Welcome to ISAserver.org
Web publishing using client certificate
Web publishing using client certificate - 29.Sep.2008 4:02:29 PM
pie8ter
We have ISA 2004 with the latest service pack running on Windows 2003 SP2. The LAN is protected by ISA server for all protocols. We have an internal SSL website only available to users in our network. I've been asked to let one of our external partners access the site from outside. I would like to know the best ways to accomplish this request. The website is hosting sensitive information. This is the only user who will be accessing the site from the WAN.

This is my plan and I would really appreciate it if you can give me some advice.

- Use a client-side certificate for a single user.
- Use SSL bridging in ISA.
- We don't want ISA to authenticate the client. The website has its own authentication mechanism.

I tried to follow this article written for ISA 2000 but I got lost halfway through: http://www.isaserver.org/tutorials/Publishing_Web_Sites_using_Client_Certificate_Authentication.html

1) Can I use the standalone CA for this article? Or how about OpenSSL?
2) How many certificates are involved in this setup? One for the internal web server itself, which we already have. I need to create a client certificate and a certificate for the web listener (ISA). So a total of three certs involved?

Thanks
RE: Web publishing using client certificate - 1.Oct.2008 7:46:49 PM
BBooth
Hi, I'm by no means an expert but I'll give it a crack.

There are 2 "nice" options for you to cater for this external person. The first is the certificate option you're trying to accomplish now. The other is, if the user has a static IP address, you can just limit connections to the website from that IP address.

Since you've asked about the certificate option, I'll try to cover that now. From my research when setting up my company's OWA with 2-factor authentication: in order to use certificates for authentication, your ISA server needs to be able to authenticate to a domain, since there's no other way for ISA to map a certificate to a user, nor can ISA forward on the certificate (unless it's acting in SSL Tunnel mode). I found that a Microsoft Enterprise CA was easiest to do this with, as it was mostly automatic mapping certs to user accounts in AD...

In terms of the number of certificates, you'll need one for each of these:

1) Client authentication cert
2) Web Listener certificate that matches the FQDN the external person will be using to connect to you
3) Web Server certificate for the Web Site you're trying to publish
4) If the Web Listener certificate is generated from your own standalone CA, it would be best to also send the Root cert to the external party, otherwise they'll be prompted each time about it not being trusted.

2 & 3 can be the same certificate if the names all match. This can be tricky, but doable by split DNS or a HOSTS file entry. 4 doesn't need to be sent individually; it can be included as a chain in a pfx file when exporting the client auth certificate (1).

Anyway, as I said I'm no expert and it's a little tricky for me to word it. I'm sure one of the more knowledgeable forum members will be along to help soon :-)

I think the other option would be best if the user has a static IP address, and easier to set up in my opinion! However, it's not as easy to expand in the future should more external people need access.

Cheers,
BB
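An added example, not written by either poster: the certificate set listed in the reply above, issued from a standalone root CA built with OpenSSL, which the first post asked about. The CA name, FQDN, user name and PFX password are constructed placeholders; it covers items 1, 2 and 4 and assumes the web server certificate (item 3) already exists.

```bash
# Added example; every name and password passed in is a constructed placeholder.
set -eu

# make_partner_certs DIR FQDN USER PFX_PASSWORD
# Writes ca.crt (root), listener.crt, client.crt and client.pfx into DIR.
make_partner_certs() (
  mkdir -p "$1"
  cd "$1"
  fqdn=$2 user=$3 pass=$4
  # Own minimal config, so the result does not depend on the system openssl.cnf.
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Standalone Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # The extended key usage decides what each certificate may be used for.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" > listener.ext
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > client.ext

  # Root certificate: the one the external party has to trust (item 4).
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
    -keyout ca.key -out ca.crt
  # Web listener certificate (item 2) and client certificate (item 1).
  for pair in "listener:$fqdn" "client:$user"; do
    name=${pair%%:*} cn=${pair#*:}
    openssl req -new -config ca.cnf -subj "/CN=$cn" -newkey rsa:2048 -nodes \
      -keyout "$name.key" -out "$name.csr"
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 365 -extfile "$name.ext" -out "$name.crt"
  done
  # Client cert, its private key and the root cert in one password-protected PFX.
  openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt \
    -name "$user" -passout "pass:$pass" -out client.pfx
)

# cert_ok DIR PURPOSE FILE: true if FILE chains to ca.crt and is valid for PURPOSE.
cert_ok() { openssl verify -CAfile "$1/ca.crt" -purpose "$2" "$1/$3" >/dev/null 2>&1; }

# pfx_cert_count DIR PFX_PASSWORD: number of certificates bundled in client.pfx.
pfx_cert_count() {
  openssl pkcs12 -in "$1/client.pfx" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

if [ "$#" -eq 4 ]; then make_partner_certs "$@"; fi
```

A `pass:` argument is visible in the process list, so for real use supply the PFX password with `-passout file:` or `-passout env:` instead. `ca.key` stays on the issuing machine; only `client.pfx` goes to the partner.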