Nope, that formula would be having you melting down in 14.7 seconds. The correct formula however...would be...

I(x) = A exp[-2 (x - x0)^2 / w^2] / cos(42)xGMT-4

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Saturday, February 09, 2008 5:25 PM
To: ISAPros Mailing List
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Sure you can... That's what mirrors are for! Besides, I think I've nailed the divergence. It's the irradiance that I'm trying to determine... I think this will do it, though:

I(x) = A exp[-2 (x - x0)^2 / w^2]

I'll let you know :)

t

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Friday, February 08, 2008 8:19 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> You can't test divergence against your forehead...
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Friday, February 08, 2008 6:56 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> I'll go through everything over the weekend... brain is fried atm...
>
> t
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Friday, February 08, 2008 6:27 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Here's one for Tim to shoot down:
> >
> > Since machine auth certificates are built by default using DNS names (subj = "CN=host.domain.tld", SAN = "DNS Name=host.domain.tld") and not UPN ("account@xxxxxxxxxx"), it's impossible for Windows to resolve the cert to an account.
> > You could try using certreq (supp tools) to build a machine cert that uses UPN format (machine$@domain.tld) in the subject and/or SAN (you'll probably have to play a bit) and include "domain\domain computers" in an ISA "Windows user group".
> > ..all speculation, of course...
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Friday, February 08, 2008 6:23 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Right, done a little more testing (playing) with this and here are my findings, I think I got the skinny on this, but a sanity check would be good :)
> >
> > Option 1: Use Server Publishing
> >
> > Results - SCCM client can authenticate to IIS on the SCCM management point using its own personal client certificate and be fully managed, deployed with software/patches etc.
> >
> > Pros - Everything works
> > Cons - Not ideal and ISA isn't adding a lot of value here as having to use Server publishing.
> >
> > Option 2: Use Web Publishing without KCD
> >
> > Results - I can only get this to work by configuring the ISA listener for no auth and then use the "use a client cert to authenticate to the SSL web server" option on the bridging tab. If I enable the "SSL client auth" option on the web listener, ISA attempts to validate the certificate with AD, HOWEVER the client certs are issued to Internet clients who are not members of AD and hence have no validity with AD. Hence ISA gives a 401 error, kinda as expected.
> >
> > Pros - Everything works and ISA **can** inspect the HTTP requests
> > Cons - We have no way of authenticating external clients and they all appear to "hide" behind the ISA Server client certificate.
> > This means any SCCM client, even without a client cert, can connect as ISA will perform the actual client auth request by the internal IIS server on the management point. This seems unworkable from what I can tell as SCCM will only ever see one client...
> >
> > Option 3: Use Web Publishing with KCD
> >
> > Results - As ISA cannot validate the client certificate with AD, we don't even get a chance to perform delegation to the IIS server on the SCCM management point. Hence this option is a non-starter.
> >
> > Cons - Fundamentally flawed :-) (I think)
> >
> > Does all of this look correct or have I missed some options or misunderstood something?
> >
> > From my understanding FOR THIS PARTICULAR SCENARIO, I have no choice but to accept defeat and go for server publishing???
> >
> > As ever, thanks for any input/comments...
> >
> > Cheers
> >
> > JJ
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: 02 February 2008 15:17
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Yes; that makes sense.
> > It's a shame that there is no good way to do this but that's the benefit of client-cert auth; MITM is very difficult to perform.
> >
> > Something to note about this process; any "SSL inspection" methodology is going to break client cert auth. This is equally true of the BlueCoat & ClearTunnel offerings. Once you crack the SSL channel, the certs have to be "mimicked" to each side. This is how they both work - by "reissuing" the server certificate and terminating the SSL session at the proxy so that the internal traffic can be inspected.
> > While it's relatively simple to use your proxy as an intermediate CA because you can define a trust for it to your users, doing so for the Internet folks is much more difficult (and expensive!).
> > They have to trust your proxy as an intermediate CA if your "reissued" client cert is to be worthwhile. Odds are, this just ain't happening.
> >
> > I can't speak to any future plans here (obviously), but I'm not a personal fan of Cardspace. Perhaps some more research will ease my concerns...
> >
> > Jim
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> > Sent: Saturday, February 02, 2008 2:19 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Hi Jim,
> >
> > maybe I should rephrase my statement in order to clarify better what I mean.
> >
> > Whenever the application insists on the client cert itself then nothing much you can do but using server publishing. A classic example I encounter every day is the use of the Belgium e-ID to authenticate to a web application. In this scenario you can't use delegation or user mapping at all because the users aren't known beforehand. Moreover, in many cases the application must be able to read some stuff out of the e-ID. In short, a number of reasons why pre-authentication isn't possible and therefore SSL bridging.
> >
> > I wonder how 'Windows Cardspace' or in more general terms 'Information Cards' and 'WS-*' can/will cooperate in a pre-authentication scenario with ISA server?
> >
> > Kindly,
> > Stefaan
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Friday 1 February 2008 19:58
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > I'm actually very surprised you take this position.
> > If ISA can terminate the SSL session (required for ISA to handle client certs), then you can apply the HTTP smarts ISA brings to the table.
> > Server publishing SSL can't accomplish this.
> >
> > Jim
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> > Sent: Friday, February 01, 2008 8:41 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Hi Jason,
> >
> > my reasoning, whenever client certs are involved, use server publishing. Nothing ISA can do to enhance the security.
> >
> > HTH,
> >
> > Stefaan
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Friday 1 February 2008 16:49
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Hi All,
> >
> > Any more thoughts on this?
> >
> > From what I now understand, the SCCM client is using a client auth cert to authenticate to the IIS instance running on the SCCM management point (mutual cert auth).
> >
> > We are getting close to SCCM deployments where customers want IBCM, but the only ISA Server solution I can get working is to use SSL tunnelling (server publishing). I have tried various web publishing configurations and none of them seem to work - I have tried the following:
> >
> > * Simple web publishing, ISA listener with no authentication and "allow client to authenticate" defined in the delegation tab - assumed this would just use pass-through auth to the IIS website to allow for this to do the client auth.
> >
> > * Pre-auth web publishing, ISA listener using client cert auth and then KCD to delegate to IIS.
> >
> > Do we think that one of these should work, or is web publishing for SCCM IBCM fundamentally flawed?
> >
> > Anyone actually got it working???
> > I know SCCM is quite new, but are we just too ahead of the curve here?
> >
> > Cheers
> >
> > JJ
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: 19 October 2007 08:50
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Hi t,
> >
> > I was hoping to do the former and then use KCD, but from what I gather SCCM is using computer based certs - I believe this makes things harder? Not really come across this scenario before...I currently have it working in the lab using server publishing, but I cannot bear the thought of doing this for customers...
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: 18 October 2007 22:15
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > While I've not used SCCM, I've done a good bit of work with different certificate-based authentication models. Are you considering using a web-listener configured for SSL Client Certificate Authentication, or just web-publishing to a back-end web server where it will do its own certificate-to-user mapping?
> >
> > t
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Thursday, October 18, 2007 1:11 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Did this Q get hidden within Amy's posts or is it a big fat "don't know"? :)
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: 17 October 2007 00:49
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] SCCM and ISA - Worth a shot!
> >
> > Hi,
> >
> > Has anyone used ISA with System Centre Configuration Manager (SCCM) yet? Specifically when using Native mode (e.g. full-on PKI mode).
> >
> > The initial documentation is a little patchy and seems to contradict itself between using Web Publishing and Server Publishing when using Internet based clients that cannot back into the CM server. The SCCM documentation talks about lots of perimeter and internet-facing scenarios, but I want to try and use an ISA based model in a similar way to protecting Exchange or SharePoint. A quote from Jim comes to mind "..we don't need no stinking DMZs"
> >
> > Ideally I want to use Web Publishing, but all communications in SCCM utilise client certificate based authentication.
> >
> > Am I right in thinking I can use ISA Web publishing combined with KCD to secure access from CM clients to the CM server?
> >
> > Answers that tell me that I have to use Server Publishing will make me cry, so please be sensitive
> >
> > Thanks in advance...
> >
> > Cheers
> >
> > JJ
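
The thread's discussion of certificate-to-account mapping turns on which name forms a certificate's subjectAltName carries (DNS name versus UPN). As an added example, not code from the thread or from ISA Server, the Python below decodes a DER-encoded SAN value and lists the DNS names and UPNs in it; the function names are hypothetical and the sample values are constructed from the placeholder names used in the thread.

```python
# Added example: list the name forms in a DER-encoded subjectAltName value.
UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3 (UPN)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def san_names(san_der):
    """Return ("dns", name) / ("upn", name) pairs from a GeneralNames SEQUENCE."""
    tag, body, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x82:                    # dNSName, [2] IMPLICIT IA5String
            names.append(("dns", val.decode("ascii")))
        elif tag == 0xA0:                  # otherName, [0] { OID, [0] value }
            oid_tag, oid, nxt = read_tlv(val, 0)
            _, wrapped, _ = read_tlv(val, nxt)
            _, text, _ = read_tlv(wrapped, 0)
            if oid_tag == 0x06 and oid == UPN_OID:
                names.append(("upn", text.decode("utf-8")))
    return names

def upn_candidates(san_der):
    """UPNs present in the SAN; empty for a DNS-only certificate."""
    return [name for kind, name in san_names(san_der) if kind == "upn"]

def tlv(tag, value):
    """Encode one short-form DER element (used only to build the samples)."""
    if len(value) > 127:
        raise ValueError("sample helper handles short-form lengths only")
    return bytes([tag, len(value)]) + value

# Constructed samples using the placeholder names from the thread.
DNS_ONLY_SAN = tlv(0x30, tlv(0x82, b"host.domain.tld"))
UPN_SAN = tlv(0x30, tlv(0xA0, tlv(0x06, UPN_OID)
                        + tlv(0xA0, tlv(0x0C, b"machine$@domain.tld"))))

if __name__ == "__main__":
    for label, san in (("DNS-only cert", DNS_ONLY_SAN), ("UPN cert", UPN_SAN)):
        print(label, san_names(san), "UPNs:", upn_candidates(san))
```

To run it against a real certificate, extract the subjectAltName extension value (OID 2.5.29.17) first; that step is outside this example.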