"Rev Up Security with ISA Server 2004," November 2004, InstantDoc ID 44068, introduces an example that shows how you can use Microsoft Internet Security and Acceleration (ISA) Server 2004 to increase security for Internet-facing applications and services such as Microsoft Exchange Server. In that article, I began walking you through a configuration that uses an ISA Server firewall (which I refer to as the ISA firewall) to enhance the security of a front-end/back-end Exchange setup in which the front-end Exchange server publishes a Microsoft Outlook Web Access (OWA) site that remote users access across the Internet. "Rev Up Security with ISA Server 2004" includes a detailed description of the sample setup and the first five steps in publishing the OWA site. Let's continue with the remaining steps (6 through 13).

6. Create a User Account for the ISA Firewall
You need to create a user account for the ISA Server firewall service so that you can request a client certificate for that service. The ISA firewall presents this certificate to the front-end Exchange server's OWA Web site when it opens the bridged SSL connection. The account has no special requirements: it needs no group memberships beyond Domain Users, no administrative rights, and no Exchange mailbox. Keep it that way; the account exists only so that a certificate can be issued to it.

Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and create the user account. For this example, I created the domain account webproxy.

7. Request a Client Certificate for the ISA Firewall's Web Proxy
Next, you need to request the client certificate and install it in the ISA Server's machine certificate store. Later, you'll move the certificate to the firewall service's personal certificate store.

Before you can request the certificate, you need to change the ISA firewall's system policy so that the firewall can use HTTP to connect to the Certification Authority (CA). You can leave this rule enabled, or you can disable it after you obtain the certificate. Leave it enabled if you want the ISA firewall to download certificate revocation lists (CRLs); if you disable it, the firewall can no longer fetch CRLs from that CA and revocation checking for certificates the CA issued will fail.

Open the ISA Server Management console (under All Programs, Microsoft ISA Server). Expand the server node and click Firewall Policy in the left-hand pane. Go to the Tasks tab and click Show System Policy Rules to expose the firewall's system policy rules. Scroll through the list of revealed system policy rules and double-click rule 26, Allow HTTP from ISA Server to all networks for CRL downloads. On the To tab, select the network on which the CA resides. Select the Enable check box on the rule's General tab. Click OK, then click Apply to save the changes to the system policy.

Open Microsoft Internet Explorer (IE) and enter the URL for the enterprise CA Web enrollment site, using the format http://CA_IP_address/certsrv. When the logon dialog box appears, enter the firewall service account's name and password (webproxy in this example), not your own credentials. The CA issues the certificate to the account that authenticates to the enrollment site, so logging on as yourself would produce a certificate for your own account instead of one for the firewall service.

Click Request a certificate on the Web enrollment site's Welcome page, then click Advanced Certificate Request on the Request a Certificate page. Click Create and submit a request to this CA on the Advanced Certificate Request page. On the same page, select User from the Certificate Template drop-down list, as Figure 1 shows. Select the Store certificate in the local computer certificate store check box. Leave all other options at their defaults and click Submit.

Click Yes in the dialog box that informs you that a certificate request is being made, then click Install this certificate on the Certificate Issued page. Click Yes in the dialog box that asks whether you want to add the certificate to the ISA firewall's machine store. Close the browser after you see the Certificate Installed page. Hide the system policy by clicking Hide System Policy Rules on the Tasks tab.

8. Import the Web Site Certificate
Now you can place the Web site certificate and the firewall service's client certificate into the appropriate locations (i.e., the ISA firewall's machine certificate store and the firewall service's personal certificate store, respectively). First, bring the Web site certificate file that you generated on the OWA server to the ISA firewall. You can copy the file to the ISA firewall's local hard disk, or you can insert the removable media that holds the file into the ISA server and import the file directly from that location. The latter option is more secure: the file contains the OWA Web site's private key, and importing from removable media means a copy of that key never has to sit on the firewall's hard disk. If you do copy the file to the local disk, delete it as soon as the import is complete.

Open an empty MMC console and add a standalone Certificates snap-in. On the Certificates snap-in page, select the Computer account option; on the Select Computer page, select the Local computer option.

Add another Certificates snap-in, but this time on the Certificates snap-in page, select the Service account option. Select the Local computer option on the Select Computer page, then select the Microsoft Firewall service account on the Service Account page. Two snap-ins will now be visible in the console's left-hand pane, as Figure 2 shows.

Expand the Certificates (Local Computer) node, then expand the Personal node. Right-click the Certificates node (under Personal), then select All Tasks, Import from the context menu to open the Certificate Import Wizard. This wizard walks you through the process of importing the Web site certificate from the certificate file you created on the OWA Web server machine.

When you get to the Password page, enter the password you assigned to the certificate file. Don't select the option to mark the private key as exportable. If you do, an intruder who manages to gain access to the ISA firewall (remotely or physically) can export the OWA Web site's private key and impersonate the site or decrypt captured sessions; with the key marked non-exportable, the CryptoAPI provider refuses to hand it out.

After completing the wizard, you'll see the CA certificate, the OWA Web site certificate, and the machine certificate in the console's right-hand pane. The CA certificate ends up in the Personal store only because the certificate file you exported from the OWA server included it; it doesn't belong there. You can remove it if it's already present in the ISA firewall's Trusted Root Certification Authorities certificate store. In our example, we don't need to copy the CA certificate anywhere because we're using an enterprise CA that belongs to the same domain as the ISA firewall, and Active Directory distributes an enterprise CA's certificate to domain members' Trusted Root Certification Authorities store automatically.

9. Import the Client Certificate
You need to move the ISA firewall's client certificate from the ISA Server's machine certificate store to the ISA firewall service's personal certificate store. In the Certificates (Local Computer)\Personal\Certificates folder, right-click the firewall service's client certificate (the one issued to webproxy) and select Cut from the context menu. Expand the Certificates - Service (Microsoft Firewall) on Local Computer node and right-click the fwsrv\Personal node. Click Paste. (If the Paste command isn't available, repeat the cutting process.) The ISA firewall service's client certificate will appear in the fwsrv\Personal folder, and it should no longer appear in the machine store's Personal folder.
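As an added check that is not part of the original article, the following Windows PowerShell script verifies the end state of steps 7 through 9 on the ISA firewall: the OWA Web site certificate is in the machine Personal store with a Server Authentication EKU and a private key that is not exportable, the client certificate issued to the service account is in the firewall service's Personal store with a Client Authentication EKU, and no copy of the client certificate lingers in the machine store. The OWA FQDN is a placeholder you must replace; the service account name webproxy comes from the article; the store name fwsrv\My is my assumption, derived from the fwsrv\Personal folder the MMC shows (fwsrv being the Microsoft Firewall service's short name). Because the Cert: drive can't open a service account's store, the script calls the Win32 CertOpenStore function directly. Run it with administrative rights on the ISA firewall under Windows PowerShell 2.0 or later.

```powershell
# Editor-added verification script; not from the original article or from Microsoft.
$OwaFqdn        = 'owa.example.com'   # ASSUMPTION: replace with your OWA site's FQDN
$ServiceAccount = 'webproxy'          # service account created in step 6
$ServiceStore   = 'fwsrv\My'          # ASSUMPTION: Microsoft Firewall service's Personal store

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$EkuOid        = '2.5.29.37'

# The Cert: drive cannot open a service store, so P/Invoke CertOpenStore (crypt32.dll).
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NativeCertStore
{
    public static readonly IntPtr CERT_STORE_PROV_SYSTEM_W = new IntPtr(10);
    public const uint CERT_SYSTEM_STORE_SERVICES    = 0x00050000;   // CERT_SYSTEM_STORE_SERVICES_ID (5) << 16
    public const uint CERT_STORE_OPEN_EXISTING_FLAG = 0x00004000;
    public const uint CERT_STORE_READONLY_FLAG      = 0x00008000;

    [DllImport("crypt32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr CertOpenStore(IntPtr lpszStoreProvider, uint dwEncodingType,
                                              IntPtr hCryptProv, uint dwFlags, string pvPara);
}
'@

function Get-ServiceStoreCertificates([string]$StorePath) {
    # $StorePath has the form "ServiceName\StoreName", e.g. fwsrv\My
    $flags  = [uint32]([NativeCertStore]::CERT_SYSTEM_STORE_SERVICES -bor
                       [NativeCertStore]::CERT_STORE_OPEN_EXISTING_FLAG -bor
                       [NativeCertStore]::CERT_STORE_READONLY_FLAG)
    $handle = [NativeCertStore]::CertOpenStore([NativeCertStore]::CERT_STORE_PROV_SYSTEM_W,
                                               0, [IntPtr]::Zero, $flags, $StorePath)
    if ($handle -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "CertOpenStore failed for '$StorePath' (Win32 error $err)"
    }
    # X509Store duplicates the handle, so the certificates stay usable after we return.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($handle)
    return @($store.Certificates)
}

function Test-Eku($Cert, [string]$Oid) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    if (-not $ext) { return $false }   # treat a missing EKU as a failure, not as "any purpose"
    foreach ($usage in $ext.EnhancedKeyUsages) { if ($usage.Value -eq $Oid) { return $true } }
    return $false
}

function Report([bool]$Ok, [string]$Message) {
    if ($Ok) { "PASS  $Message" } else { "FAIL  $Message" }
}

# --- Step 8: OWA Web site certificate in the machine Personal store ---
$owa = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*CN=$OwaFqdn*" })
Report ($owa.Count -eq 1) "exactly one certificate for CN=$OwaFqdn in LocalMachine\My (found $($owa.Count))"
if ($owa.Count -ge 1) {
    $c = $owa[0]
    Report $c.HasPrivateKey             "OWA certificate has its private key"
    Report (Test-Eku $c $ServerAuthOid) "OWA certificate carries the Server Authentication EKU"
    try {
        # CryptoAPI keys (what the Certificate Import Wizard creates on Windows Server 2003)
        # expose the exportable flag through CspKeyContainerInfo; a CNG key lands in the catch.
        $exportable = $c.PrivateKey.CspKeyContainerInfo.Exportable
        Report (-not $exportable)       "OWA private key is NOT exportable"
    } catch {
        "WARN  could not read the OWA private key's exportable flag: $($_.Exception.Message)"
    }
}

# --- Step 9: firewall service's client certificate in fwsrv\Personal ---
$client = @(Get-ServiceStoreCertificates $ServiceStore | Where-Object { $_.Subject -like "*CN=$ServiceAccount*" })
Report ($client.Count -eq 1) "exactly one certificate for CN=$ServiceAccount in $ServiceStore (found $($client.Count))"
foreach ($c in $client) {
    Report $c.HasPrivateKey             "client certificate has its private key"
    Report (Test-Eku $c $ClientAuthOid) "client certificate carries the Client Authentication EKU"
    Report ($c.NotAfter -gt (Get-Date)) "client certificate has not expired (expires $($c.NotAfter))"
}

# After the cut-and-paste, no copy of the client certificate should remain in the machine store.
$leftover = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*CN=$ServiceAccount*" })
Report ($leftover.Count -eq 0) "no copy of the client certificate left in LocalMachine\My"
```

Every line prints PASS or FAIL, so the script can be rerun after any later change to the firewall's certificates. A FAIL on the exportable check means the Web site certificate was imported with the exportable option selected; the fix is to delete that certificate and repeat step 8, because the flag can't be cleared on an existing key container.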
