
We're running ISA 2006 and IIS6, both on Windows 2003 machines. We've published a website under an SSL connection.

Is it possible to let the ISA server pass down any client certificates to IIS (and the web application)? We need the client certificates to verify that the user may view the site.

A simple ISA rule that blocks anyone who does not have the certificate is not an option, because in that case we redirect to a login page. Ditching the ISA server is also not an option, because the administrators would kill me.

2 Answers


Standard reverse publishing of a site that needs SSL should have the SSL cert installed on the ISA server.

On IIS6, you can specify that the root site is not required to enforce SSL, and secure pages are placed in a subfolder that has the 'force secure connect' check box turned on. (It's in IIS: Site properties, Security, last button (Settings).) In this way you can enforce SSL on one or more folders.

Joe
  • Yeah, we tried that. The problem is that we're planning to publish multiple sites under the same wildcard (SSL) certificate. Each site will have the same external endpoint on the ISA server. The ISA server will pass requests down to the right IIS server based on the host header. If we simply used reverse publishing, we would need an external IP address per site, which is not an option according to our administrators. I'm starting to think what we want is not possible with ISA 2006 :( –  Sep 10 '09 at 08:31
  • Yep, I discussed it with the ISA experts inside our organization. This is not possible. You can however achieve the same thing with an ISA tunnel to IIS and use SSL host headers (http://support.microsoft.com/?id=187504), available since Windows Server 2003 SP1 –  Sep 17 '09 at 09:02

According to the way SSL is designed, you only have one option: have ISA have a copy of the user's certificate, such that it will present it on behalf of the user when establishing the connection with the backend server.

SSL was invented (among other reasons) specifically to prevent man-in-the-middle attacks which is exactly what you are trying to achieve with your configuration (since you need to see the unencrypted request in order to get the "Host:" header from it).

Without access to all the client certificates (and their corresponding private keys) that are ever to be used through that proxy, it is not going to work with any of MS ISA, BlueCoat, Squid ... or whatever else.

@Dexter

  • Thanks for your clear answer. If I understand you correctly it is not possible to let ISA set up an SSL connection with the backend server and "repackage" the client certificate. But wouldn't it be possible to pass the information inside the certificate down to the backend server? Maybe by adding another host header? If not I will accept your answer. –  Sep 11 '09 at 15:30
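The comment above asks whether the proxy could at least pass the *contents* of the client certificate down to the backend, since the certificate itself (proof of possession of the private key) cannot be replayed. The example below is added here and is not code from the thread, from ISA, or from IIS; it sketches the trust boundary that such a scheme needs on both ends, assuming a proxy that validates the client certificate and injects its subject into a header (the thread does not establish that ISA 2006 can do this; the header name `X-Client-Cert-Subject`, the proxy address `10.0.0.5` and the allow list are constructed values). The security-relevant point is that the backend must accept the header only from the proxy, and the proxy must discard any copy of the header the client sent, otherwise any direct client could assert an identity it never proved.

```python
"""Forwarding a proxy-verified client-certificate identity in an HTTP header.

Added example, not from the original thread. The proxy-side function models
a hypothetical TLS-terminating proxy; the backend-side functions model the
checks a web application behind it would have to perform.
"""
import ipaddress

# Constructed deployment values for this example (not from the thread).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}  # assumed proxy address
CERT_HEADER = "X-Client-Cert-Subject"                  # assumed header name
ALLOWED_SUBJECTS = {"CN=alice,O=Example"}              # constructed allow list


def _normalize(headers):
    """HTTP header names are case-insensitive, so compare on lowercase keys."""
    return {k.lower(): v for k, v in headers.items()}


def proxy_rewrite(client_headers, verified_subject):
    """Proxy side: drop any client-supplied identity header, then set it
    from the subject of the certificate the proxy itself verified in the
    TLS handshake (None when the client presented no valid certificate).
    Skipping the drop step would let a client inject its own identity."""
    out = {k: v for k, v in client_headers.items()
           if k.lower() != CERT_HEADER.lower()}
    if verified_subject is not None:
        out[CERT_HEADER] = verified_subject
    return out


def client_identity(peer_ip, headers):
    """Backend side: the header is trustworthy only when the TCP peer is a
    known proxy. From any other peer it is attacker-controlled input and is
    ignored, which also covers the case where the backend is reachable
    directly by mistake."""
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        return None
    return _normalize(headers).get(CERT_HEADER.lower())


def authorize(peer_ip, headers):
    """Allow the request only for an identity on the allow list."""
    return client_identity(peer_ip, headers) in ALLOWED_SUBJECTS


if __name__ == "__main__":
    # Constructed scenarios.
    # 1. Client tried to inject an identity; proxy overwrote it with the
    #    subject it actually verified.
    forwarded = proxy_rewrite({"X-Client-Cert-Subject": "CN=mallory,O=Evil"},
                              "CN=alice,O=Example")
    print(authorize("10.0.0.5", forwarded))          # True
    # 2. Direct connection bypassing the proxy with a spoofed header.
    print(authorize("203.0.113.9",
                    {"X-Client-Cert-Subject": "CN=alice,O=Example"}))  # False
    # 3. Via the proxy, but the client presented no certificate.
    print(authorize("10.0.0.5", proxy_rewrite(
        {"X-Client-Cert-Subject": "CN=alice,O=Example"}, None)))     # False
```

Two caveats follow from the design: the backend should be reachable only from the proxy (network ACL or firewall), since the IP check alone is defeated if an attacker can reach the backend from a spoofable address; and the forwarded value identifies the user but cannot be used by the backend to re-authenticate onward, which is the same limitation the answer describes for the proxy.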