How do I secure transport for .Net 2.0 client to 3.5 standalone WCF webservice?

We sell point of sale systems which normally entail a single back of store server and multiple terminals.

We are developing a new product that requires the terminals to communicate with the back of house machine via a web service. The back of house is implemented as standalone Windows service with WCF. The terminal software is a c++ app that calls our .Net DLL via unmanaged/managed bridge.

The real issue we're having is that, because of resource constraints on the terminals, we cannot go above .Net 2.0 ( and thus cannot use WCF ). This is not a problem in terms of getting the two to talk to each other via BasicHttpBinding. However, adding encryption has been a major headache.

I have been able to get a basic self-signed cert working (Since the server goes to customers, CAs are out of the questions.) The problem is the steps I had to go through to do this are not practical for our deliverable product.

OK, long preamble - bottom line ... WCF standalone web service, .Net 2 client, running on intranet, just need transport encryption. And we need to be able to have the complete installation automatable. Also, we're not married to SSL, but it seemed to be the only viable solution given the constraints we have. Any help or advice would be appreciated.

Here is a similar question I asked some time ago:

How to configure security when calling WCF Service from .Net 2.0 Client

What I ended up doing is the following which has worked well - using BasicHttpBinding:

1. Secured the transport with SSL
2. Clients first login to the web service by calling a Login method on the web service. If the login succeeds, it returns an encrypted FormsAuthenticationTicket to the client.
3. Clients must then supply the forms authentication ticket with each web service call. Each method checks if the ticket is valid and if so it does its work. If the ticket has expired or is invalid, clients must re-authenticate.

This doesn't get you away from SSL, but might get you closer to what you need. One option might be to encrypt the data/objects you are sending through to the back of store server manually to avoid SSL.