AspectIT -> SSL Site Bridging on alternate Port with Client Certificates (20.Oct.2009 6:34:53 AM)
After many times using these forums to solve issues, I now find myself as one of the posters. Great site here guys, it has helped me out no end and hopefully will again with this crazy one.
This is the setup.
Windows SBS2003 Premium SP2 with ISA 2004 SP2, two NICs
Internal Card 10.0.0.1
External Card 10.0.10.1 – Connected to Router (All ports added to Rules on router)
This is what we are trying to achieve:
We are trying to set up PDAs to communicate with a website on the SBS server which uses SSL secure channel communications over an alternative SSL port of 2121. Along with this is the need to use client certificates. The SSL certs are from a 3rd party, and the server has their root CA installed and the certificate for the secure communications installed in the ISA computer store and on the website itself.
We have set up a Secure Web Publishing rule bridging HTTPS to HTTPS on port 2121 and created a new listener on SSL port 2121 with HTTP disabled, and added the server certificate for the SSL communications to the listener. Without client certificate authentication we have the secure communications working fine, no problems.
The problem we're having is with client certificate authentication. We have enabled the website on IIS 6 on the SBS box to require client certificates and added a trust list using the root CA from the 3rd party. They have also given us a PFX cert with public key to import on remote users' devices and also for anywhere else needed, such as the ISA rules.
We have added the client certificate to the Personal store of the Microsoft Firewall Service so it appears in the Bridging tab in ISA 2004, and we have selected "Use a certificate to authenticate to the SSL Web server" and selected the client cert which is on the remote user's device and which they will be prompted to use. Then we proceeded to edit the listener, take off Integrated auth, add "SSL certificate only" and select "Always authenticate".
Basically ISA doesn't seem to be forwarding the client certificates to the website in the way it should and is giving a 401 error to the end user in IE. Upon inspection of the IIS logs, the website is receiving a 403.7 error, which is "client cert required". The user is getting the client certificate prompt when connecting, but then they get this error:
Error Code: 401 Unauthorized. The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. (12209)
Looking at the ISA logs we get the following:
Denied Connection LTE-SBS01 20/10/2009 11:07:04
Log type: Web Proxy (Reverse)
Status: 12229 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.
Source: ( X.X.X.X:0)
Destination: ( 10.0.10.1:2121)
Request: GET http://pda.XXXXXX.com/
Filter information: Req ID: 1ea71f6f
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; AskTB5.5)
Object source: Processing time: 63
Cache info: 0x0 MIME type:
We have tried the website internally and the client certificates worked as they should, proving it isn't the certificates; it looks like ISA isn't forwarding the client certificates on. Also, the ISA logs say the destination is 10.0.10.1, which is the external card; shouldn't this be 10.0.0.1, which is the internal card?
Can you help? If you need any more info regarding the setup, please let me know.
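An added diagnostic, not part of the post above and not ISA's own tooling. An HTTPS-to-HTTPS bridging rule terminates the PDA's TLS session on the ISA listener and opens a second TLS session from ISA to IIS, so the certificate the PDA presents to the listener and the certificate ISA presents to the backend are two separate handshakes, and each hop can be tested on its own. The script below requests the published URL without and then with the client PFX, and then the IIS site directly with the same PFX, reporting the HTTP status returned on each hop (ISA's 401 with error 12209 as seen by the user, versus IIS's 403 that its own log records with sub-status 7). The host names, the internal address, the PFX path and its password are assumptions to replace.

```powershell
# Added diagnostic script; not from the post or from ISA. Assumed values to replace:
#   $ListenerUrl          - the published URL the PDAs use (goes through the ISA listener)
#   $BackendUrl           - the IIS site reached directly on the internal network, bypassing ISA
#   $PfxPath/$PfxPassword - the client certificate PFX issued by the 3rd-party CA
param(
    [string]$ListenerUrl = 'https://pda.example.com:2121/',
    [string]$BackendUrl  = 'https://10.0.0.1:2121/',
    [string]$PfxPath     = 'C:\certs\pda-client.pfx',
    [string]$PfxPassword = 'changeit'
)

$ErrorActionPreference = 'Stop'

# Diagnostic only: accept any server certificate so a name mismatch on the internal
# address does not mask the client-certificate result. Remove for any other use.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
if (-not $cert.HasPrivateKey) {
    throw 'The PFX carries no private key, so nothing can use it to authenticate as a client'
}
"Client cert: subject=$($cert.Subject) issuer=$($cert.Issuer) notAfter=$($cert.NotAfter)"

function Test-ClientCertHop {
    param(
        [string]$Url,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ClientCert
    )
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method    = 'GET'
    $req.KeepAlive = $false
    $req.Timeout   = 15000
    if ($ClientCert -ne $null) { [void]$req.ClientCertificates.Add($ClientCert) }

    try {
        $resp   = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -eq $null) {
            # No HTTP response at all: the TLS handshake or the socket failed on this hop.
            return "$Url (cert=$($ClientCert -ne $null)) -> no response: $($_.Exception.Message)"
        }
        $status = [int]$resp.StatusCode
        $resp.Close()
    }
    return "$Url (cert=$($ClientCert -ne $null)) -> HTTP $status"
}

# Working setup: no cert -> 401/403 on the listener; cert -> 200 on both hops.
# A 200 from the backend alongside a 401 from the listener isolates the fault to the
# ISA listener or to the certificate ISA presents on its own connection to IIS.
Test-ClientCertHop -Url $ListenerUrl -ClientCert $null
Test-ClientCertHop -Url $ListenerUrl -ClientCert $cert
Test-ClientCertHop -Url $BackendUrl  -ClientCert $cert
```

Run it from a client machine that has the 3rd-party root CA installed, and again from the ISA box itself; if the backend request only succeeds from one of them, the certificate chain or the private-key access of the account running the request is the thing to look at next.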