In theory you could do both as IIS allows you to have HTTP & HTTPS running at the same time; however, I have seen that if SSL isnt enforced in IIS the clients running over HTTPS will receive HTTP locations, which will probably not work for them as your firewall will no doubt only accept HTTPS traffic..