PageGuard: SSL-HTTP switching
- SSL protects login forms, sensitive data
- Switches to plain HTTP after login
- Save processing power and stay secure!
Traffic overhead issues:
- ISA 2006 and TMG can upgrade connections to HTTPS when authentication is required, but they do not support downgrading from HTTPS to HTTP after an authenticated session has been securely established.
- Using HTTPS for all parts of your published infrastructure may cause unacceptably high CPU usage on your server, or require the purchase of several certificates.
- There is no easy way to use link translation to force certain links from HTTP to HTTPS (or vice versa).
Best Solution: Use HTTPS
Since the wide adoption of HTTP version 1.1 by clients, SSL overhead for site publishing is no longer as high as it used to be. The most secure solution is to always publish files with HTTPS. This protects against session hijacking through eavesdropping, e.g. over open wireless connections.
For low-sensitivity sites: Use PageGuard
PageGuard from Collective Software augments the capabilities of ISA 2006 and TMG to allow HTTP site publishing with HTTPS authentication. PageGuard integrates into ISA/TMG to seamlessly solve protocol redirection, without resorting to scripts or other changes on your web servers.
Please be aware that, due to the design of HTTP, providing part of the authenticated site without encryption can enable an eavesdropper (e.g. on an open Wi-Fi network) to gain access to the logged-in session. This does not compromise login information, but the attacker could impersonate the logged-in user to see sensitive data or perform any operations as that user.
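The exposure described above can be checked for in proxy or web logs. The following is an added example, not part of PageGuard or of the original page: it flags session cookies that were issued over HTTPS and later appear in plain-HTTP requests. The log layout, the paths and the cookie name `SESSION` are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample log (not real traffic). Each record is:
# (scheme, path, Cookie request header, Set-Cookie response header).
# The paths and the cookie name "SESSION" are hypothetical.
SAMPLE_LOG = [
    ("https", "/login", "", "SESSION=ab12cd34; Path=/; HttpOnly"),
    ("https", "/account", "SESSION=ab12cd34", ""),
    ("http", "/news/index", "SESSION=ab12cd34", ""),
    ("http", "/img/logo.png", "SESSION=ab12cd34", ""),
    ("https", "/login", "", "SESSION=ef56ab78; Path=/; Secure; HttpOnly"),
    ("https", "/account", "SESSION=ef56ab78", ""),
    ("http", "/news/index", "", ""),
]


def parse(header):
    """Return {name: morsel} for a Cookie or Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    return dict(jar.items())


def find_exposed_sessions(log):
    """Flag cookies issued over HTTPS that later travel over plain HTTP."""
    issued = {}  # (name, value) -> True if issued with the Secure attribute
    findings = []
    for scheme, path, cookie_hdr, set_cookie_hdr in log:
        if scheme == "https":
            for name, morsel in parse(set_cookie_hdr).items():
                issued[(name, morsel.value)] = bool(morsel["secure"])
        elif scheme == "http":
            for name, morsel in parse(cookie_hdr).items():
                key = (name, morsel.value)
                if key in issued:
                    findings.append({"cookie": name, "path": path,
                                     "secure_flag_at_issue": issued[key]})
    return findings


if __name__ == "__main__":
    for f in find_exposed_sessions(SAMPLE_LOG):
        print(f"cleartext session cookie {f['cookie']} on {f['path']} "
              f"(Secure at issue: {f['secure_flag_at_issue']})")
```

In the constructed log, the first session's cookie lacks the `Secure` attribute and is reported on both HTTP requests; the second session's cookie carries `Secure`, so it never appears in an HTTP request and nothing is reported for it.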
To prevent inadvertently decreasing the security of our customers' published sites, Collective will only sell PageGuard by request.
You can still evaluate PageGuard for free, below.
- PageGuard can protect the authentication dialog on a dual HTTP/HTTPS listener and require login over HTTPS, without requiring all parts of the site to use HTTPS.
- PageGuard can specify certain publishing rules, URLs, and/or file extensions that should always be served over HTTPS. This flexibility allows you to protect certain content or pages such as:
  - Sensitive documents
  - Secondary login forms of your internal servers that should be served over HTTPS when being transmitted over the Internet.
- PageGuard can specify certain publishing rules, URLs, and/or file extensions that should always be served over HTTP. This allows you to “force” connections to go to HTTP after authentication is completed, or after an HTTPS page has been viewed.