In the last few weeks I’ve heard more than a few people mention that the ISA 2004 firewall’s Service Pack 2 is breaking some of their Web Publishing Rules. I’ve yet to pin down the specific problem these folks are having, but I think I have a pretty good idea: it’s most likely related to a change in authentication security for Web Publishing Rules included in SP2.
Although I’ve made it a point to stress over and over again that you should never pass credentials over an insecure channel, I suspect that the ISA firewall admins who are having problems with their Web Publishing Rules are doing just that.
For example, if you publish your OWA site and require authentication at the ISA firewall, you are most likely going to use Basic or Forms-based authentication. Basic credentials are only Base64 encoded, not encrypted, and are easily recovered from any network trace. The situation is even worse for Forms-based authentication, as the credentials aren’t even encoded. They’re passed in completely clear text.
That’s why for all Web Publishing Rules where you require authentication, you need to force SSL on the ISA firewall’s Web listener. If you do not, then username and password information for your remote users will be the property of whoever is listening on the source network, destination network, or any network in between. You don’t want that.
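To make concrete why Basic and forms-based logons must never cross a plain-HTTP Web listener, here is an added Python example (not from the original post and not ISA Server code). It parses two constructed request traces of the kind any sniffer on the path would capture and shows what an observer learns: the Basic header is undone with a single Base64 decode, and the forms-based POST needs no decoding at all. The account name, password, logon path and form field names are made up for the example.

```python
import base64
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample requests (not real captures): what a sniffer anywhere
# between the browser and a plain-HTTP Web listener would see. The account
# "alice" with password "secret" is made up.
BASIC_TRACE = (
    "GET /exchange/ HTTP/1.1\r\n"
    "Host: owa.example.com\r\n"
    "Authorization: Basic YWxpY2U6c2VjcmV0\r\n"
    "\r\n"
)

# Forms-based logon: the field names "username" and "password" and the logon
# path are assumptions for the example; what matters is that the body carries
# both values verbatim, with no encoding at all.
FORMS_TRACE = (
    "POST /logon HTTP/1.1\r\n"
    "Host: owa.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 30\r\n"
    "\r\n"
    "username=alice&password=secret"
)

# A request carrying no credential at all, used as the negative case.
ANONYMOUS_TRACE = "GET /exchange/ HTTP/1.1\r\nHost: owa.example.com\r\n\r\n"


def parse_http_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (request line, lower-cased header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def basic_credentials(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Recover user and password from a Basic Authorization header.

    Base64 is a reversible encoding, so this is a lookup, not an attack on a cipher.
    """
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: nothing recoverable
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def form_credentials(headers: Dict[str, str], body: str,
                     user_field: str = "username",
                     password_field: str = "password") -> Optional[Tuple[str, str]]:
    """Recover credentials from a forms-based logon POST; there is nothing to decode."""
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    fields = parse_qs(body)
    if user_field not in fields or password_field not in fields:
        return None
    return fields[user_field][0], fields[password_field][0]


def exposed_credentials(raw: str) -> Optional[Tuple[str, str]]:
    """What an observer on the wire learns from one request to an HTTP listener."""
    _, headers, body = parse_http_request(raw)
    return basic_credentials(headers) or form_credentials(headers, body)


if __name__ == "__main__":
    for label, trace in (("Basic", BASIC_TRACE), ("Forms", FORMS_TRACE), ("none", ANONYMOUS_TRACE)):
        print(f"{label:6s} -> {exposed_credentials(trace)}")
```

Run it as-is and both authenticated traces yield the same username and password; the only thing that changes the outcome is wrapping the external leg in SSL, which is exactly what SP2 now forces.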
From the ISA 2004 Service Pack 2 White Paper:
“When you use HTTP-to-HTTP bridging, ISA Server will not allow traffic on the external HTTP port when the Web listener is configured to request Basic, forms-based, or Remote Authentication Dial-In User Service (RADIUS) authentication. This is a security-related change. These credentials should be encrypted, and not sent in clear text over HTTP.” (Source: http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/sp2.mspx)
Your solution is to use either SSL-to-HTTP or SSL-to-SSL bridging (obviously, SSL-to-SSL bridging is the much more secure solution).
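The white paper’s rule and the two bridging options can be written down as a small configuration check, which is a handy way to review your rules before you apply SP2. The following Python is an added example, not part of this post and not ISA Server’s own tooling; the WebListener and WebPublishingRule classes are a simplified model of the real objects (one external HTTP port, one external SSL port, a set of authentication methods, and whether the backend leg is SSL), and the sample rules are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Methods whose credentials cross the wire in clear text over HTTP. These are the
# ones the SP2 white paper says will no longer be served on an external HTTP port.
CLEARTEXT_AUTH: Set[str] = {"basic", "forms", "radius"}


@dataclass
class WebListener:
    """Simplified model of an ISA Web listener (assumption, not the real object)."""
    name: str
    http_port: Optional[int]               # external plain-HTTP port, None if not offered
    https_port: Optional[int]              # external SSL port, None if not offered
    auth_methods: Set[str] = field(default_factory=set)


@dataclass
class WebPublishingRule:
    """Simplified model of a Web Publishing Rule (assumption, not the real object)."""
    name: str
    listener: WebListener
    backend_ssl: bool                      # ISA -> published server leg uses SSL
    require_auth: bool = True              # rule makes users authenticate at ISA


def audit_rule(rule: WebPublishingRule) -> Dict[str, str]:
    """Verdict for each external leg the rule can serve.

    Codes: 'blocked'      SP2 refuses the HTTP port (cleartext credential prompt over HTTP)
           'allowed'      HTTP port stays up because no credentials are requested on it
           'ssl-to-http'  SSL listener bridged to an HTTP backend (works, internal leg in clear)
           'ssl-to-ssl'   SSL listener bridged to an SSL backend (the recommended setup)
    """
    cleartext = rule.require_auth and bool(rule.listener.auth_methods & CLEARTEXT_AUTH)
    verdicts: Dict[str, str] = {}
    if rule.listener.http_port is not None:
        verdicts["http"] = "blocked" if cleartext else "allowed"
    if rule.listener.https_port is not None:
        verdicts["https"] = "ssl-to-ssl" if rule.backend_ssl else "ssl-to-http"
    return verdicts


def still_serves_clients(rule: WebPublishingRule) -> bool:
    """True if at least one external leg remains usable after the SP2 change."""
    return any(v != "blocked" for v in audit_rule(rule).values())


# Constructed example rules, as an admin might find them after upgrading to SP2.
BROKEN_OWA = WebPublishingRule(
    "OWA (pre-SP2 style, HTTP-to-HTTP with forms auth)",
    WebListener("HTTP listener", http_port=80, https_port=None, auth_methods={"forms"}),
    backend_ssl=False,
)
FIXED_OWA = WebPublishingRule(
    "OWA (SSL-to-HTTP)",
    WebListener("SSL listener", http_port=None, https_port=443, auth_methods={"forms"}),
    backend_ssl=False,
)
RECOMMENDED_OWA = WebPublishingRule(
    "OWA (SSL-to-SSL)",
    WebListener("SSL listener", http_port=None, https_port=443, auth_methods={"forms"}),
    backend_ssl=True,
)
DUAL_PORT = WebPublishingRule(
    "Basic-authenticated site on a listener offering both ports",
    WebListener("dual listener", http_port=80, https_port=443, auth_methods={"basic"}),
    backend_ssl=True,
)

if __name__ == "__main__":
    for rule in (BROKEN_OWA, FIXED_OWA, RECOMMENDED_OWA, DUAL_PORT):
        print(f"{rule.name}: {audit_rule(rule)}  usable={still_serves_clients(rule)}")
```

The first rule is the one that "breaks" after SP2: its only external leg is HTTP and it prompts for forms credentials, so the service pack refuses it and remote users get nothing. The dual-port case shows that SP2 only closes the HTTP leg; the SSL leg on the same listener keeps working, which is why the fix is to put SSL on the Web listener rather than to drop authentication.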
Thomas W Shinder, M.D.
MVP — ISA Firewalls