
Publish ISA using ISA

Publish ISA using ISA - 6.Feb.2003 9:09:00 AM   
SKruese

 

Hi,

I want to publish a web site that doesn't support client certificates. Therefore I want to use ISA server, because I want to authenticate before the traffic comes in to the internal network. This works fine using an enterprise CA and mapping client certificates to users in the AD. But my ISA server is located in the DMZ. The ISA server uses an incoming listener which is only accessible to a certain group of users. This group is an AD group and therefore the ISA must be a member of the AD. The problem is that I must allow not-so-secure Windows networking through the firewall from the DMZ to the internal AD servers.

Is it possible to use a double ISA publishing setup? Clients connect using SSL to the frontend ISA. The frontend ISA forwards (without authentication) the request to the backend ISA on a private DMZ, which performs client authentication using certificates. On this segment, which is more secure than the public DMZ, I feel safer allowing Windows AD traffic.

If the WWW server were able to authenticate using client certificates and were not placed in the internal network, this wouldn't be a big problem.

I am very interested in your ideas on where to place an ISA server and where to let the authentication take place.

Thanks in advance and regards,

Sander
Post #: 1
RE: Publish ISA using ISA - 6.Feb.2003 5:30:00 PM   
tshinder

 

Hi Sander,

Remember the basic law of ISA Server: do not extend the internal security zone into an untrusted network, like the DMZ.

Put the ISA Server on the edge of the network, and use client certificate mapping.

Now, there might be a way to do client certificate mapping on the IIS server, as I know you can do that. I just haven't played with that option yet, so if you figure it out, let us know what happens. I'll put it on my list of things to figure out [Wink]

HTH,
Tom

(in reply to SKruese)
Post #: 2
RE: Publish ISA using ISA - 6.Feb.2003 6:05:00 PM   
SKruese

 

Tom,

I agree not to extend the security zone into an untrusted network, but what are my options? If I want to authenticate before network traffic enters the trusted network, I have three options.
1) Use ISA web publishing in the DMZ and let the ISA server do the authentication, or
2) Use ISA to bridge my SSL connection to the IIS server. I don't know if the client certificate can be transported over this SSL tunnel.
3) Use no ISA and let the SSL connection end at the IIS and also let the IIS do the authentication.

Both options 2 and 3 insist that the IIS must do the authentication. I have more faith in ISA than IIS when it comes to secure platforms. So I still prefer option 1. Only then the ISA must be placed on an isolated DMZ, so no spoofing is possible. Also I must tweak the AD connection so if the ISA is compromised the damage is minimal.

Do you agree?

Regards,

Sander

(in reply to SKruese)
Post #: 3
