
Topic: Implementing and Troubleshooting Certificate Deployment in ISA Server 2006

  
  1. #1

    Implementing and Troubleshooting Certificate Deployment in ISA Server 2006

    Code:
    http://www.isaserver.org/tutorials/Implementing-Troubleshooting-Certificate-Deployment-ISA-Server-2006.html

    PART-1


    In this article, we will cover certificate and certificate authority basics, how to use certificates in reverse proxy scenarios, and how to troubleshoot certificate use and revocation.

    Let’s begin

    Let’s start with some basics about PKI definitions, digital certificates and certificate authorities.
    PKI
    In cryptography terms, a public key infrastructure (PKI) is the building block for several other technology aspects with the goal of issuing certificates for users, computers and services from a certificate authority (CA). The PKI role that issues certificates is called the Registration Authority (RA).
    Certificates
    In cryptography, a public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with identity information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual. In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). Source: Public key certificate - Wikipedia, the free encyclopedia
    Certificate Authority
    In cryptography terms, a certification authority (CA) is a server or a set of servers in a CA hierarchy which issues digital certificates for use by users, computers and services. Windows Server 2003 (and older versions) has its own CA implementation.
    Certification authorities can be a single server or can be chained into certificate chains where every hierarchy has special tasks like intermediate CA, issuing CA and more. You will see a CA hierarchy in the following picture.

    Figure 1: CA Hierarchy
    File extensions used in Cryptography

    There are several file extensions which are used when you work with ISA Server 2006 and certificates. Here are some examples:

    Key         Description
    ---------   ----------------------------------------------
    PKCS #12    Private Information Exchange
    .PFX        Private Information Exchange
    .P12        Private Information Exchange
    PKCS #7     Cryptographic Message Syntax Standard
    .P7B        PKCS #7 certificate
    .CER        DER-coded binary X.509 or Base-64-coded X.509
    .PFX        Private Information Exchange (PKCS #12)
    .CRL        Certificate Revocation List
    .P7C        Digital ID file
    .P7M        PKCS #7 MIME message
    .P7R        PKCS #7 certificate
    .P7S        PKCS #7 signature
    Table 1: PKI file extensions

    Installing a CA

    Installing and operating a CA is a relatively easy process. What makes PKI designs complicated are the several applications which use this PKI for several purposes.
    This article is not designed to show you the whole installation process; I will only cover some pictures.

    Figure 2: Installing a Windows CA
    After installing the CA, the Server name and the domain membership should not be changed (If you feel pain: There is a KB article which gives you a chance to move the CA).
    There are several types of CA. For this example we select an Enterprise Root CA which integrates into Active Directory.

    Figure 3: Select CA type
    Give the CA a name and a lifetime.

    Figure 4: CA Name
    After installing the CA, the CA can be used for issuing certificates.
    Certificate Snap-In

    Every modern Windows version has a certificate Snap-In which handles locally installed certificates. If you are logged in as an Administrator, you can manage certificates for your own user account, a service account and a computer account.

    Figure 5: Manage certificates
    A normal user account can only open its own certificate store.
    Certificates can be managed in the console (Import, export, request new certificates and certificate deletion).

    Figure 6: Manage certificates
    There is also a website which can be used to request new certificates or to download CA root certificates.

    Figure 7: CA website
    Settings in a reverse publishing scenario

    If you want to use ISA Server as a reverse publishing proxy to publish services like Outlook Web Access (OWA) or Outlook Anywhere (OA), it is possible to enable SSL Bridging to enhance the security of ISA Server. When SSL Bridging is enabled, ISA Server terminates the SSL connection from the Server to the client; ISA then inspects the traffic and encrypts the traffic to HTTPS again. This is the most secure scenario.
    In this scenario, ISA Server needs the Root CA certificate from the internal CA that has issued certificates for the server to publish. ISA Server also needs a certificate for the ISA listener whose Common Name (CN) has the same entry as the public name which clients enter when they try to establish a connection with the published server.
    During the publishing process, ISA Server 2006 has a new certificate assistant that helps you to select the correct certificate. For troubleshooting purposes read the SSL troubleshooting article that is linked at the end of this article.
    The certificate must be issued from a trusted CA, the certificate must be valid and keep a closer look at the Common Name of the certificate. The CN must match the public name that clients use to connect to the server.

    Figure 8: Certificate assistant
    What is the Bridging Tab in ISA Server 2006?

    Have you ever tried to use the Bridging feature in the publishing rule? If you try to select the certificate, ISA often says that there is no certificate, right?
    To get this working you must issue a user certificate for a normal user. This issued certificate must be imported (with the private key) into the local certificate store of the Microsoft ISA Server Firewall service. After that you can use the certificate to redirect incoming requests to the internal server which requires certificate authentication.

    Figure 9: SSL Bridging
    There are no certificates that are available because there is no certificate installed in the local certificate store of the ISA Server Firewall service.

    Figure 10: SSL Bridging – select a certificate
    Certificate revocation

    Certificate revocation is the process where an application requests the certificate chaining engine to evaluate a certificate; the validation is performed on all certificates in that certificate's chain. This includes every certificate from the issuing CA to the issued certificate. As a first step the certificate chain will be evaluated. If the certificate chain is intact, the process checks that:

    • The certificate's signature is valid
    • The current date and time fall within the validity period of the certificate
    • Each certificate is not corrupt or malformed

    A certificate revocation list contains certificates that are no longer valid. A process or software like ISA Server can check the requested certificate against the certificate revocation list.
    It is possible to configure ISA Server for several validation requests. ISA Server can verify that incoming certificates are not in the Certificate Revocation List (CRL).

    Figure 11: Certificate revocation
    Verify that incoming client certificates are not revoked
    You must select this certificate if you want to let ISA Server perform a check of the incoming certificate against the Certificate Revocation List (CRL) to see if the certificate is revoked. If the certificate is revoked, the client request will be denied.
    Verify that incoming server certificates are not revoked in a forward scenario
    This option is a little different from the scenario above. In this scenario, ISA server checks to see if the incoming Server certificate in an SSL Bridging scenario is revoked. If the certificate is revoked, the request will be denied.
    Verify that incoming server certificates are not revoked in a reverse scenario
    Select this check box to specify that ISA Server will automatically check the Certificate Revocation List (CRL) to see if server certificates, in a Web publishing scenario, are revoked. If the certificate is revoked, the request will be denied.
    Conclusion

    In this article I tried to show you all aspects of certificate use in ISA Server 2006 for reverse publishing scenarios for Outlook Web Access (OWA), Outlook Anywhere (OA) and more. I also tried to give you some basics about certificates, certificate authorities and certificate checks.
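    The chain walk and the checks described under "Certificate revocation" above, as an added example that is not from the article or from ISA Server: a pure-Python stand-in in which the certificate records, CA names, dates and the CRL are all constructed, and an HMAC keyed per CA stands in for the issuer's real signature. The check_crl flag plays the role of the ISA revocation options shown in Figure 11.

```python
import hashlib
import hmac

# Constructed stand-in for CA signing keys: an HMAC keyed per issuer replaces the
# issuer's private-key signature so that the chain walk has something to verify.
CA_SECRETS = {"Root CA": b"root-secret", "Issuing CA": b"issuing-secret"}

def sign(issuer, subject, serial, not_before, not_after):
    body = f"{issuer}|{subject}|{serial}|{not_before}|{not_after}".encode()
    return hmac.new(CA_SECRETS[issuer], body, hashlib.sha256).hexdigest()

def make_cert(subject, issuer, serial, not_before, not_after):
    return {"subject": subject, "issuer": issuer, "serial": serial,
            "not_before": not_before, "not_after": not_after,
            "signature": sign(issuer, subject, serial, not_before, not_after)}

# Constructed hierarchy like Figure 1: self-signed Root CA, an issuing CA, and two
# issued certificates (dates are ISO strings, so they compare lexicographically).
ROOT = make_cert("Root CA", "Root CA", 1, "2008-01-01", "2018-01-01")
ISSUING = make_cert("Issuing CA", "Root CA", 2, "2008-01-01", "2013-01-01")
OWA = make_cert("owa.example.test", "Issuing CA", 3, "2008-07-01", "2009-07-01")
OLD = make_cert("old.example.test", "Issuing CA", 7, "2008-07-01", "2009-07-01")
CERTS = {c["subject"]: c for c in (ROOT, ISSUING, OWA, OLD)}
# Constructed CRL per issuer: serial numbers that are no longer valid.
CRL = {"Issuing CA": {7}, "Root CA": set()}

def validate(cert, now, trusted_roots, check_crl=True):
    """Build the chain from the issued certificate up to its Root CA, then apply the
    checks listed in the article: signature, validity period and, when the
    corresponding ISA option is enabled, the CRL of each issuer."""
    chain = [cert]
    while chain[-1]["issuer"] != chain[-1]["subject"]:
        issuer = CERTS.get(chain[-1]["issuer"])
        if issuer is None:
            return "chain broken: issuer %s not found" % chain[-1]["issuer"]
        chain.append(issuer)
    if chain[-1]["subject"] not in trusted_roots:
        return "untrusted root: " + chain[-1]["subject"]
    for c in chain:
        expected = sign(c["issuer"], c["subject"], c["serial"],
                        c["not_before"], c["not_after"])
        if not hmac.compare_digest(expected, c["signature"]):
            return "invalid signature: " + c["subject"]
        if not (c["not_before"] <= now <= c["not_after"]):
            return "outside validity period: " + c["subject"]
        if check_crl and c["serial"] in CRL.get(c["issuer"], set()):
            return "revoked: " + c["subject"]
    return "valid"
```

    A missing Root CA in trusted_roots reproduces the "untrusted CA" failure the article warns about, and a tampered field fails the signature check before any date or CRL check runs.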









  2. #2
    Code:
    http://www.isaserver.org/tutorials/Microsoft-ISA-Server-2006-Certificate-troubleshooting-Part2.html

    PART-2



    How ISA Server 2006 uses digital certificates in web chaining and reverse publishing scenarios.

    Introduction

    In this article, I will give you some additional information about how ISA Server 2006 uses digital certificates in web chaining and reverse publishing scenarios. This is the second article of my series on ISA Server 2006 certificate deployment, published in July 2008 on www.ISAserver.org
    Let us get to it…

    Let us start with a short explanation of the types of certificates used in secure publishing scenarios and move on to explain what functionality SAN certificates (SAN = Subject Alternate Name) provide and what distinguishes them from classic certificates, like wildcard certificates.
    Certificate Types

    There are three types of certificates which are often used:

    • Normal certificates
    • Wildcard certificates
    • Subject Alternate Name certificates (SAN)

    Normal certificates
    A normal certificate is the “classic” certificate. This type of certificate is issued for only one FQDN = Fully Qualified Domain Name aka a DNS hostname like owa.it-training-grote.de.
    Wildcard certificates
    A Wildcard certificate is often used when a company needs to publish different hostnames with the same domain name. Instead of using multiple normal certificates, it is possible to use this type of certificate. As an example if you buy a wildcard certificate for *.it-training-grote.de, it is possible to use the certificate to publish webservers with, for example, the names owa.it-training-grote.de and www.it-training-grote.de.
    SAN certificates
    SAN (Subject Alternate Name) certificates are also often called multi-domain certificates or Unified Communication (UC) certificates. With the help of SAN certificates it is possible to publish multiple FQDNs with the same or another Top Level Domain (TLD) name.
    For example:
    owa.it-training-grote.de
    www.it-training-grote.de
    Server01
    Server01.exchange.internal
    Autodiscover.exchange.internal
    Autodiscover.it-training-grote.de
    A SAN certificate is widely used in Exchange Server publishing scenarios with or without ISA Server 2006.
    ISA Server 2006 Service Pack 1 certificate enhancements

    ISA Server 2006 Service Pack 1 supports the use of SAN certificates. Prior to ISA Server 2006 Service Pack 1, ISA Server only checked the first name in the certificate and ignored the additional names in the SAN field of the certificate.
    Using self signed certificates

    One way to use certificates for ISA Server publishing is to use the SELFSSL.EXE tool from the IIS 6 Resource Kit. With the help of the SELFSSL tool administrators can create certificates with any Common Name (CN) they want.

    Figure 1: SELFSSL from the IIS 6 Resource Kit
    Because a self signed certificate is not issued by a trusted Root Certificate Authority you must manually place the self signed certificate in the Trusted Root CA store on the local ISA Server.

    Figure 2: Add certificate Snap-In
    Next, select the local Computer account as the certificate store to see all locally installed certificates, which ISA Server uses for publishing and web chaining scenarios.

    Figure 3: Display certificates in certificate store
    Trusted Root CA certificates

    ISA Server ensures that each certificate used can be verified against the issuing Certificate Authority. ISA Server checks the certificate chain of the certificate to the Root CA. The list of trusted Root Certificate Authorities can be found in the local computer certificate store on the ISA Server 2006 machine.

    Figure 4: Trusted Root CA certificates
    Certificates used in Web chaining scenarios

    One of the less used features in ISA Server 2006 is the use of certificates in ISA Server web chaining scenarios. Web chaining is used to chain the Web traffic from ISA Server with another Webproxy like ISA Server. To use a certificate in a webchaining scenario, the following prerequisites must be present:

    • Have a client authentication certificate
    • Be trusted by the issuing Root Certificate Authority
    • Have a private key installed in the local computer certificate store
    • Be installed in the Firewall service account personal certificate store


    Figure 5: Select certificates in web chaining scenarios
    Exchange Remote Connectivity Analyzer

    The Microsoft Exchange Remote Connectivity Analyzer is a helpful tool to test different types of Exchange Server publishing with and without ISA Server, without the use of the otherwise required tools like Microsoft Outlook. The Exchange Remote Connectivity Analyzer is also very helpful to verify the correct deployment of certificates on the Exchange Client Access Server (CAS) and/or on the ISA Server.

    Figure 6: Exchange Remote Connectivity Analyzer checks
    ISA Server 2006 Best Practice Analyzer

    One helpful troubleshooting utility for certificate issues with ISA Server 2006 is the well-known ISA Server 2006 Best Practice Analyzer, which analyzes the ISA Server installation against a database of best practices from Microsoft to find possible misconfigurations or other problems. For certificate troubleshooting purposes, ISABPA checks the ISA Server configuration to see whether certificates are used in publishing or web chaining scenarios and whether the corresponding certificates can be found in the local computer certificate store.

    Figure 7: ISA Server Best Practices Analyzer
    To give you some information about how ISABPA displays certificate related issues, I deleted all certificates from the local computer store.
    Conclusion

    In this article, I tried to give you some more information about ISA Server 2006 certificate deployment and troubleshooting. We also covered some new features of ISA Server 2006 Service Pack 1 which extend ISA Server 2006 capabilities to use SAN certificates in web server publishing scenarios.
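    The name matching behind the three certificate types above, as an added example that is not code from the article or from ISA Server: the certificate records are constructed from the article's example hostnames, and san_support=False models the pre-Service Pack 1 behaviour of checking only the first name and ignoring the SAN field.

```python
# Constructed stand-ins for the names a listener certificate carries: the Common
# Name (CN) from the Subject and, for a SAN certificate, the Subject Alternative
# Name list. The hostnames are the ones the article uses as examples.
NORMAL = {"cn": "owa.it-training-grote.de"}
WILDCARD = {"cn": "*.it-training-grote.de"}
SAN = {"cn": "owa.it-training-grote.de",
       "san": ["www.it-training-grote.de", "Server01", "Server01.exchange.internal",
               "Autodiscover.exchange.internal", "Autodiscover.it-training-grote.de"]}

def name_matches(pattern, public_name):
    """Compare one certificate name with the public name clients connect to.
    Matching is case-insensitive; a wildcard stands for exactly one left-most
    DNS label, so *.it-training-grote.de covers owa.it-training-grote.de but
    neither it-training-grote.de nor a.owa.it-training-grote.de."""
    pattern = pattern.lower().rstrip(".").split(".")
    host = public_name.lower().rstrip(".").split(".")
    if len(pattern) != len(host):
        return False
    if pattern[0] == "*":
        # Refuse a wildcard that would cover a whole TLD (e.g. "*.de").
        return len(pattern) >= 3 and pattern[1:] == host[1:]
    return pattern == host

def certificate_matches(cert, public_name, san_support=True):
    """Return True if any name in the certificate matches the public name.
    san_support=False models ISA Server 2006 before Service Pack 1, which only
    looked at the first name (the CN) and ignored the SAN field entirely."""
    names = [cert["cn"]]
    if san_support:
        names += cert.get("san", [])
    return any(name_matches(n, public_name) for n in names)

def select_listener_certificate(store, public_name, san_support=True):
    """Pick the CN of the first certificate in a (constructed) store whose names
    cover the public name, the way the publishing wizard's certificate assistant
    would; None means ISA would report no usable certificate."""
    for cert in store:
        if certificate_matches(cert, public_name, san_support):
            return cert["cn"]
    return None
```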





