Configuring SSL Bridging.

Configuring SSL Bridging.

The following are step-by-step instructions to get SSL bridging to work with ISA.

SSL bridged connections actually involve two connections:

1.From the client to the external interface of the ISA server is one SSL session

2.From the internal interface of the ISA server to the internal Web server is another SSL session.

1. Preliminary Steps

1.Install Windows 2000 Server and then install Service Pack
2.Install ISA Server
3.Install IIS and configure your Web site on Windows 2000 server w/SP2

2. Creating the Certificate Request

On the IIS server issue a file to request a certificate for use with SSL

1.Go to Properties of the Web site in IIS
2.Go to the Directory Security tab
3.Select Server Certificate and select Next on the Welcome screen
4.Select Create a new certificate
5.Select Prepare the request now, but send it later
6.Enter the certificate name. The certificate name should match the web site being published. This is the name used in the FQDN the user will type into her browser.
7.Select the Bit Length desired.
8.Enter Organization and Organizational unit
9.Enter the Site’s Common Name. This should be the same as the certificate name in step 6.
10. Enter Geographical Information
11. Enter the certificate name request file (default is fine)
12. Select Next on the Request File Summary
13. Select Finish to Completing the Web Server Certificate Wizard

Then select OK to close the Web Properties

Verisign:

I used Verisign trial certificate as I am testing the ISA. If you are using third party certificate authority, copy the file on the floppy and submit the request on their site.

***For Verisign trial certificate you have to create a certificate root on each Internet client from where you want to access the internal web server. Secondly, add the certificate on the local certificate store under trusted certification authority. To do that, open the certificate MMC for local computer and import the certificate under trusted certification authority ***

1.From the browser in the IIS server point to the Certificate server, select Request a certificate and select Next
2.Select Advanced request
3.Select “Submit a certificate request using a base 64 encoded PKCS #10 file….” Click Next
4.On the Submit A Saved Request either browse to the file created on step 3 (may have to change browser security settings to do this) or paste the contents of the file in step 3 (certreq.txt) into the area. If you paste the information make sure you don’t include the BEGIN and END headers in the request. Select Submit.
Note: If your Certificate server is not configured to “Always issue the certificate” (in Certification Authority/server name/Properties/Policy Module/Configure) you will need to issue the certificate manually then go back to step 4 and select “Check on a pending certificate”. Once the certificate is issued (manually or automatically) then you can download the certificate on the next step.
5. Select Download CA certificate and save the certificate to disk.

3. On the IIS server Install the issued certificate

Go to properties on the Web site and perform the following steps:

1.Go to the Directory Security tab
2. Select Server Certificate and select Next on the Welcome screen
3. Select Process a pending request and install the certificate
4. Select the certificate created and select Next
5. On the Certificate Summary select Next
6. On the Completing the Web Server Certificate Wizard screen select Finish
7. Select OK to close the Web Properties

4. Configure the SSL Port for the Web Site

1.Go to Properties on the Web site
2. On the Web Site Properties enter the SSL port (443 default). You can use a different port if you want. Later you can set ISA to match this port.
3. If you only want to accept SSL connections (only HTTPS not HTTP) to the Web site, select the Directory Security tab
4. Select Edit and check the Require secure channel (SSL) box
5. Click OK twice to close the Web Properties.

5. Make sure the Certificate is OK

1.Open the Certificates for Computer account in the MMC
2. Select Personal/Certificates and double click on the certificate you created.
3. Make sure you have “This certificate is OK” under Certification path.

If you get error “The issuer of this certificate could not be found” you may need to export your CERT servers certificate under Trusted Certification Authorities and import it into the Web servers Trusted Certification Authorities.

At this point make sure you can establish an HTTPS session to the Web site from the ISA server using IE.

6. Export the certificate from the web server.

1.Open the Certificates for Computer account in the MMC
2. Select Personal/Certificates and right click on the certificate you created, then select All Tasks then Export.
3. Select Next on the Welcome wizard
4. Select Yes, export the private key and select Next
5. For the Export File Format leave the defaults and select Next (unless you have older versions if IE)
6. Enter password for the certificate if you want
7. Enter a file name and select Next (this can be called anything you want)
8. Select Finish to complete the wizard.

7. Import the certificate on the ISA server (in this example the CERT server is also on the ISA server)

1.Open the Certificates for Computer account in the MMC
2. Right click on Personal/Certificates select All Tasks then Import
3. Select Next on the Welcome wizard
4. On the File to import screen, browse to the exported certificate and select Next
5. Enter the password if one was created and select Next
6. Leave defaults to place the certificate in the Personal store and select Next
7. Select Finish to complete the wizard

8. Make sure the imported certificate is OK on the ISA server.

1.Open the Certificates for Computer account in the MMC of the ISA server
2. Select Personal/Certificates and double click on the certificate you imported
3. Make sure you have “This certificate is OK” under Certification path.

Again if you get error “The issuer of this certificate could not be found” you may need to export your CERT servers certificate under Trusted Certification Authorities and import it into the Web server’s Trusted Certification Authorities.

9. Configure ISA server to use the imported certificate and create the publishing rule.

If you had the ISA Management console open you may have to close it and open it again to see the certificate.

1. On ISA Management right click on the ISA array and select properties.
2. Select the Incoming Web Request tab and select Add
3. Select the ISA server and the external IP address, Check the “Use a server certificate to authenticate to web clients” and click Select.
4. Select the Imported certificate and click OK. Then select OK
5. Select OK to close the add/edit Listeners window
6. Check to Enable SSL listeners, enter the SSL port (443 default) and click OK.
7. Select Policy Elements/Destination sets, then right click and select New then Set
8. Enter a name for the destination set then click Add and enter the name of the Destination.
9. The name of the Destination needs to be the name of the published web site. It also needs to be the name of the certificate.
10. Click OK and OK again to close the Destination Set window.
11. Select Publishing/Web Publishing Rules, right click and select New Rule
12. Give the rule a name
13. Select Apply this rule to: “Specified destination set” and for Name enter the Destination Set then click Next
14. Select the appropriate Client Type
15. On the Rule Action window select “Redirect the request to this internal Web server”
16. Make sure you enter the name of the internal web site being published (not the IP address or internal server name). This is the same as the certificate.

NOTE: Make sure the ISA server can resolve this name to the internal Web servers IP address.The external DNS servers will resolve the published Web site name to the external IP address of the ISA server but the ISA server needs to resolve the name to the internal published Web server. You may have to create a HOST file locally on the ISA server to resolve the name to the internal Web server IP address
17. Click Finish to Complete the Wizard.

At this point you should be able to HTTPS from an external client to the external interface of the ISA server by name (not by IP)

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.