Increasing OWA Security by Configuring the ISA Server to Present a Client Certificate to an OWA Web site

 

The connection between the OWA client and serveris protected from end to end when you use SSL to SSL bridging. The OWA client creates an SSL link with the external interface of the ISA Server and then the ISA Server creates a second SSL protected link with the OWA site on the internal network. This is a unique feature of ISA Server firewalls and ISA Server Web Proxies and provides one of the most compelling reasons to use ISA Server in an OWA publishing environment.

 

You can further enhance security by requiring that hosts present a client certificate before they can connect to the OWA site directories. The client certificate is required even before any credentials are passed to the OWA site. Only after the client certificate is accepted by the OWA site does the site then allow the user credentials to be proxied by the ISA Server.

 

Note:
You do not want to force client certificate authentication with this setup. You only want to require that the machine present a client certificate to the OWA site before the user credentials are forwarded to the OWA server. Basic authentication credentials protected by SSL identify the user and allow access to the appropriate mailbox.

 

This setup is especially helpful in environments where the ISA Server is configured as a unihomed (single NIC) caching-only server on a DMZ segment. While you have a high level of application layer security protecting your internal OWA site if you have an ISA Server firewall at the internal network edge, this is not necessarily true if a non-ISA Server firewall is used to protect the internal network.

 

In most circumstances a simple packet filtering device is used at the internal network edge. Either a packet filter is configured to allow inbound TCP 443 to the OWA site on the internal network, or a reverse NAT rule is configured to forward inbound TCP 443 to the internal network OWA site. In both these cases, the non-ISA firewall forwards packets based only on port number and does not provide the intelligent application layer inspection provided by an ISA Server firewall.

 

You can protect the OWA site on the internal network from inappropriate connection attempts by requiring the client certificate. You can distribute client certificates to all internal network clients that require OWA access, and you can provide a client certificate to the Web Proxy service on the ISA Server firewall, which it can use to connect to the OWA site.

 

You perform the following procedures to allow the ISA Server to present a client certificate to the OWA site:

 

         Obtain a client certificate for the Web Proxy service

         Export the Web Proxy serviceís client certificate

         Import the client certificate into the Web Proxy service certificate store

         Bind the client certificate to the Web Publishing Rule

         Force client certificate authentication on the OWA Web site folders

 

Note:
The ISA Server and the OWA site must trust each otherís certificates. Confirm that your Root CA is listed in the Trusted Root Certification Authorities node in the machine certificate stores on both computers. For more information on confirming that the Root CA is in the appropriate location and how to place a Root CA certificate in the Trusted Root Certification Authorities node if it is not there.

 

The remainder of the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document discusses these procedures in detail.

 

 

 

Obtain a Client Certificate for the Web Proxy Service

 

The first step is to obtain a client certificate for the Web Proxy service. The Web Proxy service will present this certificate to the OWA site when it attempts to connect to one of the OWA folders. You can obtain the client certificate from the ISA Server computer itself, or you can obtain it from another machine on the internal network, export it and then copy the exported client certificate to a file.

 

In this ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document we will go through the procedures required to obtain a client certificate from a machine that is not the ISA Server computer.

 

  1. From a client on the internal network, open Internet Explorer and go to the name or the IP address of the Web enrollment site: http://<ip_address>/certsrv or http://name/certsrv. This will take you to the Certificate Serverís Welcome page (figure 1).

 

Click the Request a Certificate Link.

 

Figure 1

 

  1. On the Request a Certificate page (figure 2), click on the advanced certificate request link.

 

Figure 2

 


  1. On the Advanced Certificate Request page (figure 3), click the Create and submit a request to this CA link.

 

Figure 3

 


  1. On the Advanced Certificate Request page (figure 4), will in the identifying information for the Web Proxy service. The only required field is the Name field, but you should fill in all the fields for identification purposes.

 

In the Type of Certificate Needed drop down list, select the Client Authentication Certificate option.

 

Figure 4

 


  1. Scroll down the page and put a checkmark in the Mark keys as exportable checkbox (figure 5).

 

Figure 5

 


  1. Click the Submit button on the bottom of the page (figure 6). Click Yes on the warning dialog box informing you that the Web site is requesting a certificate on your behalf.

