One of the biggest pains in the neck when trying to deploy User Certificate authentication on the ISA Firewall was the requirement that you map each User Certificate to the user account in Active Directory. As you know, there is no quick and easy way to map User Certificates to user accounts in Active Directory, so if you had a large number of users, you were in for a marathon session of binding those certificates to user accounts. The administrative overhead was enough to prevent ISA firewall admins from even considering a User Certificate authentication solution.
Even if you weren't deterred by the prospect of sitting in front of AD Users and Computers for a week creating the mappings, there was a good chance that the ISA Firewall admin was not an AD admin. This meant that he'd have to deal with trying to convince the AD guys to do the mappings for him.
Another problem was that in some circumstances, the ISA Firewall was not configured as a domain member. Non-domain member ISA Firewalls could not support User Certificate authentication at all.
So, what to do? Get ready to install ISA 2006 SP1. With ISA 2006 SP1, you'll get the following:
- The ISA Firewall will no longer need to be a domain member to support User Certificate Authentication. All you need to do is install the CA certificate of the CA that issued the User Certificates in the Trusted Root Certification Authorities machine certificate store on the ISA Firewall.
- You will no longer need to map the Certificates to user accounts in the AD. The trust is established by the inclusion of the CA certificate in the ISA Firewall's Trusted Root Certification Authorities machine certificate store.
- You can still map User Certificates to user accounts in the AD if you like.
ISA 2006 SP1 will make setting up User Certificate authentication much easier on your ISA 2006 firewalls. This is just one of the many new features that you'll get when SP1 is released and installed on your computer.
By the way, you might be wondering why I'm promoting SP1 now, prior to its release. The reason is that SP1 adds so much to the ISA 2006 firewall that after installing it, it will be like having a new version! In fact, it wouldn't be too much of a stretch to think of an ISA 2006 SP1 firewall as ISA 2008. No, they're not going to change the name to ISA 2008, and I won't refer to it as that in the future, but I just want to drive home the point that SP1 adds so much that you'll think you've got an upgrade, and for free!
This week I'm dedicating my blog entries to new and improved features in ISA 2006 SP1, so come back tomorrow and the rest of the week for more info.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
MVP — Microsoft Firewalls (ISA)