ISA Server 2004's SSL bridging feature can help secure your network from attack when users access SSL-encrypted sites. However, configuring this feature properly on ISA Server 2004 can be tricky. Here's how you do it.
SSL bridging allows firewalls, such as ISA Server 2004, to inspect encrypted SSL packets to make sure they haven't been spoofed or hijacked. It lets firewalls continue to guard the network while allowing SSL to keep the data within the packets secure.
You can use the ISA Server 2004 SSL-to-SSL bridging feature to protect any secure Web site on the corporate network. One of the most popular implementations is to protect Outlook Web Access (OWA) sites, since a significant amount of proprietary information moves between OWA clients and servers. Here's how to configure ISA Server 2004 to make it work.
SSL bridging can be a powerful tool when securing your network. This article only discusses how to implement SSL bridging in ISA 2004. For more information about SSL bridging, see the article "Understanding how SSL bridging works."
Configuring SSL-to-SSL bridging
It's fairly easy to use the SSL-to-SSL bridging feature to allow inbound access from the Internet to a secure Web server on the corporate network, but the process involves a number of tasks. Specifically, configuration includes the following steps:
- Obtain a Web site certificate and bind it to the secure Web site on the corporate network.
- Export the Web site certificate to a file that includes the site's private key.
- Import the Web site certificate with its private key into the machine certificate store on the ISA firewall device.
- Create the Web publishing rule using the Web Publishing Rule Wizard on the ISA firewall.
Obtain a Web site certificate and bind it
The first step is to obtain a Web site certificate and bind it to the Web site you want to make available to users on the Internet. You can use a commercial certificate or generate your own Web site certificate using the Microsoft Certificate Services.
If you use a commercial certificate provider, you should confirm how many servers you can install its certificate on. Some commercial entities limit you to a single server. If that's the case, you should install the commercial certificate on the ISA firewall and then generate your own certificate to bind to the Web site on the corporate network.
The common name on the certificates is critical, because it must match the name used to access the secure Web site. For example, if users will use the URL https://www.domain.com to reach your secure site, the common name on the certificate must be www.domain.com.
You can simplify things quite a bit by using certificates that have the same common name on the ISA firewall and on the secure Web site on the corporate network. Even if you use a commercial certificate on the ISA firewall, you can generate your own certificate with the same common name and bind it to the Web site on the corporate network.
Export the Web site certificate
This step is required only if you generate your own Web site certificate. After the certificate is bound to the secure Web site, you should use the mechanisms available on your Web server to export the certificate with its private key to a file. You must include the private key because it's required for the ISA firewall to impersonate the secure Web site.
If you're using Microsoft Internet Information Server (IIS) as your Web server, you can use the built-in Web Site Certificate Wizard to export the file with its private key. Copy the certificate file to the ISA firewall device after exporting it from the Web site.
Import the Web site certificate
You need to import the Web site certificate with its private key into the machine certificate store on the ISA firewall device, not a user certificate store or a service certificate store. Importing the certificate into the wrong store is one of the most common reasons for the failure of SSL-to-SSL bridging configurations.
Once you've imported the certificate into the machine certificate store, it will be available to the ISA Server 2004 Management console.
Create the secure Web publishing rule
Now you're ready to create a Web publishing rule by using the Microsoft Internet Security And Acceleration Server 2004 Management console. Web publishing rules allow you to make Web servers on the corporate network securely available to Internet users by employing the ISA firewall's reverse Web proxy feature.
To create the secure publishing rule, begin by opening the console. Expand the server name and click on the Firewall Policy node in the left pane of the console. Click the Tasks tab in the Task pane, and then click the Publish A Secure Web Server link.
On the Welcome To The SSL Web Publishing Rule Wizard page, enter a name for the rule in the SSL Web Publishing Rule Name text box. In this example, we'll call it Secure Corporate Web Site. Click Next.
On the Publishing Mode page, shown in Figure A, you have two options: SSL Bridging and SSL Tunneling. Don't select the SSL Tunneling option because this configures the ISA firewall to provide the same low level of protection for SSL connections that you see with simple stateful packet inspection-only firewalls. You want to fully leverage the ISA firewall's ability to perform stateful application layer inspection on end-to-end SSL connections, so select the SSL Bridging option. Click Next.
Figure A: Select SSL Bridging on the Publishing Mode page.
On the Select Rule Action page, choose the Allow option and click Next. On the Bridging Mode page, you have three options:
- Secure Connection To Clients
- Secure Connection To Web Server
- Secure Connection To Clients And Web Server
The first option performs SSL-to-HTTP bridging, in which there's a secure connection between the Internet host and the ISA firewall, and an unencrypted connection between the ISA firewall and the Web server on the corporate network.
The second option provides an unencrypted connection from the Internet host to the ISA firewall, and an encrypted connection between the ISA firewall and the secure Web server. To provide the highest level of security, you should enable SSL-to-SSL bridging by selecting the Secure Connection To Clients And Web Server option, as shown in Figure B. Click Next.
Figure B: Select Secure Connection To Clients And Web Server on the Bridging Mode page.
The Define Website To Publish page, shown in Figure C, lets you define the corporate network site that you want to publish; it also lets you specify what content on the site should be available to Internet users. In the Computer Name Or IP Address text box, enter the name of the Web site on the corporate network. It's critical that the name you enter here match the common name on the Web site certificate bound to the secure Web site.
Figure C: The name you enter on this page must match the common name on the Web site certificate.
In this example, the common name is www.domain.com, so we enter that name into the Computer Name Or IP Address text box. When you want the name that's used to access the Web site to be different from the name in the Computer Name Or IP Address text box, select the check box labeled Forward The Original Host Header Instead Of The Actual One (Specified Above).
In the Path text box, enter the path to the folder or files that you want to be available to external users. You can allow access to the entire Web site, or you can limit access to a specific folder or even a specific file on the site. In this example, we'll enter /*, which represents all folders and files on the secure Web site. Click Next.
The Public Name Details page, shown in Figure D, lets you specify the name that Internet users must use when connecting to the secure Web site. Select the option This Domain Name (Type Below) from the Accept Requests For list. You must select this option when publishing a secure Web site.
Figure D: Select This Domain Name (Type Below) when publishing a secure Web site.
In the Public Name text box, enter the name that Internet users will use to access the Web site. This name must match the name on the Web site certificate imported into the machine certificate store on the ISA firewall device. If the names do not match, an error will occur.
In the Path (Optional) text box, you can set the path that remote users can use to access the secure Web site. If you don't enter a path, access to all files and folders on the published secure Web site will be available. Click Next.
You'll create the SSL Web listener on the Select Web Listener page. A Web listener is used by the ISA firewall's Web proxy component to accept incoming connections for the secure Web site. Click the New button to start creating the SSL Web listener.
On the Welcome To The New Web Listener page, enter a name for the Web listener in the Web Listener Name text box. In this example, we'll enter SSL Listener. Click Next.
Figure E shows the IP Addresses page, where you should select the External check box. If you have multiple IP addresses bound to the public interface of the ISA firewall, click the Address button and select a specific address to use for the listener. Click Next.
Figure E: Check the External check box on the IP Addresses page.
Remove the check mark from the Enable HTTP check box on the Port Specification page. This allows you to later create a custom HTTP listener that has different characteristics and settings than the SSL listener. Click the Select button.
In the Select Certificate dialog box, shown in Figure F, select the Web site certificate from the Certificates list and click OK.
Figure F: Select the Web site certificate from the list of available certificates.
The common name on the Web site certificate appears in the Certificate box on the Port Specification page, shown in Figure G. Click Next.
Figure G: You can specify the port on which the ISA Server will listen for incoming Web requests.
Click Finish on the Completing The New Web Listener Wizard page. The details of the SSL Web listener appear on the Select Web Listener page, shown in Figure H. Click Next.
Figure H: The Select Web Listener page shows the details of the SSL Web listener.
Figure I shows the User Sets page, where you can specify which users are allowed to access the secure Web site using your Web publishing rule. When you limit access via the Web publishing rule, the ISA firewall pre-authenticates users before forwarding the connection to the published Web site. This prevents anonymous connections from being forwarded to the secure Web site.
Figure I: You can specify which users are allowed to access the secure Web site using this rule.
If you choose to limit access on a per-user or per-group basis, the ISA firewall must be a member of the Active Directory domain, or you must use RADIUS authentication on a non-domain member ISA firewall to access account information. In this example, we'll allow all users access. Click Next.
Click Finish on the Completing The New SSL Web Publishing Rule Wizard page. Click Apply to save the changes and update the firewall policy. Click OK in the Apply New Configuration dialog box. At this point, the secure Web site is available via the secure Web publishing rule. Everything's done and you're ready to go.
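The two failures the walkthrough warns about (certificate imported into the wrong store or without its private key, and a name that doesn't match the certificate) can be checked before you run the wizard. The script below is an added example, not part of ISA Server or this article; it assumes PowerShell 2.0 or later is installed on the ISA host, and uses the walkthrough's www.domain.com as a placeholder for both the public name and the internal site name.

```powershell
# Added pre-flight check for an SSL-to-SSL bridging rule; not part of the ISA wizard.
# Assumes PowerShell 2.0 or later on the ISA host. Names below are the example values
# from the walkthrough; replace them with the names you typed into the wizard.
$PublicName   = 'www.domain.com'   # Public Name Details page (name in the listener certificate)
$InternalName = 'www.domain.com'   # Define Website To Publish page (name in the site certificate)
$InternalPort = 443

function Get-CertName($Cert) {
    # DnsName returns the subject CN (or the first DNS subjectAltName if one is present)
    $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
}

# 1. Listener certificate: must be in the MACHINE store, with its private key, and match the public name.
$inMachine = Get-ChildItem Cert:\LocalMachine\My | Where-Object { (Get-CertName $_) -ieq $PublicName } | Select-Object -First 1
$inUser    = Get-ChildItem Cert:\CurrentUser\My  | Where-Object { (Get-CertName $_) -ieq $PublicName } | Select-Object -First 1
if (-not $inMachine) {
    if ($inUser) { Write-Warning "Certificate for $PublicName is only in the CurrentUser store; the Web listener wizard reads LocalMachine\My." }
    else         { Write-Warning "No certificate for $PublicName found in Cert:\LocalMachine\My." }
} elseif (-not $inMachine.HasPrivateKey) {
    Write-Warning "Certificate for $PublicName has no private key; re-export it from the Web server with the private key included."
} elseif ($inMachine.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate for $PublicName expired on $($inMachine.NotAfter)."
} else {
    Write-Host "Listener certificate OK: $($inMachine.Subject) thumbprint $($inMachine.Thumbprint)"
}

# 2. Internal site certificate: the name the ISA firewall connects with must match what the server presents.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($InternalName, $InternalPort)
    # The callback accepts any chain here so the script can read the certificate and report on it itself.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
    $ssl.AuthenticateAsClient($InternalName)
    $site = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $siteName = Get-CertName $site
    if ($siteName -ine $InternalName) {
        Write-Warning "Internal site presents '$siteName' but the rule publishes '$InternalName'; the ISA-to-server leg will fail the name check."
    } else {
        Write-Host "Internal site certificate OK: $siteName"
    }
    # The ISA host must also trust the issuer of the internal certificate (e.g. your own Certificate Services CA).
    if (-not $site.Verify()) { Write-Warning "Internal site certificate chain is not trusted by this host." }
    $ssl.Close(); $tcp.Close()
} catch {
    Write-Warning "Could not complete an SSL handshake with ${InternalName}:${InternalPort}: $_"
}
```

Run it on the ISA firewall as an administrator after importing the certificate and before creating the publishing rule; any warning it prints corresponds to a step in the walkthrough that needs to be redone.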