration Manager 2007.

Application Level Inspection

If the proxy Web server performs application-level inspection, it must allow the following communication between Configuration Manager clients and Internet-based site systems:

  • HTTP version 1.1

  • HTTP content type of multipart MIME attachment

  • Required verbs and HTTP headers

For more information, see the external dependencies listed in Prerequisites for Internet-Based Client Management.