 

Figure 6

 


  1. On the Certificate Pending page (figure 7) you are informed that your certificate will be issued pending approval by and administrator. At this point you must go to the standalone CA and approve the certificate request.

 

Return to the Welcome page for the Web enrollment site after the request has been approved. You can reach the Welcome page from the Certificate Pending page by click on the Home link on the upper right corner of the page.

 

Figure 7

 


  1. On the Welcome page, click the View the status of a pending certificate request option (figure 8).

 

Figure 8

 


  1. On the View the Status of a Pending Certificate Request page (figure 9), click the link for the certificate.

 

Figure 9

 


  1. On the Certificate issued page (figure 10), click the Install this certificate link.

 

Figure 10

 


  1. Click Yes on the Potential Scripting Violation dialog box that warns you the Web site is adding one or more certificates to the computer (figure 11).

 

Figure 11

 


  1. Click Yes on the Root Certificate Store dialog box that asks if you want to add the CA certificate to the Root Store on this computer (figure 12).

 

Figure 12

 

The machine now has a user certificate for the ISA Serverís Web Proxy service installed on it. The next step is to export this certificate so that you can copy it to the ISA Server machine.

 

 

 


Export the Web Proxy Clientís Certificate

 

The user certificate is stored in the user certificate store on this computer. Because the certificate is stored in the user certificate store, you can access the certificate from Internet Explorer.

 

Perform the following steps to export the Web Proxy serviceís user certificate:

 

1.       Open Internet Explorer and click the Tools menu. On the Tools menu, click the Internet Options command (figure 13)

 

Figure 13

 


2.       In the Internet Options dialog box (figure 14), click the Content tab. Click the Certificates button in the Certificates frame.

 

Figure 14

 


3.       In the Certificates dialog box, confirm that the Intended purpose drop down list has the <All> option selected (figure 15). Select the webproxyservice certificate and click the Export button.

 

Figure 15

 


4.       Click Next on the Welcome to the Certificate Export Wizard page (figure 16).

 

Figure 16

 


5.       On the Export Private Key page (figure 17), select the Yes, export the private key option and click Next.

 

Figure 17

 


6.       On the Export File Format page (figure 18), select the Personal Information Exchange 00 PKCS #12 (.PFX) option. Place a checkmark in the Include all certificates in the certification path if possible checkbox and remove all other checkmarks. Click Next.

 

Figure 18

 


7.       On the Password page (figure 19), type in a password and confirm the password. This password protects the certificate from being stolen in the event that an unauthorized person is able to access this certificate file. Click Next.

 

Figure 19

 


8.       Type in a file name and path for where you want to save the certificate on the File to Export page (figure 20). Remember where you saved the certificate because you will need to copy it to the ISA Server computer. Click Next.

 

Figure 20

 


9.       Review your settings on the Completing the Certificate Export Wizard page and click Finish (figure 21).

 

Figure 21

 


10.   Click OK on the Certificate Export Wizard dialog box (figure 22).

 

Figure 22

 


11.   If you want to keep a backup copy of the Web Proxy serviceís certificate, you can leave it on this machine. However, you can use the Remove button to remove the certificate from this machine if the machine is not secure and not under your administrative control (figure 23). Click Close.

 

Figure 23

 


12.   Click OK in the Internet Options dialog box (figure 24).

 

Figure 24

 

Copy the certificate to removable media such as a floppy disk or CD-ROM. Then copy the certificate from the removable media to the ISA Server computer.

 

 

 


Import the Client Certificate into the Web Proxy Service Certificate Store

 

Youíre ready to import the certificate into the Web Proxy serviceís certificate store now that the certificate is copied to the ISA Server machine.

 

Perform the following steps to import the Web Proxy serviceís user certificate:

 

1.       Click Start and then click the Run command. Type mmc in the Open text box and click OK. In the Console 1 console, click the File menu and click the Add/Remove Snap-in command (figure 25).

 

Figure 25

 


2.       Click Add on the Add/Remove Snap-in dialog box (figure 26).

 

Figure 26

 


3.       On the Add Standalone Snap-in dialog box (figure 27), select the Certificates entry from the Available Standalone Snap-ins list and click Add.

