Is this possible? What we want to do is have ISA check for either a machine or user certificate and only allow authentication to TSG if they have the cert installed.
The ISA server is on the domain and we have a PKI infrastructure set up and working fine.
So far we have not been able to get this to work. Straight SSL with no authentication on the listener, only authentication at the TSG, works just fine. So the basics are covered. We want to bolster the security from here.
It wouldn't be a good idea to only check the certificates and then give access. SSL cert authentication should be used in conjunction with another authentication (either on ISA or the backend server). On the web listener you need to select SSL client certificate authentication, and in Advanced, under Client Certificate Trust List, select the root CA of your organization which you want to test it against.
Remember ISA should be part of the domain in order to do it. You cannot have cert authentication if ISA is in a workgroup.
I appreciate the assistance. Like I said in my original post, the ISA server is on the domain and we do have our own PKI. The ISA server has the root CA installed. Any more info you need about our configuration?
The plan is to check for the certificates, and if it is present, then offer up authentication from the TS Gateway server.
Also, I followed that link to get TS Gateway and ISA set up initially. That works fine. It's the certificate portion I can't seem to get to work right.
< Message edited by jayshaw91 -- 28.Jan.2009 12:51:14 PM >
As I said earlier, you can do it, but this is not the most secure way of doing it.
On the web listener you need to select SSL client certificate authentication, and in Advanced, under Client Certificate Trust List, select the root CA of your organization which you want to test it against.
Each user should have a user certificate with private and public key in their User personal store.
When they access a published website, they will get a prompt asking them to select the certificate they want to use. Then accordingly ISA can check the certificate.
On the ISA publishing rule select "All Authenticated Users" under the Users tab, and under Authentication Delegation select "No Delegation, users may authenticate directly".
Users will be prompted one more time as the TS Gateway also requires authentication. To avoid having them authenticate the second time you will have to select Kerberos Constrained Delegation under Authentication Delegation, but you need to have that set up first, and that's not the easiest to do (as far as with me).
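A check a practitioner would want before troubleshooting the listener: does the user actually hold a certificate that the listener described above would accept? The script below is an added example, not code from the thread or from ISA Server. It walks the current user's Personal store and reports, per certificate, whether it has a private key, carries the Client Authentication EKU, and chains to the organization's root CA. The root CA thumbprint parameter is a placeholder you must replace, and the script skips CRL checking, which ISA itself performs.

```powershell
# Added example (not from the original thread). Lists certificates in the current
# user's Personal store and reports which ones an ISA web listener configured for
# SSL client certificate authentication with a Client Certificate Trust List could
# accept: private key present, Client Authentication EKU, chain ends at the org root.
param(
    # Assumption: SHA-1 thumbprint of the root CA selected in the trust list.
    [string]$OrgRootThumbprint = 'REPLACE_WITH_ROOT_CA_SHA1_THUMBPRINT'
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$EkuExtensionOid = '2.5.29.37'        # extKeyUsage

function Test-IsaClientCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$RootThumbprint
    )

    $problems = @()

    # ISA can only use a certificate the client can sign with.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in store' }

    # If an EKU extension is present it must include Client Authentication;
    # a certificate with no EKU extension is valid for any purpose.
    $ekuRaw = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtensionOid }
    if ($ekuRaw) {
        $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ekuRaw, $false)
        if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })) {
            $problems += 'EKU extension present but lacks Client Authentication'
        }
    }

    # Build the chain the way the listener's trust list evaluates it: the last
    # element must be the organization's root CA. Revocation is skipped here;
    # ISA does check CRLs, so a revoked certificate still fails on the listener.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $problems += "chain build failed: $status"
    } else {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $expected = ($RootThumbprint -replace '\s', '').ToUpper()
        if ($root.Thumbprint -ne $expected) {
            $problems += "chains to '$($root.Subject)', not the organization root"
        }
    }

    [PSCustomObject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Accepted   = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Cert:\CurrentUser\My is the user's Personal store mentioned in the thread.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-IsaClientCert -Cert $_ -RootThumbprint $OrgRootThumbprint } |
    Format-Table Subject, Accepted, Problems -AutoSize
```

Run it as the user who will connect, not as an administrator, since the Personal store is per user. If every certificate shows Accepted as false with a chain error, the client is missing the organization root or an intermediate CA, which is a client-side problem rather than a listener setting.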
Interesting. I'm not getting prompted to present a certificate. I did have it set for SSL auth and select my root CA. It just passed me straight through to authenticate against the TS server. What did I miss?
Also, why is this not the most secure way? What do you recommend? It's the best thing we could come up with that's close to two-factor authentication. RSA does not work since the users are connecting via RDP and not HTTP. There is no way to prompt for the RSA token this way, which is unfortunate.
So, after checking further it seems SSL client cert authentication is not possible, as it's a limitation of the RDP client. But the same can be done if you are using TS Web Access. You can log in to the website and create RDP sessions from within the browser.