Blog du Tristank


ISA 2000: Web Publishing a .Net Web Service

There’s no real trick to it, apart from the good old Web Publishing authentication part.


Short version: Treat the published website exactly as you would a real web server, don’t try to treat it like a proxy (submitting proxy authentication credentials is not the right way to authenticate when you’re outside).


Longer but not exhaustive version:


The Client
From a Web Service client programming perspective (that is, a client connecting via the Internet, or more accurately from an ISA Server non-LAT network, to a web service published through an ISA Server), there’s absolutely nothing special you need to do. Just point yourself at the ASMX and you’re away.


You treat ISA Server as if it were a Web Server, because from the client’s perspective, it is a web server, not a proxy (so don’t try to submit proxy authentication credentials to it!). If the Web Service requires Web authentication (eg, you haven’t baked some custom token scheme into it), you program against it as if it were an IIS server requiring authentication.


Of course, if your client is behind a proxy server as well, you’ll need to treat that proxy as a proxy (assuming it requires anything special of you in the first place), but that applies to all web services, not only those published behind an ISA Server.
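As an added example (not code from the original post), here is how the distinction above looks in a .NET 1.x/2.0 ASMX client: the web credentials go on the service proxy’s Credentials property (an Authorization header addressed to the published site), while any proxy the client itself sits behind is configured separately through the Proxy property (Proxy-Authorization, which never reaches ISA). The PublishedService class stands in for whatever wsdl.exe or “Add Web Reference” generates for your ASMX; its name, the Ping method, the example.invalid URLs and the account names are all assumptions. The https check is an added guard, since Basic credentials are only Base64-encoded.

```csharp
using System;
using System.Net;
using System.Web.Services.Protocols;

// Hypothetical stand-in for the wsdl.exe-generated proxy of the published ASMX.
// The class name, SOAP action and Ping method are assumptions for this example.
public class PublishedService : SoapHttpClientProtocol
{
    [SoapDocumentMethod("http://tempuri.org/Ping",
        RequestNamespace = "http://tempuri.org/",
        ResponseNamespace = "http://tempuri.org/",
        Use = System.Web.Services.Description.SoapBindingUse.Literal,
        ParameterStyle = SoapParameterStyle.Wrapped)]
    public string Ping()
    {
        object[] results = this.Invoke("Ping", new object[0]);
        return (string)results[0];
    }
}

public static class ClientSetup
{
    // Builds a client for a web service published through ISA Server.
    // publishedUrl   : the public URL answered by the ISA listener (placeholder below).
    // webCredential  : credentials for the web server behind ISA (sent as Authorization).
    // localProxy     : a proxy the CLIENT sits behind, or null if there is none.
    public static PublishedService Create(string publishedUrl,
                                          NetworkCredential webCredential,
                                          IWebProxy localProxy)
    {
        Uri uri = new Uri(publishedUrl);

        // Basic carries the password Base64-encoded, not encrypted, so refuse to
        // attach web credentials unless the front-end connection is SSL-encrypted.
        if (webCredential != null && uri.Scheme != Uri.UriSchemeHttps)
        {
            throw new InvalidOperationException(
                "Refusing to send web credentials over a non-SSL front-end connection.");
        }

        PublishedService svc = new PublishedService();
        svc.Url = publishedUrl;

        // These are WEB credentials: they travel in the Authorization header that
        // ISA's Basic Credential Delegation can check and forward to IIS.
        svc.Credentials = webCredential;

        // Send the Authorization header on the first request instead of waiting
        // for a 401 challenge; ISA can then preauthenticate immediately.
        svc.PreAuthenticate = true;

        // Only if THIS client is behind a proxy of its own: that proxy, and its
        // proxy credentials, are configured here and never addressed to ISA.
        if (localProxy != null)
        {
            svc.Proxy = localProxy;
        }

        return svc;
    }
}

class Demo
{
    static void Main()
    {
        // Placeholder account for the back-end web server (domain\user form for Basic).
        NetworkCredential webCred = new NetworkCredential("alice", "placeholder-password", "CORP");

        // Assumed client-side outbound proxy; drop this if the client has direct access.
        WebProxy localProxy = new WebProxy("http://proxy.client.invalid:8080");
        localProxy.Credentials = new NetworkCredential("proxyuser", "placeholder-proxy-password");

        PublishedService svc = ClientSetup.Create(
            "https://www.example.invalid/Service.asmx", webCred, localProxy);

        Console.WriteLine(svc.Ping());
    }
}
```

Note that nothing in the call to the published URL refers to ISA as a proxy; if you were to hand the ISA listener address to WebProxy instead, the client would emit Proxy-Authorization, which the published site would never accept.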


The Server
Server authentication is where it can get mildly confusing – you potentially have multiple layers of authentication. ISA 2000 with Feature Pack 1 supports a feature called “Basic Credential Delegation”, which means that Basic credentials passed to ISA can then be forwarded to the back-end server (so ISA can pre-authenticate the user and allow/deny access to the Web Server before the user even sees the back-end server).


Preauthentication isn’t possible with the other authentication types, because the credentials themselves are never submitted to the ISA Server (only a hash or verifier is), so the ISA Server has nothing to forward to the back-end server. So NTLM (Integrated) and Digest are out, leaving Basic. Basic transmits credentials in the clear, so you should SSL-encrypt the front-end connection if the security of the user credentials is even vaguely important to you: SSL lets the client verify that the target server is actually the server it intends to give its credentials to, and the credential transfer itself is encrypted.


If you’re using Basic Delegation, I’d also strongly suggest using SSL bridging to encrypt the back-end as well, to protect the credential transfer between ISA and the internal Web Server. IPSec could also be used for this.