Increasing OWA Security by Configuring the ISA Server to Present a Client Certificate to an OWA Web site
The connection between the OWA client and the OWA server is protected along its entire path when you use SSL to SSL bridging. The OWA client creates an SSL link with the external interface of the ISA Server, and the ISA Server then creates a second SSL protected link with the OWA site on the internal network. Note that these are two SSL sessions rather than one: the ISA Server terminates the client's session, inspects the request, and re-encrypts it toward the OWA site, which is what allows it to apply application layer filtering to OWA traffic. This is a unique feature of ISA Server firewalls and ISA Server Web Proxies and provides one of the most compelling reasons to use ISA Server in an OWA publishing environment.
You can further enhance security by requiring that hosts present a client certificate before they can connect to the OWA site directories. The client certificate is required even before any credentials are passed to the OWA site. Only after the OWA site has accepted the client certificate does it allow the user credentials proxied by the ISA Server to be presented.
You do not want to force client certificate authentication of users with this setup; that is, the certificate is not mapped to a user account. You only want to require that the connecting machine present a client certificate to the OWA site before the user credentials are forwarded to the OWA server. Basic authentication credentials protected by SSL identify the user and allow access to the appropriate mailbox. The certificate therefore identifies the connecting machine, not the user, and anyone who holds its private key can reach the OWA site, so the certificate and the exported file that carries it must be protected accordingly.
This setup is especially helpful in environments where the ISA Server is configured as a unihomed (single NIC) caching-only server on a DMZ segment. If an ISA Server firewall sits at the internal network edge, it already provides a high level of application layer security for the internal OWA site; this is not necessarily true when a non-ISA Server firewall is used to protect the internal network.
In most circumstances a simple packet filtering device is used at the internal network edge. Either a packet filter is configured to allow inbound TCP 443 to the OWA site on the internal network, or a reverse NAT rule is configured to forward inbound TCP 443 to the internal network OWA site. In both these cases, the non-ISA firewall forwards packets based only on port number and does not provide the intelligent application layer inspection provided by an ISA Server firewall.
You can protect the OWA site on the internal network from inappropriate connection attempts by requiring the client certificate. You can distribute client certificates to all internal network clients that require OWA access, and you can provide a client certificate to the Web Proxy service on the ISA Server firewall, which it can use to connect to the OWA site.
You perform the following procedures to allow the ISA Server to present a client certificate to the OWA site:
• Obtain a client certificate for the Web Proxy service
• Export the Web Proxy service's client certificate
• Import the client certificate into the Web Proxy service certificate store
• Bind the client certificate to the Web Publishing Rule
• Force client certificate authentication on the OWA Web site folders
The ISA Server and the OWA site must trust each other's certificates. Confirm that your Root CA is listed in the Trusted Root Certification Authorities node in the machine certificate stores on both computers. For more information on confirming that the Root CA is in the appropriate location and how to place a Root CA certificate in the Trusted Root Certification Authorities node if it is not there.
The remainder of the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document discusses these procedures in detail.
Obtain a Client Certificate for the Web Proxy Service
The first step is to obtain a client certificate for the Web Proxy service. The Web Proxy service will present this certificate to the OWA site when it attempts to connect to one of the OWA folders. You can request the client certificate from the ISA Server computer itself, or you can request it from another machine on the internal network, export it to a file, and then copy that file to the ISA Server.
In this ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document we will go through the procedures required to obtain a client certificate from a machine that is not the ISA Server computer.
Click the Request a Certificate Link.
In the Type of Certificate Needed drop down list, select the Client Authentication Certificate option.
Return to the Welcome page for the Web enrollment site after the request has been approved. You can reach the Welcome page from the Certificate Pending page by clicking the Home link in the upper right corner of the page.
The machine now has a user certificate for the ISA Server's Web Proxy service installed on it. The next step is to export this certificate so that you can copy it to the ISA Server machine.
Export the Web Proxy Service's Client Certificate
The certificate is stored in the user certificate store of the account that requested it on this computer. Because the certificate is in that user's store, you can access it from Internet Explorer while logged on as that user.
Perform the following steps to export the Web Proxy service's user certificate:
1. Open Internet Explorer and click the Tools menu. On the Tools menu, click the Internet Options command (figure 13).
2. In the Internet Options dialog box (figure 14), click the Content tab. Click the Certificates button in the Certificates frame.
3. In the Certificates dialog box, confirm that the Intended purpose drop down list has the <All> option selected (figure 15). Select the webproxyservice certificate and click the Export button.
4. Click Next on the Welcome to the Certificate Export Wizard page (figure 16).
5. On the Export Private Key page (figure 17), select the Yes, export the private key option and click Next.
6. On the Export File Format page (figure 18), select the Personal Information Exchange - PKCS #12 (.PFX) option. Place a checkmark in the Include all certificates in the certification path if possible checkbox and remove all other checkmarks. Click Next.
7. On the Password page (figure 19), type in a password and confirm it. This password encrypts the private key inside the .PFX file; anyone who obtains both the file and the password can present the certificate to the OWA site as if they were the ISA Server, so choose a strong password and do not store it together with the file. Click Next.
8. Type in a file name and path for where you want to save the certificate on the File to Export page (figure 20). Remember where you saved the certificate because you will need to copy it to the ISA Server computer. Click Next.
9. Review your settings on the Completing the Certificate Export Wizard page and click Finish (figure 21).
10. Click OK on the Certificate Export Wizard dialog box (figure 22).
11. If you want to keep a backup copy of the Web Proxy service's certificate, you can leave it on this machine; because the copy includes the private key, only do this if the machine is secure and under your administrative control. Otherwise, use the Remove button to remove the certificate from this machine (figure 23). Click Close.
12. Click OK in the Internet Options dialog box (figure 24).
Copy the certificate file to removable media such as a floppy disk or CD-ROM. Then copy the certificate from the removable media to the ISA Server computer. After the import on the ISA Server has succeeded, delete the .PFX file from the removable media and from the exporting machine unless you are deliberately keeping a controlled backup, because the file contains the private key.
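Before the .PFX file is copied to the ISA Server, it is worth confirming that the export actually contains what the Web Proxy service needs. The following shell script is an added example for this page, not part of the Deployment Kit procedure; because a .PFX file is a standard PKCS #12 container, it uses OpenSSL to check that the private key is present, that the certificate's purpose includes SSL client authentication, and that the issuing chain was included. The make_sample_pfx function builds a throwaway CA and a "webproxyservice" certificate as constructed test data so the checks can be exercised offline; the file name webproxyservice.pfx and the password "secret" are assumptions, not values from the original text.

```shell
#!/bin/sh
# Added example (not from the Deployment Kit): sanity-check an exported PKCS #12
# (.PFX) file with OpenSSL before it is copied to the ISA Server. The checks only
# read the file; nothing is modified.

# Inspect a .PFX: prints one line per check, returns 0 only if all three pass.
#   usage: check_pfx webproxyservice.pfx "$EXPORT_PASSWORD"   (assumed file name)
check_pfx() {
    pfx="$1"; pw="$2"; rc=0

    # 1. Private key present ("Yes, export the private key" in the wizard).
    #    Without it the Web Proxy service cannot prove possession of the certificate.
    if openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes 2>/dev/null \
            | grep -q "PRIVATE KEY"; then
        echo "ok   private key present"
    else
        echo "FAIL private key missing (or wrong password)"; rc=1
    fi

    # 2. End-entity certificate is usable for SSL client authentication.
    #    A certificate issued from a server-only template is refused by the OWA site.
    if openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null \
            | openssl x509 -noout -purpose 2>/dev/null | grep -q "^SSL client : Yes"; then
        echo "ok   certificate purpose includes SSL client"
    else
        echo "FAIL certificate cannot be used for client authentication"; rc=1
    fi

    # 3. Issuing chain included ("Include all certificates in the certification path").
    #    The OWA site must be able to build a path to a Root CA it trusts.
    cacount=$(openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nokeys -cacerts 2>/dev/null \
            | grep -c "BEGIN CERTIFICATE" || true)
    if [ "$cacount" -ge 1 ]; then
        echo "ok   $cacount issuing certificate(s) included"
    else
        echo "FAIL no issuing certificates in the file"; rc=1
    fi
    return $rc
}

# Constructed test data: a throwaway Root CA and a "webproxyservice" client
# certificate, exported once correctly and once without the private key.
#   usage: make_sample_pfx <outdir>   -> <outdir>/good.pfx and <outdir>/nokey.pfx, password "secret"
make_sample_pfx() {
    d="$1"; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
        -subj "/CN=Test Root CA" -days 2 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/wp.key" -out "$d/wp.csr" \
        -subj "/CN=webproxyservice" >/dev/null 2>&1
    # Client Authentication EKU, as the "Client Authentication Certificate" template issues.
    printf 'extendedKeyUsage = clientAuth\n' > "$d/ext.cnf"
    openssl x509 -req -in "$d/wp.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/wp.crt" -days 2 -extfile "$d/ext.cnf" >/dev/null 2>&1
    # Correct export: private key, certificate and issuing chain, password protected.
    openssl pkcs12 -export -in "$d/wp.crt" -inkey "$d/wp.key" -certfile "$d/ca.crt" \
        -out "$d/good.pfx" -passout pass:secret
    # Mistaken export: certificate only, as if "Yes, export the private key" was not selected.
    openssl pkcs12 -export -nokeys -in "$d/wp.crt" -certfile "$d/ca.crt" \
        -out "$d/nokey.pfx" -passout pass:secret
}
```

Run check_pfx against the file produced by the Certificate Export Wizard; a FAIL on the first line most often means the private key was not exported or the password is wrong, and a FAIL on the second means the wrong certificate template was requested at the enrollment site.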
Import the Client Certificate into the Web Proxy Service Certificate Store
You're ready to import the certificate into the Web Proxy service's certificate store now that the certificate is copied to the ISA Server machine.
Perform the following steps to import the Web Proxy service's user certificate:
1. Click Start and then click the Run command. Type mmc in the Open text box and click OK. In the Console 1 console, click the File menu and click the Add/Remove Snap-in command (figure 25).
2. Click Add on the Add/Remove Snap-in dialog box (figure 26).
3. On the Add Standalone Snap-in dialog box (figure 27), select the Certificates entry from the Available Standalone Snap-ins list and click Add.
4. On the Certificates snap-in page, select the Service account option (figure 28) and click Next.
5. On the Select Computer page (figure 29), select the Local computer: (the computer this console is running on) option and click Next.
6. On the Certificates snap-in page (figure 30), select the Microsoft Web Proxy option from the Service account list. Click Finish.
7. Click Close on the Add Standalone Snap-in dialog box (figure 31).
8. Click OK in the Add/Remove Snap-in dialog box (figure 32).
9. Click on the W3Proxy\Personal node in the left pane of the console. Right click on an empty area in the right pane of the console, point to All Tasks and click on Import (figure 33).
10. Click Next on the Welcome to the Certificate Import Wizard page (figure 34).
11. Use the Browse button to locate the certificate (figure 35), then click Next.
12. Type in the password you created for the certificate on the Password page (figure 36). Click Next.
13. Leave the default selection on the Certificate Store page (figure 37). Click Next.
14. Review your selections on the Completing the Certificate Import Wizard page (figure 38) and click Finish.
15. Click OK on the Certificate Import Wizard dialog box (figure 39).
The Web Proxy service's certificate store now holds the certificate and its private key, so the service can present the certificate to a server that requests client certificate authentication without any explicit user intervention. Which connections actually present it is controlled by the Web Publishing Rule, which is configured in the next procedure.
Bind the Client Certificate to the Web Publishing Rule
The Web Proxy service needs to be informed that it has a certificate it can present to the OWA server. This setting is found in the OWA Web Publishing Rule.
Perform the following steps to bind the client certificate to the OWA Web Publishing Rule:
1. Open the ISA Management console and expand the Servers and Arrays node. Expand your server name and then expand the Publishing node. Click on the Web Publishing Rules node. Right click on the OWA Web Publishing Rule in the right pane of the console and click the Properties command (figure 40).
2. Click on the Bridging tab (figure 41). Put a checkmark in the Use a certificate to authenticate to the SSL Web server checkbox.
3. Click the Select button (figure 42). Select the Web Proxy service's client certificate in the Select Certificate dialog box and click OK.
4. The certificate appears in the text box at the bottom of the dialog box (figure 43). Click Apply and then click OK.
The Web Proxy service is now able to present the client certificate to the OWA server on the internal network whenever it forwards requests from OWA clients on the external network through this rule.
Force Client Certificate Authentication on the OWA Web Site Folders
At this point the ISA Server is able to present a client certificate when one is requested. The next step is to configure the OWA Web site directories to require a client certificate before they allow a connection.
Perform the following steps to force the OWA Web site to request a client certificate from the ISA Server before allowing a connection:
1. Click Start, point to Administrative Tools and click on Internet Information Services (IIS) Manager. In the Internet Information Services (IIS) Manager console, expand your server name and then expand the Web Sites node in the left pane of the console. Expand the Default Web Site node and click on the Exchange node. Right click an empty area in the right pane and click the Properties command (figure 44).
2. On the Exchange Properties dialog box (figure 45), click the Edit button in the Secure communications frame.
3. In the Secure Communications dialog box (figure 46), confirm that the Require secure channel (SSL) checkbox is selected; the client certificate options are unavailable until it is. Then select the Require client certificates option in the Client certificates frame. Click OK.
4. Click OK in the Exchange Properties dialog box (figure 47). Repeat this procedure for the Exchweb and Public folders.
5. Restart the virtual Web server after you have configured the Exchange, Exchweb and Public folders to require a client certificate. Right click on your server name, point to All Tasks and click on Restart IIS (figure 48).
6. In the Stop/Start/Restart dialog box (figure 49), select the Restart Internet Services on option and click OK.
7. The IIS services restart (figure 50).
8. Close the Internet Information Services (IIS) Manager console (figure 51).
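Once the three folders require a client certificate, the change can be verified from the ISA Server's side of the packet filter. The following shell script is an added example, not part of the Deployment Kit procedure: it sends a plain HTTP request over SSL with openssl s_client, once without a certificate and once presenting the Web Proxy service's certificate, and classifies the response. A correctly configured folder answers a certificate-less request with HTTP 403 and IIS sub-status 403.7 (client certificate required), and answers a request that carries an accepted certificate with a 401 Basic authentication challenge, which is the point at which the ISA Server would forward the user's credentials. The host name owa.internal.example and the PEM files webproxy.crt and webproxy.key (the exported .PFX converted with openssl pkcs12 -nodes) are assumptions. The classify function can be exercised offline on captured responses.

```shell
#!/bin/sh
# Added example (not from the Deployment Kit): verify that the OWA folders demand
# a client certificate before they ask for user credentials.

# Classify an HTTP response (headers and body) read from stdin.
#   prints one of: cert-required | forbidden | auth-challenge | ok | other:<status>
classify_owa_response() {
    resp=$(cat)
    # Status code from the first line, e.g. "HTTP/1.1 403 Forbidden" -> 403
    status=$(printf '%s\n' "$resp" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    case "$status" in
        403)
            # IIS reports a missing or rejected client certificate as 403 with
            # sub-status 403.7 in the error page; other 403.x codes are unrelated.
            if printf '%s\n' "$resp" | grep -q '403\.7'; then
                echo cert-required
            else
                echo forbidden
            fi ;;
        401) echo auth-challenge ;;   # certificate accepted; site now asks for credentials
        200) echo ok ;;
        *)   echo "other:${status:-none}" ;;
    esac
}

# Request an OWA folder over SSL, optionally presenting a client certificate
# (PEM certificate and key, paths without spaces), and print the classification.
#   usage: probe_owa owa.internal.example /exchange/ [webproxy.crt webproxy.key]   (assumed names)
probe_owa() {
    host="$1"; path="$2"; cert="$3"; key="$4"
    clientopts=""
    [ -n "$cert" ] && clientopts="-cert $cert -key $key"
    # HTTP/1.0 with Connection: close makes IIS answer and hang up, so s_client exits.
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host" \
        | openssl s_client -quiet -connect "$host:443" -servername "$host" $clientopts 2>/dev/null \
        | classify_owa_response
}

# Probe the three OWA folders from the procedure both ways and report mismatches.
# Expected: without certificate -> cert-required; with certificate -> auth-challenge.
#   usage: verify_owa_folders owa.internal.example webproxy.crt webproxy.key
verify_owa_folders() {
    host="$1"; cert="$2"; key="$3"; bad=0
    for p in /exchange/ /exchweb/ /public/; do
        anon=$(probe_owa "$host" "$p")
        withcert=$(probe_owa "$host" "$p" "$cert" "$key")
        [ "$anon" = cert-required ] || { echo "$p without certificate: $anon (expected cert-required)"; bad=1; }
        [ "$withcert" = auth-challenge ] || { echo "$p with certificate: $withcert (expected auth-challenge)"; bad=1; }
    done
    [ "$bad" -eq 0 ] && echo "all folders require a client certificate, then challenge for credentials"
    return $bad
}
```

A folder that answers the certificate-less request with a 401 instead of 403.7 was missed in step 4 and is still reachable through the packet filter by anyone who can speak SSL to it; a folder that answers the certificate-bearing request with 403.7 indicates the OWA site does not trust the issuing Root CA of the Web Proxy service's certificate.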