Using a Client Certificate when Bridging SSL traffic from ISA Server

1. Introduction

One feature that occasionally causes confusion among ISA Administrators is the option “Use a certificate to authenticate to the SSL Web server” on the Bridging tab of a Web Publishing Rule. Some people mistakenly believe that this has to be checked for ISA Server to communicate securely with the published resource. As long as “Redirect requests to SSL port” is checked on the Bridging tab of the Publishing Rule, you do not need to take the extra step of using a client certificate: the communication between ISA and your Web Server will still be done using SSL Bridging.

So why would you want to go to the extra trouble of using a client certificate for communication between ISA and your Web Server? In some environments the published resource itself requires client certificates in order to connect to it. This may have been a decision made by the administrators of the web resource, possibly to comply with their Information Security policy.

Note: for a quick briefing on how this is accomplished in IIS, please see this article by our dear friend, Dr. Tom Shinder: http://www.windowsecurity.com/articles/Client-Certificate-Authentication-IIS6.html

2. Configuring

To publish such a resource through ISA Server you need the following:

1) A Client Certificate issued to the ISA Server by a CA that the web server trusts.

2) The Client Certificate will need to be installed in the Certificate Store for the Microsoft Firewall Service (fwsrv\Personal), see Figure 1.


Figure 1. Certificates MMC showing the certificate issued to ISA Server installed in the Personal certificate store of the Microsoft Firewall Service

Now this certificate should show up as a choice when you click Select on the Bridging tab, see Figure 2:

Figure 2. Certificate issued to ISA Server now shows up as a choice on the Bridging tab of the publishing rule

There are some limitations to keep in mind when using this feature. ISA Server will always present the same certificate for all connections to the published resource, regardless of which user made the original request. This is different from using client certificates for user authentication, so the web server cannot use this certificate to identify individual users.
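As an added example (not part of the original article), the following PowerShell script inventories the certificates in the Microsoft Firewall Service's Personal store (fwsrv\My) and reports, for each one, whether it has the properties the bridging client certificate needs: a private key, the Client Authentication EKU (or no EKU restriction), and a chain that builds. It assumes an elevated PowerShell 2.0 or later session on the ISA Server; the service name fwsrv comes from the article, and the numeric constants are the Win32 CertOpenStore values.

```powershell
# Added example: check the fwsrv\My store for a usable client certificate.
# Assumes an elevated PowerShell 2.0+ session on the ISA Server itself.
# The constants below are the Win32 CertOpenStore provider and flag values.

Add-Type -Namespace Win32 -Name Crypt32 -MemberDefinition @'
[DllImport("crypt32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr CertOpenStore(IntPtr lpszStoreProvider, uint dwEncodingType,
    IntPtr hCryptProv, uint dwFlags, string pvPara);
'@

$CERT_STORE_PROV_SYSTEM_W   = [IntPtr]10           # open a system store by name
$CERT_SYSTEM_STORE_SERVICES = 0x00050000           # store owned by a service: ServiceName\StoreName
$CERT_STORE_READONLY_FLAG   = 0x00008000
$CLIENT_AUTH_OID            = '1.3.6.1.5.5.7.3.2'  # id-kp-clientAuth

$handle = [Win32.Crypt32]::CertOpenStore($CERT_STORE_PROV_SYSTEM_W, 0, [IntPtr]::Zero,
    ($CERT_SYSTEM_STORE_SERVICES -bor $CERT_STORE_READONLY_FLAG), 'fwsrv\My')
if ($handle -eq [IntPtr]::Zero) {
    throw "Could not open fwsrv\My (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
}

# .NET can wrap an already-open HCERTSTORE handle, giving ordinary X509Certificate2 objects.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store $handle

foreach ($cert in $store.Certificates) {
    # EKU extension (2.5.29.37); if it is absent the certificate is valid for any purpose.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $clientAuthOk = (-not $eku) -or ($ekuOids -contains $CLIENT_AUTH_OID)

    # Chain building uses THIS machine's trust store; the root reported here must also
    # be in the web server's Trusted Root store, or the web server will reject the cert.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $last = $chain.ChainElements.Count - 1
    $root = if ($last -ge 0) { $chain.ChainElements[$last].Certificate.Subject } else { '(none)' }
    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey   # without the key ISA cannot complete the handshake
        ClientAuthEKU = $clientAuthOk
        ChainBuilds   = $chainOk
        RootCA        = $root
    }
}
$store.Close()
```

A certificate that shows HasPrivateKey, ClientAuthEKU and ChainBuilds all as True is the one you should expect to see offered by Select on the Bridging tab.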


3. Conclusion

In this article I described a feature in ISA Server that is often misunderstood by ISA Administrators. Although it is not needed for SSL Bridging, using a client certificate on ISA Server may be desirable or required in certain situations.

4. Additional Reference

Here are some additional references on this subject:

Troubleshooting SSL Certificates in ISA Server Publishing

http://technet.microsoft.com/en-us/library/cc302619.aspx

Digital Certificates on ISA Server

http://technet.microsoft.com/en-us/library/cc302649.aspx

Author

Keith Abluton

Security Support Engineer – ISA/IAG Team

Microsoft – Charlotte


Technical Reviewers

Billy Price

Security Support Engineer – ISA/IAG Team

Microsoft – Charlotte


Yuri Diogenes

Security Support Engineer – ISA/IAG Team

Microsoft – Texas