
Digital Certificates for ISA Server 2004

Microsoft ISA Server 2004

Introduction
Microsoft Internet Security and Acceleration (ISA) Server 2004 uses digital certificates for Web publishing rules and server publishing rules. This document describes scenarios in which digital certificates, also called Secure Sockets Layer (SSL) certificates, are required on an ISA Server computer or on published servers behind the ISA Server computer. Procedures for obtaining and installing digital certificates are provided. Information about the use of Certificate Revocation Lists is also provided.

Scenarios
Using Internet Security and Acceleration (ISA) Server 2004, there are two publishing scenarios which may require digital certificate installation:
1. Publishing using Web publishing rules, including publishing Outlook Web Access servers
2. Publishing using server publishing rules


Publishing Using Web Publishing Rules


When using Web publishing rules to publish a server, if SSL communication from external clients is required, at a minimum, a server certificate must be installed on the ISA Server computer. In addition, you may install (or have previously installed) a certificate on the Web server. You must configure SSL bridging on the Web publishing rule accordingly. For more information, see SSL Bridging Walk-through later in this document.

The following are the general steps to install SSL certificates in a Web publishing scenario. The detailed procedure for each of these steps is provided later in this document.
1. Install a trusted root certificate on computers that will be SSL clients of the server certificate. If you are using a certificate from a commercial certification authority (CA) that is included in the Internet Explorer database of CAs, you do not have to perform this step.
2. Generate a certificate request for the ISA Server computer.
3. Process a certificate request file.
4. Install the certificate on the published Web server.
5. Export the certificate to a file and copy it to the ISA Server computer.
6. Install the certificate on the ISA Server computer.
7. Remove the certificate from the Web server computer.

Note
The preceding steps explain the general steps to install a certificate on the ISA Server computer. The remaining steps explain the general steps to install an additional certificate on the Web server computer.

8. Generate a certificate request file for the Web server computer.
9. Process a certificate request file.
10. Install the certificate.

Publishing Using Server Publishing Rules


When you publish a server using server publishing rules, install a digital certificate on the published server, and not on the ISA Server computer. Select HTTPS Server as the mapped protocol in your server publishing rule.


The following are the general steps to install an SSL certificate in a server publishing scenario. The detailed procedure for each of these steps is provided later in this document.
1. Install a trusted root certificate on computers that will be SSL clients of the server certificate. If you are using a certificate from a commercial certification authority (CA) that is included in the Internet Explorer database of CAs, you do not have to perform this step.
2. Generate a certificate request file.
3. Process a certificate request file.
4. Install the certificate.

Certificate Revocation Lists


A certificate can be revoked by the CA that issued it. A Certificate Revocation List (CRL) is a document maintained and published by a CA that lists certificates that have been revoked. CRLs are issued periodically, and expire after a designated time period. ISA Server can check whether a certificate has been revoked, both in the case of a server certificate on a server published through ISA Server, and for client certificates for client computers that connect to the ISA Server computer, such as clients from the External network that are trying to reach published servers. You can configure ISA Server to not allow a connection if the relevant certificate has been revoked. The procedure for installing a CRL on an ISA Server computer and enabling CRL checking is provided in Digital Certificates Walk-through - Configure ISA Server to Check the Certificate Revocation List in this document.

Solutions
Using Internet Security and Acceleration (ISA) Server 2004, you can follow procedures to:
1. Install digital certificates
2. Configure SSL bridging

Digital Certificates - Walk-through


The following procedures describe in detail how to:
1. Install a root certificate
2. Generate a certificate request file
3. Process a certificate request file
4. Install a certificate
5. Export a certificate from the Web server computer to the ISA Server computer
6. Install a certificate on the ISA Server computer
7. Remove a certificate from the Web server computer
8. Configure ISA Server to check the Certificate Revocation List

Digital Certificates Walk-through - Install a Root Certificate


Establishing SSL connections between a client and a server requires installation of a root CA certificate that will validate the server certificate. Generally, if you are using a certificate from a commercial CA that is included in the computer's database of CAs, you do not have to perform this step because the root certificate is already installed. To see a list of installed root certificates, in Internet Explorer, select Tools, and then click Internet Options. Select the Content tab, click Certificates, and then select the Trusted Root Certification Authorities tab.

If you choose to install Certificate Services to be the CA in your organization to issue certificates, you will have to install root certificates. A root certificate must be installed on every client that will access a server using SSL. For example, in a scenario in which Server Certificate number 1 is installed on the ISA Server computer, and Server Certificate number 2 is installed on an internal Web server computer (behind the ISA Server computer), you will require the following root certificate installations:
1. External clients will require root certificates validating Server Certificate number 1, because they are clients of the ISA Server computer.
2. The ISA Server computer, as a client of the Web server computer, will require a root certificate validating Server Certificate number 2.

In general, we recommend that the certificates installed on the ISA Server computer and the published server in a server publishing scenario be issued by a commercial certification authority, so that they are easily trusted by clients attempting to establish a connection. However, in a Web publishing scenario, the certificate on a Web server or Outlook Web Access server could be issued by an internal CA, because it only has to be trusted by the ISA Server computer when it is trying to establish an SSL connection to the internal Web server.

Note
For more information about Certificate Services, see Creating Certificate Hierarchies with MS Certificate Server Version 1.0 (http://go.microsoft.com/fwlink?linkid=12107)

The following steps assume no direct connectivity to the Certificate Services computer. All information exchange must be done using a floppy disk. A CA can also be published using Internet Information Services (IIS) and Active Server Pages. For an example of that approach, see the procedure L2TP Walk-through Procedure 2: Set up the Certification Authority, in the document VPN Roaming Clients in ISA Server 2004.

Step 1. Obtain a Certificate Services root certificate


The first step is to obtain a root certificate.

1. On the Certificate Services computer, open Internet Explorer and type http://localhost/certsrv in the address field.
2. Select Retrieve the CA certificate or certificate revocation list and click Next.
3. Click Download CA certification path and save the file to a floppy disk.

Step 2. Install the Certificate Services root certificate


After you obtain a root certificate, you can install it.

1. Copy the root certificate from the floppy disk to the appropriate computers.
2. On each of the computers, open the Microsoft Management Console (MMC) Certification Authority snap-in. Click Start, click Run, and then type MMC.
3. Click Console, click Add/Remove Snap-in, and then click Add.
4. Select Certificates, click Add, and then select Computer account. Click Next.
5. Select Local Computer, click Finish, click Close, and then click OK.
6. Click the Trusted Root Certification Authorities folder.
7. Right-click the folder, point to All Tasks, and then click Import.
8. In the Import Wizard, click Next.
9. Make sure that your root certificate file is listed and select it. Click Next.
10. Click Next.
11. Click Finish.
12. Under Trusted Root Certification Authorities, verify that you see the root certificate.

Digital Certificates Walk-through - Generate a Certificate Request File


This procedure details how to generate a certificate request file. Perform this procedure on a computer that has Internet Information Services (IIS) installed. Because IIS is generally not installed on the ISA Server computer, this procedure usually takes place on the published server. Use the following procedure to generate a new certificate request to be sent to a CA for

Note

The certificate request fails if it contains nonalphanumeric characters. Between creating the request file (that is, completing the following steps) and installing the certificate, do not perform any of the following actions:
1. Change the computer name or Web site bindings.
2. Apply service packs or security patches.
3. Change encryption levels (that is, apply the high encryption pack).
4. Delete the pending certificate request.
5. Change any of the Web site's Secure Communications properties.


1. Open the Internet Services Manager (or your custom MMC containing the IIS snap-in).
2. Select the default Web site. Right-click and select Properties.
3. Click the Directory Security tab.
4. In Secure Communications, click Server Certificate. This starts the New Web Site Certificate Wizard.
5. Click Next.
6. Select the Create a New Certificate option and click Next. (There may be a slight pause before the next screen appears.)
7. Select the Prepare a New Request but Send it later option and click Next.

Note
The Send the request immediately to an online certification authority option is unavailable unless IIS has access to an Enterprise CA, which requires Certificate Server 2.0 to be installed in Microsoft Windows 2000 or Windows 2003 with the Active Directory directory service.

8. Choose a friendly name for the site. (This can be any name, for example, the friendly name of the site in the MMC, or the name of the Web site owner.)
9. Select the bit length of the key you want to use and whether you want to use Server Gated Cryptography (SGC), and then click Next.

Note
For more information about bit length and SGC, see IIS Help, which is located on the server at the following address: http://<servername>/iishelp/iis/htm/core/iistesc.htm, where <servername> is the name of your IIS server.

10. Input your Organization and your Organizational Unit. For example, if your company is called Fabrikam, Inc. and you are setting up a Web server for the Sales department, you would enter Fabrikam for the Organization and Sales for your Organizational Unit. Click Next when complete.
11. Input the common name (CN) for your site. This should match the Web address that you want to certify. In the case of server publishing, this would be the name users will input when requesting your Web site. In Web publishing, this should be the fully qualified domain name (FQDN) of the Web server computer. When done, click Next.
12. Input information for your Country/Region, City, and State. It is important that you do not abbreviate the names of the state or city. When done, click Next.


13. Choose a name for the certificate request file that you are about to create. This file will contain all the information you included in this procedure, as well as your public key for your site. You can also browse for the file name. This creates a .txt file when the steps are completed. The default name for the file is Certreq.txt. When you have finished this step, click Finish.
14. On the summary page, verify that all of the information is correct, and then click Finish.

Digital Certificates Walk-through - Process a Certificate Request File


For the certificate to be used on the Internet, submit the request file to a CA (online authority). The CA will generate a certificate response file, which contains your public key and which is digitally signed by the commercial CA. For internal use purposes, such as deploying a certificate on the internal Web server computer in a Web publishing scenario, you may want to install your own private CA using Certificate Services. The following steps assume no direct connectivity to the Certificate Services computer. All information exchange will be done using a floppy disk.

1. Copy the certificate request file to a floppy disk, take the disk to the Certificate Services computer, and copy the file from the floppy disk to the hard disk of the Certificate Services computer, remembering its location. Alternatively, you can work from the floppy disk itself.
2. On the Certificate Services computer, open Internet Explorer and type http://localhost/certsrv.
3. Click Request a Certificate and click Next.
4. Click Advanced Request and click Next.
5. Select the second option, Submit a certificate request using a base64 encoded PKCS #10 file, and click Next.
6. Under the certificate template heading, select Web server.
7. Using Notepad, open the certificate request file and copy all of its contents to the Clipboard by typing CTRL+A and CTRL+C.
8. Paste the contents of the file into the Saved Request edit box in the browser page and click Submit.
9. Click the Download CA certificate link to save the response file to the floppy disk.
10. Take the floppy disk to the published server computer and copy the response file to its hard disk, remembering the location.


Digital Certificates Walk-through - Install a Certificate


After you receive your response file from the CA, you install it on the Web server. A certificate that will be exported to the ISA Server computer must first be installed on the Web server for which the certificate was requested.

1. Open Internet Services Manager.
2. Expand Internet Information Services.
3. Select the Default Web site that has a pending certificate request. Right-click the Default Web Site, and then click Properties.
4. Click the Directory Security tab.
5. In Secure Communications, click Server Certificate.
6. On the Web Site Certificate Wizard, click Next.
7. Select Process the Pending Request and Install the Certificate. Click Next.
8. Type the location of the certificate response file (you may also browse to the file), and then click Next.
9. Read the summary screen to be sure that you are processing the correct certificate, and then click Next.
10. You will see a confirmation screen. After you have read this information, click Next.
11. Click Yes on the Message box warning, and then click Finish.

Digital Certificates Walk-through - Export a Certificate from the Web Server Computer to the ISA Server Computer
Use the following procedure to export a certificate from the Web server computer to the ISA Server computer.

1. Click Start, and then click Run.
2. In Open, type MMC, and then click OK.
3. Click Console, click Add/Remove Snap-in, and then click Add.
4. Select Certificates, click Add, select Computer account, and then click Next.
5. Select Local Computer, click Finish, click Close, and then click OK.
6. Expand the Personal folder, and then expand Certificates. A certificate with the name of your Web site appears in the Issued To column in the right pane.
7. Right-click your certificate, click All Tasks, and then click Export. In the Export window, click Next.
8. Click Yes, export the private key, and then click Next.


Note
If you do not have the option to click Yes in the Export Private Keys window, the private key has already been exported to another computer or the key never existed on this computer. You cannot use this certificate on the ISA Server computer. You must request a new certificate for ISA Server for this site.

9. Select Personal Information Exchange. Maintain the default setting for all three check boxes.
10. Assign a password to protect the exported file, and confirm it.
11. Assign a file name and location.
12. Click Finish. Make sure that you safeguard the file that you just created, because your ability to use the SSL protocol depends upon this file.
13. Copy the file that you created to the ISA Server computer.

Digital Certificates Walk-through - Install a Certificate on the ISA Server Computer


Use the following procedure to install a certificate on the ISA Server computer.

1. Click Start, and then click Run.
2. In Open, type MMC, and then click OK.
3. Click Console, click Add/Remove Snap-in, and then click Add.
4. Select Certificates, click Add, select Computer account, and then click Next.
5. Select Local Computer, click Finish, click Close, and then click OK.
6. Click the Personal folder.
7. Right-click the folder, point to All Tasks, and then click Import. In the Import Wizard, click Next.
8. Make sure that your file is listed, and then click Next.
9. Type the password for this file.
10. Click to select the Mark the private key as exportable check box.
11. Click Next.
12. Click Finish.
13. In the Personal folder, in a subfolder named Certificates, click the Certificates folder and verify that you see a certificate with the name of the Web site address, for example, news.adatum.com.


Digital Certificates Walk-through - Remove a Certificate from the Web Server Computer
Use the following procedure to remove a certificate from the Web server computer.

1. On the Web server computer, open Internet Services Manager.
2. Expand the server node and select the Default Web Site node. Click Properties.
3. Click the Directory Security tab.
4. In Secure Communications, click Server Certificate. This starts the New Web Site Certificate Wizard. Click Next.
5. Select Remove the current certificate and click Next.
6. Click Next, and then click Finish.
7. Close Internet Services Manager.

Digital Certificates Walk-through - Configure ISA Server to Check the Certificate Revocation List
You can configure ISA Server to check the Certificate Revocation List (CRL). There are two steps required:
1. Obtain the CRL file and copy it to the correct location on the ISA Server computer.
2. Configure ISA Server to check the CRL. This cannot be configured through ISA Server Management. You must write a script or program that uses the ISA Server administration COM objects to make this configuration change.

Use the following procedure to configure ISA Server to check the CRL.

1. Obtain the CRL from the certification authority as an *.crl file.
2. Copy the *.crl file to a known location on the ISA Server computer.
3. In Microsoft Management Console (MMC), expand the Certificates (Local Computer) node.
4. Right-click Intermediate Certification Authorities, select All Tasks, and then select Import.

Important

To manage certificates in MMC:
1. Click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. Under Snap-in, double-click Certificates, click Computer account, and then click Next.
4. Do one of the following: To manage certificates for the local computer, click Local computer, and then click Finish. To manage certificates for a remote computer, click Another computer and type the name of the computer, or click Browse to select the computer name, and then click Finish.
5. Click Close. Certificates (Computer Name) appears on the list of selected snap-ins for the new console.
6. If you have no more snap-ins to add to the console, click OK.
7. To save the console, on the File menu, click Save.


5. On the File to Import page, specify the *.crl file.
6. On the Certificate Store page, select Place all certificates in the following store. The certificate store should be Intermediate Certification Authorities. Click Next.
7. On the Summary page, review the configuration and click Finish. If you expand the Intermediate Certification Authorities node, you should see the new CRL file listed. (You may have to refresh the page.)
8. Now configure ISA Server to validate the client or server certificate by creating and running a script or program that sets FPCWebProxy.ValidateClientCertificateCRL or FPCWebProxy.ValidateServerCertificateCRL, respectively, to True. For information about scripting and programming using the ISA Server Administration objects, see ISA Server 2004 Software Development Kit Help (Isasdk.chm), on the ISA Server 2004 CD.

Note
If the CRL has expired, or was not imported properly, setting the ValidateClientCertificateCRL or ValidateServerCertificateCRL to True has no effect, and validation will not take place.
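The following script is an added example of step 8, not a script from the ISA Server SDK or from this document. It sets the FPCWebProxy.ValidateClientCertificateCRL and FPCWebProxy.ValidateServerCertificateCRL properties named above through the ISA Server administration COM objects; it assumes that FPC.Root, GetContainingArray and ArrayPolicy.WebProxy are the path to the array-level FPCWebProxy object, and that it is run with cscript on the ISA Server computer by an ISA Server administrator.

```vbscript
' Added example (not from the ISA Server SDK): enable CRL checking on the
' array-level Web proxy. Usage:
'   cscript EnableCrlCheck.vbs server   - validate certificates of published Web servers
'   cscript EnableCrlCheck.vbs client   - validate client certificates presented to ISA Server
'   cscript EnableCrlCheck.vbs both     - enable both checks
' Assumed navigation: FPC.Root -> GetContainingArray -> ArrayPolicy.WebProxy.
Option Explicit

Dim root, isaArray, webProxy, mode

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript EnableCrlCheck.vbs server|client|both"
    WScript.Quit 1
End If
mode = LCase(WScript.Arguments(0))

' Connect to the ISA Server administration root and reach the Web proxy object.
Set root = CreateObject("FPC.Root")
Set isaArray = root.GetContainingArray()
Set webProxy = isaArray.ArrayPolicy.WebProxy

WScript.Echo "Before: ValidateServerCertificateCRL=" & webProxy.ValidateServerCertificateCRL
WScript.Echo "Before: ValidateClientCertificateCRL=" & webProxy.ValidateClientCertificateCRL

' Server check: the certificate of the internal Web server that ISA Server
' bridges to (Web publishing rule with "Redirect requests to SSL port").
' Client check: certificates presented by clients connecting to the listener.
Select Case mode
    Case "server"
        webProxy.ValidateServerCertificateCRL = True
    Case "client"
        webProxy.ValidateClientCertificateCRL = True
    Case "both"
        webProxy.ValidateServerCertificateCRL = True
        webProxy.ValidateClientCertificateCRL = True
    Case Else
        WScript.Echo "Unknown mode: " & mode
        WScript.Quit 1
End Select

' Persist the change to the ISA Server configuration store.
webProxy.Save

WScript.Echo "After:  ValidateServerCertificateCRL=" & webProxy.ValidateServerCertificateCRL
WScript.Echo "After:  ValidateClientCertificateCRL=" & webProxy.ValidateClientCertificateCRL
' Per the note above: these settings have no effect if the imported CRL has
' expired or was not imported into Intermediate Certification Authorities.
WScript.Echo "Verify that the imported CRL is current; an expired CRL disables validation."
```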

SSL Bridging Walk-through


If you are publishing a server that requires Secure Sockets Layer (SSL) communication, you must have a digital certificate installed on your ISA Server computer. In addition, you may have a digital certificate installed on the Web server or Outlook Web Access server. In either case, to ensure that SSL requests are sent from the ISA Server computer to the Web server using the appropriate protocol, you must configure SSL bridging accordingly. SSL bridging is a property for each Web publishing rule. SSL bridging determines whether SSL requests received by the ISA Server computer are passed to the Web server as SSL requests or as Hypertext Transfer Protocol (HTTP) requests, as follows:
1. If there is no digital certificate installed on the Web server, pass SSL and HTTP requests to the Web server as HTTP requests. The SSL-secured communication is handled by ISA Server, and continues internally as HTTP.
2. If there is a digital certificate installed on the Web server, pass SSL requests to the internal Web server as SSL requests, and HTTP requests as HTTP requests. In this case, SSL-secured communication takes place on both the client-to-ISA Server and the ISA Server-to-Web server levels.

If your Web server has a digital certificate, and you want ISA Server to listen for SSL requests without purchasing an additional certificate, you have to export the certificate from the Web server and import it to the ISA Server computer.

Use the following steps to modify the SSL bridging configuration.

1. In the Properties dialog box of the Web publishing rule, select the Bridging tab.


2. Ensure that Web server is selected.
3. Select redirection to HTTP port or SSL port: If you are using the ISA Server SSL certificate to handle SSL requests (no SSL certificate installed on the Web server), select Redirect requests to HTTP port, and then click OK. If you want to continue to use an existing SSL certificate on the Web server (as well as the certificate on the ISA Server computer), select Redirect requests to SSL port, ensure that the default port number 443 is appropriate to your network, and then click OK.
4. Click OK to close the Web publishing rule Properties dialog box.

Note
The option Use a certificate to authenticate to the SSL Web server enables you to specify the client certificate that ISA Server will use to authenticate itself to the Web server.

A common issue in Web publishing using SSL bridging is that the server name or IP address provided on the Web publishing rule Action tab does not match the name on the digital (SSL) certificate. This will result in the Web client receiving a 500 Internal Server Error page. This problem can be resolved using one of the following approaches:
1. Obtain a new certificate that matches the name on the server.
2. Change the server name on the Web publishing rule Action tab to match the name on the certificate, and configure the local DNS server to map that name to the internal Web server.
3. Change the server name on the Web publishing rule Action tab to match the name on the certificate. On the ISA Server computer, in the file WINNT\system32\drivers\etc\hosts, add a mapping from the certificate/Action tab name to the IP address of the internal Web server.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred. Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, people, and events depicted herein are fictitious and no association with any real company, organization, product, person, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

2003 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Outlook, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries/regions.
