Re: Certificates/SSL Connections From Behind ISA



I found "Configuring Internal Client Access To Web Sites Over SSL" which is
obviously exactly what I want to do:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/client_ssl.mspx

And it's simple enough, but I can't seem to get the certificate from the
external website properly installed on the isa server.

You know what, I am just revisiting your other thread and I don't think that
this is what you need.

First of all that section of the article talks about web chaining by
redirecting http requests from your clients as https requests to the
destination site. You should not need to do this with your setup.

Second, for web chaining to work that way you don't install a (web) server
certificate on the ISA computer (which is what you seem to be doing), you
actually install a client certificate used for authentication to the
destination site. Again not what you want, that Checkpoint site is not using
certificate-based authentication, or is it?

(Please note that there is a difference between authentication and data
encryption; traffic would be SSL-encrypted using certificates but that does
not necessarily mean the initial authentication part is handled via
certificates too).

Here's a thought for you. What Java Virtual Machine are you using on your
client(s)? Did you install Sun's JVM, thus replacing the Microsoft VM? There
is a known issue with Sun's JVM and NTLM pass-through authentication, which
can only be solved by enabling "basic authentication" on the ISA web proxy
listener, in addition to "integrated". You will still get one extra
authentication prompt though.

A way to confirm whether this is your problem is to allow anonymous http(s)
connections from that particular client, by creating an "allow" rule that
does not require authentication for that IP (allows access to "All Users"
not some specific users/groups). Also you have to make sure that the option
"Require all users to authenticate" is not enabled on the web proxy
listener. If after you make these changes you get through, then you can be
100% sure the problem lies with the Sun JVM.

Virgil

