Recently some of my peers and I were discussing what is best practice for configuring urls for SharePoint when intending to publish through ISA and use SSL. It goes without saying that in most scenarios, when using ISA and corporate credentials you’re going to use SSL for all external access through Threat Management Gateway/Internet Acceleration Server. The question then becomes where to terminate SSL.

From a security perspective, an argument can be made it’s not necessary to enable SSL on the SharePoint servers themselves (leaving internal traffic unencrypted) but you can avoid the security question and focus on usability. While TMG/ISA can do link translation and SharePoint Alternate Access Mappings also assists in ensuring the right protocol is returned for links, the fact is having one, well-known url to access SharePoint helps substantially in the usability department and also eliminates potential support issues.

One thing that may not be necessary (depending on your organization’s existing security practices) is using the public SSL cert on your internal site. We use a self-published cert internally and only use the public cert on the ISA gateway. This helps a little bit on cert management, which may or may not be a big issue for your organization.