Re: ISA configuration question
From: Jim Harrison [MSFT] (jmharr_at_online.microsoft.com)
Date: 09/26/04
- Next message: Jim Harrison [MSFT]: "Re: ISA2004 Simple ?? Config"
- Previous message: SuperGumby [SBS MVP]: "motivation - ISA 2004 FE/BE setup"
- In reply to: Ben Winzenz [Exchange MVP]: "Re: ISA configuration question"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 26 Sep 2004 16:27:28 -0700
Hmmm.
I'd forgotten that part of the help.
I haven't tested this scenario, but it should be something like (not fully UI-validated):
1 - create a certificate that uses either the name or IP of the ISA web proxy listener (depends on how you want the clients to connect)
2 - install the certificate in the ISA Local Machine "Personal Certificates" store
3 - obtain the CA certificate and install that in the ISA Local Machine "Trusted Root" store (not needed if your AD issued the cert)
4 - configure the web proxy listener to listen for SSL connections and choose the port you want (8443 by default)
5 - select the newly-installed certificate
6 - if the client is not part of the domain, obtain the CA cert and install it in the Local Machine "Trusted Root" store.
7 - configure the browser to use a separate proxy for HTTPS connections and use the same data (name, IP) you used to create the certificate and use the port that you configured ISA to listen on.
Your mileage may vary, as I haven't tested this and there may be one or two steps missing...
--
Jim Harrison [ISASE]
Read the help, books and articles!

This posting is provided "AS IS" with no warranties, and confers no rights.

"Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote in message news:eGFx53xnEHA.648@tk2msftngp13.phx.gbl...
Here's the info that I got that led up to this question. Taken from:
http://www.microsoft.com/resources/documentation/isa/2000/enterprise/proddocs/en-us/isadocs/cmt_sslauth.mspx

In most cases, when an internal client uses HTTPS to request an object from a server on the Internet, the ISA Server uses SSL tunneling to establish the connection. For clients that support secure communication directly with ISA Server, you can configure routing rules to enable SSL bridging, instead. In this case, the client uses HTTP or HTTPS to request an object from an external Web server (on the Internet), connecting to the ISA Server on port 8080 or port 443, respectively (or whichever port is configured to listen for TCP and SSL requests). A routing rule, which applies to the specified destination server, specifies that the request should be redirected as an SSL request.

So I guess my question is, how do I configure a client to support secure communication directly with the ISA server? Would I need to set up a certificate on the ISA server?

--
Ben Winzenz
Exchange MVP

"Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote in message news:u1aHEYxnEHA.2764@TK2MSFTNGP11.phx.gbl...
> Thanks for responding.
>
> I'm referring to web proxy requests. Internal client requests web content from an external SSL website. Is there a way to force ISA to bridge web proxy connections, or is that not possible? I don't want ISA to have the content available, but I do want to have ISA inspect the contents of the traffic. From what I understand about ISA tunneling, once ISA initiates the tunnel, the traffic basically goes directly from the client to the external web server. I've got a customer that is concerned about certain file types, and blocks access to those file types for normal web browsing for certain clients. They would like to be able to block access to those file types for SSL connections as well. That is the reason for asking. Again, thanks for responding.
> --
> Ben Winzenz
> Exchange MVP
>
> "Jim Harrison [MSFT]" <jmharr@online.microsoft.com> wrote in message news:%23qSpi1SnEHA.3480@TK2MSFTNGP09.phx.gbl...
>> Are you talking about web published content (inbound requests to internal servers) or web proxy requests (outbound to external servers)?
>> Web published content is indeed available for ISA perusal, but outbound requests are not.
>> ISA bridges web published traffic, but it tunnels web proxy SSL connections.
>> --
>> Jim Harrison [ISASE]
>> Read the help, books and articles!
>>
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote in message news:OjW97iBnEHA.2948@TK2MSFTNGP11.phx.gbl...
>> I've got the following configuration.
>>
>> ISA server as proxy/firewall. All external content is blocked except for sites that I choose. Clients are configured with ISA as the proxy in IE. In ISA, I have set up a routing connection and applied it to only a specific destination set. The destination set is an IP range for an SSL website. Action is set to retrieve the request directly from the specified destination. Bridging is set up to redirect HTTP requests as SSL requests, and SSL requests and SSL requests. It is also set up to require 128-bit SSL (although I've tried it unchecked as well). I have also set up a protocol rule to allow HTTPS requests from a specific internal client set. Some of the resources I have checked indicate that with this setup, ISA *should* still be able to inspect the content of the web traffic because the client SSL request is being forwarded as a new SSL request from the ISA server. In other words, it is not tunneling the SSL request, rather bridging it. What I need to find out are 2 things.
>>
>> 1. Does this in fact allow ISA to still inspect the contents of the traffic?
>> 2. If so, how can I prove that ISA is inspecting the traffic?
>>
>> If there are ANY other details you need about the ISA config, let me know.
>>
>> --
>> Ben Winzenz
>> Exchange MVP
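
Added example (not part of the original posts, and not Microsoft or ISA Server code): steps 1 and 7 of the reply at the top of this message only work together if the name or IP entered as the browser's HTTPS proxy is one the listener certificate actually carries. This Python check compares the two using certificate fields in the dict shape returned by `ssl.SSLSocket.getpeercert()`; the host name `isa-proxy.corp.example`, the address `192.0.2.10` and the three sample certificates are constructed for illustration.

```python
import ipaddress

def dns_match(pattern, host):
    """Compare one certificate DNS name with the configured proxy name.
    A wildcard is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def listener_cert_match(cert, proxy_setting):
    """Return 'san', 'cn-only' or 'mismatch' for the value typed into the
    browser's HTTPS proxy field (step 7) against the listener cert (step 1)."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(proxy_setting)
    except ValueError:
        ip = None
    for kind, value in sans:
        # An IP setting must match an "IP Address" entry, never a DNS entry.
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return "san"
        if ip is None and kind == "DNS" and dns_match(value, proxy_setting):
            return "san"
    # Subject CN is a legacy fallback (RFC 2818 deprecates it); report it separately.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(cn.lower() == proxy_setting.lower() for cn in cns):
        return "cn-only"
    return "mismatch"

# Constructed sample certificates (illustrative values only).
CERT_NAME = {"subject": ((("commonName", "isa-proxy.corp.example"),),),
             "subjectAltName": (("DNS", "isa-proxy.corp.example"),)}
CERT_IP = {"subject": ((("commonName", "192.0.2.10"),),),
           "subjectAltName": (("IP Address", "192.0.2.10"),)}
CERT_LEGACY = {"subject": ((("commonName", "isa-proxy.corp.example"),),)}

if __name__ == "__main__":
    for label, cert, setting in [
        ("name cert, name in browser", CERT_NAME, "isa-proxy.corp.example"),
        ("name cert, IP in browser", CERT_NAME, "192.0.2.10"),
        ("IP cert, IP in browser", CERT_IP, "192.0.2.10"),
        ("CN-only cert, name in browser", CERT_LEGACY, "isa-proxy.corp.example"),
    ]:
        print(f"{label}: {listener_cert_match(cert, setting)}")
```

A `mismatch` result means the client will raise a certificate name error when it connects to the listener; `cn-only` means the match depends on the client still falling back to the subject common name.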