[isapros] Re: SCCM and ISA - Worth a shot!

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Sat, 9 Feb 2008 15:53:22 -0800

Yeah, looks like that's it.  I just hope nobody is stupid enough to try to pull 
the old "Hey, you need cos(42)xGMT-4 in there" somewhere.

Only a moron would say something like that, though.

t


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Saturday, February 09, 2008 1:25 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Sure you can...  That's what mirrors are for!  Besides, I think I've nailed the 
divergence. It's the irradiance that I'm trying to determine... I think this 
will do it, though: I(x) = A exp[-2 (x - x0)^2 / w^2]
 
I'll let you know :)
 
t  
 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Friday, February 08, 2008 8:19 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> 
> You can't test divergence against your forehead...
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Friday, February 08, 2008 6:56 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> 
> I'll go through everything over the weekend... brain is fried atm...
> 
> t
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Friday, February 08, 2008 6:27 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Here's one for Tim to shoot down:
> >
> > Since machine auth certificates are built by default using DNS names
> > (subj = "CN=host.domain.tld", SAN = "DNS Name=host.domain.tld") and not
> > UPN ("account@xxxxxxxxxx"), it's impossible for Windows to resolve the
> > cert to an account.  You could try using certreq (supp tools) to build
> > a machine cert that uses UPN format (machine$@domain.tld) in the
> > subject and/or SAN (you'll probably have to play a bit) and include
> > "domain\domain computers" in an ISA "Windows user group".  ..all
> > speculation, of course...
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Friday, February 08, 2008 6:23 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Right, done a little more testing (playing) with this and here are my
> > findings, I think I got the skinny on this, but a sanity check would be
> > good :)
> >
> > Option 1: Use Server Publishing
> >
> > Results - SCCM client can authenticate to IIS on the SCCM management
> > point using its own personal client certificate and be fully managed,
> > deployed with software/patches etc.
> >
> > Pros - Everything works
> > Cons - Not ideal and ISA isn't adding a lot of value here as having to
> > use Server publishing.
> >
> > Option 2: Use Web Publishing without KCD
> >
> > Results - I can only get this to work by configuring the ISA listener
> > for no auth and then use the "use a client cert to authenticate to the
> > SSL web server" option on the bridging tab. If I enable the "SSL client
> > auth" option on the web listener, ISA attempts to validate the
> > certificate with AD, HOWEVER the client certs are issued to Internet
> > clients who are not members of AD and hence have no validity with AD.
> > Hence ISA gives a 401 error, kinda as expected.
> >
> > Pros - Everything works and ISA **can** inspect the HTTP requests
> > Cons - We have no way of authenticating external clients and they all
> > appear to "hide" behind the ISA Server client certificate. This means
> > any SCCM client, even without a client cert, can connect as ISA will
> > perform the actual client auth request by the internal IIS server on
> > the management point. This seems unworkable from what I can tell as
> > SCCM will only ever see one client...
> >
> > Option 3: Use Web Publishing with KCD
> >
> > Results - As ISA cannot validate the client certificate with AD, we
> > don't even get a chance to perform delegation to the IIS server on the
> > SCCM management point. Hence this option is a non-starter.
> >
> > Cons - Fundamentally flawed :-) (I think)
> >
> > Does all of this look correct or have I missed some options or
> > misunderstood something?
> >
> > From my understanding FOR THIS PARTICULAR SCENARIO, I have no choice
> > but to accept defeat and go for server publishing???
> >
> > As ever, thanks for any input/comments...
> >
> > Cheers
> >
> > JJ
> >
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: 02 February 2008 15:17
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Yes; that makes sense.
> > It's a shame that there is no good way to do this but that's the
> > benefit of client-cert auth; MITM is very difficult to perform.
> >
> > Something to note about this process; any "SSL inspection" methodology
> > is going to break client cert auth.  This is equally true of the
> > BlueCoat & ClearTunnel offerings.  Once you crack the SSL channel, the
> > certs have to be "mimicked" to each side.  This is how they both work -
> > by "reissuing" the server certificate and terminating the SSL session
> > at the proxy so that the internal traffic can be inspected.
> > While it's relatively simple to use your proxy as an intermediate CA
> > because you can define a trust for it to your users, doing so for the
> > Internet folks is much more difficult (and expensive!).  They have to
> > trust your proxy as an intermediate CA if your "reissued" client cert
> > is to be worthwhile.  Odds are, this just ain't happening.
> >
> > I can't speak to any future plans here (obviously), but I'm not a
> > personal fan of Cardspace.  Perhaps some more research will ease my
> > concerns...
> >
> > Jim
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> > Sent: Saturday, February 02, 2008 2:19 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Hi Jim,
> >
> > maybe I should rephrase my statement in order to clarify better what I
> > mean.
> >
> >
> > Whenever the application insists on the client cert itself then nothing
> > much you can do but use server publishing. A classic example I encounter
> > every day is the use of the Belgium e-ID to authenticate to a web
> > application. In this scenario you can't use delegation or user mapping at
> > all because the users aren't known beforehand. Moreover, in many cases
> > the application must be able to read some stuff out of the e-ID. In
> > short, a number of reasons why pre-authentication isn't possible and
> > therefore SSL bridging.
> >
> > I wonder how 'Windows Cardspace' or in more general terms 'Information
> > Cards' and 'WS-*' can/will cooperate in a pre-authentication scenario
> > with ISA server?
> >
> > Kindly,
> > Stefaan
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On
> > Behalf Of Jim Harrison
> > Sent: Friday 1 February 2008 19:58
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > I'm actually very surprised you take this position.
> > If ISA can terminate the SSL session (required for ISA to handle client
> > certs), then you can apply the HTTP smarts ISA brings to the table.
> > Server publishing SSL can't accomplish this.
> >
> > Jim
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On
> > Behalf Of Stefaan Pouseele
> > Sent: Friday, February 01, 2008 8:41 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Hi Jason,
> >
> >
> >
> > my reasoning, whenever client certs are involved, use server
> > publishing.
> > Nothing ISA can do to enhance the security.
> >
> >
> >
> > HTH,
> >
> > Stefaan
> >
> >
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On
> > Behalf Of Jason Jones
> > Sent: Friday 1 February 2008 16:49
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> >
> >
> > Hi All,
> >
> >
> >
> > Any more thoughts on this?
> >
> >
> >
> > From what I now understand, the SCCM client is using a client auth cert
> > to authenticate to the IIS instance running on the SCCM management point
> > (mutual cert auth).
> >
> >
> >
> > We are getting close to SCCM deployments where customers want IBCM,
> > but the only ISA Server solution I can get working is to use SSL
> > tunnelling (server publishing). I have tried various web publishing
> > configurations and none of them seem to work - I have tried the
> > following:
> >
> >
> >
> > *  Simple web publishing, ISA listener with no authentication and
> >    "allow client to authenticate" defined in the delegation tab - assumed
> >    this would just use pass-through auth to the IIS website to allow for
> >    this to do the client auth.
> >
> > *  Pre-auth web publishing, ISA listener using client cert auth and
> >    then KCD to delegate to IIS.
> >
> >
> >
> > Do we think that one of these should work, or is web publishing for SCCM
> > IBCM fundamentally flawed?
> >
> >
> >
> > Anyone actually got it working??? I know SCCM is quite new, but are we
> > just too ahead of the curve here?
> >
> >
> >
> > Cheers
> >
> >
> >
> > JJ
> >
> >
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On
> > Behalf Of Jason Jones
> > Sent: 19 October 2007 08:50
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> >
> >
> > Hi t,
> >
> >
> >
> > I was hoping to do the former and then use KCD, but from what I gather
> > SCCM is using computer based certs - I believe this makes things harder?
> > Not really come across this scenario before...I currently have it working
> > in the lab using server publishing, but I cannot bear the thought of doing
> > this for customers...
> >
> >
> >
> >
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On
> > Behalf Of Thor (Hammer of God)
> > Sent: 18 October 2007 22:15
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> >
> >
> > While I've not used SCCM, I've done a good bit of work with different
> > certificate-based authentication models.  Are you considering using a
> > web-listener configured for SSL Client Certificate Authentication, or just
> > web-publishing to a back-end web server where it will do its own
> > certificate-to-user mapping?
> >
> >
> >
> > t
> >
> >
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On
> > Behalf Of Jason Jones
> > Sent: Thursday, October 18, 2007 1:11 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> >
> >
> > Did this Q get hidden within Amy's posts or is it a big fat "don't
> > know"? :)
> >
> >
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On
> > Behalf Of Jason Jones
> > Sent: 17 October 2007 00:49
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] SCCM and ISA - Worth a shot!
> >
> >
> >
> > Hi,
> >
> >
> >
> > Has anyone used ISA with System Centre Configuration Manager (SCCM) yet?
> > Specifically when using Native mode (e.g. full-on PKI mode).
> >
> >
> >
> > The initial documentation is a little patchy and seems to contradict
> > itself between using Web Publishing and Server Publishing when using
> > Internet based clients that cannot back into the CM server. The SCCM
> > documentation talks about lots of perimeter and internet-facing
> > scenarios, but I want to try and use an ISA based model in a similar way
> > to protecting Exchange or SharePoint. A quote from Jim comes to mind
> > "..we don't need no stinking DMZs"
> >
> >
> >
> > Ideally I want to use Web Publishing, but all communications in SCCM
> > utilise client certificate based authentication.
> >
> >
> >
> > Am I right in thinking I can use ISA Web publishing combined with KCD to
> > secure access from CM clients to the CM server?
> >
> >
> >
> > Answers that tell me that I have to use Server Publishing will make me
> > cry, so please be sensitive
> >
> >
> >
> > Thanks in advance...
> >
> >
> >
> > Cheers
> >
> >
> >
> > JJ
> >
> >
> >
> >
> >
> > ________________________________
> >
> > This email and any files transmitted with it are confidential and
> > intended
> > solely for the use of the individual to whom it is addressed. If you
> > have
> > received this email in error, or if you believe this email is
> > unsolicited
> > and wish to be removed from any future mailings, please contact our
> > Support
> > Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx
> >
> > If this email contains a quotation then unless otherwise stated it is
> > valid
> > for 7 days and offered subject to Silversands Professional Services
> > Terms
> > and Conditions, a copy of which is available on request. Any pricing
> > information, design information or information concerning specific
> > Silversands' staff contained in this email is considered confidential
> > or of
> > commercial interest and exempt from the Freedom of Information Act
> > 2000.
> >
> > Any view or opinions presented are solely those of the author and do
> > not
> > necessarily represent those of Silversands
> >
> > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> > Company Registration Number : 2141393.
> >
> >
> 
> 
> 
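The thread's central point (Jim's "any SSL inspection methodology is going to break client cert auth" and Jason's finding that under web publishing every client "hides" behind the ISA Server client certificate) comes down to one property of the TLS handshake: the client's CertificateVerify is a signature, made with a private key only the client holds, over the handshake transcript of the session it is actually in. A bridging proxy that terminates that session and opens a second one to IIS sees a different transcript and has no key to sign it with. The following is an added illustration written for this page, not code from ISA Server, SCCM or any participant in the thread. It assumes a toy textbook-RSA key pair over two fixed Mersenne primes (constructed and insecure, for demonstration only) and reduces the handshake transcript to the two random nonces; real TLS covers the full message sequence, but the binding is the same.

```python
"""
Why a TLS-terminating proxy cannot forward client-certificate authentication.

Toy model: the client proves possession of its certificate's private key by
signing the handshake transcript (CertificateVerify). A bridging proxy that
terminates TLS and opens a second session to the back-end cannot reuse that
proof, because the back-end's transcript differs and the proxy lacks the key.
"""
import hashlib
import random

# --- constructed toy RSA key pair (insecure; demonstration only) ------------
P = 2_147_483_647                  # 2^31 - 1, prime
Q = 2_305_843_009_213_693_951      # 2^61 - 1, prime
N = P * Q                          # modulus, about 2^92
E = 65537                          # public exponent (coprime with (P-1)(Q-1))
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: held by the client only


def transcript(client_random: bytes, server_random: bytes) -> bytes:
    """Simplified handshake transcript: just the two nonces of one session."""
    return b"tls-handshake|" + client_random + b"|" + server_random


def _digest(transcript_bytes: bytes) -> int:
    # Truncate SHA-256 to 88 bits so the integer is below the toy modulus N.
    return int.from_bytes(hashlib.sha256(transcript_bytes).digest()[:11], "big")


def sign(transcript_bytes: bytes, d: int = D) -> int:
    """Client's CertificateVerify: RSA-sign the transcript digest with D."""
    return pow(_digest(transcript_bytes), d, N)


def verify(transcript_bytes: bytes, signature: int) -> bool:
    """Server side: recover the digest with the public key (E, N) and compare."""
    return pow(signature, E, N) == _digest(transcript_bytes)


def bridged_handshake(seed: int = 1) -> tuple:
    """
    Front leg: client <-> proxy (e.g. an ISA web listener terminating SSL).
    Back leg:  proxy  <-> IIS on the management point.
    Returns (front_ok, replay_ok): whether the client authenticates to the
    proxy, and whether the proxy can reuse that proof toward IIS.
    """
    rng = random.Random(seed)          # deterministic nonces for the demo
    nonce = lambda: rng.getrandbits(256).to_bytes(32, "big")
    client_random = nonce()
    proxy_server_random = nonce()      # proxy's server nonce on the front leg
    iis_server_random = nonce()        # IIS picks its own nonce on the back leg

    # Front leg: the client signs the transcript it shares with the proxy,
    # so the proxy can validate the client certificate.
    front = transcript(client_random, proxy_server_random)
    cert_verify = sign(front)
    front_ok = verify(front, cert_verify)

    # Back leg: the proxy's new session to IIS has a different server random,
    # so the captured CertificateVerify no longer matches, and the proxy has
    # no D with which to produce a fresh one. Its only option is to present
    # its own client certificate, so IIS sees a single identity for everyone.
    back = transcript(client_random, iis_server_random)
    replay_ok = verify(back, cert_verify)
    return front_ok, replay_ok


if __name__ == "__main__":
    front_ok, replay_ok = bridged_handshake()
    print(f"client authenticated to proxy: {front_ok}")
    print(f"proxy can reuse proof toward IIS: {replay_ok}")
```

Run as a script it reports that the client authenticates to the proxy but the proxy cannot reuse that proof toward IIS, which is exactly the split the thread describes: either the proxy terminates TLS and becomes the only client IIS ever sees, or it forwards the raw TLS stream (server publishing) and gives up HTTP inspection.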