Re: ISA2006 (No SP1) Single NIC Workgroup DMZ Client Certificate Auth
- From: "Jim Harrison (ISA SE)" <jmharr@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 31 Jul 2008 21:04:25 -0700
You can't "proxy" a certificate.
You'll have to use Server Publishing for this site if you insist on cert
auth at the web server itself.
--
Jim Harrison (ISA SE)
This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html
"NTNEWS" <NTNEWS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:01A4D978-A3D2-406D-8B49-68541F9B8039@xxxxxxxxxxxxxxxx
I have an ISA2006 workgroup standalone computer in my DMZ with a single NIC
to the Internet. Another firewall handles all routing to my internal network
and I am using the proxy server as a reverse web proxy only. I have hosted
Exchange OWA and many other web sites without issues. I am now trying to
publish a web site that uses a Client Certificate for authorization and
that's it. It works seamlessly from the inside and prompts for which cert to
use in your browser. When I try to publish this through the proxy server, I
cannot make it prompt me for a cert, and only get "HTTP Error 403.7 -
Forbidden: SSL client certificate is required. Internet Information Services
(IIS)". I have the private cert installed in my browser and everything works
fine locally. Is there anything special about letting Client Certificate
Auth through a Web Proxy rule? I am NOT trying to have my proxy server
authenticate the client certificate, but rather the destination web site. I
have "No Delegation allow client to authenticate directly" selected.
Additionally on my Web Listener have "No Authentication" set, such that the
receiving web server can authenticate it. I have tried it with SSL Client
Certificate auth with no success, but my understanding of that is that the
proxy server is the one authenticating the client cert which is not what we
want. I have read mixed reviews on whether or not this is supported and that
it may be supported in the new SP1 for ISA2006 especially seeing the setting
I just talked about. Any information on this would be appreciated.
Thanks
NTNEWS