Implementing and Troubleshooting Certificate Deployment in ISA Server 2006
Let's begin
Let's start with some basics about PKI definitions, digital certificates and certificate authorities.
PKI
In cryptography terms, a public key infrastructure (PKI) is the building block for several other technology aspects with the goal of issuing certificates for users, computers and services from a certificate authority (CA). The PKI role that issues certificates is called the Registration Authority (RA).
Certificates
In cryptography, a public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with identity information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual. In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). Source: http://en.wikipedia.org/wiki/Digital_certificate
Certificate Authority
In cryptography terms, a certification authority (CA) is a server or a set of servers in a CA hierarchy which issues digital certificates for use by users, computers and services. Windows Server 2003 (and older versions) has its own CA implementation.
Certification authorities can be a single server or can be chained into certificate chains where every hierarchy has special tasks like intermediate CA, issuing CA and more. You will see a CA hierarchy in the following picture.
Figure 1: CA HierarchyFile extensions used in Cryptography
There are several file extension which are used when you work with ISA Server 2006 and certificates. Here are some examples:
| Key | Description |
|---|---|
| PCKS #12 | Private Information Exchange |
| .PFX | Private Information Exchange |
| .P12 | Private Information Exchange |
| PCKS #7 | Cryptographic Message Syntax Standard |
| .P7B | PCKS #7 certificate |
| .CER | DER-coded-binary X.509 Base-64-coded-X.509 |
| .PFX | Private Information Exchange PCKS #12 |
| .CRL | Certification Revocation List |
| .P7C | Digital ID-file |
| .P7M | PCKS #7 MIME-message |
| .P7R | PCKS #7 certificate |
| .P7S | PCKS #7 signature |
Installing a CA
Installing and operating a CA is a relatively easy process. What makes PKI designs complicated are the several applications which use this PKI for several purposes.
This article is not designed to show you the whole installation process; I will only cover some pictures.
Figure 2: Installing a Windows CAAfter installing the CA, the Server name and the domain membership should not be changed (If you feel pain: There is a KB article which gives you a chance to move the CA).
There are several types of CA. For this example we select a Enterprise Root CA which integrates into Active Directory.
Figure 3: Select CA typeGive the CA a name and a lifetime.
Figure 4: CA NameAfter installing the CA, the CA can be used for issuing certificates
Certificate Snap-In
Every modern Windows version has a certificate Snap-In which handles locally installed certificates. If you are logged in as an Administrator, you can manage certificates for your own user account, a service account and a computer account.
Figure 5: Manage certificatesA normal user account can only open its own certificate store.
Certificates can be managed in the console (Import, export, request new certificates and certificate deletion).
Figure 6: Manage certificatesThere is also a website which can be used to request new certificates or to download CA root certificates.
Figure 7: CA websiteSettings in a reverse publishing scenario
If you want to use ISA Server as a reverse publishing proxy to publish services like Outlook Web Access (OWA) or Outlook Anywhere (OA), it is possible to enable SSL Bridging to enhance the security of ISA Server. When SSL Bridging is enabled, ISA Server terminates the SSL connection from the Server to the client; ISA then inspects the traffic and encrypts the traffic to HTTPS again. This is the most secure scenario.
In this scenario, ISA server needs the Root CA certificate from the internal CA that has issued certificates for the server to publish. ISA Server also needs a certificate for the ISA listener which Common Name (CN) has the same entry as the public name which clients enter when they try to establish a connection with the published server.
During the publishing process, ISA Server 2006 has a new certificate assistant that helps you to select the correct certificate. For troubleshooting purposes read the SSL troubleshooting article that is linked at the end of this article.
The certificate must be issued from a trusted CA, the certificate must be valid and keep a closer look at the Common Name of the certificate. The CN must match the public name that clients use to connect to the server.
Figure 8: Certificate assistantWhat is the Bridging Tab in ISA Server 2006?
Have you ever tried to use the Bridging feature in the publishing rule? If you try to select the certificate, ISA often says that there is no certificate, right?
To get this working you must issue a user certificate for a normal user. This issued certificate must be imported (with the private key) into the local certificate store of the Microsoft ISA Server Firewall service. After that you can use the certificate to redirect incoming request to the internal server which requires certificate authentication.
Figure 9: SSL BridgingThere are no certificates that are available because there is no certificate installed in the local certificate store of the ISA Server Firewall service.
Figure 10: SSL Bridging ' select a certificateCertificate revocation
Certificate revocation is the process when an application requests the certificate chaining engine to evaluate a certificate, the validation is performed on all certificates in that certificates chain. This includes every certificate from the issuing CA to the issued certificate. As a first step the certificate chain will be evaluated. If the certificate chain is intact, the process checks that:
- The certificates signature is valid
- Verify that the current date and time from the certificate falls into the valid time period of the certificate.
- Verify that each certificate is not corrupt or malformed
A certificate revocation list contains no more valid certificates. A process or Software like ISA Server can check the requested certificate against the certificate revocation list.
It is possible to configure ISA Server for several validation requests. ISA Server can verify that incoming certificates are not in the Certificate Revocation List (CRL).
Figure 11: Certificate revocationVerify that incoming client certificates are not revoked
You must select this certificate if you want to let ISA Server to perform a check of the incoming certificate against the Certificate revocation List (CRL) to see if the certificate is revoked. If the certificate is revoked, the client request will be denied.
Verify that incoming server certificates are not revoked in a forward scenario
This option is a little different from the scenario above. In this scenario, ISA server checks to see if the incoming Server certificate in an SSL Bridging scenario is revoked. If the certificate is revoked, the request will be denied.
Verify that incoming server certificates are not revoked in a reverse scenario
Select this check box to specify that ISA Server will automatically check the Certificate Revocation List (CRL) to see if server certificates, in a Web publishing scenario, are revoked. If the certificate is revoked, the request will be denied.
Conclusion
In this article I tried to show you all aspects of certificate use in ISA Server 2006 for reverse publishing scenarios for Outlook Web Access (OWA), Outlook Anywhere (OA) and more. I also tried to give you some basics about certificates, certificate authorities and certificate checks.
Related links
Author: Mark Grote
Marc Grote is a MCSA/MCSE Messaging & Security and Microsoft Certified Trainer. He is working as a freelance IT Trainer and Consultant in the north of Germany and as an part time employee of Invenate GmbH in Hanover (Germany). He is working there as an consultant for Microsoft Server infrastructure. You will find more information about Invenate here http://www.invenate.de. He is specialized in ISA Server, Exchange, Security on Windows 2000 and Windows Server 2003 designs, migrations and implementations and Citrix Metaframe / Cisco implementations. His efforts have earned him recognition as a Microsoft MVP for ISA Server. You can visit his homepage on http://www.it-training-grote.de.
Set of free tools making the work of a Microsoft ISA Server administrator easier.
Software for monitoring the efficiency of your company's Internet bandwidth usage.
Using this product you can easily find out who, when, where to, where from and what accessed the Internet.
Works with Microsoft ISA Server and other proxy servers.
Software for monitoring the efficiency of your company's mail server operations.
Using this product, you can easily determine the who, when, where and amount of e-mail that has been sent.
Works with Microsoft Exchange Server and other mail servers.
Software for monitoring your company's printers.
Using this product you can easily find out who, when and how many pages have been printed.
RSS