 

Figure 27

 


4.       On the Certificates snap-in page, select the Service account option (figure 28) and click Next.

 

Figure 28

 


5.       On the Select Computer page (figure 29), select the Local Computer (the computer this console option and click Next.

 

Figure 29

 


6.       On the Certificates snap-in page (figure 30), select the Microsoft Web Proxy option from the Service account list. Click Finish.

 

Figure 30

 


7.       Click Close on the Add Standalone Snap-in dialog box (figure 31).

 

Figure 31

 


8.       Click OK in the Add/Remove Snap-in dialog box (figure 32).

 

Figure 32

 


9.       Click on the W3Proxy\Personal node in the left pane of the console. Right click on an empty area in the right pane of the console, point to All Tasks and click on Import (figure 33).

 

Figure 33

 


10.   Click Next on the Welcome to the Certificate Import Wizard page (figure 34).

 

Figure 34

 


11.   Use the Browse button to locate the certificate (figure 35), then click Next.

 

Figure 35

 


12.   Type in the password you created for the certificate on the Password page (figure 36). Click Next.

 

Figure 36

 


13.   Leave the default selection on the Certificate Store page (figure 37). Click Next.

 

Figure 37

 


14.   Review your selections on the Completing the Certificate Import Wizard page (figure 38) and click Finish.

 

Figure 38

 


15.   Click OK on the Certificate Import Wizard dialog box (figure 39).

 

Figure 39

 

The Web Proxy service can now present this certificate to any entity requesting a client certificate and it can do this without any explicit user intervention. The Web Proxy client will send this client certificate to any server requesting client certificate authentication.

 

 

 


Bind the Client Certificate to the Web Publishing Rule

 

The Web Proxy service needs to be informed that it has a certificate it can present to the OWA server. This setting is found in the OWA Web Publishing Rule.

 

Perform the following steps to bind the client certificate to the OWA Web Publishing Rule:

 

1.       Open the ISA Management console and expand the Servers and Arrays node. Expand your server name and then expand the Publishing node. Click on the Web Publishing Rules node. Right click on the OWA Web Publishing Rule in the right pane of the console and click the Properties command (figure 40).

 

Figure 40

 


2.       Click on the Bridging tab (figure 41). Put a checkmark in the Use a certificate to authenticate to the SSL Web server checkbox.

 

Figure 41

 


3.       Click the Select button (figure 42). Select the Web Proxy serviceís client certificate in the Select Certificate dialog box and click OK.

 

Figure 42

 


4.       The certificate appears in the text box at the bottom of the dialog box (figure 43). Click Apply and then click OK.

 

Figure 43

 

The Web Proxy service is now able to present a client certificate to the OWA server on the internal network whenever it forwards messages for the OWA clients on the external network.

 

 

 


Force Client Certificate Authentication on the OWA Web Site Folders

 

At this point the ISA Server is able to forward a client when one is requested. The next step is to configure the OWA Web site directories to request a client certificate before it allows a connection.

 

Perform the following steps to force the OWA Web site to request a client certificate from the ISA Server before allowing a connection:

 

1.       Click Start, point to Administrative Tools and click on Internet Information Services (IIS) Manager. In the Internet Information Services (IIS) Manager console, expand your server name and then expand the Web Sites node in the left pane of the console. Expand the Default Web Site node and click on the Exchange node. Right click an empty area in the right pane and click the Properties command (figure 44).

 

Figure 44

 


2.       On the Exchange Properties dialog box (figure 45), click the Edit button in the Secure communications frame.

 

Figure 45

 


3.       In the Secure Communications dialog box (figure 46), select the Require client certificate in the Client certificates frame. Click OK.

 

Figure 46

 


4.       Click OK in the Exchange Properties dialog box (figure 47). Repeat this procedure for the Exchweb and Public folders.

 

Figure 47

 


5.       Restart the virtual Web server after you have configured the Exchange, Exchweb and Public folders to require a client certificate. Right click on your server name, point to All Tasks and click on Restart IIS (figure 48).

 

Figure 48

 


6.       In the Stop/Start/Restart dialog box (figure 49), select the Restart Internet Services on option and click OK.

 

Figure 49

 


7.       The IIS services on restart (figure 50).

 

Figure 50

 


8.       Close the Internet Information Services (IIS) Manager console (figure 51).

 

Figure 51