P.S. I also had to make sure the certificate on the SCCM management point had the external FQDN as the CN and first SAN to avoid the current issue with ISA and SAN certs ;-)

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: 13 February 2008 16:35
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Well.....................it does work!!! :-) mucho :-)

I had to use the online CA, and use a new template that allows the subject name to be defined in the request and the cert private key to be exported. I then used homepc$@domain.com in the cert request's subject line and exported the cert onto the client. I then added a fake computer object to the domain called homepc$. Once these were both done, ISA was then able to authenticate the client cert, and I got one step closer...hurrah!

However, I can't get KCD to work, but think this is more an issue with SCCM than ISA, as everything looks right and I don't get any KCD alerts (which you normally get when it is wrong!). If I use the bridging option to specify ISA's own client cert I have a fully working setup. I think this actually now makes sense based upon how SCCM works.

To tie this down even more, I have then created a group called 'SCCM Internet clients' and added homepc$, then configured the web pubs rule to use this group.

So, unless I am mistaken we now have the following scenario:

* ISA pre-auth'ing all clients based upon their client certificates, no cert, no dice! (I like preauth)
* ISA is in reverse web proxy and can HTTP inspect all traffic (will tie down allowed verbs as next step)
* ISA SSL bridges to SCCM management point and provides its own client auth cert to satisfy the MP
* SCCM client specifies a special GUID in the packets (as I have now found out) so the cert provided by ISA is not actually used to identify the client, just to set up the mutual TLS session.
This looks sooooo MUCH better than server publishing to me ;-)

Thanks to Jim (again) for the crucial "next step" link!

Cheers
JJ

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: 13 February 2008 15:19
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Actually, in re-examining the idea, there is no UPN for a computer account (and no place I can see to add one). It'll take some playing to find out if it can work and if so, how.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Wednesday, February 13, 2008 3:19 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Ok, this seems to make sense - need to have a look and see how achievable it is. The best practice for issuing client certificates for Internet SCCM clients is to use a standalone CA (as they are not part of AD), so I'm guessing this option is not workable - correct?

If I **can** just get ISA to validate the certs, I should then just be able to KCD them to the IIS server - yes?

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: 09 February 2008 02:27
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Here's one for Tim to shoot down:

Since machine auth certificates are built by default using DNS names (subj = "CN=host.domain.tld", SAN = "DNS Name=host.domain.tld") and not UPN ("account@xxxxxxxxxx"), it's impossible for Windows to resolve the cert to an account. You could try using certreq (supp tools) to build a machine cert that uses UPN format (machine$@domain.tld) in the subject and/or SAN (you'll probably have to play a bit) and include "domain\domain computers" in an ISA "Windows user group".

..all speculation, of course...
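Jim's point above (a default machine certificate carries only DNS names in its CN and SAN, so Windows has no UPN to map the cert to an account) and JJ's earlier P.S. (the management point cert needs the external FQDN as CN and first SAN) both come down to what is actually inside the SAN extension. The script below is an added example, not code from this thread or from any Microsoft tool: it builds constructed SAN blobs with a minimal standard-library DER encoder, then parses them back to report whether a UPN is present and whether a server cert's first SAN entry matches its CN. The names homepc.domain.com, homepc$@domain.com and sccm.example.com are constructed sample values; the otherName OID 1.3.6.1.4.1.311.20.2.3 is Microsoft's documented UPN OID. The DER helpers only cover the tags used here, not full X.509 parsing.

```python
"""Inspect a SAN extension: is there a UPN Windows could map to an account,
and does a server cert put the external FQDN first?  Added example using a
tiny hand-written DER encoder/decoder (standard library only)."""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft otherName OID for a User Principal Name


# --- minimal DER helpers (only what this example needs) ---------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Wrap content in a DER TLV with the given single-byte tag."""
    return bytes([tag]) + _der_len(len(content)) + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128 with continuation bits
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return der(0x06, bytes(out))


def decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


# --- SAN construction (what a CA template or certreq INF would emit) --------
def build_san(dns_names=(), upn=None):
    """GeneralNames with dNSName [2] entries and, optionally, an otherName [0] UPN."""
    names = b"".join(der(0x82, n.encode("ascii")) for n in dns_names)
    if upn is not None:
        # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
        other = encode_oid(UPN_OID) + der(0xA0, der(0x0C, upn.encode("utf-8")))
        names += der(0xA0, other)       # otherName is [0] IMPLICIT, constructed
    return der(0x30, names)


def parse_san(san):
    """Return a list of (kind, value) tuples from a DER GeneralNames blob."""
    tag, content, _ = read_tlv(san)
    if tag != 0x30:
        raise ValueError("SAN must be a SEQUENCE")
    entries, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        if tag == 0x82:                 # dNSName (IA5String)
            entries.append(("dns", value.decode("ascii")))
        elif tag == 0xA0:               # otherName
            _, oid_content, p = read_tlv(value)
            _, explicit, _ = read_tlv(value, p)   # [0] EXPLICIT wrapper
            _, inner, _ = read_tlv(explicit)      # the UTF8String itself
            kind = "upn" if decode_oid(oid_content) == UPN_OID else "other"
            entries.append((kind, inner.decode("utf-8")))
        else:
            entries.append(("unsupported", value.hex()))
    return entries


def account_mappable(san):
    """The UPN ISA/Windows could resolve to an AD account, or None if only DNS names."""
    for kind, value in parse_san(san):
        if kind == "upn":
            return value
    return None


def mp_cert_ok(subject_cn, san, external_fqdn):
    """Server-cert check from the P.S.: external FQDN must be the CN and the first SAN."""
    entries = parse_san(san)
    return subject_cn == external_fqdn and bool(entries) and entries[0] == ("dns", external_fqdn)


# Constructed sample SANs (no real certificates involved)
MACHINE_SAN = build_san(dns_names=["homepc.domain.com"])                         # default machine template
UPN_SAN = build_san(dns_names=["homepc.domain.com"], upn="homepc$@domain.com")   # custom request
MP_SAN = build_san(dns_names=["sccm.example.com", "mp01.domain.local"])         # management point

if __name__ == "__main__":
    for label, san in (("machine cert", MACHINE_SAN), ("UPN cert", UPN_SAN)):
        print(label, parse_san(san), "-> mappable UPN:", account_mappable(san))
    print("MP cert ok:", mp_cert_ok("sccm.example.com", MP_SAN, "sccm.example.com"))
```

Running it shows the default machine cert yields no mappable UPN while the custom request does, which is exactly the gap JJ closed by issuing a cert with homepc$@domain.com in the subject and creating a matching computer object.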
-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Friday, February 08, 2008 6:23 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Right, done a little more testing (playing) with this and here are my findings. I think I got the skinny on this, but a sanity check would be good :)

Option 1: Use Server Publishing
Results - SCCM client can authenticate to IIS on the SCCM management point using its own personal client certificate and be fully managed, deployed with software/patches etc.
Pros - Everything works
Cons - Not ideal and ISA isn't adding a lot of value here as having to use Server publishing.

Option 2: Use Web Publishing without KCD
Results - I can only get this to work by configuring the ISA listener for no auth and then use the "use a client cert to authenticate to the SSL web server" option on the bridging tab. If I enable the "SSL client auth" option on the web listener, ISA attempts to validate the certificate with AD, HOWEVER the client certs are issued to Internet clients who are not members of AD and hence have no validity with AD. Hence ISA gives a 401 error, kinda as expected.
Pros - Everything works and ISA **can** inspect the HTTP requests
Cons - We have no way of authenticating external clients and they all appear to "hide" behind the ISA Server client certificate. This means any SCCM client, even without a client cert, can connect as ISA will perform the actual client auth requested by the internal IIS server on the management point. This seems unworkable from what I can tell as SCCM will only ever see one client...

Option 3: Use Web Publishing with KCD
Results - As ISA cannot validate the client certificate with AD, we don't even get a chance to perform delegation to the IIS server on the SCCM management point. Hence this option is a non-starter.
Cons - Fundamentally flawed :-) (I think)

Does all of this look correct or have I missed some options or misunderstood something? From my understanding FOR THIS PARTICULAR SCENARIO, I have no choice but to accept defeat and go for server publishing???

As ever, thanks for any input/comments...

Cheers
JJ

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: 02 February 2008 15:17
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Yes; that makes sense. It's a shame that there is no good way to do this but that's the benefit of client-cert auth; MITM is very difficult to perform.

Something to note about this process; any "SSL inspection" methodology is going to break client cert auth. This is equally true of the BlueCoat & ClearTunnel offerings. Once you crack the SSL channel, the certs have to be "mimicked" to each side. This is how they both work - by "reissuing" the server certificate and terminating the SSL session at the proxy so that the internal traffic can be inspected. While it's relatively simple to use your proxy as an intermediate CA because you can define a trust for it to your users, doing so for the Internet folks is much more difficult (and expensive!). They have to trust your proxy as an intermediate CA if your "reissued" client cert is to be worthwhile. Odds are, this just ain't happening.

I can't speak to any future plans here (obviously), but I'm not a personal fan of Cardspace. Perhaps some more research will ease my concerns...

Jim

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
Sent: Saturday, February 02, 2008 2:19 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Hi Jim,

maybe I should rephrase my statement in order to clarify better what I mean.
Whenever the application insists on the client cert itself then there is nothing much you can do but use server publishing. A classic example I encounter every day is the use of the Belgian e-ID to authenticate to a web application. In this scenario you can't use delegation or user mapping at all because the users aren't known beforehand. Moreover, in many cases the application must be able to read some stuff out of the e-ID. In short, a number of reasons why pre-authentication isn't possible and therefore SSL bridging.

I wonder how 'Windows Cardspace' or in more general terms 'Information Cards' and 'WS-*' can/will cooperate in a pre-authentication scenario with ISA server?

Kindly,
Stefaan

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday 1 February 2008 19:58
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

I'm actually very surprised you take this position. If ISA can terminate the SSL session (required for ISA to handle client certs), then you can apply the HTTP smarts ISA brings to the table. Server publishing SSL can't accomplish this.

Jim

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
Sent: Friday, February 01, 2008 8:41 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Hi Jason,

my reasoning, whenever client certs are involved, use server publishing. Nothing ISA can do to enhance the security.

HTH,
Stefaan

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Friday 1 February 2008 16:49
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Hi All,

Any more thoughts on this? From what I now understand, the SCCM client is using a client auth cert to authenticate to the IIS instance running on the SCCM management point (mutual cert auth).
We are getting close to SCCM deployments where customers want IBCM, but the only ISA Server solution I can get working is to use SSL tunnelling (server publishing). I have tried various web publishing configurations and none of them seem to work - I have tried the following:

* Simple web publishing, ISA listener with no authentication and "allow client to authenticate" defined in the delegation tab - assumed this would just use pass-through auth to the IIS website to allow for this to do the client auth.
* Pre-auth web publishing, ISA listener using client cert auth and then KCD to delegate to IIS.

Do we think that one of these should work, or is web publishing for SCCM IBCM fundamentally flawed? Anyone actually got it working??? I know SCCM is quite new, but are we just too ahead of the curve here?

Cheers
JJ

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: 19 October 2007 08:50
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Hi t,

I was hoping to do the former and then use KCD, but from what I gather SCCM is using computer based certs - I believe this makes things harder? Not really come across this scenario before...I currently have it working in the lab using server publishing, but I cannot bear the thought of doing this for customers...

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: 18 October 2007 22:15
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

While I've not used SCCM, I've done a good bit of work with different certificate-based authentication models. Are you considering using a web-listener configured for SSL Client Certificate Authentication, or just web-publishing to a back-end web server where it will do its own certificate-to-user mapping?
t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Thursday, October 18, 2007 1:11 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Did this Q get hidden within Amy's posts or is it a big fat "don't know"?

J

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: 17 October 2007 00:49
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] SCCM and ISA - Worth a shot!

Hi,

Has anyone used ISA with System Centre Configuration Manager (SCCM) yet? Specifically when using Native mode (e.g. full-on PKI mode).

The initial documentation is a little patchy and seems to contradict itself between using Web Publishing and Server Publishing when using Internet based clients that cannot back into the CM server. The SCCM documentation talks about lots of perimeter and internet-facing scenarios, but I want to try and use an ISA based model in a similar way to protecting Exchange or SharePoint. A quote from Jim comes to mind "..we don't need no stinking DMZs"

Ideally I want to use Web Publishing, but all communications in SCCM utilise client certificate based authentication. Am I right in thinking I can use ISA Web publishing combined with KCD to secure access from CM clients to the CM server?

Answers that tell me that I have to use Server Publishing will make me cry, so please be sensitive

Thanks in advance...

Cheers
JJ

________________________________
This email and any files transmitted with it are confidential and intended solely for the use of the individual to whom it is addressed.
If you have received this email in error, or if you believe this email is unsolicited and wish to be removed from any future mailings, please contact our Support Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx

If this email contains a quotation then unless otherwise stated it is valid for 7 days and offered subject to Silversands Professional Services Terms and Conditions, a copy of which is available on request. Any pricing information, design information or information concerning specific Silversands' staff contained in this email is considered confidential or of commercial interest and exempt from the Freedom of Information Act 2000. Any view or opinions presented are solely those of the author and do not necessarily represent those of Silversands

Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX. Company Registration Number : 2141393.