Geekzone: technology news, blogs, forums
lyonrouge
#70666 28-Oct-2010 13:55

I want to publish RD Gateway, Exchange and SharePoint, all of which require SSL, how do I map incoming traffic correctly? I suspect I need an IIS server between ISA and the rest?


lyonrouge
#396936 28-Oct-2010 17:23

Think the solution is to define an all-SSL-traffic rule first for traffic to the Remote Desktop Gateway, then publish SharePoint and Exchange as additional rules with URL path redirects, therefore OWA and SharePoint traffic should (assuming mobile devices use \OWA paths) be picked up and directed to the appropriate server, while all others will terminate at the RD Gateway.



Regs
#397069 28-Oct-2010 22:33

your easiest option is to terminate the SSL on the ISA server and then run over plain http tunnels to the internal servers. if you do ssl end to end, you can run into a bunch of problems as SSL isn't meant to be intercepted, decrypted and then re-encrypted before reaching its final destination.

you will also want to run either separate virtual directories for each app, a wildcard ssl certificate on a single public IP, or three separate public IP addresses each with their own ssl cert. ssl is a bit more tricky than http when you are publishing.

your best site for ISA articles is http://www.isaserver.org/ 
publishing articles here: http://www.isaserver.org/articles_tutorials/publishing/
probably might find this one useful: http://www.isaserver.org/tutorials/ISA-Firewall-Publishing-OWA-RPC-HTTP-Single-IP-Address-Part1.html





lyonrouge
#397180 29-Oct-2010 09:31

excellent, thanks. I have been trying to use the MS white paper on OWA/SharePoint publishing as my basis, but that is Server 2003 and RD Gateway did not exist then.



lyonrouge
#398141 31-Oct-2010 17:46

hmmm, can I not use self-signed certificates when publishing via an ISA 2006 server? If not, can I do so with ForeFront?

Regs
#398476 1-Nov-2010 12:17

you can use self-signed certs, as long as everyone trusts them. i find that for only $50 or so for a publicly issued ssl cert from www.certificatesforexchange.com you might as well save the hassle of client configuration and just buy a legit one.

i'd still recommend terminating the SSL at the isa server and running over http internally, it will save you a few grey hairs :)

BTW: forefront is very much like isa 2006 for publishing, but will only run on a 64-bit platform.




lyonrouge
#398510 1-Nov-2010 13:12

SSL termination at ISA is what I'm planning to do, but in the interim I need to pass my existing traffic to the existing OWA server. My suspicion is that I have attempted to import a client side certificate (if this is even a real term), so I'm going to try to re-export it.

My new domain will indeed have a publicly issued certificate, but I need to get this working as an interim while I'm undergoing transition (which will be for a few months, as I have quite a few things I'm trying to implement, including physical infrastructure changes).

lyonrouge
#398515 1-Nov-2010 13:21

OK, there is definitely a difference between the certificate SBS supplies for client use as opposed to an exported certificate. ISA accepted the exported certificate/key as valid, so that's a start. I'll not attempt to apply the firewall change until later.

Interim solution looks like this.

[diagram not included in this extract]
Regs
#399100 2-Nov-2010 13:50

always make sure you export the private key if you are exporting a certificate using the mmc. If the web server does not have the private key, it cannot decode the data streams that have been encoded using the public key.




Regs
#399102 2-Nov-2010 13:51

and looking at your diagram, if the "firewall" is not ISA, then you're probably going to have problems splitting a single external IP down two separate paths for HTTPS/SSL traffic




lyonrouge
#399123 2-Nov-2010 14:19

oh no, I wanted to avoid installing everything on one host. Frontside firewall is a basic ADSL router, backside firewall is ISA. So far it appears to be working for the redirect but the client is not getting back what it was seeking, I'll look at it some more when I get home. I can move the existing host onto the internal segment if you think that would help?

Regs
#399400 2-Nov-2010 23:43

your problem is going to be in splitting off requests coming in to tcp/443 (ssl/https) to two different locations. unless you have an advanced firewall - such as isa - handling all the initial requests then you have no way to do it.

there is nothing wrong with using ISA as your only firewall - it's actually quite secure.

in your position, i would either ditch the nDSL modem and grab a pci nDSL card to stick directly in the isa server, or use half-bridge mode or such to get the external IP directly on to the ISA Server.
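Added example, not code from this thread or from ISA Server itself: a minimal Python routing function showing why the split discussed above only works once TLS is terminated at the firewall. After decryption the Host header and URL path are visible, so an ordered rule list can send OWA, ActiveSync and SharePoint paths to their own servers while everything else falls through to the RD Gateway; a plain port-forwarding router only ever sees tcp/443 and opaque TLS bytes. The backend hostnames and the sample request are constructed; the path prefixes are the standard Exchange, SharePoint and RD Gateway (RPC over HTTP) ones.

```python
# Added example: path-based publishing rules evaluated after TLS termination.
# Backend names are constructed placeholders; the paths are the standard ones
# for Exchange (OWA, ActiveSync), SharePoint and RD Gateway (RPC over HTTP).
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    path_prefix: str   # compared case-insensitively, at a path boundary
    backend: str       # internal host:port reached over plain HTTP

# Most specific first; the RD Gateway catch-all must be last, otherwise it
# swallows every request before the OWA/SharePoint rules are reached.
RULES: List[Rule] = [
    Rule("OWA", "/owa", "exchange.internal:80"),
    Rule("ActiveSync", "/Microsoft-Server-ActiveSync", "exchange.internal:80"),
    Rule("SharePoint", "/sites", "sharepoint.internal:80"),
    Rule("RDGateway", "/", "rdgw.internal:80"),   # /rpc/rpcproxy.dll lands here
]

def parse_request_head(raw: bytes) -> Tuple[str, str, str]:
    """Return (method, path, host) from a decrypted HTTP/1.1 request head."""
    # Before TLS termination these bytes are an opaque TLS record, so a plain
    # port-forwarding router can only see "tcp/443", never the path or Host.
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == "host":
            host = value.strip()
    return method, target.split("?", 1)[0], host   # routing ignores the query

def route(raw: bytes, rules: List[Rule] = RULES) -> str:
    """Return the backend for a request; the first matching rule wins."""
    _method, path, _host = parse_request_head(raw)
    low = path.lower()
    for rule in rules:
        prefix = rule.path_prefix.lower().rstrip("/")
        # exact match or a deeper path under the prefix: "/owalike" must not
        # match "/owa", while the empty prefix left by "/" matches everything
        if low == prefix or low.startswith(prefix + "/"):
            return rule.backend
    raise ValueError("no publishing rule matched " + path)

# Constructed sample request as it looks after the firewall decrypts it.
SAMPLE = b"GET /OWA/auth/logon.aspx?url=/owa/ HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"
assert route(SAMPLE) == "exchange.internal:80"
```

Reorder RULES so the "/" rule comes first and every request lands on the RD Gateway, which is the failure the rule ordering in the thread is meant to avoid.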




lyonrouge
#399450 3-Nov-2010 07:49

I'm passing the 443 traffic directly to ISA and it appears to be reading the header correctly and redirecting the OWA traffic back to the DMZ and passing the remaining traffic to the (internal) RD gateway, so that aspect seems to work, but there is one last piece missing. I went out on the booze last night so didn't work on it, I'll do some work on it tonight.
