LDAP Pre-authentication with ISA 2006 Firewalls: Using LDAP to Pre-authenticate OWA Access (Part 2)

Export the MSFIREWALL.ORG OWA Web Site Certificate to a File – Including the Site’s Private Key

The ISA Firewall impersonates the OWA Web site when the OWA client establishes the first SSL link between itself and the ISA Firewall. In order for the ISA Firewall to do this, you must export the Web site certificate and import that certificate into the ISA Firewall’s machine certificate store.

It is important that you export the Web site’s private key when you export the certificate to a file. If the private key is not included in the file, you will not be able to bind the certificate to a Web Listener on the ISA Firewall and the Web Publishing Rules will not work.

Perform the following steps to export the Web site certificate with its private key to a file:

  1. In the Internet Information Services (IIS) Manager console, expand the Web Sites node in the left pane of the console and then click the Default Web Site. Right click the Default Web Site and click Properties.
  2. In the Default Web Site Properties dialog box, click the Directory Security tab.
  3. On the Directory Security tab, click the View Certificate button in the Secure communications frame.
  4. In the Certificate dialog box, click the Details tab. On the Details tab, click the Copy to File button.


Figure 1

  1. Click Next on the Welcome to the Certificate Export Wizard page.
  2. On the Export Private Key page, select the Yes, export the private key option and click Next.


Figure 2

  1. On the Export File Format page, select the Personal Information Exchange – PKCS #12 (.PFX) option. Put a checkmark in the Include all certificates in the certification path if possible checkbox and remove the checkmark from the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) checkbox. Click Next.


Figure 3

  1. On the Password page, enter a Password and then enter it again in the Confirm Password field. Click Next.
  2. On the File to Export page, enter c:\OWAsiteCert in the File name text box. Click Next.
  3. Click Finish on the Completing the Certificate Export Wizard page.
  4. Click OK in the Certificate dialog box.
  5. Click OK in the Default Web Site Properties dialog box.
  6. Copy the OWAsiteCert.pfx file to the root of the C:\ drive on the ISA Firewall machine.

Now we need to repeat the procedures on the Exchange Server in the pixkiller.net domain:

  1. At the dc.pixkiller.net machine, click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
  2. In the left pane of the Internet Information Services (IIS) Manager console, expand the Web Sites node and click the Default Web Site. Right click Default Web Site and click Properties.
  3. On the Default Web Site Properties dialog box, click the Directory Security tab.
  4. On the Directory Security tab, click the Server Certificate button in the Secure communications frame.


Figure 4

  1. On the Welcome to the Web Server Certificate Wizard page, click Next.
  2. On the Server Certificate page, select the Create a new certificate option and click Next.


Figure 5

  1. On the Delayed or Immediate Request page, select the Send the request immediately to an online certificate authority option and click Next.


Figure 6

  1. On the Name and Security Settings page, accept the default settings and click Next.
  2. On the Organization Information page, enter your organization’s name in the Organization text box and your Organizational Unit’s name in the Organizational Unit text box. Click Next.


Figure 7

  1. On the Your Site’s Common Name page, enter the common name of the site. The common name is the name that external and internal users will use to access the site. For example, if users enter https://owa.pixkiller.net into the browser to access the OWA site, you would make the common name owa.pixkiller.net. In our current example, we will enter owa.pixkiller.net into the Common name text box. This is a critical setting. If you do not enter the correct common name, you will see certificate errors when attempting to connect to the secure OWA site. Click Next.


Figure 8

  1. On the Geographical Information page, enter your Country/Region, State/province and City/locality in the text boxes. Click Next.
  2. On the SSL Port page, accept the default value, 443, in the SSL port this web site should use text box. Click Next.
  3. On the Choose a Certification Authority page, accept the default selection in the Certification authorities list and click Next.


Figure 9

  1. Review the settings on the Certificate Request Submission page and click Next.
  2. Click Finish on the Completing the Web Server Certificate Wizard page.
  3. Notice that the View Certificate button is now available. This indicates that the Web site certificate has been bound to the OWA Web site and can be used to enforce secure SSL connections to the Web site.


Figure 10

  1. Click OK in the Default Web Site Properties dialog box.

Export the PIXKILLER.NET OWA Web Site Certificate to a File – Including the Site’s Private Key

The ISA Firewall impersonates the OWA Web site when the OWA client establishes the first SSL link between itself and the ISA Firewall. In order for the ISA Firewall to do this, you must export the Web site certificate and import that certificate into the ISA Firewall’s machine certificate store.

It is important that you export the Web site’s private key when you export the certificate to a file. If the private key is not included in the file, you will not be able to bind the certificate to a Web Listener on the ISA Firewall and the Web Publishing Rules will not work.

Perform the following steps to export the Web site certificate with its private key to a file:

  1. In the Internet Information Services (IIS) Manager console, expand the Web Sites node in the left pane of the console and then click the Default Web Site. Right click the Default Web Site and click Properties.
  2. In the Default Web Site Properties dialog box, click the Directory Security tab.
  3. On the Directory Security tab, click the View Certificate button in the Secure communications frame.
  4. In the Certificate dialog box, click the Details tab. On the Details tab, click the Copy to File button.


Figure 11

  1. Click Next on the Welcome to the Certificate Export Wizard page.
  2. On the Export Private Key page, select the Yes, export the private key option and click Next.


Figure 12

  1. On the Export File Format page, select the Personal Information Exchange – PKCS #12 (.PFX) option. Put a checkmark in the Include all certificates in the certification path if possible checkbox and remove the checkmark from the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) checkbox. Click Next.


Figure 13

  1. On the Password page, enter a Password and then enter it again in the Confirm Password field. Click Next.
  2. On the File to Export page, enter c:\OWAcertPIXkiller in the File name text box. Click Next.
  3. Click Finish on the Completing the Certificate Export Wizard page.
  4. Click OK in the Certificate dialog box.
  5. Click OK in the Default Web Site Properties dialog box.
  6. Copy the OWAcertPIXkiller.pfx file to the root of the C:\ drive on the ISA Firewall machine.
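
Before copying either PFX file to the ISA Firewall it is worth confirming that the export actually produced what the Web Listener needs: a private key, the common name users will type, and the bundled CA certificate. The following check is an added example and not part of the original article; the file name and expected common name are taken from the pixkiller.net lab above and are assumptions, and Get-PfxData requires the PKI module shipped with Windows 8 / Server 2012 and later.

```powershell
# Added example, not from the original article. Checks an exported PFX before
# it is copied to the ISA Firewall. The file name and expected common name are
# the article's lab values and are assumptions; Get-PfxData comes from the PKI
# module shipped with Windows 8 / Server 2012 and later.
param(
    [string]$PfxPath    = 'C:\OWAcertPIXkiller.pfx',
    [string]$ExpectedCN = 'owa.pixkiller.net'
)

$script:failed = $false
function Check([bool]$Ok, [string]$Message) {
    if ($Ok) { Write-Host "[PASS] $Message" }
    else     { Write-Host "[FAIL] $Message"; $script:failed = $true }
}

$pfx  = Get-PfxData -FilePath $PfxPath -Password (Read-Host -AsSecureString 'PFX password')
$site = $pfx.EndEntityCertificates | Select-Object -First 1
Check ($null -ne $site) "PFX contains an end-entity (Web site) certificate"
if ($null -eq $site) { exit 1 }

# Without the private key the certificate cannot be bound to a Web Listener.
Check $site.HasPrivateKey "Private key is included in the PFX"

# The CN must be the name users type into the browser, not the server's own name.
$cn = $site.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
Check ($cn -eq $ExpectedCN) "Subject CN '$cn' matches the published name '$ExpectedCN'"

# An SSL Web site certificate needs the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
$eku        = $site.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$serverAuth = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }
Check ($null -ne $serverAuth) "Certificate carries the Server Authentication EKU"

# 'Include all certificates in the certification path' should have bundled the CA,
# which is what later gets pasted into Trusted Root Certification Authorities.
Check ($pfx.OtherCertificates.Count -ge 1) "Issuing CA certificate ($($site.Issuer)) is bundled in the PFX"

Check ($site.NotAfter -gt (Get-Date)) "Certificate is still valid (expires $($site.NotAfter))"

if ($script:failed) { exit 1 }
```

Run it once per exported file (pass -PfxPath C:\OWAsiteCert.pfx -ExpectedCN owa.msfirewall.org for the first site); a FAIL on the private key or CN line means the export or the certificate request has to be redone before the Web Publishing Rules can work.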

Copy the Web site Certificates and the CA certificates to the ISA Firewall and install these certificates in the ISA Firewall’s machine Certificate Store

The Web site certificates must be imported into the ISA Firewall’s machine certificate store before they can be bound to the Web Listener. Only after the Web site certificates (along with their private keys) are imported into the firewall’s machine certificate store will the certificate be available for binding.

Perform the following steps to import the msfirewall.org OWA server’s Web site certificate into the ISA Server’s machine certificate store (you will repeat the procedure with the pixkiller.net Web site certificate after importing the msfirewall.org certificate):

  1. At the ISA Firewall, click Start and click on the Run command. Enter mmc in the Open text box and click OK. In the Console 1 console, click the File menu and click the Add/Remove Snap-in command.
  2. Click the Add button in the Add/Remove Snap-in dialog box.
  3. Click the Certificates entry in the Available Standalone Snap-in list on the Add Standalone Snap-in dialog box. Click Add.
  4. Select the Computer account option on the Certificates snap-in page. Click Next.
  5. On the Select Computer page, select the Local computer: (the computer this console is running on) option and click Finish.
  6. Click Close on the Add Standalone Snap-in page.
  7. Click OK in the Add/Remove Snap-in dialog box.
  8. Right click the Personal node in the left pane of the console, point to All Tasks and click Import.
  9. Click Next on the Welcome to the Certificate Import Wizard.
  10. Click the Browse button and locate the C:\OWAsiteCert.pfx certificate file. Click Next after the file path and name appear in the File name text box.


Figure 14

  1. On the Password page, enter the password for the file. Do not put a checkmark in the Mark this key as exportable checkbox. That option allows you to back up or transport your keys at a later time, but you should not use it here: this machine is a bastion host with an interface in a perimeter network or on the Internet and may be compromised, and an attacker who compromises it could steal the private key if it is marked as exportable. Click Next.
  2. On the Certificate Store page, confirm that the Place all certificates in the following store option is selected and that it says Personal in the Certificate store box. Click Next.
  3. Review the settings on the Completing the Certificate Import page and click Finish.
  4. Click OK on the Certificate Import Wizard dialog box informing you the import was successful.
  5. You will see the Web site certificate and the CA certificate in the right pane of the console. The Web site certificate has the FQDN assigned to the Web site. This is the name external users use to access the OWA site. The CA certificate must be placed into the Trusted Root Certification Authorities\Certificates store so that this machine will trust the Web site certificate installed on it. Double click the Web site certificate in the right pane of the console.
  6. Expand the Trusted Root Certification Authorities node in the left pane of the console and click the Certificates node. You need to copy the enterprise CA’s certificate into the Trusted Root Certification Authorities\Certificates node. This can be done by right clicking on the CA certificate and then clicking the Cut command. Then you would click on the \Trusted Root Certification Authorities\Certificates node and click on the Paste button in the mmc’s button bar.


Figure 15

  1. Repeat the procedure to import the pixkiller.net Web site certificate into the ISA Firewall’s machine certificate store. We need both the msfirewall.org and the pixkiller.net Web site certificates imported before we can proceed. Make sure that you paste the pixkiller.net CA certificate in the Trusted Root Certification Authorities\Certificates node. This will be critical later when we configure LDAPS authentication between the ISA Firewall and the DCs.
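
Once both certificates are in place, the state of the ISA Firewall's machine store can be verified in one pass: each published name must have a certificate with a private key, that key should not be exportable, and the certificate must chain to a root the machine trusts (which is exactly what pasting the CA certificate into Trusted Root Certification Authorities achieves). This script is an added example, not from the original article; it assumes Windows PowerShell is installed on the firewall and uses the two lab FQDNs as assumptions.

```powershell
# Added example, not from the original article. Run on the ISA Firewall after
# both PFX files have been imported. The published FQDNs are the article's lab
# names and are assumptions; adjust them to your own Web site certificates.
$expected = 'owa.msfirewall.org', 'owa.pixkiller.net'
$personal = Get-ChildItem Cert:\LocalMachine\My
$ok       = $true

foreach ($fqdn in $expected) {
    $cert = $personal | Where-Object { $_.Subject -like "CN=$fqdn*" } | Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No certificate for $fqdn in LocalMachine\My"; $ok = $false; continue
    }

    # Without the private key the certificate cannot be bound to a Web Listener.
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$fqdn has no private key in the machine store"; $ok = $false
    }

    # CAPI keys report exportability through CspKeyContainerInfo. On a bastion host
    # 'Mark this key as exportable' should have been left unchecked, so Exportable
    # is expected to be False. Reading the key needs administrative rights.
    $csp = $null
    try { $csp = $cert.PrivateKey.CspKeyContainerInfo } catch { }
    if ($csp -and $csp.Exportable) {
        Write-Warning "$fqdn private key is exportable; re-import without 'Mark this key as exportable'"
        $ok = $false
    }

    # Build the chain against this machine's stores: it succeeds only if the issuing
    # CA certificate was pasted into Trusted Root Certification Authorities.
    # Revocation checking is skipped because the firewall may not reach the CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Write-Warning "$fqdn does not chain to a trusted root on this machine: $reasons"; $ok = $false
    }
    else {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Host "$fqdn OK: private key present, trusted via '$($root.Subject)', expires $($cert.NotAfter)"
    }
}
if (-not $ok) { exit 1 }
```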

Configure HOSTS File Entries on the ISA Firewall

The ISA Firewall will need to be able to resolve the names of the Exchange Servers in order to perform LDAPS authentication. As you’ll see later when we configure the LDAP Servers in the ISA Firewall console, we need the ISA Firewall to be able to use certificate authentication when communicating with the DCs using LDAPS. The ISA Firewall must be able to resolve the FQDNs of the DCs to their actual IP addresses.

There are a number of ways you can do this, such as configuring the ISA Firewall’s internal interface to use a DNS server that is able to resolve names for both domains. However, if you don’t want to do that, you can always use the poor man’s solution and create HOSTS file entries on the ISA Firewall to resolve these names.

NOTE:
In the past we needed to create HOSTS file entries for the common/subject names on the certificates so that they would resolve to the actual IP addresses of the OWA Web sites on the internal network. The ISA 2006 Firewall improves on this by decoupling the name used in the connection from the name or address used to forward that connection. For this reason, you no longer need to create HOSTS file entries for the common/subject names on the OWA Web site certificates.

The HOSTS file is located at \Windows\System32\drivers\etc. Open the HOSTS file and add an entry for each Exchange Server, with the IP address first and the FQDN after it. In our example, we enter the following HOSTS file entries:

10.0.0.2    Exchange2003be.msfirewall.org
10.0.0.3    dc.pixkiller.net

You can see these entries in the figure below.


Figure 16

You can test the effectiveness of your HOSTS file entries by pinging the names from the ISA Firewall at the command prompt, as seen in the figure below.


Figure 17
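
Pinging confirms reachability but not that the resolver answered with the address you intended, and a stale DNS cache or a conflicting DNS record can quietly send LDAPS traffic elsewhere. The following check is an added example and not part of the original article; it parses the HOSTS file the way Windows does and compares both the file and the live resolver against the expected addresses, using the lab names and IPs from this section as assumptions.

```powershell
# Added example, not from the original article. Verifies on the ISA Firewall that
# the HOSTS file carries the DC entries and that each FQDN resolves to the address
# the LDAPS configuration will rely on. Names and addresses are the article's lab
# values and are assumptions.
$expected = @{
    'exchange2003be.msfirewall.org' = '10.0.0.2'
    'dc.pixkiller.net'              = '10.0.0.3'
}
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Parse HOSTS the way Windows does: '#' starts a comment, the first token is the
# address and every following token is a name for it.
$hostsMap = @{}
foreach ($line in Get-Content $hostsPath) {
    $text = ($line -split '#')[0].Trim()
    if (-not $text) { continue }
    $fields = $text -split '\s+'
    if ($fields.Count -lt 2) { continue }
    foreach ($name in $fields[1..($fields.Count - 1)]) { $hostsMap[$name.ToLower()] = $fields[0] }
}

$ok = $true
foreach ($fqdn in $expected.Keys) {
    $want   = $expected[$fqdn]
    $inFile = $hostsMap[$fqdn]
    if ($inFile -ne $want) {
        Write-Warning "HOSTS entry for $fqdn is '$inFile', expected '$want'"; $ok = $false
    }

    # Resolve through the system resolver, which consults HOSTS before DNS. A
    # mismatch here with a correct file entry points at a cached or conflicting
    # DNS answer rather than at the HOSTS file itself.
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($fqdn) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
    } catch { $resolved = @() }

    if ($resolved -notcontains $want) {
        Write-Warning "$fqdn resolves to '$($resolved -join ', ')', expected $want"; $ok = $false
    } else {
        Write-Host "$fqdn -> $want (HOSTS file and resolver agree)"
    }
}
if (-not $ok) { exit 1 }
```

If the file entry is right but the resolver disagrees, run ipconfig /flushdns and re-check before moving on to the LDAP server configuration in the next article.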

Summary

In this article we continued our series on how to configure LDAP authentication on the ISA Firewall. We have deployed the certificates and configured the HOSTS file on the ISA Firewall so that name resolution is consistent with the certificate naming conventions. In the next article we’ll configure the LDAP server settings on the ISA Firewall. See you then! –Tom.
