[isapros] Re: SCCM and ISA - Worth a shot!
- From: Jim Harrison <Jim@xxxxxxxxxxxx>
- To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
- Date: Fri, 8 Feb 2008 20:19:26 -0800
You can't test divergence against your forehead...
-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Thor (Hammer of God)
Sent: Friday, February 08, 2008 6:56 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!
I'll go through everything over the weekend... brain is fried atm...
t
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Friday, February 08, 2008 6:27 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> Here's one for Tim to shoot down:
>
> Since machine auth certificates are built by default using DNS names
> (subj = "CN=host.domain.tld", SAN = "DNS Name=host.domain.tld") and
not
> UPN ("account@xxxxxxxxxx"), it's impossible for Windows to resolve the
> cert to an account. You could try using certreq (supp tools) to build
> a machine cert that uses UPN format (machine$@domain.tld) in the
> subject and/or SAN (you'll probably have to play a bit) and include
> "domain\domain computers" in an ISA "Windows user group". ..all
> speculation, of course...
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Friday, February 08, 2008 6:23 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> Right, done a little more testing (playing) with this and here are my
> findings, I think I got the skinny on this, but a sanity check would
be
> good :)
>
> Option 1: Use Server Publishing
>
> Results - SCCM client can authenticate to IIS on the SCCM management
> point using it's own personal client certificate and be fully managed,
> deployed with software/patches etc.
>
> Pros - Everything works
> Cons - Not ideal and ISA isn't adding a lot of value here as having to
> use Server publishing.
>
> Option 2: Use Web Publishing without KCD
>
> Results - I can only get this to work by configuring the ISA listener
> for no auth and then use the "use a client cert to authenticate to the
> SSL web server" option on the bridging tab. If enable the "SSL client
> auth" option on the web listener, ISA attempts to validate the
> certificate with AD, HOWEVER the client certs are issued to Internet
> clients who are not members of AD and hence have no validity with AD.
> Hence ISA gives a 401 error, kinda as expected.
>
> Pros - Everything works and ISA **can** inspect the HTTP requests
> Cons - We have no way of authenticating external clients and they all
> appear to "hide" behind the ISA Server client certificate. This means
> any SCCM client, even without a client cert, can connect as ISA will
> perform the actual client auth request by the internal IIS server on
> the management point. This seems unworkable from what I can tell as
> SCCM will only ever see one client...
>
> Option 3: Use Web Publishing with KCD
>
> Results - As ISA cannot validate the client certificate with AD, we
> don't even get a chance to perform delegation to the IIS server on the
> SCCM management point. Hence this option is a non-starter.
>
> Cons - Fundamentally flawed :-) (I think)
>
> Does all of this look correct or have I missed some options or
> misunderstood something?
>
> From my understanding FOR THIS PARTICULUAR SCENARIO, I have no choice
> but to accept defeat and go for server publishing???
>
> As ever, thanks for any input/comments...
>
> Cheers
>
> JJ
>
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: 02 February 2008 15:17
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> Yes; that makes sense.
> It's a shame that there is no good way to do this but that's the
> benefit of client-cert auth; MITM is very difficult to perform.
>
> Something to note about this process; any "SSL inspection" methodology
> is going to break client cert auth. This is equally true of the
> BlueCoat & ClearTunnel offerings. Once you crack the SSL channel, the
> certs have to be "mimicked" to each side. This is how they both work
-
> by "reissuing" the server certificate and terminating the SSL session
> at the proxy so that the internal traffic can be inspected.
> While it's relatively simple to use your proxy as an intermediate CA
> because you can define a trust for it to your users, doing so for the
> Internet folks is much more difficult (and expensive!). They have to
> trust your proxy as an intermediate CA if your "reissued" client cert
> is to be worthwhile. Odds are, this just ain't happening.
>
> I can't speak to any future plans here (obviously), but I'm not a
> personal fan of Cardspace. Perhaps some more research will ease my
> concerns...
>
> Jim
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> Sent: Saturday, February 02, 2008 2:19 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> Hi Jim,
>
> maybe I should rephrase my statement in order to clarify better what I
> mean.
>
>
> Whenever the application insist on the client cert itself then nothing
> much
> you can do but using server publishing. A classic example I encounter
> every
> day is the use of the Belgium e-ID to authenticate to a web
> application. In
> this scenario you can't use delegation or user mapping at all because
> the
> users aren't known beforehand. Moreover, in many cases the application
> must
> be able to read some stuff out of the e-ID. In short, a number of
> reasons
> why pre-authentication isn't possible and therefore SSL bridging.
>
> I wonder how 'Windows Cardspace' or in more general terms 'Information
> Cards' and 'WS-*' can/will cooperate in a pre-authentication scenario
> with
> ISA server?
>
> Kindly,
> Stefaan
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On
> Behalf Of Jim Harrison
> Sent: vrijdag 1 februari 2008 19:58
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> I'm actually very surprised you take this position.
> If ISA can terminate the SSL session (required for ISA to handle
client
> certs), then you can apply the HTTP smarts ISA brings for the table.
> Server publishing SSL can't accomplish this.
>
> Jim
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On
> Behalf Of Stefaan Pouseele
> Sent: Friday, February 01, 2008 8:41 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> Hi Jason,
>
>
>
> my reasoning, whenever client certs are involved, use server
> publishing.
