SSL, WCF service hosted on internal domain, consuming app resides in DMZ

Question

Background info:

I have some WCF services that are hosted on an internal server on a specific port. A hole was "punched" in the firewall to make the services on this port accessible from the DMZ. The consuming web app is hosted in the DMZ.

The internal server DOES NOT have an SSL cert.

The DMZ server DOES have an SSL cert.

The problem:

From all that I have read about WCF, my understanding is that I need an SSL cert on the server that hosts the WCF services. Is this correct?

At this time I have been told that we don't know when the internal server will have an SSL cert installed and that I need to come up with a Plan B.

I started looking into going back to ASMX/WSE and it looks like that is going to be a problem since WSE is no longer supported, it does not integrate with VS2008 and it is not compatible with x64 machines.

[rock]Me[hardplace]

The data will contain PII, so I'm quite considered about security...even if others are less concerned.

Are there any options I've overlooked? Have I misunderstood WCF security? Advice?

This post seems somewhat similar.

---

UPDATE

Thanks to mikey's answer and comments I made some changes to my configuration. It took some trial and error and additional Googling...but it seems to be working now (I haven't performed any extensive testing yet). However, I don't know if this is sufficiently secure... Adding my solution to the original post so I can mark mikey's answer as the answer.

My changes

Services:

<behaviors>
    <serviceBehaviors>
        <behavior name="serviceBehavior">
            <dataContractSerializer maxItemsInObjectGraph="6553600" />
            <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
            <serviceMetadata httpsGetEnabled="false" />
            <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
            <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
    </serviceBehaviors>
</behaviors>
<bindings>
    <wsHttpBinding>
        <binding name="customBinding">
            <reliableSession enabled="true" />
            <security mode="None" />
        </binding>
    </wsHttpBinding>
</bindings>
<services>
    <service behaviorConfiguration="serviceBehavior" name="MyApp.WcfServices.MyService">
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="customBinding" contract="MyApp.WcfServices.IMyService">
        </endpoint>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
</services>

Web App:

<bindings>
    <wsHttpBinding>
        <binding name="customBinding" closeTimeout="00:01:00"
                openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"         allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                maxBufferPoolSize="1048576" maxReceivedMessageSize="1048576"
                messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
    maxBytesPerRead="4096" maxNameTableCharCount="16384" />
            <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="true" />
            <security mode="None">
                <transport clientCredentialType="None" />
                <message clientCredentialType="None" negotiateServiceCredential="false" establishSecurityContext="false" />
            </security>
        </binding>
    </wsHttpBinding>
</bindings>
<client>
    <endpoint address="http://[Ip Address]:8943/MyAppWcfServices/Hosts/MyService.svc"
            binding="wsHttpBinding" bindingConfiguration="customBinding"
            contract="MyService.IMyService" name="customBinding" behaviorConfiguration="clientBehavior">
    </endpoint>
</client>

Answer 1

Here are some options:

• You don't need SSL for WCF. You can set security to "None" http://msdn.microsoft.com/en-us/library/ms731172.aspx or http://social.msdn.microsoft.com/forums/en-US/wcf/thread/271b1816-173c-4c76-a4c4-fd9fda4b5e91/ -- then you won't need an SSL cert. Since the traffic is only going between your web server and your app/wcf server the only folks who will be able to sniff it should be internal folks... At some point you have to trust your network is working as intended. I often use only HTTP (not SSL) for web services between app and web servers on the same network especially when speed is an issue.

• use a self-signed certificate on the app server. Ensure that the web server in the DMZ is configured to trust the certificate (and/or its CA) and you should be good to go.