[isapros] Re: SCCM and ISA - Worth a shot!

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Sat, 2 Feb 2008 11:51:58 -0600

User Cert or Computer Certcertcertcertcertcertcertcertcer

Show me the "client cert" template. Ha!

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Friday, February 01, 2008 4:12 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> 
> It depends on how the client cert 
> (clientcertclientcertclientcert [for Tom <g>]) is constructed.
> By default, ISA doesn't really care how the cert is built as 
> long as it can trust the CA.  The problem comes in with using 
> the certificate for user authentication.  When ISA receives a 
> certificate in response to "you better show some ID, boy!", 
> ISA passes this to a Windows API called 
> AcquireCredentialsHandle.  This API expects to resolve the 
> certificate to a user account and if it can't, cert auth will fail.
> 
> Jim
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Friday, February 01, 2008 9:02 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> 
> Really?? Kinda surprised at that and surely there is quite a 
> lot ISA can add rather than dumbing it down to L3 with server 
> publishing???
> 
> The bit that is really annoying is that some of the SCCM 
> guides recommend SSL bridging as opposed to SSL tunnelling, 
> so it implies it should be possible and is best practice - 
> trouble is, there are no docs that tell you how to get it 
> working!!! Here are some examples:
> 
> http://technet.microsoft.com/en-us/library/bb680995.aspx
> 
> http://www.microsoft.com/technet/community/chats/trans/sms/07_0724_tn_sccm.mspx
> 
> Prabhu Padhi [MSFT] (Expert):
> Q: Can I do SSL-Bridging at the edge firewall to route the 
> IBCM clients to my intranet MP/DP (they are shared)?
> A: As long as your firewall supports SSL bridging, we will work fine.
> 
> Cheers
> 
> JJ
> 
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> Sent: 01 February 2008 16:41
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> 
> Hi Jason,
> 
> my reasoning, whenever client certs are involved, use server 
> publishing. Nothing ISA can do to enhance the security.
> 
> HTH,
> 
> Stefaan
> 
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: vrijdag 1 februari 2008 16:49
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> 
> Hi All,
> 
> Any more thoughts on this?
> 
> From what I now understand, the SCCM client is using a client 
> auth cert to authenticate to the IIS instance running on the 
> SCCM management point (mutual cert auth).
> 
> We are getting close to SCCM deployments where customers 
> want IBCM, but the only ISA Server solution I can get working 
> is to use SSL tunnelling (server publishing). I have tried 
> various web publishing configurations and none of them seem 
> to work - I have tried the following:
> 
> * Simple web publishing, ISA listener with no 
> authentication and "allow client to authenticate" defined in 
> the delegation tab - assumed this would just use pass-through 
> auth to the IIS website to allow for this to do the client auth.
> 
> * Pre-auth web publishing, ISA listener using client 
> cert auth and then KCD to delegate to IIS.
> 
> Do we think that one of these should work, or is web 
> publishing for SCCM IBCM fundamentally flawed?
> 
> Anyone actually got it working??? I know SCCM is quite new, 
> but are we just too ahead of the curve here?
> 
> Cheers
> 
> JJ
> 
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: 19 October 2007 08:50
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> 
> Hi t,
> 
> I was hoping to do the former and then use KCD, but from what 
> I gather SCCM is using computer based certs - I believe this 
> makes things harder? Not really come across this scenario 
> before... I currently have it working in the lab using server 
> publishing, but I cannot bear the thought of doing this for 
> customers...
> 
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor 
> (Hammer of God)
> Sent: 18 October 2007 22:15
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> 
> While I've not used SCCM, I've done a good bit of work with 
> different certificate-based authentication models. Are you 
> considering using a web-listener configured for SSL Client 
> Certificate Authentication, or just web-publishing to a 
> back-end web server where it will do its own 
> certificate-to-user mapping?
> 
> t
> 
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Thursday, October 18, 2007 1:11 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> 
> Did this Q get hidden within Amy's posts or is it a big fat 
> "don't know"? :-)
> 
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: 17 October 2007 00:49
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] SCCM and ISA - Worth a shot!
> 
> Hi,
> 
> Has anyone used ISA with System Centre Configuration Manager 
> (SCCM) yet? Specifically when using Native mode (e.g. full-on 
> PKI mode).
> 
> The initial documentation is a little patchy and seems to 
> contradict itself between using Web Publishing and Server 
> Publishing when using Internet based clients that cannot back 
> into the CM server. The SCCM documentation talks about lots 
> of perimeter and internet-facing scenarios, but I want to try 
> and use an ISA based model in a similar way to protecting 
> Exchange or SharePoint. A quote from Jim comes to mind "..we 
> don't need no stinking DMZs"
> 
> Ideally I want to use Web Publishing, but all communications 
> in SCCM utilise client certificate based authentication.
> 
> Am I right in thinking I can use ISA Web publishing combined 
> with KCD to secure access from CM clients to the CM server?
> 
> Answers that tell me that I have to use Server Publishing 
> will make me cry, so please be sensitive
> 
> Thanks in advance...
> 
> Cheers
> 
> JJ
> 
> ________________________________
> 
> This email and any files transmitted with it are confidential 
> and intended solely for the use of the individual to whom it 
> is addressed. If you have received this email in error, or if 
> you believe this email is unsolicited and wish to be removed 
> from any future mailings, please contact our Support Desk 
> immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx
> 
> If this email contains a quotation then unless otherwise 
> stated it is valid for 7 days and offered subject to 
> Silversands Professional Services Terms and Conditions, a 
> copy of which is available on request. Any pricing 
> information, design information or information concerning 
> specific Silversands' staff contained in this email is 
> considered confidential or of commercial interest and exempt 
> from the Freedom of Information Act 2000.
> 
> Any view or opinions presented are solely those of the author 
> and do not necessarily represent those of Silversands
> 
> Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> Company Registration Number : 2141393.
> 

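Jim's explanation above (ISA hands the presented client certificate to AcquireCredentialsHandle and needs it to resolve to a user account) is why a computer certificate, which names a host rather than a person, fails user-level cert auth even though the CA is trusted. The PowerShell below is an added example, not from the thread or from ISA/SCCM, that inspects a certificate for the two properties that matter here: a Client Authentication EKU and a user principal name in the Subject Alternative Name, as opposed to only DNS names as a machine certificate carries. The store path is a placeholder and the "Principal Name="/"DNS Name=" labels assume an English Windows locale.

```powershell
# Added example: classify a client certificate by whether it carries an identity
# Windows can resolve to a user account (UPN in the SAN) or only a machine identity
# (DNS names), which is the distinction behind the SCCM/ISA failure in the thread.

function Test-ClientCertMappable {
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $sanOid        = '2.5.29.17'           # subjectAltName

    # Enhanced Key Usage: without Client Authentication the cert cannot be used
    # for TLS client auth at all, whatever the SAN says.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = $false
    if ($eku) {
        $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    }

    # Subject Alternative Name, rendered as text by CryptoAPI; each entry appears on
    # its own line as "Principal Name=user@domain" or "DNS Name=host.domain".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $sanText = if ($san) { $san.Format($true) } else { '' }
    $lines = $sanText -split "`r?`n"
    $upn = $lines | ForEach-Object { if ($_ -match 'Principal Name=(.+)$') { $Matches[1].Trim() } } |
        Select-Object -First 1
    $dns = $lines | ForEach-Object { if ($_ -match 'DNS Name=(.+)$') { $Matches[1].Trim() } }

    [pscustomobject]@{
        Subject        = $Cert.Subject
        HasClientAuth  = $hasClientAuth
        UserPrincipal  = $upn
        DnsNames       = @($dns)
        # ISA-style user auth needs a user identity: a cert that only names a host
        # will not resolve to a user account, which is the failure Jim describes.
        LikelyUserCert = [bool]($hasClientAuth -and $upn)
    }
}

# Usage (placeholder store path): report every cert with a private key in the machine store.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-ClientCertMappable -Cert $_ } |
    Format-Table -AutoSize
```

A certificate that reports HasClientAuth true but no UserPrincipal is the computer-certificate case from the thread; it will pass trust checks at the listener yet cannot be resolved to a user for authentication or KCD.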