> Nothing ISA can do to enhance the security.
>
>
>
> HTH,
>
> Stefaan
>
>
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On
> Behalf Of Jason Jones
> Sent: vrijdag 1 februari 2008 16:49
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
>
>
> Hi All,
>
>
>
> Any more thoughts on this?
>
>
>
> From what I now understand, the SCCM client is using a client auth
cert
> to
> authenticate to the IIS instance running on the SCCM management point
> (mutual cert auth).
>
>
>
> We are getting close to SCCM deployments where customers want IBCM,
> but the
> only ISA Server solution I can get working is to use SSL tunnelling
> (server
> publishing). I have tried various web publishing configurations and
> none of
> them seem to work - I have tried the following:
>
>
>
> * Simple web publishing , ISA listener with no authentication
> and
> "allow client to authenticate" defined in the delegation tab - assumed
> this
> would just use pass-through auth to the IIS website to allow for this
> to do
> the client auth.
>
> * Pre-auth web publishing, ISA listener using client cert auth
> and
> then KCD to delegate to IIS.
>
>
>
> Do we think that one of these should work, or is web publishing for
> SCCM
> IBCM fundamentally flawed?
>
>
>
> Anyone actually got it working??? I know SCCM is quite new, but are we
> just
> too ahead of the curve here?
>
>
>
> Cheers
>
>
>
> JJ
>
>
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On
> Behalf Of Jason Jones
> Sent: 19 October 2007 08:50
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
>
>
> Hi t,
>
>
>
> I was hoping to do the former and then use KCD, but from what I gather
> SCCM
> is using computer based certs - I believe this makes things harder?.
> Not
> really comes across this scenario before...I currently have it working
> in
> the lab using server publishing, but I cannot bear the thought of
doing
> this
> for customers...
>
>
>
>
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: 18 October 2007 22:15
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
>
>
> While I've not used SCCM, I've done a good bit of work with different
> certificate-based authentication models. Are you considering using a
> web-listener configured for SSL Client Certificate Authentication, or
> just
> web-publishing to a back-end web server where it will do its own
> certificate-to-user mapping?
>
>
>
> t
>
>
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On
> Behalf Of Jason Jones
> Sent: Thursday, October 18, 2007 1:11 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
>
>
> Did this Q get hidden within Amy's posts or is it a big fat "don't
> know"? J
>
>
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On
> Behalf Of Jason Jones
> Sent: 17 October 2007 00:49
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] SCCM and ISA - Worth a shot!
>
>
>
> Hi,
>
>
>
> Has anyone used ISA with System Centre Configuration Manager (SCCM)
> yet?
> Specifically when using Native mode (e.g. full-on PKI mode).
>
>
>
> The initial documentation is a little patchy and seems to contradict
> itself
> between using Web Publishing and Server Publishing when using Internet
> based
> clients that cannot back into the CM server. The SCCM documentation
> talks
> about lots of perimeter and internet-facing scenarios, but I want to
> try and
> use an ISA based model in a similar way to protecting Exchange or
> SharePoint. A quote from Jim comes to mind "..we don't need no
stinking
> DMZs"
>
>
>
> Ideally I want to use Web Publishing, but all communications in SCCM
> utilise
> client certificate based authentication.
>
>
>
> Am I right in thinking I can use ISA Web publishing combined with KCD
> to
> secure access from CM clients to the CM server?
>
>
>
> Answers that tell me that I have to use Server Publishing will make me
> cry,
> so please be sensitive
>
>
>
> Thanks in advance...
>
>
>
> Cheers
>
>
>
> JJ
>
>
>
>
>
> ________________________________
>
> This email and any files transmitted with it are confidential and
> intended
> solely for the use of the individual to whom it is addressed. If you
> have
> received this email in error, or if you believe this email is
> unsolicited
> and wish to be removed from any future mailings, please contact our
> Support
> Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx
>
> If this email contains a quotation then unless otherwise stated it is
> valid
> for 7 days and offered subject to Silversands Professional Services
> Terms
> and Conditions, a copy of which is available on request. Any pricing
> information, design information or information concerning specific
> Silversands' staff contained in this email is considered confidential
> or of
> commercial interest and exempt from the Freedom of Information Act
> 2000.
>
> Any view or opinions presented are solely those of the author and do
> not
> necessarily represent those of Silversands
>
> Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> Company Registration Number : 2141393.
>
>
>
>
>
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual to whom it is addressed.
> If you have received this email in error, or if you believe this email
> is unsolicited and wish to be removed from any future mailings, please
> contact our Support Desk immediately on 01202 360360 or email
> helpdesk@xxxxxxxxxxxxxxxxx
>
> If this email contains a quotation then unless otherwise stated it is
> valid for 7 days and offered subject to Silversands Professional
> Services Terms and Conditions, a copy of which is available on
request.
> Any pricing information, design information or information concerning
> specific Silversands' staff contained in this email is considered
> confidential or of commercial interest and exempt from the Freedom of
> Information Act 2000.
>
> Any view or opinions presented are solely those of the author and do
> not necessarily represent those of Silversands
>
> Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> Company Registration Number : 2141393.
>
>
>
Other related posts:
