Implementing and Troubleshooting Certificate Deployment in ISA Server 2006

If you would like to read the next part in this article series please go to Microsoft ISA Server 2006 – Certificate troubleshooting (Part 2).

Let’s begin

Let’s start with some basics about PKI definitions, digital certificates and certificate authorities.

PKI

In cryptography terms, a public key infrastructure (PKI) is the building block for several other technology aspects with the goal of issuing certificates for users, computers and services from a certificate authority (CA). The PKI role that issues certificates is called the Registration Authority (RA).

Certificates

In cryptography, a public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with identity information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual. In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). Source:  http://en.wikipedia.org/wiki/Digital_certificate

Certificate Authority

In cryptography terms, a certification authority (CA) is a server or a set of servers in a CA hierarchy which issues digital certificates for use by users, computers and services. Windows Server 2003 (and older versions) has its own CA implementation.

Certification authorities can be a single server or can be chained into certificate chains where every hierarchy has special tasks like intermediate CA, issuing CA and more. You will see a CA hierarchy in the following picture.


Figure 1: CA Hierarchy

File extensions used in Cryptography

There are several file extension which are used when you work with ISA Server 2006 and certificates. Here are some examples:

Key

Description

PCKS #12

Private Information Exchange

.PFX

Private Information Exchange

.P12

Private Information Exchange

PCKS #7

Cryptographic Message Syntax Standard

.P7B

PCKS #7 certificate

.CER

DER-coded-binary X.509
Base-64-coded-X.509

.PFX

Private Information Exchange PCKS #12

.CRL

Certification Revocation List

.P7C

Digital ID-file

.P7M

PCKS #7 MIME-message

.P7R

PCKS #7 certificate

.P7S

PCKS #7 signature

Table 1: PKI file extensions

Installing a CA

Installing and operating a CA is a relatively easy process. What makes PKI designs complicated are the several applications which use this PKI for several purposes.

This article is not designed to show you the whole installation process; I will only cover some pictures.


Figure 2: Installing a Windows CA

After installing the CA, the Server name and the domain membership should not be changed (If you feel pain: There is a KB article which gives you a chance to move the CA).

There are several types of CA. For this example we select a Enterprise Root CA which integrates into Active Directory.


Figure 3: Select CA type                                                                                                       

Give the CA a name and a lifetime.

                       
Figure 4: CA Name                       

After installing the CA, the CA can be used for issuing certificates                               

Certificate Snap-In

Every modern Windows version has a certificate Snap-In which handles locally installed certificates. If you are logged in as an Administrator, you can manage certificates for your own user account, a service account and a computer account.                        


Figure 5: Manage certificates

A normal user account can only open its own certificate store.

Certificates can be managed in the console (Import, export, request new certificates and certificate deletion).


Figure 6: Manage certificates

There is also a website which can be used to request new certificates or to download CA root certificates.


Figure 7: CA website

Settings in a reverse publishing scenario

If you want to use ISA Server as a reverse publishing proxy to publish services like Outlook Web Access (OWA) or Outlook Anywhere (OA), it is possible to enable SSL Bridging to enhance the security of ISA Server. When SSL Bridging is enabled, ISA Server terminates the SSL connection from the Server to the client; ISA then inspects the traffic and encrypts the traffic to HTTPS again. This is the most secure scenario.

In this scenario, ISA server needs the Root CA certificate from the internal CA that has issued certificates for the server to publish. ISA Server also needs a certificate for the ISA listener which Common Name (CN) has the same entry as the public name which clients enter when they try to establish a connection with the published server.

During the publishing process, ISA Server 2006 has a new certificate assistant that helps you to select the correct certificate. For troubleshooting purposes read the SSL troubleshooting article that is linked at the end of this article.

The certificate must be issued from a trusted CA, the certificate must be valid and keep a closer look at the Common Name of the certificate. The CN must match the public name that clients use to connect to the server.


Figure 8: Certificate assistant

What is the Bridging Tab in ISA Server 2006?

Have you ever tried to use the Bridging feature in the publishing rule? If you try to select the certificate, ISA often says that there is no certificate, right?

To get this working you must issue a user certificate for a normal user. This issued certificate must be imported (with the private key) into the local certificate store of the Microsoft ISA Server Firewall service. After that you can use the certificate to redirect incoming request to the internal server which requires certificate authentication.


Figure 9: SSL Bridging

There are no certificates that are available because there is no certificate installed in the local certificate store of the ISA Server Firewall service.


Figure 10: SSL Bridging – select a certificate

Certificate revocation

Certificate revocation is the process when an application requests the certificate chaining engine to evaluate a certificate, the validation is performed on all certificates in that certificates chain. This includes every certificate from the issuing CA to the issued certificate. As a first step the certificate chain will be evaluated. If the certificate chain is intact, the process checks that:

  • The certificates signature is valid
  • Verify that the current date and time from the certificate falls into the valid time period of the certificate.
  • Verify that each certificate is not corrupt or malformed

A certificate revocation list contains no more valid certificates. A process or Software like ISA Server can check the requested certificate against the certificate revocation list.

It is possible to configure ISA Server for several validation requests. ISA Server can verify that incoming certificates are not in the Certificate Revocation List (CRL).


Figure 11: Certificate revocation

Verify that incoming client certificates are not revoked

You must select this certificate if you want to let ISA Server to perform a check of the incoming certificate against the Certificate revocation List (CRL) to see if the certificate is revoked. If the certificate is revoked, the client request will be denied.

Verify that incoming server certificates are not revoked in a forward scenario

This option is a little different from the scenario above. In this scenario, ISA server checks to see if the incoming Server certificate in an SSL Bridging scenario is revoked. If the certificate is revoked, the request will be denied.

Verify that incoming server certificates are not revoked in a reverse scenario

Select this check box to specify that ISA Server will automatically check the Certificate Revocation List (CRL) to see if server certificates, in a Web publishing scenario, are revoked. If the certificate is revoked, the request will be denied.

Conclusion

In this article I tried to show you all aspects of certificate use in ISA Server 2006 for reverse publishing scenarios for Outlook Web Access (OWA), Outlook Anywhere (OA) and more. I also tried to give you some basics about certificates, certificate authorities and certificate checks.

Related links

If you would like to read the next part in this article series please go to Microsoft ISA Server 2006 – Certificate troubleshooting (Part 2).

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top