Background info:

I have some WCF services that are hosted on an internal server on a specific port. A hole was “punched” in the firewall to make the services on this port accessible from the DMZ. The consuming web app is hosted in the DMZ.

The internal server DOES NOT have an SSL cert.

The DMZ server DOES have an SSL cert.

The problem:

From all that I have read about WCF, my understanding is that I need an SSL cert on the server that hosts the WCF services. Is this correct?

At this time I have been told that we don’t know when the internal server will have an SSL cert installed and that I need to come up with a Plan B.

I started looking into going back to ASMX/WSE and it looks like that is going to be a problem since WSE is no longer supported, it does not integrate with VS2008 and it is not compatible with x64 machines.

[rock]Me[hardplace]

The data will contain PII, so I’m quite considered about security…even if others are less concerned.

Are there any options I’ve overlooked? Have I misunderstood WCF security?
Advice?

This post seems somewhat similar.

UPDATE

Thanks to mikey’s answer and comments I made some changes to my configuration. It took some trial and error and additional Googling…but it seems to be working now (I haven’t performed any extensive testing yet). However, I don’t know if this is sufficiently secure…
Adding my solution to the original post so I can mark mikey’s answer as the answer.

My changes

Services:

<behaviors>
    <serviceBehaviors>
        <behavior name="serviceBehavior">
            <dataContractSerializer maxItemsInObjectGraph="6553600" />
            <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
            <serviceMetadata httpsGetEnabled="false" />
            <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
            <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
    </serviceBehaviors>
</behaviors>
<bindings>
    <wsHttpBinding>
        <binding name="customBinding">
            <reliableSession enabled="true" />
            <security mode="None" />
        </binding>
    </wsHttpBinding>
</bindings>
<services>
    <service behaviorConfiguration="serviceBehavior" name="MyApp.WcfServices.MyService">
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="customBinding" contract="MyApp.WcfServices.IMyService">
        </endpoint>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
</services>

Web App:

<bindings>
    <wsHttpBinding>
        <binding name="customBinding" closeTimeout="00:01:00"
                openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"         allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                maxBufferPoolSize="1048576" maxReceivedMessageSize="1048576"
                messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
    maxBytesPerRead="4096" maxNameTableCharCount="16384" />
            <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="true" />
            <security mode="None">
                <transport clientCredentialType="None" />
                <message clientCredentialType="None" negotiateServiceCredential="false" establishSecurityContext="false" />
            </security>
        </binding>
    </wsHttpBinding>
</bindings>
<client>
    <endpoint address="http://[Ip Address]:8943/MyAppWcfServices/Hosts/MyService.svc"
            binding="wsHttpBinding" bindingConfiguration="customBinding"
            contract="MyService.IMyService" name="customBinding" behaviorConfiguration="clientBehavior">
    </endpoint>
</client>