Using a Client Certificate when Bridging SSL traffic from ISA Server


1. Introduction

One feature that occasionally causes some confusion among ISA Administrators is the option to “Use a certificate to authenticate to the SSL Web server”, which is on the Bridging tab of a Web Publishing Rule. Some people mistakenly believe that this has to be checked for ISA Server to communicate securely with the published resource. As long as you have “Redirect requests to SSL port” checked on the Bridging tab of the Publishing Rule, you do not need to go the extra step of using a client certificate; the communication between ISA and your Web Server will still be done using SSL Bridging.

So why would you want to go to the extra trouble of using a client certificate for communication between ISA and your Web Server? In some environments the published resource itself requires a client certificate from anything that connects to it. This may have been a decision made by the administrators of the web resource, possibly to comply with their Information Security policy.

Note: for a quick briefing on how this is accomplished in IIS please see this article by our dear friend, Dr. Tom Shinder: http://www.windowsecurity.com/articles/Client-Certificate-Authentication-IIS6.html

2. Configuring

For this resource to be published in ISA Server you will need the following:


1)    A Client Certificate issued to the ISA Server by a CA that the web server trusts.


2)    The Client Certificate will need to be installed in the Personal certificate store of the Microsoft Firewall Service account (fwsrv\Personal), not the computer's own Personal store; see Figure 1.



Figure 1.  Certificates MMC showing the certificate issued to ISA Server installed in the Personal certificate store of the Microsoft Firewall Service



Now this certificate should show up as a choice when you click Select on the Bridging tab, see Figure 2:

Figure 2. Certificate issued to ISA Server now shows up as a choice on the Bridging tab of the publishing rule
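Before importing the certificate into fwsrv\Personal it is worth confirming that it actually has the properties the bridging feature relies on. The script below is an added example, not part of the original article: it inspects a candidate .pfx file for a private key, the Client Authentication usage and expiry, reports the root CA the published web server must trust, and then lists the firewall service's store to verify where the certificate ended up. The file path, password and the certutil -service invocation are assumptions of this example.

```powershell
# Added example (not from the original article). Checks a candidate ISA
# client certificate held in a .pfx file, then lists the Microsoft Firewall
# service's Personal store. Path, password and certutil syntax are assumed.
param(
    [string]$PfxPath     = 'C:\certs\isa-client.pfx',   # placeholder path
    [string]$PfxPassword = 'PLACEHOLDER'                 # placeholder password
)

$ns   = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$ns.X509Certificate2" -ArgumentList $PfxPath, $PfxPassword

# 1. ISA can only present the certificate if the private key came with it;
#    a .cer export (public key only) will never work for this feature.
if (-not $cert.HasPrivateKey) {
    Write-Warning "No private key present: import a .pfx, not a .cer"
}

# 2. The web server rejects a certificate whose Enhanced Key Usage (2.5.29.37)
#    lacks Client Authentication (1.3.6.1.5.5.7.3.2). A certificate with no
#    EKU extension at all is valid for any purpose, so that case passes.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$clientAuth = (-not $eku) -or [bool]($eku.EnhancedKeyUsages |
              Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
if (-not $clientAuth) {
    Write-Warning "Certificate is not enabled for Client Authentication"
}

# 3. An expired certificate fails bridging with no hint to the end user.
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($cert.NotAfter)"
}

# 4. Walk the chain to find the issuing root. That root is what the published
#    web server (not ISA) has to trust, so compare it with the server's list.
$chain = New-Object "$ns.X509Chain"
$null  = $chain.Build($cert)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Host "Issued to : $($cert.Subject)"
Write-Host "Root CA   : $($root.Subject)  (must be trusted by the web server)"

# 5. After importing, confirm the certificate sits in the service account
#    store fwsrv\Personal (certutil names it fwsrv\MY), not in the computer
#    store. Assumed syntax: -service selects a service's own store and the
#    trailing thumbprint filters the listing to this one certificate.
certutil -service -store "fwsrv\MY" $cert.Thumbprint
```

If the last command returns nothing, the certificate was imported into a different store and will not appear under Select on the Bridging tab.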
There are some limitations to keep in mind when using this feature. ISA Server always presents the same certificate for every connection to the published resource, so the web server sees ISA Server's identity rather than that of the user who made the original request. This is different from using client certificates for user authentication.

3. Conclusion

In this article I described a feature in ISA Server that is often misunderstood by ISA Administrators. Although it is not needed for SSL Bridging, using a client certificate on ISA Server may be desirable or required in certain situations.

4. Additional References

Here are some additional references on this subject:


Troubleshooting SSL Certificates in ISA Server Publishing


http://technet.microsoft.com/en-us/library/cc302619.aspx

Digital Certificates on ISA Server


http://technet.microsoft.com/en-us/library/cc302649.aspx

Author


Keith Abluton


Security Support Engineer – ISA/IAG Team


Microsoft – Charlotte

Technical Reviewers
Billy Price


Security Support Engineer – ISA/IAG Team


Microsoft – Charlotte

Yuri Diogenes
Security Support Engineer – ISA/IAG Team


Microsoft – Texas

Comments (3)

  1. Anonymous says:

    Hi,

    SCCM IBCM publishing is a good example of when you do need to use a client auth cert from ISA itself:

    http://technet.microsoft.com/en-us/library/cc707697.aspx

    Cheers

    JJ