User Cert or Computer Certcertcertcertcertcertcertcertcer
Show me the "client cert" template. Ha!

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Friday, February 01, 2008 4:12 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> It depends on how the client cert
> (clientcertclientcertclientcert [for Tom <g>]) is constructed.
> By default, ISA doesn't really care how the cert is built as
> long as it can trust the CA. The problem comes in with using
> the certificate for user authentication. When ISA receives a
> certificate in response to "you better show some ID, boy!",
> ISA passes this to a Windows API called
> AcquireCredentialsHandle. This API expects to resolve the
> certificate to a user account and if it can't, cert auth will fail.
>
> Jim
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Friday, February 01, 2008 9:02 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> Really?? Kinda surprised at that and surely there is quite a
> lot ISA can add rather than dumbing it down to L3 with server
> publishing???
>
> The bit that is really annoying is that some of the SCCM
> guides recommend SSL bridging as opposed to SSL tunnelling,
> so it implies it should be possible and is best practice -
> trouble is, there are no docs that tell you how to get it
> working!!!.
> Here are some examples:
>
> http://technet.microsoft.com/en-us/library/bb680995.aspx
>
> http://www.microsoft.com/technet/community/chats/trans/sms/07_0724_tn_sccm.mspx
>
> Prabhu Padhi [MSFT] (Expert):
> Q: Can I do SSL-Bridging at the edge firewall to route the
> IBCM clients to my intranet MP/DP (they are shared)?
> A: As long as your firewall supports SSL bridging, we will work fine.
>
> Cheers
>
> JJ
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> Sent: 01 February 2008 16:41
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> Hi Jason,
>
> my reasoning, whenever client certs are involved, use server
> publishing. Nothing ISA can do to enhance the security.
>
> HTH,
>
> Stefaan
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Friday 1 February 2008 16:49
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> Hi All,
>
> Any more thoughts on this?
>
> From what I now understand, the SCCM client is using a client
> auth cert to authenticate to the IIS instance running on the
> SCCM management point (mutual cert auth).
>
> We are getting close to SCCM deployments where customers
> want IBCM, but the only ISA Server solution I can get working
> is to use SSL tunnelling (server publishing). I have tried
> various web publishing configurations and none of them seem
> to work - I have tried the following:
>
> * Simple web publishing, ISA listener with no
>   authentication and "allow client to authenticate" defined in
>   the delegation tab - assumed this would just use pass-through
>   auth to the IIS website to allow for this to do the client auth.
>
> * Pre-auth web publishing, ISA listener using client
>   cert auth and then KCD to delegate to IIS.
>
> Do we think that one of these should work, or is web
> publishing for SCCM IBCM fundamentally flawed?
>
> Anyone actually got it working??? I know SCCM is quite new,
> but are we just too ahead of the curve here?
>
> Cheers
>
> JJ
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: 19 October 2007 08:50
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> Hi t,
>
> I was hoping to do the former and then use KCD, but from what
> I gather SCCM is using computer based certs - I believe this
> makes things harder? Not really come across this scenario
> before... I currently have it working in the lab using server
> publishing, but I cannot bear the thought of doing this for
> customers...
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: 18 October 2007 22:15
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> While I've not used SCCM, I've done a good bit of work with
> different certificate-based authentication models. Are you
> considering using a web-listener configured for SSL Client
> Certificate Authentication, or just web-publishing to a
> back-end web server where it will do its own
> certificate-to-user mapping?
>
> t
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Thursday, October 18, 2007 1:11 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> Did this Q get hidden within Amy's posts or is it a big fat
> "don't know"? :)
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: 17 October 2007 00:49
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] SCCM and ISA - Worth a shot!
>
> Hi,
>
> Has anyone used ISA with System Centre Configuration Manager
> (SCCM) yet? Specifically when using Native mode (e.g. full-on
> PKI mode).
>
> The initial documentation is a little patchy and seems to
> contradict itself between using Web Publishing and Server
> Publishing when using Internet based clients that cannot back
> into the CM server. The SCCM documentation talks about lots
> of perimeter and internet-facing scenarios, but I want to try
> and use an ISA based model in a similar way to protecting
> Exchange or SharePoint. A quote from Jim comes to mind "..we
> don't need no stinking DMZs"
>
> Ideally I want to use Web Publishing, but all communications
> in SCCM utilise client certificate based authentication.
>
> Am I right in thinking I can use ISA Web publishing combined
> with KCD to secure access from CM clients to the CM server?
>
> Answers that tell me that I have to use Server Publishing
> will make me cry, so please be sensitive
>
> Thanks in advance...
>
> Cheers
>
> JJ
>
> ________________________________
>
> This email and any files transmitted with it are confidential
> and intended solely for the use of the individual to whom it
> is addressed. If you have received this email in error, or if
> you believe this email is unsolicited and wish to be removed
> from any future mailings, please contact our Support Desk
> immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx
>
> If this email contains a quotation then unless otherwise
> stated it is valid for 7 days and offered subject to
> Silversands Professional Services Terms and Conditions, a
> copy of which is available on request. Any pricing
> information, design information or information concerning
> specific Silversands' staff contained in this email is
> considered confidential or of commercial interest and exempt
> from the Freedom of Information Act 2000.
>
> Any view or opinions presented are solely those of the author
> and do not necessarily represent those of Silversands
>
> Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> Company Registration Number : 2141393.