How to Configure ISA SSL Bridging for the Internet-Based Software Update Point

In response to customers on the forums, we've been looking into ISA configuration for the Internet-based software update point. The following steps detail how Adam got this working on ISA 2006, and we will request that the ISA documentation How to Configure ISA SSL Bridging for System Center Configuration Manager Internet-Based Client Management is updated with this information. In summary:

· When you are using the WSUS Administration custom Web site rather than the default Web site, make sure you change the port number from 443 in the Web listener and the Web publishing rule. The default port number for the WSUS Administration custom Web site is 8531.

· WSUS does not use client authentication, so No Authentication should be configured in the Web listener. This is a different configuration from the other Internet-based site systems, and so will require a new HTTPS Web listener.

When you have followed the instructions in the ISA guide, use the instructions below to configure a new Web listener for the Internet-based software update point.

Update June 18th 2009: With the help and confirmation from Jason Jones (MVP Forefront), we have revised these instructions to no longer select a security group when creating the Web publishing rule.

 - Carol

This posting is provided AS IS with no warranties and confers no rights.

To Create the Web Listener for the Internet-based Software Update Point:

  1. On the ISA Server computer, load the ISA Server management console.
  2. Select Firewall Policy by using the method that applies to your edition of ISA Server:
    • For Standard Edition: In the left pane, expand <Array Name>, and then select Firewall Policy.
    • For Enterprise Edition: In the left pane, expand Arrays, then expand <Array Name>, where <Array Name> is the array in which you want to create the publishing rule, and then select Firewall Policy.
  3. In the task pane, click the Toolbox tab.
  4. Click Network Objects, click New, and then click Web Listener.
  5. On the Welcome to the New Web Listener Wizard page, type a name for the new Web listener, such as ConfigMgr Web Listener for Software Update Point, and then click Next.
  6. On the Client Connection Security page, ensure that Require SSL secured connections with clients is selected, and then click Next.
  7. On the Web Listener IP Addresses page, select the networks where you want this Web listener to operate.
    Note: If your ISA Server is using a single network adapter template (unihomed), you must choose the Internal network.
    a. If you want the Web listener to operate on a specific IP address within the selected network (recommended), select the required network, and then click Select IP Address.
    b. On the <Network Name> Listener IP Selection page, select Specified IP addresses on the ISA Server computer in the selected network.
    c. Select the required IP address, and then click Add. Repeat steps a through c for each network selected for this Web listener.
  8. Click OK, and then click Next.
  9. On the Listener SSL Certificates page, select Use a single certificate for this web listener, and then click Select Certificate.
  10. In the Select Certificate dialog box, select the ISA Server Web listener certificate, click Select, and then click Next.
  11. On the Authentication Settings page, select No Authentication from the Select how clients will provide credentials to ISA Server list.
  12. Click Next, click Next, and then click Finish.
  13. If you are prompted to enable the system policy that allows CRL downloads, click Yes.

To Modify the Web Listener for the Internet-based Software Update Point:

  1. In the ISA Server management console right pane, click the Toolbox tab.
  2. Click Network Objects, and then expand Web Listeners.
  3. Double-click the new Web Listener.
  4. Click the Connections tab. If you are not using the default Web site for WSUS, but using the WSUS Administration custom Web site, change the port number for Enable SSL (HTTPS) connections on port to the WSUS SSL server port number. The default port number for the WSUS Administration custom Web site is 8531. To verify the port number, check the SSL port number setting on the Internet-Based tab in the Software Update Point Component Properties.
  5. Click OK, and then click OK to close the Web listener properties.

To Create the Web Publishing Rule for the Internet-based Software Update Point:

  1. In the ISA Server management console middle pane, click the rule that you want to be ordered immediately after the new Web publishing rule. Alternatively, you can reorder the new Web publishing rule after it is created.
  2. In the left pane, right-click Firewall Policy, click New, and then click Web Site Publishing Rule.
  3. On the Welcome to the New Web Publishing Rule Wizard page, type a name for the Web publishing rule, such as ConfigMgr Publishing for Software Update Point, and then click Next.
  4. On the Select Rule Action page, ensure that Allow is selected, and then click Next.
  5. On the Publishing Type page, ensure that Publish a single Web site or load balancer is selected, and then click Next.
  6. On the Server Connection Security page, ensure that Use SSL to connect to the published web server or server farm is selected, and then click Next.
  7. On the Internal Publishing Details page, specify the following, and then click Next:
    1. Type the Internet FQDN in the Subject name of the certificate that is being used by the Internet-based software update point site system server.
    2. Click Use a computer name or IP address to connect to the published server.
    3. Specify the Configuration Manager Internet-based site system server by typing in the IP address.
  8. On the second Internal Publishing Details page, type /* in the Path (optional) box, and then click Next.
  9. On the Public Name Details page, specify the following, and then click Next:
    1. Ensure that This domain name (type below) is selected.
    2. Type the Internet FQDN of the Internet-based site system server in the Public name box.
    3. Ensure that /* is displayed in the Path (optional) box.
  10. On the Select Web Listener page, select the Web listener created for Internet-based clients, and then click Next.
  11. On the Authentication Delegation page, ensure that No delegation, but client may authenticate directly is selected, and then click Next.
  12. On the Users Sets page, click Next.
  13. On the Completing the New Web Publishing Rule Wizard page, click Finish.

To Modify the Web Publishing Rule Port for the Internet-based Software Update Point:

  1. In the ISA Server management console middle pane, double-click the new Web Publishing rule.
  2. In the <Web Publishing Rule Name> Properties dialog box, click the Bridging tab.
  3. Change the port specified for Redirect request to SSL port to the WSUS SSL server port number. The default port for the WSUS Administration custom Web site is 8531.
  4. In the <Web Publishing Rule Name> Properties dialog box, click OK.

To Save the Web Publishing Changes to ISA Policies for the Internet-based Software Update Point:

  1. Click Apply when it displays in the middle pane of the ISA Server management console.
  2. Wait for the policy update process to complete, and then click OK in the Saving Configuration Changes dialog box.
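After applying the policy, the two hops of the bridge are worth checking independently: Internet clients must reach the ISA Web listener on 443 and see a certificate for the public name, and ISA must reach the WSUS SSL site (8531 by default) by IP address and see a certificate whose subject is the Internet FQDN typed in step 7 of the publishing rule. The script below is an added example, not part of the original post or any Microsoft tool; the host names, IP address and ports in its usage block are constructed placeholders.

```python
"""Check both hops of an ISA SSL-bridged software update point.

Hop 1: Internet client -> ISA Web listener  (public FQDN, port 443).
Hop 2: ISA -> WSUS Administration SSL site  (internal IP, port 8531),
       whose certificate subject must still be the Internet FQDN.
"""
import socket
import ssl


def cert_names(cert):
    """Collect the CN and DNS SANs from a dict as returned by getpeercert()."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def name_matches(cert, expected):
    """True if expected host name matches a CN/SAN (wildcard covers one label)."""
    expected = expected.lower()
    for name in cert_names(cert):
        if name == expected:
            return True
        if name.startswith("*.") and expected.count(".") == name.count("."):
            if expected.split(".", 1)[1] == name[2:]:
                return True
    return False


def check_hop(connect_host, port, expected_name, timeout=5):
    """Connect by address/port, verify the chain against the OS trust store,
    then check the presented names ourselves so the connect target and the
    expected certificate name can differ (as they do on the ISA-to-WSUS hop)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we match the name below, chain is still verified
    try:
        with socket.create_connection((connect_host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=expected_name) as tls:
                cert = tls.getpeercert()
    except (OSError, ssl.SSLError) as exc:
        return False, f"{connect_host}:{port}: {exc}"
    return name_matches(cert, expected_name), f"{connect_host}:{port} presents {sorted(cert_names(cert))}"


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own names, address and WSUS SSL port.
    for hop in [("sup.contoso.com", 443, "sup.contoso.com"),        # hop 1: listener
                ("10.0.0.25", 8531, "sup.contoso.com")]:            # hop 2: WSUS by IP
        print(check_hop(*hop))
```

A False result on hop 2 with a name list that shows only the internal host name means the WSUS site certificate was issued for the wrong subject and ISA's bridged connection will fail even though the listener looks healthy.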