Using ISA to force SSL connections to published websites

When management tells you that you need to secure the traffic sent to and from your published websites, what do you do? Use SSL.

Using ISA to request an SSL channel for published websites

 

In this tutorial I will show you how to use ISA server to request a secure SSL (Secure Sockets Layer) channel between the client and the ISA server when making and sustaining the connection. SSL is one of the specialized methods used by websites and firewalls to do authentication.


SSL functions at the Application layer of the OSI model.


Facts about SSL that you should know

· SSL runs above TCP/IP and below high-level application protocols

· SSL allows a user to confirm a server's identity

· SSL allows a server to confirm a user's identity

· An SSL connection requires all information sent between a client and a server to be encrypted

· Data sent over an SSL connection is protected with a mechanism for detecting tampering. Any suspicion of data tampering requires a retransmit.

· SSL uses algorithms and ciphers to perform encryption

· SSL comes in two flavors: 128-bit encryption and 40-bit encryption. In some countries 128-bit is illegal.
 

The process for SSL server authentication is as follows.

1. The client checks that the certificate sent by the authenticating server is still within its validity period and has not expired.

2. The client checks the CA (certificate authority) to make sure it is part of its trusted list of CAs.

3. The client then checks whether the trusted CA authenticates the certificate that the server sent. The CA has a list of all valid certificates.

4. The client then checks the domain name on the certificate and verifies that the authenticating server is on the same domain. This is to verify that no spoofing can occur.

5. When all steps are passed, the client proceeds with the SSL handshake and the server is authenticated. If any of the steps fail, the client is notified.

 


The picture above depicts the SSL process when a server authenticates itself to the client.
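The client-side checks in steps 1 to 5 can be reproduced with the openssl command-line tool. This is an added example, not part of the original tutorial: the CA names, host names and temporary files are constructed for the demonstration, and it assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example; every name, key and certificate below is constructed.
# Assumes the openssl CLI, version 1.1.1 or later.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Minimal config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
echo "subjectAltName = DNS:www.example.test" > "$WORK/san.ext"

new_ca() {  # $1 = file prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
new_ca ca "Constructed Trusted CA"       # stands in for the client's trusted list
new_ca rogue "Constructed Unknown CA"    # a CA that did not issue the certificate

# Server certificate for www.example.test, signed by the trusted CA.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=www.example.test" -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/san.ext" -out "$WORK/srv.pem" 2>/dev/null

# check_server_cert CERT TRUSTED_CA_FILE HOSTNAME
# Returns 0 when every check passes, otherwise the number of the failed step.
check_server_cert() {
    # Step 1: the certificate has not expired.
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "step 1 failed: certificate expired"; return 1; }
    # Steps 2-3: the issuer is in the trusted list and its signature verifies.
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1 ||
        { echo "step 2/3 failed: not issued by a trusted CA"; return 2; }
    # Step 4: the name in the certificate matches the host being contacted.
    openssl x509 -in "$1" -noout -checkhost "$3" | grep -q 'does match' ||
        { echo "step 4 failed: certificate is not valid for $3"; return 4; }
    echo "step 5: all checks passed for $3"
}

check_server_cert "$WORK/srv.pem" "$WORK/ca.pem"    www.example.test
check_server_cert "$WORK/srv.pem" "$WORK/rogue.pem" www.example.test || true
check_server_cert "$WORK/srv.pem" "$WORK/ca.pem"    intranet.example.test || true
```

The second and third calls show the two failures a client reports most often for a published site: a certificate from a CA the client does not trust, and a certificate whose name does not match the host requested.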

 

To require a secure channel for published sites, follow the steps below:

1. Click on web publishing rules.

2. Now select the published server that you want to apply the SSL settings to and double-click it.

3. Click on the bridging tab within the published web server’s properties.

4. Read and follow my descriptions to achieve the desired SSL effect. Then click OK to proceed.

Please note that if you set ISA to use 128-bit encryption, only browsers that support 128-bit encryption and have it enabled will work.

Summary: Knowing how to use SSL can prove to be a powerful, cost-effective data transmission tool that many organizations lack. In the tutorial above I have shown you what you can do using SSL on your published web sites. SSL helps management rest if you are transmitting information to and from your website that requires a firm level of security.

About Ricky M. Magalhaes

Ricky M. Magalhaes is a security specialist who has worked as a consultant and IT technical specialist for the past 8 years. He has been primarily responsible for implementation and design of security, network architecture, communications, network infrastructure and security R&D for many South African organizations that he works with. He is a Windows 9x product specialist and has been working with the Windows product since version Win 3.11. He has also written articles on security for www.windowsecurity.com, www.ISAserver.org, www.governmentsecurity.com and many other well-known security and technology websites.
