Basic SSL Help on ISA 2004 and websites
Basic SSL Help on ISA 2004 and websites - 1.Nov.2007 1:13:54 AM
amfony
Posts: 19
Joined: 17.Oct.2005
Status: offline
Hi everyone,

As stated I have some very basic SSL certificate questions, if you could indulge me. I have a need now to equip some of my internal (intranet) sites with SSL to enable https:// (duh!). I have multiple sites accessible via intranet.mycompany.com, alpha.mycompany.com, beta.mycompany.com, etc.mycompany.com ...

Now - according to someone I know, he suggested that I can buy a wildcard SSL cert that can do *.mycompany.com - sounds great and believable. She also said that I can place that cert on my ISA 2004 (which is my back end firewall, and web publishes these sites - that sit on a variety of IIS 6 and Apache servers). That is great - makes sense.

How would I actually go about this? I can't find where on ISA 2004 I can create a certificate request (at all), let alone a request (CSR?) for a *.mycompany.com domain. What I am trying to achieve is client to ISA https connection - then ISA to web servers http connection.

Can anyone help me with this? I am stuck on the actual procedure to place a wildcard certificate on ISA 2004 so that any site I want to make https is just a matter of setting up an https web listener (or so I assume). Please help - and school me - I obviously have no SSL experience. Thanks a lot everyone.
RE: Basic SSL Help on ISA 2004 and websites - 1.Nov.2007 5:17:34 AM
Jason Jones
Posts: 2119
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hi,

You cannot create the CSR on ISA, you will need to do this on IIS and then export the certificate.

A wildcard is a good option for manageability, but it isn't always "popular" with security people as it authenticates the domain as opposed to the individual servers. It also means that all SSL protected websites have a single private key, which means if someone gets hold of your private key, they can decrypt information for ALL websites. At the end of the day, you need to weigh up security vs. manageability and cost really. I think wildcards definitely have a place, it just depends on your security risks...for most people they are a good compromise.

There are some good articles on this site that provide very detailed steps for creating certs and configuring ISA for web publishing, which is the term for what you are doing. Have a search around for any articles that talk about "web publishing".

You may also want to consider using SSL certs on your web servers to ensure the encryption exists between client and server, not just ISA and client. This is recommended as best practice and in some instances is the only way to get certain web publishing scenarios to work successfully. Be aware that ISA 2004 isn't able to web publish a back-end web server that is using a wildcard cert; you need ISA2k6 for that. ISA 2k6 is also much better with SSL certs as the GUI ensures the certs are valid and installed into the correct certificate store to ensure ISA will be happy.

It may also be worth having a look at the documents here, as they provide a lot of info to get you going... http://www.microsoft.com/isaserver/techinfo/guides-articles.mspx

Cheers

JJ
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
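The thread asks which of the intranet.mycompany.com / alpha.mycompany.com / beta.mycompany.com sites a single *.mycompany.com certificate would actually cover. The following is an added example, not code from the forum or from ISA Server: it implements the hostname-matching rule that browsers apply to a certificate name (a wildcard stands in for exactly one left-most label, per RFC 6125 section 6.4.3) and runs it over the hostnames from the thread plus a few edge cases the thread does not discuss (the bare apex, a deeper sub-sub-domain, and a wildcard on a public suffix).

```python
"""Which hostnames does a *.mycompany.com wildcard certificate cover?

Added example (not from the forum thread). Implements the conservative
single-label wildcard matching rule used by browsers (RFC 6125 s6.4.3).
"""
from typing import Dict, Iterable


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`.

    Rules applied (the strict form most clients implement):
    - comparison is case-insensitive; a trailing dot is ignored
    - '*' is only honoured when it is the entire left-most label
    - the wildcard matches exactly one label: it covers alpha.mycompany.com
      but neither mycompany.com nor dev.alpha.mycompany.com
    - a wildcard directly on a public suffix such as '*.com' is rejected
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname  # plain (non-wildcard) name: exact match only

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole first label, appear nowhere else, and the
    # pattern needs at least three labels so that '*.com' is not accepted.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # Same label count, identical parent labels, non-empty host label.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def covered_sites(pattern: str, hostnames: Iterable[str]) -> Dict[str, bool]:
    """Map each hostname to whether `pattern` would be accepted for it."""
    return {h: hostname_matches(pattern, h) for h in hostnames}


if __name__ == "__main__":
    # Constructed sample: the thread's site names plus edge cases.
    sites = ["intranet.mycompany.com", "alpha.mycompany.com",
             "beta.mycompany.com", "mycompany.com",
             "dev.alpha.mycompany.com", "alpha.mycompany.com.evil.example"]
    for host, ok in covered_sites("*.mycompany.com", sites).items():
        print(f"{host:36s} {'covered' if ok else 'NOT covered'}")
```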
RE: Basic SSL Help on ISA 2004 and websites - 1.Nov.2007 11:26:28 PM
amfony
Posts: 19
Joined: 17.Oct.2005
Status: offline
Hi Jason,

Thank you so much for the reply - it helped a lot. I would just like to reaffirm what I actually understood from your post.

- It is sometimes dubious to use wildcard certs (in a purist security mindframe) as opposed to a single cert per website
- Also dubious to use ISA as the end point for SSL connections (use client to server as opposed to client to ISA)
- ISA2k4 is not able to be the end-point for client to ISA connections when publishing multiple web servers behind the ISA server WITH a wildcard cert (with multiple single certs this is possible)
- All CSRs must be created on the web server itself (so if I have 3 sites I want to SSL I must go to three web servers and do this? I ask because one website is not under my access and I would rather work around it than deal with the third party)

Please correct me if I am wrong anywhere - once again thank you very much.