Publishing Multiple Web Sites using a Wildcard Certificate in ISA Server 2004



By Thomas W Shinder M.D.


A popular request on the Web Publishing boards here on www.isaserver.org is for more information on how to publish multiple secure Web sites using a single IP address on the external interface of the firewall. Both ISA Server 2000 and ISA Server 2004 have in common the fact that a single certificate can be bound per Web listener. If you have a single IP address bound to the external interface of the ISA Server 2000 or ISA Server 2004 firewall, then you will be able to publish a single secure Web site.



The reason for this is the name of the destination Web site the external user sends in his request must match the name of the site as listed on the certificate. This name listed on the certificate is called the common name. For example, if you want to publish a Web site that users access by going to www.domain.com, then the common name on the Web site certificate must be www.domain.com. If you try to use the same Web listener to publish a secure site for www2.domain.com, it will not work because the common name on the certificate does not match the name in the user request.


Truly secure Web publishing requires that you force SSL between the Internet user and the external interface of the ISA firewall, and again between the internal interface of the ISA firewall and the Web site on the internal network. This type of end-to-end security is called SSL to SSL bridging. What sets the ISA firewall apart from other firewalls in its class is that it can inspect the contents of the SSL stream as it moves through the firewall, so attackers are not able to hide exploits inside an SSL tunnel.


When you perform SSL to SSL bridging, the common name on the certificate bound to the internal Web site must be the same as the name the Web Publishing rule uses to forward the request to that internal Web server. The figure below shows the path of the requests and the certificates required.



  1. The client sends an HTTPS request to www.internal.net to access an OWA Web site.
  2. The request arrives on the external interface of the ISA Server 2004 firewall and is intercepted by the Web listener for the OWA Web Publishing rule. The Web listener used by the OWA Web Publishing rule has a Web site certificate bound to it. The common name on the certificate is www.internal.net. The name in the request matches the common name on the Web site certificate bound to the Web listener.
  3. The OWA Web Publishing rule is configured to forward the request to the OWA site on the internal network. The Web Publishing rule on the ISA Server 2004 firewall is configured to forward the request to www.internal.net, which is the same name on the Web site certificate bound to the external interface and the name used in the original user request.
  4. The request is forwarded to the OWA site on the internal network. The OWA Web site also has a Web site certificate bound to it. The common name on the certificate is www.internal.net. This matches the name on the original client request, the name on the certificate bound to the Web listener that accepted the request, and the name used in the Web Publishing rule that redirected the request to the OWA Web site on the internal network. All the names match and if the user is authenticated, then the connection request is allowed.


You will see errors if the name in the request doesn’t match the common name on the certificate. For example, if the redirect in the Web Publishing rule configured on the ISA Server 2004 firewall was configured to forward the request to OWASERVER1, then the name in the request received from the ISA Server 2004 firewall by the Web site on the internal network would not match, and a server error 500 would be generated.


Now we can see where problems lie when we try to publish two secure Web sites using a single Web listener, which can only bind a single certificate, on the external interface of the ISA Server 2000 or ISA Server 2004 firewall. The figure below illustrates this configuration.



  1. The client on the Internet sends a request for owa.internal.net.
  2. The Web listener on the external interface of the ISA Server 2004 firewall has a Web site certificate bound to it with the common name owa.internal.net.
  3. The Web Publishing rule on the ISA Server 2004 firewall is configured to redirect the request to owa.internal.net. The name owa.internal.net resolves to the IP address of the OWA Web server on the internal network.
  4. The OWA Web site on the internal network has a certificate bound to it with the common name owa.internal.net. The request will be allowed if the user successfully authenticates.
  5. The Web client sends a request for www.internal.net.
  6. The Web listener on the ISA Server 2004 firewall has a certificate bound to it with the common name of owa.internal.net. The request is denied because the name in the request is not the same as the common name on the certificate bound to the Web listener.

This example demonstrates that you cannot publish two different Web sites with two different names using a single certificate.



Another place where you can run into problems is when the certificate matches correctly, but the redirect is misconfigured. The following figure shows what happens in this situation.



  1. Client on the Internet sends a request for owa.internal.net.
  2. The certificate bound to the Web listener on the ISA Server 2004 firewall has the common name of owa.internal.net.
  3. The Web Publishing rule on the ISA Server 2004 firewall is configured to redirect the request to 192.168.1.5.
  4. The ISA Server 2004 firewall forwards the request to 192.168.1.5, which isn’t the common name on the certificate. The request fails and a 500 internal server error results.


The solution to these problems is simple:



  • Use a wildcard certificate on the Web listener on the firewall
  • Configure the Web Publishing rule correctly.

We will cover the details of configuring the Web Publishing rule correctly and how to create a wildcard certificate and use it on the ISA Server 2004 firewall. The figure below shows how the wildcard certificate solves the problem of publishing multiple secure Web sites using a single certificate.


The client sends requests for owa.internal.net and www.internal.net. The certificate bound to the Web listener on the external interface of the ISA Server 2004 firewall has the common name *.internal.net. This means any host name in the internal.net domain can be included in the client request. Since both owa.internal.net and www.internal.net are hosts in the internal.net domain, the requests are consistent with the common name on the Web listener’s certificate.


There are two Web Publishing rules configured on the ISA Server 2004 firewall. One forwards requests for owa.internal.net to the OWA site on the internal network. The second forwards requests for www.internal.net to the www.internal.net site on the internal network.
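The following is an added example, not code from the original article: it models the name checks an SSL-to-SSL bridged request passes through (client request against the listener certificate, then the rule's forward-to name against the internal site's certificate) and reproduces the three figures above: the single-name listener certificate that refuses the second site, the redirect to an IP address that produces the 500 error, and the wildcard certificate with correctly configured rules. The wildcard rule goes slightly beyond the text: per RFC 2818 a wildcard covers exactly one label, so *.internal.net matches owa.internal.net but not a.owa.internal.net. The `PublishingRule` type and the outcome strings are this example's own names.

```python
"""Model of the name checks on an SSL-to-SSL bridged Web publishing path.

Added example (not from the original article). It simulates the scenarios
the article walks through so the cause of each failure is visible without
touching a real ISA Server 2004 listener.
"""
from __future__ import annotations

from dataclasses import dataclass


def cert_name_matches(common_name: str, host: str) -> bool:
    """Return True if a certificate common name covers the requested host.

    A wildcard ('*.internal.net') covers exactly one label, per RFC 2818:
    'owa.internal.net' matches; 'a.owa.internal.net' and 'internal.net' do not.
    Matching is case-insensitive and a trailing dot on the host is ignored.
    """
    cn = common_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cn.startswith("*."):
        suffix = cn[1:]                       # ".internal.net"
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]       # the label the '*' must cover
        return bool(leftmost) and "." not in leftmost
    return cn == host


@dataclass(frozen=True)
class PublishingRule:
    public_name: str       # name accepted by the rule (Select Public Domain Name page)
    forward_to: str        # Computer name or IP the rule redirects to
    internal_cert_cn: str  # common name on the certificate bound to the internal site


def bridge_request(requested_host: str, listener_cert_cn: str,
                   rules: list[PublishingRule]) -> str:
    """Walk a request through the listener, rule, and internal-site name checks.

    Returns one of:
      'ok'                      all names agree; the request is forwarded
      'listener-cert-mismatch'  client-side SSL fails: request name vs listener CN
      'no-rule'                 no publishing rule accepts this public name
      'internal-cert-mismatch'  firewall-side SSL fails (the article's 500 error)
    """
    if not cert_name_matches(listener_cert_cn, requested_host):
        return "listener-cert-mismatch"
    rule = next((r for r in rules
                 if r.public_name.lower() == requested_host.lower()), None)
    if rule is None:
        return "no-rule"
    # The firewall opens a second SSL session to rule.forward_to and checks
    # that name against the certificate presented by the internal site.
    if not cert_name_matches(rule.internal_cert_cn, rule.forward_to):
        return "internal-cert-mismatch"
    return "ok"


# Constructed sample rules mirroring the article's owa and www sites.
OWA_RULE = PublishingRule("owa.internal.net", "owa.internal.net", "owa.internal.net")
WWW_RULE = PublishingRule("www.internal.net", "www.internal.net", "www.internal.net")
# Misconfigured rule: forwards to an IP address instead of the certificate name.
OWA_BY_IP = PublishingRule("owa.internal.net", "192.168.1.5", "owa.internal.net")


def article_scenarios() -> dict[str, str]:
    """Reproduce the article's three figures as outcomes."""
    both = [OWA_RULE, WWW_RULE]
    return {
        # Single-name listener certificate: the second site is refused at the listener.
        "single-cert/owa": bridge_request("owa.internal.net", "owa.internal.net", both),
        "single-cert/www": bridge_request("www.internal.net", "owa.internal.net", both),
        # Correct certificate, but the redirect points at an IP address: 500 error.
        "redirect-to-ip": bridge_request("owa.internal.net", "owa.internal.net", [OWA_BY_IP]),
        # Wildcard listener certificate plus correctly configured rules: both work.
        "wildcard/owa": bridge_request("owa.internal.net", "*.internal.net", both),
        "wildcard/www": bridge_request("www.internal.net", "*.internal.net", both),
    }


if __name__ == "__main__":
    for name, outcome in article_scenarios().items():
        print(f"{name:16} -> {outcome}")
```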



The basic procedures required to use a wildcard certificate to publish multiple secure Web sites using a single IP address on the external interface of the ISA Server 2004 firewall are:



  • Request a wildcard certificate
  • Export the wildcard certificate to a file
  • Import the wildcard certificate into the ISA Server 2004 firewall’s machine certificate store
  • Request a new Web site certificate for the first Web site
  • Request a new Web site certificate for the second Web site
  • Create the Web Publishing rule to publish the first Web site
  • Create the Web Publishing rule to publish the second secure Web site
  • Create the HOSTS file entries for the two Web sites

The sample network we use in this article is shown in the figure below.



The www.internal.net Web site and the owa.internal.net site both run Windows Server 2003 and are members of the same domain. The Active Directory domain name is msfirewall.org. Note that the Active Directory domain name is immaterial to the publishing scenario. The ISA Server 2004 firewall is also a member of the same domain.


Request a Wildcard Certificate


The first step is to request a wildcard certificate. The easiest way to do this is to use the Web site certificate Wizard included in IIS. Perform the following steps to request a wildcard certificate from the enterprise CA on the Exchange 2003 server machine:



  1. On the Exchange 2003 computer, click Start and then point to Administrative Tools. Click Internet Information Services (IIS) Manager.
  2. In the Internet Information Services (IIS) Manager, click on the Default Web Site and then right click on it. Click Properties.
  3. On the Default Web Site Properties dialog box, click the Directory Security tab.
  4. On the Directory Security tab, click the Server Certificate button.
  5. Click Next on the Welcome to the Web Server Certificate Wizard page.
  6. On the Server Certificate page, select the Create a new certificate option and click Next.
  7. On the Delayed or Immediate Request page, select the Send the request immediately to an online certification authority option. Click Next.
  8. On the Name and Security Settings page, leave the default settings in the Name text box and the Bit length drop down list. Click Next.
  9. On the Organization Information page, enter the name of your organization in the Organization text box and an organizational unit name in the Organizational Unit text box. Click Next.
  10. On the Your Site’s Common Name page, enter the name that will be included on the wildcard certificate for your domain. In the current example, both of the secure servers we plan to publish are in the internal.net domain. Therefore, we need to create a wildcard certificate for the internal.net domain. We will enter *.internal.net in the Common name text box. Click Next.



  11. On the Geographical Information page, select your Country/Region from the list. Enter a State/province name and a City/locality name. Click Next.
  12. On the SSL Port page, use the default value of 443 and click Next.
  13. On the Choose a Certification Authority page, use the default entry that represents the enterprise CA, and click Next.
  14. Review the information on the Certificate Request Submission page and click Next.
  15. Click Finish on the Completing the Web Server Certificate Wizard page.
  16. Leave the Default Web Site Properties dialog box open so that you’ll be ready for the next procedure.

Export the Wildcard Certificate to a File


The next step is to export the wildcard certificate to a file. Perform the following steps on the Exchange 2003 computer to export the certificate with its private key to a file:



  1. On the Default Web Site Properties dialog box, click the Server Certificate button.
  2. Click Next on the Welcome to the Web Server Certificate Wizard page.
  3. On the Modify the Current Certificate Assignment page, select the Export the current certificate to a .pfx file option. Click Next.
  4. On the Export Certificate page, use the default location in the Path and file name text box and click Next.
  5. On the Certificate Password page, enter a password to protect the private key in the Password text box and confirm the password in the Confirm password text box.
  6. Review the settings on the Export Certificate Summary page. Click Next.
  7. Click Finish on the Completing the Web Server Certificate Wizard page.
  8. Click OK on the Default Web Site Properties dialog box.

Import the Wildcard Certificate into the ISA Server 2004 Firewall’s Machine Certificate Store


Now we need to copy the certificate file to the ISA Server 2004 firewall computer. After copying the file to the ISA Server 2004 firewall, we will import the wildcard certificate into the machine’s certificate store. Later, when we create the Web listener, we will bind the imported certificate to that listener.


Perform the following steps on the ISA Server 2004 firewall machine:



  1. Copy the wildcard certificate file to the ISA Server 2004 firewall computer.
  2. Click Start and then click the Run command. Enter mmc in the Open text box and click OK.
  3. In the Console1 window, click the File menu and then click the Add/Remove Snap-in command.
  4. In the Add/Remove Snap-in dialog box, click the Add button.
  5. In the Add Standalone Snap-in dialog box, click the Certificates entry in the Snap-in list. Click Add.
  6. On the Certificates snap-in page, select the Computer account option and click Next.
  7. On the Select Computer page, select the Local computer option and click Finish.
  8. Click Close on the Add Standalone Snap-in dialog box.
  9. Click OK on the Add/Remove Snap-in dialog box.
  10. Expand the Certificates (Local Computer) node in the left pane of the console. Right click the Personal node, point to All Tasks and click Import.
  11. Click Next on the Welcome to the Certificate Import Wizard page.
  12. On the File to Import page, click the Browse button and locate and select the certificate you copied to the ISA Server 2004 firewall machine. Click Next after the certificate appears in the File name text box.
  13. On the Password page, enter the password you assigned to the certificate file in the Password text box. Put a checkmark in the Mark this key as exportable… checkbox.
  14. Confirm that the Place all certificates in the following store option is selected on the Certificate Store page, then click Next.
  15. Click Finish on the Completing the Certificate Import Wizard page.
  16. Click OK on the Certificate Import Wizard dialog box informing you that the import was successful.
  17. Double click on the wildcard certificate that appears in the right pane of the console. Click on the Certification Path tab. You should see the name of the CA that issued the certificate at the top of the list. If the CA name does not appear at the top of the list, the CA certificate is not installed in the Trusted Root Certification Authorities node; restart the ISA Server 2004 firewall computer and check again. Because we have installed an enterprise CA and the ISA Server 2004 firewall is a member of the same domain as the enterprise CA, the CA certificate should be added to the Trusted Root Certification Authorities node automatically.



  18. Expand the Trusted Root Certification Authorities node. In the right pane of the console you should see the name of the CA that issued the wildcard certificate.



  19. Close the mmc console and do not save the changes.

Issue a New Web Site Certificate for the First Web Server


The OWA web site will not use the wildcard certificate to identify itself to other computers. Instead, we will remove the wildcard certificate from the OWA Web site and install a new certificate on the OWA site.


Perform the following steps to remove the current certificate from the OWA Web site before assigning a new certificate to the site:



  1. On the first Web server (the OWA server in this example), click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
  2. In the Internet Information Services (IIS) Manager console, expand the Web sites node and click on the Default Web Site. Right click the Default Web Site and click Properties.
  3. In the Default Web Site Properties dialog box, click the Directory Security tab. On the Directory Security tab, click the Server Certificate button.
  4. Click Next on the Welcome to the Web Server Certificate Wizard page.
  5. On the Modify the Current Certificate Assignment page, select the Remove the current Certificate option and click Next.



  6. Click Next on the Remove a Certificate page.
  7. Click Finish on the Completing the Web Server Certificate Wizard page.
  8. Leave the Default Web Site Properties dialog box open so that you can perform the next procedure.

Now we need to obtain a new certificate for this Web site. Perform the following steps to obtain a new Web site certificate for the first Web server’s (OWA server in this example) Web site:



  1. On the Default Web Site Properties dialog box, click the Directory Security tab.
  2. On the Directory Security tab, click the Server Certificate button.
  3. Click Next on the Welcome to the Web Server Certificate Wizard page.
  4. On the Server Certificate page, select the Create a new certificate option and click Next.
  5. On the Delayed or Immediate Request page, select the Send the request immediately to an online certification authority option. Click Next.
  6. On the Name and Security Settings page, leave the default settings in the Name text box and the Bit length drop down list. Click Next.
  7. On the Organization Information page, enter the name of your organization in the Organization text box and an organizational unit name in the Organizational Unit text box. Click Next.
  8. On the Your Site’s Common Name page, enter the fully qualified domain name of this Web site. This is the name the Web Publishing rule will later forward requests to, so it must match exactly. In the current example the first Web site is the OWA site, so we will enter owa.internal.net in the Common name text box. Click Next.



  9. On the Geographical Information page, select your Country/Region from the list. Enter a State/province name and a City/locality name. Click Next.
  10. On the SSL Port page, use the default value of 443 and click Next.
  11. On the Choose a Certification Authority page, use the default entry that represents the enterprise CA, and click Next.
  12. Review the information on the Certificate Request Submission page and click Next.
  13. Click Finish on the Completing the Web Server Certificate Wizard page.
  14. Leave the Default Web Site Properties dialog box open so that you’ll be ready for the next procedure.

Request a New Web Site Certificate for the Second Web Site


The next step is to request a Web site certificate for the second Web site. We can use the IIS Web site certificate Wizard to easily request the certificate because the second Web server is a member of the same domain as the enterprise CA.


Perform the following steps on the second Web server to obtain a Web site certificate:



  1. On the second Web site machine, click Start and then point to Administrative Tools. Click Internet Information Services (IIS) Manager.
  2. In the Internet Information Services (IIS) Manager, click on the Default Web Site and then right click on it. Click Properties.
  3. On the Default Web Site Properties dialog box, click the Directory Security tab.
  4. On the Directory Security tab, click the Server Certificate button.
  5. Click Next on the Welcome to the Web Server Certificate Wizard page.
  6. On the Server Certificate page, select the Create a new certificate option and click Next.
  7. On the Delayed or Immediate Request page, select the Send the request immediately to an online certification authority option. Click Next.
  8. On the Name and Security Settings page, leave the default settings in the Name text box and the Bit length drop down list. Click Next.
  9. On the Organization Information page, enter the name of your organization in the Organization text box and an organizational unit name in the Organizational Unit text box. Click Next.
  10. On the Your Site’s Common Name page, enter the fully qualified domain name of this Web site. This is the name the Web Publishing rule will later forward requests to, so it must match exactly. In the current example the second Web site is www.internal.net, so we will enter www.internal.net in the Common name text box. Click Next.



  11. On the Geographical Information page, select your Country/Region from the list. Enter a State/province name and a City/locality name. Click Next.
  12. On the SSL Port page, use the default value of 443 and click Next.
  13. On the Choose a Certification Authority page, use the default entry that represents the enterprise CA, and click Next.
  14. Review the information on the Certificate Request Submission page and click Next.
  15. Click Finish on the Completing the Web Server Certificate Wizard page.

Leave the Default Web Site Properties dialog box open so that you’ll be ready for the next procedure.


Create the First Web Publishing Rule


In this example the first Web server is an OWA server. We can use the ISA Server 2004 OWA Web Publishing Wizard to publish the first Web site using the wildcard certificate on the ISA Server 2004 machine.


Perform the following steps to publish the OWA Web site on the Exchange 2003 machine:



  1. On the ISA Server 2004 machine, click Start and point to All Programs. Point to Microsoft ISA Server and click on ISA Server Management.
  2. In the left pane of the Microsoft Internet Security and Acceleration Server 2004 management console, expand your server name and then right click on the Firewall Policy node. Point to New and click on Mail Server Publishing Rule.
  3. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name text box. In this example we’ll call the rule OWA. Click Next.
  4. On the Select Access Type page, select the Web client access: Outlook Web Access (OWA) option and click Next.



  5. On the Bridging Mode page, select the Secure connection to clients and mail server option and click Next.



  6. On the Specify the Web Mail Server page, enter the name of the mail server on the internal network. This is a critical step! Enter the same fully qualified domain name as the name used on the Web site certificate installed on the OWA site on the internal network. In this case, the common name on the certificate installed on the OWA site is owa.internal.net. Therefore, we will enter owa.internal.net in the Web mail server text box. Later we will create a HOSTS file entry to help the ISA Server 2004 firewall resolve this name correctly. Click Next.



  7. On the Select Public Domain Name page, select the This domain name (type below) option from the Public domain list. In the Only requests for this public domain name or IP address will be forwarded to the published site text box, enter the value owa.internal.net. This is the name that external users will use to access the OWA site while those users are connected to the Internet. Click Next.



  8. You will need to select a Web listener that accepts requests for the Web Publishing rule. There are no Web listeners configured on this machine, so we will need to create one. Click the New button on the Select Web Listener page.



  9. On the Welcome to the New Web Listener page, enter a name for the listener in the Web listener name text box. In this example we will enter the name Wildcard Cert and click Next.
  10. On the IP Addresses page, put a checkmark in the External entries checkbox in the Network IP addresses list and click Address.



  11. In the External Network Listener IP Selection dialog box, select the Selected IP addresses in this network option. Select an IP address on the external interface of the ISA Server 2004 firewall from the Available IP Addresses list and then click Add. This moves the address to the Selected IP Addresses list. Click OK.



  12. Click Next on the IP Addresses page.
  13. On the Port Selection page, place a checkmark in the Enable SSL checkbox. Click the Select button. On the Select Certificate page, select the wildcard certificate from the list and click OK. Click Next on the Port Specification page.



  14. Click Finish on the Completing the New Web Listener Wizard page.
  15. The Select Web Listener page now has the details of the Web listener you created. However, we’re not done yet with this listener. Click the Edit button.



  16. In the Wildcard cert Properties dialog box, click the Authentication button. In the Authentication dialog box, remove the checkmark from the Integrated checkbox. Click OK in the Microsoft Internet Security and Acceleration Server 2004 dialog box informing you about the effects of your selection on authentication. Put a checkmark in the Basic checkbox. Click Yes in the ISA Server Configuration dialog box informing you that basic authentication moves credentials in the clear unless you use SSL. We’re using SSL, so this will not be a problem. Click OK in the Authentication dialog box. Click Apply and then click OK in the Wildcard cert Properties dialog box.



  17. Click Next on the Select Web Listener page.
  18. Accept the default setting on the User Sets page and click Next.
  19. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.

Create the Web Publishing Rule for the Second Web Site


The next step is to create a Web Publishing rule for the second Web site. The second Web site will answer requests for www.internal.net. The good thing about creating this second rule is that we won’t have to create another Web listener; we can reuse the Web listener we created when configuring the first Web Publishing rule.


Perform the following steps to create the second Web Publishing Rule:



  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, right click the Firewall Policy node, point to New and click Web Publishing Rule.
  2. On the Welcome to the New Web Publishing Rule Wizard page, enter a name for the rule in the Web publishing rule name text box. In this example, we’ll name the rule Second Web Site and click Next.
  3. On the Select Rule Action page, select the Allow option and click Next.
  4. On the New Web Publishing Rule Wizard page, enter the name of the internal Web site in the Computer name or IP address text box. In this example, the name of the site must be the same as the name used on the certificate bound to the second Web site. The Web site certificate on the second Web site has the common name www.internal.net, so we will enter that name in the Computer name or IP address text box. In the Folder text box, enter /*. This allows users to access all folders on the Web site. Click Next.



  5. On the Select Public Domain Name page, select the This domain name (type below) option. In the Only requests for this public name or IP will be forwarded to the published site text box, enter the name external, Internet based users will use to access the site. In this example external users will use the name www.internal.net to connect to the second Web site. We will enter this name into the text box. Click Next.



  6. On the Select Web Listener page, select the Wildcard cert entry from the Web Listener list. Click Next.



  7. Accept the default entry of All Users on the User Sets page and click Next.
  8. Click Finish on the Completing the New Web Publishing Rule Wizard page.
  9. Right click on the Second Web Site Web Publishing Rule and click Properties.
  10. In the Second Web Site Properties dialog box, place a checkmark in the Notify HTTP users to use HTTPS instead checkbox, and place a checkmark in the Require 128-bit encryption for HTTPS traffic checkbox. Click Apply and then click OK.



  11. Click Apply to save the changes and update the firewall policy.


Create the HOSTS File Entries on the ISA Server 2004 Firewall


The last step is to create the HOSTS file entries for the two Web sites. The ISA Server 2004 firewall needs to be able to resolve the fully qualified domain names used in the common name on the Web site certificates to the IP addresses the sites use on the internal network. In our current example, the owa.internal.net site is on 10.0.1.2 and the www.internal.net site is at 10.0.1.3. The HOSTS file requires two entries, as listed below:


10.0.1.2 owa.internal.net


10.0.1.3 www.internal.net


This HOSTS file entry in our example appears in the figure below:



The HOSTS file is located at:


%SystemRoot%\system32\drivers\etc
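As an added example (not from the original article), the following script parses HOSTS-file text and checks that every name a Web Publishing rule forwards to resolves to an address on the internal network; a forward-to name with no entry is the kind of omission that makes the firewall-side connection fail. The HOSTS content, the `internal_net` prefix and the function names are this example's own constructed values.

```python
"""Verify that Web Publishing rule forward-to names resolve via the HOSTS file.

Added example, not from the original article. The firewall must resolve the
common name on each internal site's certificate to that site's internal
address; this checks the HOSTS entries that provide that resolution.
"""
from __future__ import annotations

import ipaddress


def parse_hosts(text: str) -> dict[str, str]:
    """Parse HOSTS-file text into {name (lowercase): ip}. '#' starts a comment."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed entry
        for name in names:
            # First entry for a name wins, which is how the resolver behaves.
            table.setdefault(name.lower().rstrip("."), ip)
    return table


def check_forward_names(hosts_text: str, forward_names: list[str],
                        internal_net: str) -> dict[str, str]:
    """Report 'ok', 'unresolved' or 'outside-internal-network' per forward-to name."""
    table = parse_hosts(hosts_text)
    net = ipaddress.ip_network(internal_net)
    report: dict[str, str] = {}
    for name in forward_names:
        ip = table.get(name.lower().rstrip("."))
        if ip is None:
            report[name] = "unresolved"
        elif ipaddress.ip_address(ip) not in net:
            report[name] = "outside-internal-network"
        else:
            report[name] = "ok"
    return report


# Constructed HOSTS content using the article's addresses.
SAMPLE_HOSTS = """\
# HOSTS file on the ISA Server 2004 firewall (constructed sample)
127.0.0.1       localhost
10.0.1.2        owa.internal.net
10.0.1.3        www.internal.net
"""

if __name__ == "__main__":
    # mail.internal.net has no entry, so it is reported as unresolved.
    names = ["owa.internal.net", "www.internal.net", "mail.internal.net"]
    for name, status in check_forward_names(SAMPLE_HOSTS, names, "10.0.1.0/24").items():
        print(f"{name:20} {status}")
```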


Users will now be able to connect to the Web sites. Make sure your public DNS is configured so that the names of the Web sites resolve to the IP address on the external interface of the ISA Server 2004 firewall that you selected for the Web listener.


In the figure below you can see the successful connections using the OWA and the Second Web Site publishing rules in the ISA Server 2004 firewall’s Logging display. I’ve configured the log to filter the entries to show only those entries for the OWA and Second Web Site rules.



Summary


In this article we went over the procedures required to publish multiple secure Web sites using a wildcard certificate on the ISA Server 2004 firewall computer. We began by discussing the problem and proposing potential solutions. The remainder of the document detailed step by step procedures you can carry out to publish multiple SSL sites using a single certificate.


Acknowledgements


Many thanks to Tony Bailey from the Microsoft Security Business Unit for his assistance in developing the content of this article. Thanks also go to Kai Wilke, Microsoft ISA Server 2000 MVP, for coming up with the idea of using a wildcard certificate to solve the problem of publishing multiple secure Web sites with a single Web listener.


I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=5;t=002394 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
