Introduction
Microsoft Internet Security and Acceleration (ISA) Server 2004 uses digital certificates for Web publishing rules and server publishing rules. This document describes scenarios in which digital certificates, also called Secure Sockets Layer (SSL) certificates, are required on an ISA Server computer or on published servers behind the ISA Server computer. Procedures for obtaining and installing digital certificates are provided. Information about the use of Certificate Revocation Lists is also provided.
Scenarios
Using Internet Security and Acceleration (ISA) Server 2004, there are two publishing scenarios that may require digital certificate installation:
- Publishing using Web publishing rules, including publishing Outlook Web Access servers
- Publishing using server publishing rules
Note
The preceding steps explain the general steps to install a certificate on the ISA Server computer. The remaining steps explain the general steps to install an additional certificate on the Web server computer.
8. Generate a certificate request file for the Web server computer.
9. Process the certificate request file.
10. Install the certificate.
Solutions
The following are the general steps to install an SSL certificate in a server publishing scenario. The detailed procedure for each of these steps is provided later in this document.
1. Install a trusted root certificate on computers that will be SSL clients of the server certificate. If you are using a certificate from a commercial certification authority (CA) that is included in the Internet Explorer database of CAs, you do not have to perform this step.
2. Generate a certificate request file.
3. Process the certificate request file.
4. Install the certificate.
Using Internet Security and Acceleration (ISA) Server 2004, you can follow procedures to:
- Install digital certificates
- Configure SSL bridging
- Remove a certificate from the Web server computer
- Configure ISA Server to check the Certificate Revocation List
Note
For more information about Certificate Services, see Creating Certificate Hierarchies with MS Certificate Server Version 1.0 (http://go.microsoft.com/fwlink?linkid=12107).
The following steps assume no direct connectivity to the Certificate Services computer. All information exchange must be done using a floppy disk. A CA can also be published using Internet Information Services (IIS) and Active Server Pages. For an example of that approach, see the procedure L2TP Walk-through Procedure 2: Set up the Certification Authority, in the document VPN Roaming Clients in ISA Server 2004.
1. On the Certificate Services computer, open Internet Explorer and type http://localhost/certsrv in the address field.
2. Select Retrieve the CA certificate or certificate revocation list and click Next.
3. Click Download CA certification path and save the file to a floppy disk.
10. Click Next.
11. Click Finish.
12. Under Trusted Root Certification Authorities, verify that you see the root certificate.
Note
The certificate request fails if it contains nonalphanumeric characters. Between creating the request file (that is, completing the following steps) and installing the certificate, do not perform any of the following actions:
- Change the computer name or Web site bindings.
- Apply service packs or security patches.
- Change encryption levels (that is, apply the high encryption pack).
- Delete the pending certificate request.
- Change any of the Web site's Secure Communications properties.
1. Open the Internet Services Manager (or your custom MMC containing the IIS snap-in).
2. Select the default Web site.
3. Right-click and select Properties.
4. Click the Directory Security tab.
5. In Secure Communications, click Server Certificate. This starts the New Web Site Certificate Wizard. Click Next.
6. Select the Create a New Certificate option and click Next. (There may be a slight pause before the next screen appears.)
7. Select the Prepare a New Request but Send it later option and click Next.
Note
The Send the request immediately to an online certification authority option is unavailable unless IIS has access to an Enterprise CA, which requires Certificate Server 2.0 to be installed in Microsoft Windows 2000 or Windows 2003 with the Active Directory directory service.
8. Choose a friendly name for the site. (This can be any name, for example, the friendly name of the site in the MMC, or the name of the Web site owner.)
9. Select the bit length of the key you want to use and whether you want to use Server Gated Cryptography (SGC), and then click Next.
Note
For more information about bit length and SGC, see IIS Help, which is located on the server at the following address: http://<servername>/iishelp/iis/htm/core/iistesc.htm, where <servername> is the name of your IIS server.
10. Input your Organization and your Organizational Unit. For example, if your company is called Fabrikam, Inc. and you are setting up a Web server for the Sales department, you would enter Fabrikam for the Organization and Sales for your Organizational Unit. Click Next when complete.
11. Input the common name (CN) for your site. This should match the Web address that you want to certify. In the case of server publishing, this would be the name users will input when requesting your Web site. In Web publishing, this should be the fully qualified domain name (FQDN) of the Web server computer. When done, click Next.
12. Input information for your Country/Region, City, and State. It is important that you do not abbreviate the names of the state or city. When done, click Next.
13. Choose a name for the certificate request file that you are about to create. This file will contain all the information you included in this procedure, as well as the public key for your site. You can also browse for the file name. This creates a .txt file when the steps are completed. The default name for the file is Certreq.txt. When you have finished this step, click Finish.
14. On the summary page, verify that all of the information is correct, and then click Finish.
10. Take the floppy disk to the published server computer and copy the response file to its hard disk, remembering the location.
10. You will see a confirmation screen. After you have read this information, click Next.
11. Click Yes on the Message box warning, and then click Finish.
Digital Certificates Walk-through - Export a Certificate from the Web Server Computer to the ISA Server Computer
Use the following procedure to export a certificate from the Web server computer to the ISA Server computer.
1. Click Start, and then click Run.
2. In Open, type MMC, and then click OK.
3. Click Console, click Add/Remove Snap-in, and then click Add.
4. Select Certificates, click Add, select Computer account, and then click Next.
5. Select Local Computer, click Finish, click Close, and then click OK.
6. Expand the Personal folder, and then expand Certificates. A certificate with the name of your Web site appears in the Issued To column in the right pane.
7. Right-click your certificate, click All Tasks, and then click Export.
8. In the Export window, click Next. Click Yes, export the private key, and then click Next.
Note
If you do not have the option to click Yes in the Export Private Keys window, the private key has already been exported to another computer or the key never existed on this computer. You cannot use this certificate on the ISA Server computer. You must request a new certificate for ISA Server for this site.
9. Select Personal Information Exchange. Maintain the default setting for all three check boxes.
10. Assign a password to protect the exported file, and confirm it.
11. Assign a file name and location.
12. Click Finish. Make sure that you safeguard the file that you just created, because your ability to use the SSL protocol depends upon this file.
13. Copy the file that you created to the ISA Server computer.
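The note above explains that the export wizard only offers "Yes, export the private key" when the key exists on this computer and was marked exportable when the certificate was requested. The following PowerShell function, an added example that is not part of the ISA Server documentation, reports exactly that for the Web server's machine certificates before you start the wizard. It assumes it is run on the Web server computer and that the certificate's private key is a CSP-based RSA key (the kind IIS 5/6 requests), which exposes the exportable flag through CspKeyContainerInfo.

```powershell
# Added example, not from the ISA Server 2004 documentation. Run it on the Web
# server computer before starting the export wizard: it lists the machine
# certificates in the Personal store and reports whether each has a private
# key on this computer and whether that key was marked exportable.
function Get-ExportableWebCertificate {
    param(
        [string] $SiteName   # e.g. "news.adatum.com"; omit to list every certificate
    )

    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        (-not $SiteName) -or ($_.Subject -like "*CN=$SiteName*")
    } | ForEach-Object {
        $cert = $_
        $exportable = $null
        if ($cert.HasPrivateKey) {
            try {
                # Assumption: a CSP-based RSA key, as IIS requests by default. Opening the
                # key throws if the container is missing or the account lacks access.
                $rsa = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
                if ($rsa) { $exportable = $rsa.CspKeyContainerInfo.Exportable }
            } catch {
                $exportable = "unreadable: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey   # $false: the wizard will not offer "Yes, export the private key"
            KeyExportable = $exportable           # $false: the key was not marked exportable when requested
        }
    }
}

# Constructed usage with the fictitious site name used elsewhere in this walk-through.
Get-ExportableWebCertificate -SiteName "news.adatum.com" | Format-Table -AutoSize
```

A row with HasPrivateKey false or KeyExportable false is the case the note describes: the certificate cannot be moved to the ISA Server computer and a new one must be requested for the site.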
10. Click to select the Mark the private key as exportable check box.
11. Click Next.
12. Click Finish.
13. In the Personal folder, in a subfolder named Certificates, click the Certificates folder and verify that you see a certificate with the name of the Web site address, for example, news.adatum.com.
Digital Certificates Walk-through - Remove a Certificate from the Web Server Computer
Use the following procedure to remove a certificate from the Web server computer.
1. On the Web server computer, open Internet Services Manager.
2. Expand the server node and select the Default Web Site node.
3. Click Properties.
4. Click the Directory Security tab.
5. In Secure Communications, click Server Certificate. This starts the New Web Site Certificate Wizard. Click Next.
6. Select Remove the current certificate and click Next.
7. Click Next, and then click Finish. Close Internet Services Manager.
Digital Certificates Walk-through - Configure ISA Server to Check the Certificate Revocation List
You can configure ISA Server to check the Certificate Revocation List (CRL). There are two steps required:
- Obtain the CRL file and copy it to the correct location on the ISA Server computer.
- Configure ISA Server to check the CRL. This cannot be configured through ISA Server Management. You must write a script or program that uses the ISA Server administration COM objects to make this configuration change.
Use the following procedure to configure ISA Server to check the CRL.
1. Obtain the CRL from the certification authority as an *.crl file.
2. Copy the *.crl file to a known location on the ISA Server computer.
3. In Microsoft Management Console (MMC), expand the Certificates (Local Computer) node.
4. Right-click Intermediate Certification Authorities, select All Tasks, and then select Import.
Important
To manage certificates in MMC:
1. Click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. Under Snap-in, double-click Certificates, click Computer account, and then click Next.
4. Do one of the following:
   - To manage certificates for the local computer, click Local computer, and then click Finish.
   - To manage certificates for a remote computer, click Another computer and type the name of the computer, or click Browse to select the computer name, and then click Finish.
5. Click Close. Certificates (Computer Name) appears on the list of selected snap-ins for the new console.
6. If you have no more snap-ins to add to the console, click OK.
7. To save the console, on the File menu, click Save.
5. On the File to Import page, specify the *.crl file.
6. On the Certificate Store page, select Place all certificates in the following store. The certificate store should be Intermediate Certification Authorities. Click Next.
7. On the Summary page, review the configuration and click Finish. If you expand the Intermediate Certification Authorities node, you should see the new CRL file listed. (You may have to refresh the page.)
8. Now configure ISA Server to validate the client or server certificate by creating and running a script or program that sets FPCWebProxy.ValidateClientCertificateCRL or FPCWebProxy.ValidateServerCertificateCRL, respectively, to True. For information about scripting and programming using the ISA Server Administration objects, see ISA Server 2004 Software Development Kit Help (Isasdk.chm), on the ISA Server 2004 CD.
Note
If the CRL has expired, or was not imported properly, setting the ValidateClientCertificateCRL or ValidateServerCertificateCRL to True has no effect, and validation will not take place.
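The procedure above leaves the actual configuration change to a script of your own. The following PowerShell script is an added example, not from the ISA Server documentation or the SDK samples: it sets FPCWebProxy.ValidateClientCertificateCRL and/or FPCWebProxy.ValidateServerCertificateCRL to True through the ISA Server administration COM objects, and first displays the CRL's validity window so that the expired-CRL case in the note is caught before the flag is set. It assumes the administration objects are registered on the ISA Server computer under the ProgID FPC.Root, that the local array is reached through the root object's GetContainingArray method and the array's ArrayPolicy.WebProxy property, and that certutil -dump prints Issuer, ThisUpdate and NextUpdate lines for a CRL; those are the example's assumptions, not statements from this page.

```powershell
# Added example, not from the ISA Server 2004 documentation or SDK samples.
# Sets the FPCWebProxy CRL validation properties through the ISA Server
# administration COM objects (assumed ProgID "FPC.Root"). Run on the ISA
# Server computer with administrative rights.
param(
    [string] $CrlPath,   # optional: the *.crl file imported in the previous steps
    [switch] $Client,    # set FPCWebProxy.ValidateClientCertificateCRL = True
    [switch] $Server     # set FPCWebProxy.ValidateServerCertificateCRL = True
)

# Pre-check (assumption: certutil -dump on a CRL prints Issuer, ThisUpdate and
# NextUpdate lines). An expired CRL makes the settings below a no-op, so show
# the validity window before touching the configuration.
if ($CrlPath) {
    certutil.exe -dump $CrlPath 2>&1 | Where-Object { $_ -match 'Issuer|This\s?Update|Next\s?Update' }
}

# Navigate to the array's Web proxy settings. GetContainingArray and
# ArrayPolicy.WebProxy are the SDK object-model paths assumed by this example.
$root     = New-Object -ComObject "FPC.Root"
$isaArray = $root.GetContainingArray()
$webProxy = $isaArray.ArrayPolicy.WebProxy

if ($Client) { $webProxy.ValidateClientCertificateCRL = $true }
if ($Server) { $webProxy.ValidateServerCertificateCRL = $true }

# Persist the change to the ISA Server configuration storage.
$webProxy.Save()

# Read the stored values back so the change can be confirmed.
[pscustomobject]@{
    ValidateClientCertificateCRL = $webProxy.ValidateClientCertificateCRL
    ValidateServerCertificateCRL = $webProxy.ValidateServerCertificateCRL
}
```

Run it as, for example, .\Set-IsaCrlCheck.ps1 -CrlPath C:\crl\issuingca.crl -Server to enable checking of the published server's certificate; compare the NextUpdate line with today's date before trusting the read-back values, because a True setting with an expired or missing CRL performs no validation.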
2. Ensure that Web server is selected.
3. Select redirection to the HTTP port or the SSL port:
   - If you are using the ISA Server SSL certificate to handle SSL requests (no SSL certificate installed on the Web server), select Redirect requests to HTTP port, and then click OK.
   - If you want to continue to use an existing SSL certificate on the Web server (as well as the certificate on the ISA Server computer), select Redirect requests to SSL port, ensure that the default port number 443 is appropriate to your network, and then click OK.
Note
The option Use a certificate to authenticate to the SSL Web server enables you to specify the client certificate that ISA Server will use to authenticate itself to the Web server.
A common issue in Web publishing using SSL bridging is that the server name or IP address provided on the Web publishing rule Action tab does not match the name on the digital (SSL) certificate. This results in the Web client receiving a 500 Internal Server Error page. This problem can be resolved using one of the following approaches:
- Obtain a new certificate that matches the name on the server.
- Change the server name on the Web publishing rule Action tab to match the name on the certificate, and configure the local DNS server to map that name to the internal Web server.
- Change the server name on the Web publishing rule Action tab to match the name on the certificate. On the ISA Server computer, in the file WINNT\system32\drivers\etc\hosts, add a mapping from the certificate/Action tab name to the IP address of the internal Web server.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred. Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, people, and events depicted herein are fictitious and no association with any real company, organization, product, person, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
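The SSL bridging name-mismatch problem described in the troubleshooting paragraph above (server name on the Action tab versus the name on the certificate, surfacing as a 500 Internal Server Error) can be checked ahead of time. The following PowerShell function is an added example, not from the ISA Server documentation: it compares the Action tab name with the certificate's subject CN and any DNS entries in its Subject Alternative Name extension, and for the hosts-file approach produces (but does not write) the line that would map the certificate name to the internal Web server. It assumes the certificate is available as an X509Certificate2 object, either from the certificate store or loaded from an exported .cer file, and that the SAN extension formats its entries as "DNS Name=host" (the English Windows rendering); the IP address and site name in the usage call are constructed placeholders.

```powershell
# Added example, not from the ISA Server 2004 documentation. Compares the
# server name entered on a Web publishing rule's Action tab with the names on
# the published server's SSL certificate, so the mismatch that produces a
# 500 Internal Server Error at the client is caught before the rule goes live.
function Test-PublishedServerCertificateName {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $ServerName,   # name or address typed on the Action tab
        [string] $InternalIPAddress                    # optional: internal Web server IP, for the hosts-file approach
    )

    $names = @()

    # Subject common name (CN): the name entered in the certificate request wizard.
    if ($Certificate.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }

    # Subject Alternative Name DNS entries (OID 2.5.29.17), if the CA issued any.
    # Assumption: Format() renders them as "DNS Name=host" on an English Windows system.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }

    $hits = @($names | Where-Object { $_ -ieq $ServerName })

    $result = [pscustomobject]@{
        ServerName       = $ServerName
        CertificateNames = $names
        NameMatches      = ($hits.Count -gt 0)   # $false: expect the 500 error described above
        Expired          = ($Certificate.NotAfter -lt (Get-Date))
        HostsFileLine    = $null
    }

    # Third approach from the text: the mapping to add to
    # WINNT\system32\drivers\etc\hosts on the ISA Server computer once the
    # Action tab is changed to the certificate name. Produced only, never written.
    if (-not $result.NameMatches -and $InternalIPAddress -and $names.Count -gt 0) {
        $result.HostsFileLine = "$InternalIPAddress`t$($names[0])"
    }
    $result
}

# Constructed usage: check every machine certificate in the Personal store against
# the fictitious site name used in this walk-through and a placeholder internal address.
# To check an exported file instead, load it with
#   New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\to\site.cer'
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    Test-PublishedServerCertificateName -Certificate $_ -ServerName 'news.adatum.com' -InternalIPAddress '10.0.0.5'
} | Format-List
```

NameMatches true means the first approach (a certificate that already carries the Action tab name) is satisfied; NameMatches false with a HostsFileLine value gives you the exact entry the third approach requires, after which the Action tab name must be changed to CertificateNames[0].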
2003
Microsoft, Active Directory, Outlook, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries/regions.