I know that NOW ;)

t

From: isapros-bounce@xxxxxxxxxxxxx On Behalf Of Jim Harrison
Sent: Sunday, August 26, 2007 12:45 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

You *do* know that the RPC filter isn't involved in processing RPC/HTTP? Also, in order for the ISA RPC filter to process the RPC within the HTTP stream, the call would have to start at the EPM, and RPC/HTTP doesn't do that. Likewise, there's no method for one application or web filter to call another "sibling" filter; much less making a "parent's sibling" call as would be required for the HTTP Filter to reach the RPC filter.

From: isapros-bounce@xxxxxxxxxxxxx On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 26, 2007 12:22 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

Totally... but that does two things: one, it allows full stack access via the IPSec channel, which I don't like. Secondly, it obviates the use of the HTTP and RPC filters, which I also don't like. What I think I'll do, in the absence of an RDP client hack for the ISA listener or a smartcard solution for TSGateway, is to use my "source port" trickery to limit the connection based on a small range of source ports and use fpipe to bounce my RDP client off a secondary connection where I can dictate the source port...

t

From: isapros-bounce@xxxxxxxxxxxxx On Behalf Of Thomas W Shinder
Sent: Sunday, August 26, 2007 12:17 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

You got me on that one, I completely forgot about how KCD works and takes the drudgery of certificate mapping away. We don't even need a "client" certificate in the scenario I painted for L2TP/IPSec. You just need both machines to have computer certificates installed in their machine certificate store (sometimes called machine certificates) and both sides just need to trust the other guy's CA. That should be easy as cake.

From: isapros-bounce@xxxxxxxxxxxxx On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 26, 2007 1:57 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

There's no "mapping" requirement as there is in IIS -- it's just that for ISA to accept the user's "client authentication" certificate, ISA must be a member of the domain the CA issued it in... Other than that, it's a piece of cake. Well, for HTTP anyway. If there is a way to tell the RDP client what user "client authentication" certificate to use, we'll be golden.

t

From: isapros-bounce@xxxxxxxxxxxxx On Behalf Of Thomas W Shinder
Sent: Sunday, August 26, 2007 11:48 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

That's a better idea -- instead of using a User Certificate and dealing with all the painful mappings in AD, why not implement it in a way like the L2TP/IPSec mutual machine authentication using machine certificates. That would be very easy and domain membership isn't an issue; as long as both sides trust the issuing CA of the other guy's cert, that should be enough.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

From: isapros-bounce@xxxxxxxxxxxxx On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 26, 2007 1:40 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

Wasn't blaming ISA for the RDP client issue at all... I totally agree. However, I *was* blaming ISA for its implementation of "SSL Client Certificate Authentication" in regard to it having to actively be a member of the domain where the Enterprise Root CA issued the cert one chooses to use for SCCA... So yeah, I was just hoping you (will prob be Jim) can find some registry hack where the RDP client can "present" not the "User Certificate" but a "Client Authentication Certificate", be it a user, service, or system cert :-p The RDP client actually goes as far as saying that the TSGateway certificate is revoked -- so I think there's hope for securing TSGateway via ISA configured to use a SCCA enabled listener.

t

From: isapros-bounce@xxxxxxxxxxxxx On Behalf Of Thomas W Shinder
Sent: Sunday, August 26, 2007 11:31 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

I occasionally enjoy a fine whine :)

I've been in and out of this discussion because of Exchange horkage, but Jim probably said that the problem is with the client side software, right? There's no way to tell the client to present its User Certificate for authentication, sort of like the problem with Outlook 2003+ RPC/HTTP -- the Outlook client doesn't know how to present the User Certificate for authentication, so it just chokes on it. So, I don't really see it as ISA's fault, but the RDP client's fault, if we need to assign blame, and I think we do because the RDP and Outlook guyz really need to think about security in a bit more depth and enable User Certificate assignment and presentation to the destination machine.

There is a solution, but it means using additional software. The IAG 2007 supports User Certificate authentication to access the SSL VPN portal. Once you're authenticated and authorized by the IAG 2007 to use RDP, you can then use Integrated authentication to authenticate with the terminal server. It's not the best solution, because the best solution would be to build User Certificate support into the RDP and Outlook clients.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

From: isapros-bounce@xxxxxxxxxxxxx On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 26, 2007 1:18 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

You mean a "Client Authentication Certificate" in the user's account's certificate store? Done that ;) You just can't tell the RDP client to use it. And ISA's "SSL Client Authentication Certificate" authentication mechanism is flawed -- it only allows the use of a cert generated by a CA that ISA is not only a domain member of, but also one where it can connect to AD and validate it. It completely horks "standard" certificate and trust usage in that regard. You can't even use something like a Verisign "Client Authentication" certificate (I bought one and tried it -- no workie). So even if you have a full private key certificate you load and trust on the ISA box, if the ISA server can't confirm via AD, it won't work. Really poor implementation if you ask me.

So, you gonna answer the question now? I mean, since you're the one who came up with the idea of publishing TSGateway via an SSL Listener configured to use SCCA, I figga'd you'd have some better answers than nomenclature whining. :-p

t

From: isapros-bounce@xxxxxxxxxxxxx On Behalf Of Thomas W Shinder
Sent: Sunday, August 26, 2007 11:04 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

Try using a User Certificate and see if that helps ;)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

From: isapros-bounce@xxxxxxxxxxxxx On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 26, 2007 12:56 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] RDP v6.0 Client Certificate configuration

Jim, et al. -- any word on how to get the v6.0 RDP client to present a Client Authentication certificate to an ISA server listener using SSL Client Certificate Authentication? It no workie, and I can't find any data on a hack to specify a cert for the RDP client...

t

-----------------------------
vinni, viddi, vinni denuo

All mail to and from this domain is GFI-scanned.
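Thor's "source port trickery" in the 12:22 PM message (bounce the RDP client through a local forwarder that dictates the outbound source port, and have the ISA rule admit only a small source-port range) is the one concrete mechanism in the thread, so here it is in Python as an added example. It is not part of the original thread and it is not fpipe; it does on any platform with a socket API what fpipe's -l (listen), -s (outbound source port) and -r (remote port) switches do on Windows. The port numbers, the "target" that records the peer's source port and echoes, the payload, and the allowed range in `source_port_allowed` are all constructed for illustration and stand in for the real RDP/TS Gateway endpoint and the real ISA rule.

```python
"""Local TCP bounce that pins the outbound source port, plus the matching
firewall-side source-port check. Added example; not from the isapros thread.
"""
import socket
import threading

# Constructed stand-in for the narrow source-port range the ISA rule would allow.
ALLOWED_SOURCE_PORTS = range(61000, 61010)


def source_port_allowed(port, allowed=ALLOWED_SOURCE_PORTS):
    """What the firewall rule does: admit the connection only from the agreed range."""
    return port in allowed


def connect_from_source_port(host, port, source_port):
    """Open an outbound TCP connection whose local (source) port is fixed.

    Binding before connect() is what lets the client side dictate the port; a
    normal client socket would get an ephemeral port chosen by the OS.
    SO_REUSEADDR lets the pinned port be rebound while a previous connection
    to the same target is still in TIME_WAIT.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", source_port))
    s.connect((host, port))
    return s


def _pump(src, dst):
    """Copy bytes one way until src hits EOF, then propagate the half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_bounce(listener, target_host, target_port, source_port):
    """Accept local connections and relay each one to the target from `source_port`.

    One client at a time: a single source port can carry only one live
    connection to a given destination, which is the price of pinning it.
    """
    while True:
        try:
            client, _ = listener.accept()
        except OSError:
            return  # listener closed
        upstream = connect_from_source_port(target_host, target_port, source_port)
        up = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
        down = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        up.start(); down.start()
        up.join(); down.join()
        client.close(); upstream.close()


def start_bounce(listen_port, target_host, target_port, source_port):
    """Listen on 127.0.0.1:listen_port (0 = any free port); point the RDP client here."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", listen_port))
    listener.listen(1)
    threading.Thread(target=serve_bounce,
                     args=(listener, target_host, target_port, source_port),
                     daemon=True).start()
    return listener


def start_recording_target():
    """Constructed stand-in for the published endpoint: records the peer's
    source port (what the firewall would see) and echoes the first message."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    seen = {}

    def run():
        conn, (_, peer_port) = srv.accept()
        seen["peer_port"] = peer_port
        conn.sendall(conn.recv(4096))
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1], seen


def demo(source_port=61001):
    """Run a client through the bounce; return (source port the target saw, echoed bytes)."""
    target_port, seen = start_recording_target()
    listener = start_bounce(0, "127.0.0.1", target_port, source_port)
    client = socket.create_connection(("127.0.0.1", listener.getsockname()[1]))
    client.sendall(b"constructed RDP-ish payload")
    client.shutdown(socket.SHUT_WR)
    echoed = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:
            break
        echoed += chunk
    client.close()
    listener.close()
    return seen.get("peer_port"), echoed


if __name__ == "__main__":
    port, data = demo()
    print("target saw source port", port, "allowed:", source_port_allowed(port), data)
```

Point the RDP client at the local listener and the outbound connection arrives at the publishing firewall from the pinned port, so a rule that only admits that range drops every client that did not go through the bounce. Treat it as the speed bump Thor describes it as, not as authentication: any peer that can set its own source port can satisfy the rule, which is why the thread keeps looking for a certificate-based answer.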