Microsoft Internet Security and Acceleration Server 2000 SharePoint Portal Server Deployment Kit

 

Chapter 6

Using SSL Bridging to Protect SharePoint Web Sites

Martin Grasdal

Dr. Thomas W Shinder

December 2003

 

Table of Contents

 

Abstract

Overview of SSL Bridging

Step-by-Step Background Information

Step-by-Step How To: Exporting Digital Certificate from SharePoint Web Site

Step-by-Step How To: Importing a Digital Certificate to ISA Server

Adding Certificates MMC Console

Importing the Web Site Certificate to the ISA Server 2000 Firewall Using Certificates MMC Console

Step-by-Step: Configuring the Incoming Web Requests Listener To Use a Digital Certificate

Testing ISA Server 2000 Firewall SSL Configuration

Troubleshooting 500 Internal Server Errors – the Target Principal Name is Incorrect

Step-by-Step: Configuring SSL Bridging on the Web Publishing Rule

Results of SSL Bridging Configuration

Summary

 

 


Abstract

SSL bridging is a feature of ISA Server 2000 Web Publishing Rules that adds flexibility and security to SSL-enabled sites.  SSL bridging makes it possible to terminate an SSL session at the ISA Server 2000 firewall so that the HTTP communications can be screened using deep application layer inspection.  With SSL bridging, it is possible to forward the SSL traffic as HTTP traffic to the internal Web site. This configuration reduces the overhead on the internal Web site, which would otherwise need to process encrypted connections.  Where greater security is an overriding concern, SSL bridging can be configured to establish a new SSL connection from the internal interface of the ISA Server to the Web site. This chapter shows you how to configure SSL bridging by exporting a digital certificate from a Web site, importing the digital certificate into the ISA Server, configuring the Incoming Web Requests Listener to use the digital certificate, and configuring SSL bridging in the Web Publishing Rule.


 

ISA Server 2000 SSL bridging helps to ensure the confidentiality and integrity of the HTTP traffic passing between the external client and the Web site over the Internet. The previous chapter showed how to create a digital certificate that is used to enable SSL on the SharePoint Web site.  This chapter explains the benefits of SSL bridging and shows you how to use the previously created digital certificate to configure SSL bridging to protect the SharePoint extranet Web site.

 

The process for enabling SSL bridging on an ISA Server 2000 firewall is as follows:

 

  • Exporting an X.509 digital certificate from the Web site.
  • Importing the digital certificate into the ISA Server 2000 firewall’s machine certificate store.
  • Configuring the Incoming Web Requests Listener to listen for HTTPS connection requests and to use the digital certificate.
  • Configuring the Web Publishing Rule to forward either HTTP or HTTPS traffic to the internal SharePoint Web site.
  • Testing SSL connections from an external client.

Overview of SSL Bridging

When an ISA Server 2000 Web Publishing Rule is used to publish a Web site, SSL connections to the Web site are always terminated at the ISA Server 2000 firewall.  Then, depending on the configuration of the Web publishing rule and the internal Web site, the connection is forwarded to the internal Web server as either an HTTP or an HTTPS (SSL) connection.  This process is known as SSL bridging.

 

The primary advantage of SSL bridging is that the SSL traffic is decrypted at the ISA Server 2000 firewall where it can be inspected through application layer filtering before it is forwarded to the internal network.  If the traffic were to remain encrypted, the ISA Server 2000 firewall would have no way of looking into the application layer payload of HTTP packets to determine whether to accept or reject the traffic. 

 

Another advantage of SSL bridging is flexibility of configuration. When SSL bridging is configured so that the SSL connection is terminated at the ISA Server 2000 firewall and then forwarded to the Web site as HTTP traffic, encryption is the sole responsibility of the firewall. This means the Web site does not have the extra overhead of encrypting connections between itself and the connecting host (in this case, the ISA Server 2000 firewall); the traffic between the firewall and the Web site then travels unencrypted over the internal network. In cases where end-to-end security between the external client and the Web site is more important than the performance of the Web server, SSL bridging can be configured so that the ISA Server 2000 firewall negotiates a new SSL session with the Web site in order to forward traffic to it.


Step-by-Step Background Information

The test lab used to demonstrate these step-by-step instructions has the following configuration:

 

  • Internal Network.  The internal network uses the 172.16.1.0/24 network ID.  The default gateway for the network is 172.16.1.1, which is the internal IP address of the ISA Server.
  • External Network.  The external network uses the 192.168.100.0/24 network ID.
  • Internal DNS and Active Directory Namespace.  Internal.net is used as the Active Directory and DNS namespace for the internal network.
  • Active Directory and Domain Controller Configuration.  A Windows Server 2003 Active Directory domain controller named Ad1.internal.net provides directory and DNS services.  DNS is set up with root hints and forwarding to support resolution to the external network and the Internet.  The IP address of the domain controller is 172.16.1.10.  Certificate Services is installed on the domain controller, which serves as an Enterprise root certification authority.  IIS 6.0 is installed on the domain controller to support Web-based enrollment of digital certificates.
  • External DNS Namespace.  External.net is used as the DNS namespace for external clients that connect to resources published through ISA Server.  The DNS zone files for external.net are located on the external network.  The zone has been pre-configured with a single host record that points to the external IP address of the ISA Server, so that the Fully Qualified Domain Name (FQDN) extranet.external.net resolves for access to the extranet SPS Web site.
  • SharePoint Portal Server 2003 Configuration.  SharePoint Portal Server 2003 is installed on a Windows Server 2003 computer named Sps.internal.net.  The SharePoint server uses a co-located SQL Server 2000 Standard Edition for the configuration and content databases.  The SPS server has a primary static IP address of 172.16.1.11 and uses 172.16.1.1 as its default gateway.
  • SharePoint Server Virtual Web Sites Configuration.  Two co-located SPS Web sites reside on the SPS computer.  The intranet Web site is located at 172.16.1.11 and is configured to use integrated authentication only.  The Web site used for the extranet is located at 172.16.1.12 and is configured to use basic authentication only.  Additionally, a digital certificate with the common name “extranet.external.net” has been created for the extranet Web site.
  • ISA Server 2000 Configuration.  ISA Server 2000 with Service Pack 1, Feature Pack 1, and HotFix isahf255.exe is installed on a Windows Server 2003 computer.
      ◦ External NIC configuration:
          ▪ IP address: 192.168.100.22/24
          ▪ Default Gateway: 192.168.100.254/24
          ▪ File and Print Sharing: disabled
          ▪ Client for Microsoft Networks: disabled
          ▪ NetBIOS: disabled
          ▪ Registration of external IP address in Dynamic DNS zone: disabled
          ▪ DNS server: None
          ▪ Binding order: lowest
      ◦ Internal NIC configuration:
          ▪ IP address: 172.16.1.1/24
          ▪ Default Gateway: None
          ▪ File and Print Sharing: enabled
          ▪ NetBIOS: enabled
          ▪ Registration of IP address in Dynamic DNS zone: enabled
          ▪ DNS server: 172.16.1.10
          ▪ Binding order: highest
      ◦ ISA configuration details:
          ▪ Installation type: Standalone
          ▪ Installation mode: Integrated (firewall and proxy services)
          ▪ Local Address Table (LAT): 172.16.1.0 – 172.16.1.255
          ▪ Site and Content Rule: Default
          ▪ Protocol Rule: a single protocol rule to enable outbound access for all protocols.
          ▪ Packet Filtering: enabled.
          ▪ Incoming Web Request Listener: enabled and configured for the external IP address.
          ▪ Destination Set: created for the SharePoint extranet site at 172.16.1.12.
          ▪ Web Publishing Rule: created to forward HTTP requests to the SharePoint site using the Destination Set.
          ▪ URLScan 2.5: installed using the IIS template configuration file.
          ▪ Client Configuration: all clients configured as SecureNAT clients (no Web proxy client configuration or Firewall client).

 


Step-by-Step How To:  Exporting Digital Certificate from SharePoint Web Site

A prerequisite for enabling SSL on the ISA Server 2000 firewall is the existence of an exportable digital certificate that is already installed on a Web site.  That is, the ISA Server 2000 firewall will use the same digital certificate as the internal Web site for the SSL connections.  Consequently, the first step for enabling SSL on the ISA Server 2000 firewall is to export the digital certificate from the Web site. 

 

If you haven’t already created and installed a digital certificate to enable SSL on the published Web site, please see the previous chapter, Configuring and Implementing Secure Sockets Layer (SSL) for SharePoint Web Sites, which explains the steps for setting up a Certification Authority and installing this digital certificate. 

 

To export the digital certificate from an SSL-enabled Web site,

 

1.       Open the Internet Information Services (IIS) Manager MMC console, expand the Web Sites node, right-click the virtual Web site node where the digital certificate is installed, and click Properties on the context menu.

2.       In the <Name-of-Virtual-Web-Site> Properties page, click on the Directory Security tab, as in the figure below.

 

Figure 1 Directory Security Tab of Web Site Properties

 

3.       In the Secure Communications frame, click on the Server Certificate button.

4.       In the subsequent Welcome to the Web Server Certificate Wizard page, click Next. The Modify the Current Certificate Assignment page appears, as in the figure below.

 

Figure 2 Modify the Current Certificate Assignment Page

 


5.       In the Modify the Current Certificate Assignment page, click the radio button to Export the current certificate to a .pfx file, and then click Next.  The Export Certificate page appears.

 

Figure 3 Export Certificate Page

 


6.       The Path and file name text box of the Export Certificate page includes a default name and path for the .pfx file.  Enter a file name (excluding the extension) and path as appropriate, and click Next. The Certificate Password page appears.

 

Figure 4  Certificate Password Page

 


7.       In the Certificate Password page, type a strong password in the Password and Confirm Password text boxes.  (You will need this password later, so you should make a secure record of it.)  Click Next to proceed to the Export Certificate Summary page.

 

Figure 5  Export Certificate Summary Page

 

8.       Review the information on the Export Certificate Summary page.  In particular, you should confirm that the Issued To field matches the FQDN that external clients will use to connect to the published Web site.  After reviewing the certificate details, click Next to proceed to the Completing the Web Server Certificate Wizard page.

9.       On the Completing the Web Server Certificate Wizard page, click Finish.

10.   If necessary, copy the .pfx file to a location or media that is accessible to the ISA Server.


Step-by-Step How To:  Importing a Digital Certificate to ISA Server

After creating the .pfx file, the next step is to import the file into the ISA Server 2000 firewall’s machine certificate store.  This file can be on a floppy disk or other media, or it can be located in a folder that is accessible to the ISA Server 2000 firewall.  Before beginning the process to import the certificate to the ISA Server 2000 firewall computer, copy the .pfx file to an accessible location, if necessary.

Adding Certificates MMC Console

Importing the certificate to the ISA Server requires the Certificates MMC console.  Because the Certificates MMC console is not available by default in the Administrative Tools folder, we have to add it to an MMC console.  Perform the following steps to add the Certificates snap-in:

 

  1. Click Start | Run, type mmc in the Open text box of the Run dialog box, and press Enter.  A blank MMC console appears.

Figure 6  Blank MMC Console

  2. Click the File menu of the MMC console and select Add/Remove Snap-in.  The Add/Remove Snap-in dialog box appears.

Figure 7  Add/Remove Snap-in Dialog Box

  3. In the Add/Remove Snap-in dialog box, click the Add button.  The Add Standalone Snap-in dialog box appears.

Figure 8  Add Standalone Snap-in Dialog Box

  4. In the Add Standalone Snap-in page, select the Certificates snap-in, and click the Add button.  The Certificates snap-in page appears.

Figure 9  Certificates Snap-in Page

  5. In the Certificates snap-in page, select the Computer account option (you must select this option in order to import the certificate properly), and click Next.  The Select Computer page appears.

Figure 10  Select Computer Page

  6. In the Select Computer page, select the radio button for Local computer: (the computer this console is running on), and click Finish.
  7. Click Close in the Add Standalone Snap-in page.
  8. Click OK in the Add/Remove Snap-in page, and leave the MMC console open for the next procedure, which imports the certificate to the ISA Server.

Importing the Web Site Certificate to the ISA Server 2000 Firewall Using Certificates MMC Console

After adding the Certificates snap-in to the MMC console, you can import the .pfx file to the Personal certificate store of the local computer.  To import the file using the Certificates MMC console,

 

  1. In the Certificates MMC console, expand the Certificates (Local Computer) node, right-click the Personal node, and select All Tasks | Import from the context menu, as in the figure below.

Figure 11  Importing Certificate to Personal Certificate Store of Local Computer

  2. In the Welcome to the Certificate Import Wizard page that subsequently appears, click Next to proceed to the File to Import page.
  3. On the File to Import page, click Browse to navigate to the .pfx file, or enter the path and file name in the File name text box.  Then click Next to proceed to the Password page.

Figure 12  Specifying .pfx File to Import

  4. In the Password text box, enter the strong password you created earlier when you exported the certificate from the Web site, and click Next to proceed to the Certificate Store page.

     You can also, if you wish, select the Mark this key as exportable check box.  However, because the Web site already holds an exportable copy of the key, which should be closely protected, this step is not necessary and it weakens the security of the digital certificate.

Figure 13  Certificate Password Page

  5. On the Certificate Store page, ensure that Place all certificates in the following store is selected and that the Certificate store text box points to the Personal store, and click Next.
  6. In the subsequent Completing the Certificate Import Wizard page, verify that the certificate will be imported to the Personal store, and click Finish.
  7. Click OK to confirm the successful import of the certificate, and close the MMC console.

 

 

After importing the certificate to the ISA Server 2000 firewall’s machine certificate store, the next step is to enable the Incoming Web Requests Listener to use the certificate. 


Step-by-Step: Configuring the Incoming Web Requests Listener To Use a Digital Certificate

By default, the Incoming Web Requests Listener is not configured to listen for requests on TCP port 443, which is the port used for HTTPS (SSL) connections.  Therefore, the first step in configuring the listener is to enable it to listen on TCP port 443 (or a custom port you wish to use for this purpose) for HTTPS connection requests.  This setting is global to all listeners and cannot be configured on a per-listener basis.

 

The next step is to configure the listener(s) to use a specific certificate.  Individual listeners can also be configured to use specific, individual certificates.  The ability to use different certificates for different listeners is a powerful and unique feature of ISA Server 2000.

 

Tip:

If you have only one external IP address through which you publish multiple Web sites, you can create a digital certificate that uses a wildcard for the common name, for example, *.external.net.  As long as all of the published SSL-enabled Web sites use the same domain name, external clients won’t see a warning message indicating that the name of the certificate does not match the name of the requested Web site.
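As an added illustration (not part of the original chapter) of the Issued To check in step 8 of the export procedure and of the wildcard tip above, the following Python script applies the name-matching rule a browser uses to the certificate names used in this lab. The sample certificates are constructed, and the matching function and its wildcard handling are this example's own assumptions rather than ISA Server code.

```python
"""Check whether a certificate's name covers the FQDN external clients use.

Constructed example: the sample certificates below are in the dict layout
returned by Python's ssl.SSLSocket.getpeercert(); none of them come from
the chapter's lab.  The rule mirrors what a browser does when it connects
to extranet.external.net through the ISA Server listener.
"""
from typing import Dict, List


def names_in_cert(cert: Dict) -> List[str]:
    """Collect DNS names from subjectAltName, falling back to the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches_host(pattern: str, host: str) -> bool:
    """Match one certificate name against a requested host name.

    A wildcard is honoured only as the whole leftmost label (*.external.net)
    and covers exactly one label: it matches extranet.external.net but not
    deep.extranet.external.net, and not the bare external.net.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: Dict, host: str) -> bool:
    """True if any DNS name in the certificate covers the requested host."""
    return any(name_matches_host(name, host) for name in names_in_cert(cert))


# Constructed sample certificates (getpeercert() layout).
SITE_CERT = {"subject": ((("commonName", "extranet.external.net"),),)}
WILDCARD_CERT = {"subject": ((("commonName", "*.external.net"),),),
                 "subjectAltName": (("DNS", "*.external.net"),)}
INTERNAL_CERT = {"subject": ((("commonName", "sps.internal.net"),),)}

if __name__ == "__main__":
    # The internal-name certificate is the case that produces the browser warning.
    for label, cert in (("site", SITE_CERT), ("wildcard", WILDCARD_CERT), ("internal", INTERNAL_CERT)):
        print(f"{label:9s} -> extranet.external.net: {cert_matches_host(cert, 'extranet.external.net')}")
```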

 


To configure the Incoming Web Requests Listener to listen for HTTPS connection requests,

 

  1. Open the ISA Management MMC console, right-click the Server object node, and select Properties from the context menu.
  2. In the <Name-of-ISA-Server> Properties page, click the Incoming Web Requests tab, as in the figure below.

Figure 14  Enabling SSL Listeners on the Incoming Web Requests Tab

  3. In the Identification frame, select the Enable SSL listeners check box.  (Remember that this is a global setting: by selecting it, all listeners will listen for HTTPS connection requests.)  When you select the check box, a message appears informing you that SSL requests will only be accepted if a listener is configured with a certificate.  Click OK on the message to indicate acceptance.

Figure 15

After enabling SSL listeners, it is necessary to associate the listener with a specific digital certificate.

  4. In the Identification frame on the Incoming Web Requests tab, highlight the appropriate listener, and click the Edit button.  The Add/Edit Listeners dialog box appears.  In the Add/Edit Listeners dialog box, select the Use a server certificate to authenticate to web clients check box, and click the Select button.  The Select Certificate page appears.

Figure 16 Add/Edit Listeners