Well I've asked a ton of questions but now it's time to contribute.
We are fronting Alarmpoint with IIS 7.5 on Windows 2008 servers. Our security folks around here like to dig into everything and one of the things I know they want to see is secure cookies. The manual states:
Note: If you want to use a fronting server and you need to secure cookies, it is strongly
recommended that you use Apache httpd 2.2 (or higher) with xMatters (there is currently no
solution on IIS).
However with IIS 7.5 and the URL Rewrite module from http://www.iis.net/download/urlrewrite which is a Microsoft site it is possible to mark your cookies as secure.
When you create rewrite rules a files is created in the root of your site (i.e. C:\wwwroot\inetpub). If there isn't one, you can create it however I found it easier to create a dummy rule to get the file created. Then you can open the file with your favorite editor and add the outboundRules section below. You will need everything beginningas <outboundRules> and ending at </outboundRules>
<rewrite>
<rules>
.
.
.
</rules>
<outboundRules>
<rule name="Secure Cookie" enabled="true">
<match serverVariable="RESPONSE_SET_COOKIE" pattern="(JSESSIONID.*)" />
<conditions />
<action type="Rewrite" value="{R:1};Secure" />
</rule>
</outboundRules>
</rewrite>
This will mark your cookies as secure and keep your security folks happy. Remember this only works if you are using https. If you aren't using https then you can't and shouldn't try to mark your cookies as secure.