[isapros] Re: SCCM and ISA - Worth a shot!

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Sat, 2 Feb 2008 20:19:13 +0100

I follow very closely the blogs http://www.identityblog.com/?feed=rss2,
http://blogs.msdn.com/vbertocci/rss.xml and
http://blogs.msdn.com/card/rss.xml. I must admit I see some very useful
things we can do with those concepts to solve some real business problems.
However, and that's one of my frustrations, I don't see today any role for
ISA in this.

Stefaan

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Saturday 2 February 2008 16:17
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Yes; that makes sense.
It's a shame that there is no good way to do this but that's the benefit of
client-cert auth; MITM is very difficult to perform.

Something to note about this process; any "SSL inspection" methodology is
going to break client cert auth.  This is equally true of the BlueCoat &
ClearTunnel offerings.  Once you crack the SSL channel, the certs have to be
"mimicked" to each side.  This is how they both work - by "reissuing" the
server certificate and terminating the SSL session at the proxy so that the
internal traffic can be inspected.
While it's relatively simple to use your proxy as an intermediate CA because
you can define a trust for it to your users, doing so for the Internet folks
is much more difficult (and expensive!).  They have to trust your proxy as
an intermediate CA if your "reissued" client cert is to be worthwhile.  Odds
are, this just ain't happening.

I can't speak to any future plans here (obviously), but I'm not a personal
fan of Cardspace.  Perhaps some more research will ease my concerns...

Jim
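
To illustrate the point above about reissued certificates and who has to trust the proxy CA, here is an added example (not code from the thread, from ISA or from any proxy product) that walks a certificate chain in the dict layout Python's ssl.getpeercert() returns; every certificate and CA name in it is constructed for the demo.

```python
"""Chain-walk check showing why a TLS-inspecting proxy's re-issued
certificates validate only for parties that trust the proxy CA.

Added example, not code from the thread. Certificates are modelled as dicts
in the layout returned by ssl.SSLSocket.getpeercert(); all sample
certificates and CA names are constructed. Only issuer/subject linkage is
checked here; a real validator also verifies signatures, validity periods
and name constraints.
"""


def _name(rdn_seq):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) into a dict."""
    return {k: v for rdn in rdn_seq for (k, v) in rdn}


def chain_status(chain, trust_anchors):
    """Walk leaf -> ... -> root; return 'trusted', 'untrusted_root' or 'broken'."""
    for child, parent in zip(chain, chain[1:]):
        if _name(child["issuer"]) != _name(parent["subject"]):
            return "broken"  # issuer does not match the next cert's subject
    root = _name(chain[-1]["subject"])
    return "trusted" if root["commonName"] in trust_anchors else "untrusted_root"


def inspected(chain, inspection_cas):
    """True if any issuer in the chain is a known TLS-inspection proxy CA."""
    return any(_name(c["issuer"])["commonName"] in inspection_cas for c in chain)


def _cert(subject, issuer):
    """Build a minimal getpeercert()-style dict (constructed test data)."""
    return {"subject": ((("commonName", subject),),),
            "issuer": ((("commonName", issuer),),)}


# Constructed sample data: the public CA chain the site really uses ...
ORIGINAL_CHAIN = [_cert("app.example.com", "Example Public CA"),
                  _cert("Example Public CA", "Example Root CA"),
                  _cert("Example Root CA", "Example Root CA")]
# ... and the same site as seen through a proxy that re-issued the leaf.
REISSUED_CHAIN = [_cert("app.example.com", "Corp Proxy Inspection CA"),
                  _cert("Corp Proxy Inspection CA", "Corp Proxy Inspection CA")]

INSPECTION_CAS = {"Corp Proxy Inspection CA"}
INTERNAL_TRUST = {"Example Root CA", "Corp Proxy Inspection CA"}  # proxy CA pushed to staff
INTERNET_TRUST = {"Example Root CA"}  # outside parties never added the proxy CA

if __name__ == "__main__":
    for label, chain in (("original", ORIGINAL_CHAIN), ("reissued", REISSUED_CHAIN)):
        print(label, "internal:", chain_status(chain, INTERNAL_TRUST),
              "internet:", chain_status(chain, INTERNET_TRUST),
              "inspected:", inspected(chain, INSPECTION_CAS))
```

The same check applies in the other direction: a backend that is handed a proxy-reissued client certificate accepts it only if the proxy CA is among its trust anchors, which is the condition the message above says is unlikely to hold for Internet parties.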

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Stefaan Pouseele
Sent: Saturday, February 02, 2008 2:19 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Hi Jim,

maybe I should rephrase my statement in order to clarify better what I mean.

Whenever the application insists on the client cert itself then there is
nothing much you can do but use server publishing. A classic example I
encounter every day is the use of the Belgian e-ID to authenticate to a web
application. In this scenario you can't use delegation or user mapping at all
because the users aren't known beforehand. Moreover, in many cases the
application must be able to read some stuff out of the e-ID. In short, a
number of reasons why pre-authentication isn't possible and therefore SSL
bridging.

I wonder how 'Windows Cardspace' or in more general terms 'Information
Cards' and 'WS-*' can/will cooperate in a pre-authentication scenario with
ISA server?

Kindly,
Stefaan

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Friday 1 February 2008 19:58
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

I'm actually very surprised you take this position.
If ISA can terminate the SSL session (required for ISA to handle client
certs), then you can apply the HTTP smarts ISA brings for the table.
Server publishing SSL can't accomplish this.

Jim

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Stefaan Pouseele
Sent: Friday, February 01, 2008 8:41 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Hi Jason,

My reasoning: whenever client certs are involved, use server publishing.
Nothing ISA can do to enhance the security.

HTH,

Stefaan

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason Jones
Sent: Friday 1 February 2008 16:49
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Hi All,

Any more thoughts on this?

From what I now understand, the SCCM client is using a client auth cert to
authenticate to the IIS instance running on the SCCM management point
(mutual cert auth).

We are getting close to SCCM deployments where customers want IBCM, but the
only ISA Server solution I can get working is to use SSL tunnelling (server
publishing). I have tried various web publishing configurations and none of
them seem to work - I have tried the following:

* Simple web publishing, ISA listener with no authentication and "allow
client to authenticate" defined in the delegation tab - assumed this would
just use pass-through auth to the IIS website to allow for this to do the
client auth.

* Pre-auth web publishing, ISA listener using client cert auth and then KCD
to delegate to IIS.

Do we think that one of these should work, or is web publishing for SCCM
IBCM fundamentally flawed?

Anyone actually got it working??? I know SCCM is quite new, but are we just
too ahead of the curve here?

Cheers

JJ

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason Jones
Sent: 19 October 2007 08:50
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Hi t,

I was hoping to do the former and then use KCD, but from what I gather SCCM
is using computer based certs - I believe this makes things harder? Not
really come across this scenario before... I currently have it working in
the lab using server publishing, but I cannot bear the thought of doing this
for customers...

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Thor (Hammer of God)
Sent: 18 October 2007 22:15
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

While I've not used SCCM, I've done a good bit of work with different
certificate-based authentication models.  Are you considering using a
web-listener configured for SSL Client Certificate Authentication, or just
web-publishing to a back-end web server where it will do its own
certificate-to-user mapping?

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason Jones
Sent: Thursday, October 18, 2007 1:11 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Did this Q get hidden within Amy's posts or is it a big fat "don't know"? :)

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason Jones
Sent: 17 October 2007 00:49
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] SCCM and ISA - Worth a shot!

Hi,

Has anyone used ISA with System Center Configuration Manager (SCCM) yet?
Specifically when using Native mode (e.g. full-on PKI mode).

The initial documentation is a little patchy and seems to contradict itself
between using Web Publishing and Server Publishing when using Internet based
clients that cannot back into the CM server. The SCCM documentation talks
about lots of perimeter and internet-facing scenarios, but I want to try and
use an ISA based model in a similar way to protecting Exchange or
SharePoint. A quote from Jim comes to mind: "..we don't need no stinking
DMZs".

Ideally I want to use Web Publishing, but all communications in SCCM utilise
client certificate based authentication.

Am I right in thinking I can use ISA Web publishing combined with KCD to
secure access from CM clients to the CM server?

Answers that tell me that I have to use Server Publishing will make me cry,
so please be sensitive.

Thanks in advance...

Cheers

JJ
