Of these approaches, only SSL bridging options 1 and 3 are truly secure. From a security standpoint, SSL bridging option 2, which doesn't secure traffic between the client and the HTTP proxy (i.e., traffic that typically flows across a public network), doesn't make sense. This option secures traffic only between the HTTP proxy and the Web server (i.e., traffic that typically flows across a trusted network or DMZ).
Let's take a closer look at how to configure ISA Server to support SSL bridging and SSL tunneling. Of these two options, SSL bridging is the most commonly used approach, so most of the discussion focuses on that option.
Obtaining an SSL Certificate for the ISA Server
Before you can configure ISA Server for SSL bridging option 1 or 3, you must install an SSL server certificate on the computer running ISA Server. In my test environment, I set up a Win2K enterprise Certificate Authority (CA) in a trusted security zone (i.e., the intranet) to generate SSL server certificates. In environments lacking internal CAs, you must obtain SSL server certificates from a public CA such as VeriSign.
In the following discussion, I explain only how to obtain an SSL certificate for ISA Server; describing how to make sure that the ISA/OWA users trust the SSL certificates of the issuing CA is beyond the scope of this article. The ISA Server Feature Pack 1 documentation covers that procedure.
To request an SSL server certificate for ISA Server, start the Microsoft Management Console (MMC) Internet Services Manager (ISM) snap-in on the CA server, then open the default Web site properties. From the Directory Security tab, click Server Certificate to open the Certificate Request Wizard. Select the Create a new certificate option. In this example, you can also select Send the request immediately to an online certification authority option because the CA is an enterprise CA that's published in Active Directory (AD) and thus visible to the Web server. Make sure you complete the DNS name (e.g., OWA.mycorp.com) for your OWA front-end Web server in the Common Name field. After you successfully create the SSL server certificate, you must export the certificate and the corresponding private key from the CA server and import them on the ISA Server system.
The main reason the Web server provides ISA Server's SSL certificate is ease of configuration: IIS comes with an SSL certificate request wizard. You can also launch the SSL certificate request from ISA Server, in which case ISA Server's private key never leaves the machine, but the certificate request procedure is more complex.
To export the SSL server certificate and the corresponding private key from the Web server, open the default Web site properties and go once more to the Directory Security tab. This time, click View Certificate. In the Details tab, click Copy to File to open the Certificate Export Wizard. Select the Yes, export the private key option. In the Public Key Cryptography Standard #12 (PKCS#12) export file format options, select the Enable strong protection option (so that the wizard will prompt you to enter a password) and the Delete the private key if export is successful option. Save the PKCS#12 formatted file, then copy the file to the ISA Server system.
To import the SSL server certificate and corresponding private key into ISA Server's certificate and private key store, double-click the PKCS#12 file from Windows Explorer to open the Certificate Import Wizard. Leave all the defaults set in the wizard and make sure you enter the correct password. The wizard will automatically store the certificate in ISA Server's local machine certificate store.
Next, you must configure ISA Server to use the SSL server certificate. Start the MMC ISA Management snap-in, locate your ISA Server object, right-click the object, then select Properties. Select the Incoming Web Requests tab. Select Use the same listener configuration for all IP addresses or Configure listeners individually per IP address, depending on your ISA Server configuration and which connections you want to secure with SSL. Highlight the appropriate server from the list, then click Edit to open the Add/Edit Listeners dialog box. Select the Use a server certificate to authenticate to web clients check box. Click Select, then select the correct certificate (in this example, the one issued to OWA.mycorp.com).
Configuring ISA Server for SSL Bridging
After you create the SSL certificate, you're ready to configure SSL bridging. The first step is to ensure that ISA Server accepts incoming SSL requests. To verify that ISA Server's SSL listener is enabled, select the Enable SSL listeners check box on the Incoming Web Requests tab of the ISA Server object's Properties dialog box. By default, ISA Server's listener is disabled; however, when enabled, ISA Server listens on port 443 for incoming SSL requests.
Next, you must create an ISA Server destination set and Web-publishing rule for OWA. A destination set is a group of servers for which ISA Server will perform specific actions. In our example, we want ISA Server to perform SSL bridging when an HTTP Secure (HTTPS) request comes in for the OWA Web pages. To create a destination set for OWA, expand the Policy Elements container in the ISA Management snap-in, right-click the Destination Sets container, then select New, Set to open the New Destination Set dialog box. Give the set a name (e.g., OWA), then click Add to start adding OWA destinations. In this example, the OWA front-end Web server's DNS name, which is published to OWA users, is OWA.mycorp.com. Because OWA requires a destination set for three Web paths (/exchweb/*, /public/*, /exchange/*), you'll need to add these paths. For each path, complete the destination DNS name (in this case, OWA.mycorp.com) and the path.
To redirect all HTTP requests for OWA.mycorp.com to the OWA front-end Web server with IP address 10.0.0.45, you need to create an OWA Web-publishing rule. To create the rule, expand the Publishing container in the ISA Management snap-in, right-click the Web Publishing Rules container, then select New, Rule to open the New Web Publishing Wizard. Give the rule a name (e.g., OWA), then apply the rule to the OWA destination set you just created. Apply the rule to any request, and tell the rule to redirect the request to the OWA front-end Web server (e.g., the OWA front-end Web server's IP address, 10.0.0.45). Also, make sure that you select the Send the original host header to the publishing server instead of the actual one (specified above) check box.
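To make the destination-set and publishing-rule logic above concrete, here is a small added Python model (not ISA Server code and not an ISA API) that classifies request URLs against the OWA destination set and shows what the front-end server receives as its Host header with and without the "Send the original host header" option; the host name, paths and IP address are the page's example values.

```python
"""Model of the OWA destination set and Web-publishing rule described above.
Constructed example for illustration; it is not ISA Server code."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Destination set "OWA": the published DNS name plus the three OWA paths.
OWA_HOST = "owa.mycorp.com"
OWA_PATHS = ("/exchweb/*", "/public/*", "/exchange/*")
# Internal OWA front-end Web server the rule redirects matching requests to.
OWA_FRONT_END = "10.0.0.45"


def in_owa_destination_set(url: str) -> bool:
    """True when the request's host and path both fall inside the OWA set.

    The host is compared case-insensitively; the path is matched against the
    wildcard paths that were entered into the destination set.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return host == OWA_HOST and any(fnmatchcase(path, p) for p in OWA_PATHS)


def bridge_request(url: str, send_original_host: bool = True):
    """Return the redirected request for a URL covered by the OWA rule.

    'send_original_host' models the 'Send the original host header to the
    publishing server instead of the actual one' check box: when it is set,
    the front-end server sees the Host header the client sent; otherwise it
    sees the address the rule redirects to. Returns None when no rule applies.
    """
    if not in_owa_destination_set(url):
        return None
    parts = urlsplit(url)
    host_header = parts.netloc if send_original_host else OWA_FRONT_END
    return {"connect_to": OWA_FRONT_END,
            "host_header": host_header,
            "path": parts.path}


if __name__ == "__main__":
    for u in ("https://OWA.mycorp.com/exchange/jdoe/Inbox",
              "https://owa.mycorp.com/iisadmin/"):
        print(u, "->", bridge_request(u))
```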