[isapros] Re: SCCM and ISA - Worth a shot!

  • From: Steve Moffat <steve@xxxxxxxxxx>
  • To: ISAPros Mailing List <isapros@xxxxxxxxxxxxx>
  • Date: Sat, 9 Feb 2008 19:47:25 -0400

Nope, that formula would have you melting down in 14.7 seconds.

The correct formula, however...would be...

I(x) = A exp[-2 (x - x0)^2 / w^2] / cos(42)xGMT-4

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Saturday, February 09, 2008 5:25 PM
To: ISAPros Mailing List
Subject: [isapros] Re: SCCM and ISA - Worth a shot!


Sure you can...  That's what mirrors are for!  Besides, I think I've nailed the 
divergence. It's the irradiance that I'm trying to determine... I think this 
will do it, though: I(x) = A exp[-2 (x - x0)^2 / w^2]



I'll let you know :)



t



> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Friday, February 08, 2008 8:19 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> You can't test divergence against your forehead...
>

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Friday, February 08, 2008 6:56 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> I'll go through everything over the weekend... brain is fried atm...
>
> t
>

> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Friday, February 08, 2008 6:27 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Here's one for Tim to shoot down:
> >
> > Since machine auth certificates are built by default using DNS names
> > (subj = "CN=host.domain.tld", SAN = "DNS Name=host.domain.tld") and not
> > UPN ("account@xxxxxxxxxx"), it's impossible for Windows to resolve the
> > cert to an account.  You could try using certreq (supp tools) to build
> > a machine cert that uses UPN format (machine$@domain.tld) in the
> > subject and/or SAN (you'll probably have to play a bit) and include
> > "domain\domain computers" in an ISA "Windows user group".  ..all
> > speculation, of course...
> >

> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Friday, February 08, 2008 6:23 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Right, done a little more testing (playing) with this and here are my
> > findings. I think I got the skinny on this, but a sanity check would be
> > good :)
> >
> > Option 1: Use Server Publishing
> >
> > Results - SCCM client can authenticate to IIS on the SCCM management
> > point using its own personal client certificate and be fully managed,
> > deployed with software/patches etc.
> >
> > Pros - Everything works
> > Cons - Not ideal, and ISA isn't adding a lot of value here as we have
> > to use Server publishing.
> >
> > Option 2: Use Web Publishing without KCD
> >
> > Results - I can only get this to work by configuring the ISA listener
> > for no auth and then using the "use a client cert to authenticate to the
> > SSL web server" option on the bridging tab. If I enable the "SSL client
> > auth" option on the web listener, ISA attempts to validate the
> > certificate with AD; HOWEVER the client certs are issued to Internet
> > clients who are not members of AD and hence have no validity with AD.
> > Hence ISA gives a 401 error, kinda as expected.
> >
> > Pros - Everything works and ISA **can** inspect the HTTP requests
> > Cons - We have no way of authenticating external clients and they all
> > appear to "hide" behind the ISA Server client certificate. This means
> > any SCCM client, even without a client cert, can connect, as ISA will
> > perform the actual client auth requested by the internal IIS server on
> > the management point. This seems unworkable from what I can tell, as
> > SCCM will only ever see one client...
> >
> > Option 3: Use Web Publishing with KCD
> >
> > Results - As ISA cannot validate the client certificate with AD, we
> > don't even get a chance to perform delegation to the IIS server on the
> > SCCM management point. Hence this option is a non-starter.
> >
> > Cons - Fundamentally flawed :-) (I think)
> >
> > Does all of this look correct, or have I missed some options or
> > misunderstood something?
> >
> > From my understanding, FOR THIS PARTICULAR SCENARIO, I have no choice
> > but to accept defeat and go for server publishing???
> >
> > As ever, thanks for any input/comments...
> >
> > Cheers
> >
> > JJ
> >
> >

> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: 02 February 2008 15:17
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Yes; that makes sense.
> > It's a shame that there is no good way to do this, but that's the
> > benefit of client-cert auth; MITM is very difficult to perform.
> >
> > Something to note about this process: any "SSL inspection" methodology
> > is going to break client cert auth.  This is equally true of the
> > BlueCoat & ClearTunnel offerings.  Once you crack the SSL channel, the
> > certs have to be "mimicked" to each side.  This is how they both work -
> > by "reissuing" the server certificate and terminating the SSL session
> > at the proxy so that the internal traffic can be inspected.
> > While it's relatively simple to use your proxy as an intermediate CA,
> > because you can define a trust for it to your users, doing so for the
> > Internet folks is much more difficult (and expensive!).  They have to
> > trust your proxy as an intermediate CA if your "reissued" client cert
> > is to be worthwhile.  Odds are, this just ain't happening.
> >
> > I can't speak to any future plans here (obviously), but I'm not a
> > personal fan of Cardspace.  Perhaps some more research will ease my
> > concerns...
> >
> > Jim
> >

> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> > Sent: Saturday, February 02, 2008 2:19 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Hi Jim,
> >
> > maybe I should rephrase my statement in order to clarify better what I
> > mean.
> >
> > Whenever the application insists on the client cert itself, then there
> > is nothing much you can do but use server publishing. A classic example
> > I encounter every day is the use of the Belgian e-ID to authenticate to
> > a web application. In this scenario you can't use delegation or user
> > mapping at all because the users aren't known beforehand. Moreover, in
> > many cases the application must be able to read some stuff out of the
> > e-ID. In short, a number of reasons why pre-authentication isn't
> > possible, and therefore SSL bridging.
> >
> > I wonder how 'Windows Cardspace' or, in more general terms,
> > 'Information Cards' and 'WS-*' can/will cooperate in a
> > pre-authentication scenario with ISA server?
> >
> > Kindly,
> > Stefaan
> >

> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: vrijdag 1 februari 2008 19:58
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > I'm actually very surprised you take this position.
> > If ISA can terminate the SSL session (required for ISA to handle client
> > certs), then you can apply the HTTP smarts ISA brings to the table.
> > Server publishing SSL can't accomplish this.
> >
> > Jim
> >

> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> > Sent: Friday, February 01, 2008 8:41 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Hi Jason,
> >
> > my reasoning: whenever client certs are involved, use server
> > publishing. Nothing ISA can do to enhance the security.
> >
> > HTH,
> >
> > Stefaan
> >

> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: vrijdag 1 februari 2008 16:49
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Hi All,
> >
> > Any more thoughts on this?
> >
> > From what I now understand, the SCCM client is using a client auth cert
> > to authenticate to the IIS instance running on the SCCM management point
> > (mutual cert auth).
> >
> > We are getting close to SCCM deployments where customers want IBCM, but
> > the only ISA Server solution I can get working is to use SSL tunnelling
> > (server publishing). I have tried various web publishing configurations
> > and none of them seem to work - I have tried the following:
> >
> > * Simple web publishing, ISA listener with no authentication and
> >   "allow client to authenticate" defined in the delegation tab - assumed
> >   this would just use pass-through auth to the IIS website to allow for
> >   this to do the client auth.
> >
> > * Pre-auth web publishing, ISA listener using client cert auth and
> >   then KCD to delegate to IIS.
> >
> > Do we think that one of these should work, or is web publishing for SCCM
> > IBCM fundamentally flawed?
> >
> > Anyone actually got it working??? I know SCCM is quite new, but are we
> > just too ahead of the curve here?
> >
> > Cheers
> >
> > JJ
> >

> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: 19 October 2007 08:50
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Hi t,
> >
> > I was hoping to do the former and then use KCD, but from what I gather
> > SCCM is using computer based certs - I believe this makes things harder?
> > Not really come across this scenario before... I currently have it
> > working in the lab using server publishing, but I cannot bear the
> > thought of doing this for customers...
> >

> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: 18 October 2007 22:15
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > While I've not used SCCM, I've done a good bit of work with different
> > certificate-based authentication models.  Are you considering using a
> > web-listener configured for SSL Client Certificate Authentication, or
> > just web-publishing to a back-end web server where it will do its own
> > certificate-to-user mapping?
> >
> > t
> >

> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Thursday, October 18, 2007 1:11 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Did this Q get hidden within Amy's posts or is it a big fat "don't
> > know"? :)
> >

> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: 17 October 2007 00:49
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] SCCM and ISA - Worth a shot!
> >
> > Hi,
> >
> > Has anyone used ISA with System Centre Configuration Manager (SCCM)
> > yet? Specifically when using Native mode (e.g. full-on PKI mode).
> >
> > The initial documentation is a little patchy and seems to contradict
> > itself between using Web Publishing and Server Publishing when using
> > Internet based clients that cannot back into the CM server. The SCCM
> > documentation talks about lots of perimeter and internet-facing
> > scenarios, but I want to try and use an ISA based model in a similar
> > way to protecting Exchange or SharePoint. A quote from Jim comes to
> > mind: "..we don't need no stinking DMZs"
> >
> > Ideally I want to use Web Publishing, but all communications in SCCM
> > utilise client certificate based authentication.
> >
> > Am I right in thinking I can use ISA Web publishing combined with KCD
> > to secure access from CM clients to the CM server?
> >
> > Answers that tell me that I have to use Server Publishing will make me
> > cry, so please be sensitive
> >
> > Thanks in advance...
> >
> > Cheers
> >
> > JJ
> >
> >

> > ________________________________
> >
> > This email and any files transmitted with it are confidential and
> > intended solely for the use of the individual to whom it is addressed.
> > If you have received this email in error, or if you believe this email
> > is unsolicited and wish to be removed from any future mailings, please
> > contact our Support Desk immediately on 01202 360360 or email
> > helpdesk@xxxxxxxxxxxxxxxxx
> >
> > If this email contains a quotation then unless otherwise stated it is
> > valid for 7 days and offered subject to Silversands Professional
> > Services Terms and Conditions, a copy of which is available on request.
> > Any pricing information, design information or information concerning
> > specific Silversands' staff contained in this email is considered
> > confidential or of commercial interest and exempt from the Freedom of
> > Information Act 2000.
> >
> > Any view or opinions presented are solely those of the author and do
> > not necessarily represent those of Silversands
> >
> > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> > Company Registration Number : 2141393.


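Jim Harrison's suggestion in the quoted message above (build the machine certificate with certreq so that its SAN carries a UPN of the form machine$@domain.tld, not just the DNS name) is the one concrete procedure in this thread. What follows is an added example, not code from any of the posters: a certreq INF that requests both a dns= and a upn= SAN entry, the three certreq steps to get the certificate into the computer store, and a check that the UPN actually survived issuance. The host name, domain, CA config string and template name are assumptions; the INF keywords and the "{text}" / _continue_ SAN syntax are certreq's documented ones.

```powershell
# Added example: request a machine certificate whose SAN carries both the DNS
# name and a UPN of the form host$@domain.tld, then verify what the CA issued.
# Run in an elevated PowerShell session on the domain-joined client.
# Host, domain, CA and template names below are assumptions for illustration.

$HostFqdn   = 'host.domain.tld'           # assumption: the client's FQDN
$MachineUpn = 'host$@domain.tld'          # assumption: computer account sAMAccountName is host$
$CaConfig   = 'ca01.domain.tld\Domain-CA' # assumption: "<CA host>\<CA common name>"
$Template   = 'Workstation'               # assumption: a template carrying the Client Authentication EKU

$WorkDir = Join-Path $env:TEMP 'machine-upn-cert'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$InfPath = Join-Path $WorkDir 'request.inf'
$ReqPath = Join-Path $WorkDir 'request.req'
$CerPath = Join-Path $WorkDir 'issued.cer'

# certreq INF. MachineKeySet=TRUE generates the key in the computer store;
# 2.5.29.17 is the Subject Alternative Name extension, written in certreq's
# {text} form with one dns= entry and one upn= entry (each terminated by &).
$Inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$HostFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2   ; Client Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$HostFqdn&"
_continue_ = "upn=$MachineUpn&"

[RequestAttributes]
CertificateTemplate = $Template
"@
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# 1. Build the PKCS#10 request; the key pair lands in LocalMachine\My.
certreq -new $InfPath $ReqPath
# 2. Submit to the enterprise CA; with auto-issuance the .cer comes straight back.
certreq -submit -config $CaConfig $ReqPath $CerPath
# 3. Bind the issued certificate to its private key in the computer store.
certreq -accept -machine $CerPath

# Verify: decode the SAN of the newest cert with our subject and confirm the UPN
# is present. If the template's subject name is set to "Build from Active
# Directory information" rather than "Supply in the request", the CA replaces
# the requested SAN with its own DNS-only value and this check fails.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$HostFqdn" } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$HostFqdn in LocalMachine\My." }

$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) { throw 'Issued certificate has no Subject Alternative Name extension.' }

$sanText = $san.Format($true)
Write-Host "SAN of $($cert.Thumbprint):`n$sanText"
if ($sanText -notmatch [regex]::Escape($MachineUpn)) {
    throw "UPN $MachineUpn is missing from the SAN; check the template's subject name settings."
}
Write-Host "OK: machine certificate carries both DNS and UPN SAN entries."
```

The final check is the part worth keeping: whether the issued certificate contains the UPN is decided by the CA's template settings, not by the request, so read the SAN back from the store rather than trusting the INF. Whether ISA will then map that certificate to the computer account via a "Windows user group" is exactly the open question Jim flags as speculation; this example only gets the certificate into the shape he describes.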