[isapros] Re: SCCM and ISA - Worth a shot!

  • From: Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 13 Feb 2008 16:50:31 +0000

P.S. I also had to make sure the certificate on the SCCM management point had 
the external FQDN as the CN and first SAN to avoid the current issue with ISA 
and SAN certs ;-)
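The CN/first-SAN constraint mentioned in the P.S. above is easy to get wrong, because a CA may reorder SAN entries when it issues the certificate. The following PowerShell check is an added example and not part of the thread: it reads an exported certificate, reports the CN, the first SAN entry and any UPN the certificate carries, and says whether the CN is the expected external FQDN and is also the first SAN entry. The function name, file path and FQDN are placeholders; the SAN parsing assumes the Windows text rendering of the extension (one entry per line, e.g. `DNS Name=host.example.com`).

```powershell
# Added example, not from the thread. Checks an exported certificate against
# the constraint: external FQDN must be the CN and the first SAN entry.
function Test-PublishedCertName {
    param(
        [Parameter(Mandatory)][string]$Path,          # .cer exported from the MP / listener
        [Parameter(Mandatory)][string]$ExternalFqdn   # name Internet clients connect to
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]

    # SimpleName returns the subject CN; UpnName returns the UPN other-name from the SAN (if any)
    $cn  = $cert.GetNameInfo($nameType::SimpleName, $false)
    $upn = $cert.GetNameInfo($nameType::UpnName, $false)

    # 2.5.29.17 is the subjectAltName extension; Format($true) renders one entry per line
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    $sanEntries = @()
    if ($sanExt) {
        $sanEntries = @($sanExt.Format($true) -split "`r?`n" |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $firstSan = if ($sanEntries.Count -gt 0) { $sanEntries[0] } else { $null }
    # strip the "DNS Name=" style label; a non-DNS first entry simply fails the comparison
    $firstSanValue = if ($firstSan) { ($firstSan -split '=', 2)[-1].Trim() } else { $null }

    $cnIsExternal = ($cn -ieq $ExternalFqdn)
    $firstSanIsCn = ($null -ne $firstSanValue) -and ($firstSanValue -ieq $cn)

    [pscustomobject]@{
        Subject      = $cert.Subject
        CommonName   = $cn
        Upn          = $upn
        FirstSan     = $firstSan
        AllSan       = $sanEntries
        CnIsExternal = $cnIsExternal
        FirstSanIsCn = $firstSanIsCn
        NotAfter     = $cert.NotAfter
        Ok           = $cnIsExternal -and $firstSanIsCn
    }
}

# Placeholder values: export the MP certificate (public part only) to a .cer first.
Test-PublishedCertName -Path 'C:\temp\mp.cer' -ExternalFqdn 'sccm.example.com'
```

Run it against the certificate actually bound in IIS on the management point rather than the template, since it is the issued certificate whose SAN order matters to ISA.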

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jason Jones
Sent: 13 February 2008 16:35
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Well.....................it does work!!! :-) mucho :-)

I had to use the online CA, and use a new template that allows the subject name 
to be defined in the request and the cert private key to be exported. I then 
used homepc$@domain.com in the cert request's subject line and exported the cert 
onto the client. I then added a fake computer object to the domain called 
homepc$. Once these were both done, ISA was then able to authenticate the 
client cert, and I got one step closer...hurrah!

However, I can't get KCD to work, but think this is more an issue with SCCM 
than ISA, as everything looks right and I don't get any KCD alerts (which you 
normally get when it is wrong!). If I use the bridging option to specify ISA's 
own client cert I have a fully working setup. I think this actually now makes 
sense based upon how SCCM works.

To tie this down even more, I have then created a group called 'SCCM Internet 
clients' and added homepc$, then configured the web pubs rule to use this group.

So, unless I am mistaken we now have the following scenario:

* ISA pre-auth'ing all clients based upon their client certificates, no cert, 
no dice! (I like preauth)
* ISA is in reverse web proxy and can HTTP inspect all traffic (will tie down 
allowed verbs as next step)
* ISA SSL bridges to SCCM management point and provides its own client auth 
cert to satisfy the MP
* SCCM client specifies a special GUID in the packets (as I have now found out) 
so the cert provided by ISA is not actually used to identify the client, just 
to setup the mutual TLS session.

This looks sooooo MUCH better than server publishing to me ;-)

Thanks to Jim (again) for the crucial "next step" link!

Cheers

JJ


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: 13 February 2008 15:19
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Actually, in re-examining the idea, there is no UPN for a computer account (and 
no place I can see to add one).
It'll take some playing to find out if it can work and if so, how.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jason Jones
Sent: Wednesday, February 13, 2008 3:19 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Ok, this seems to make sense - need to have a look and see how achievable it is. 
The best practice for issuing client certificates for Internet SCCM clients is 
to use a standalone CA (as they are not part of AD), so I'm guessing this option 
is not workable - correct?

If I **can** just get ISA to validate the certs, I should then just be able to 
KCD them to the IIS server - yes?

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: 09 February 2008 02:27
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Here's one for Tim to shoot down:

Since machine auth certificates are built by default using DNS names (subj = 
"CN=host.domain.tld", SAN = "DNS Name=host.domain.tld") and not UPN 
("account@xxxxxxxxxx"), it's impossible for Windows to resolve the cert to an 
account.  You could try using certreq (supp tools) to build a machine cert that 
uses UPN format (machine$@domain.tld) in the subject and/or SAN (you'll 
probably have to play a bit) and include "domain\domain computers" in an ISA 
"Windows user group".  ..all speculation, of course...
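Jim's certreq idea above (a machine cert carrying the account in UPN form, `machine$@domain.tld`, in the subject and/or SAN) is what Jason later reports working with a template that allows the subject to be supplied in the request and the key to be exported. The following is an added example, not code from the thread: a PowerShell wrapper that writes the certreq INF for such a request and submits it to the online CA. The computer name, domain, template name and output paths are placeholders; the template must exist on the CA with "supply in the request" and exportable keys enabled, and the client-auth EKU is included because the client presents this cert to the web listener.

```powershell
# Added example, not from the thread. Builds and submits a certreq request
# whose subject and SAN identify the computer account in UPN form.
$machine  = 'homepc'                   # placeholder: computer-account name without the '$'
$domain   = 'domain.com'               # placeholder: AD DNS domain
$template = 'SCCMInternetClientAuth'   # assumed: template allowing subject-in-request + exportable key

# UPN form of the computer account, e.g. homepc$@domain.com (single quotes: no expansion of '$')
$upn = '{0}$@{1}' -f $machine, $domain

$inf = @"
[NewRequest]
Subject = "CN=$upn"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; clientAuth: the certificate is presented by the client, not a server
OID = 1.3.6.1.5.5.7.3.2

[RequestAttributes]
CertificateTemplate = $template

[Extensions]
; 2.5.29.17 = subjectAltName. The UPN other-name goes first so it is the
; first SAN entry; the DNS name follows for completeness.
2.5.29.17 = "{text}"
_continue_ = "UPN=$upn&"
_continue_ = "DNS=$machine.$domain&"
"@

$base = Join-Path $env:TEMP $machine
Set-Content -Path "$base.inf" -Value $inf -Encoding ASCII

# Generate the request (key is created in the machine store because MachineKeySet = TRUE)
certreq -new "$base.inf" "$base.req"
# Submit to the enterprise CA; without -config certreq prompts for the CA if more than one is visible
certreq -submit "$base.req" "$base.cer"
# Bind the issued certificate to the pending request / private key in the machine store
certreq -accept "$base.cer"
```

After `-accept`, the certificate (with its now-exportable private key) can be exported from the machine store and installed on the Internet client; the account it maps to is whichever object holds that UPN, which is why Jason's follow-up needed a matching computer object in the domain.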

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jason Jones
Sent: Friday, February 08, 2008 6:23 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Right, done a little more testing (playing) with this and here are my findings, 
I think I got the skinny on this, but a sanity check would be good :)

Option 1: Use Server Publishing

Results - SCCM client can authenticate to IIS on the SCCM management point 
using its own personal client certificate and be fully managed, deployed with 
software/patches etc.

Pros - Everything works
Cons - Not ideal and ISA isn't adding a lot of value here as having to use 
Server publishing.

Option 2: Use Web Publishing without KCD

Results - I can only get this to work by configuring the ISA listener for no 
auth and then use the "use a client cert to authenticate to the SSL web server" 
option on the bridging tab. If I enable the "SSL client auth" option on the web 
listener, ISA attempts to validate the certificate with AD, HOWEVER the client 
certs are issued to Internet clients who are not members of AD and hence have 
no validity with AD. Hence ISA gives a 401 error, kinda as expected.

Pros - Everything works and ISA **can** inspect the HTTP requests
Cons - We have no way of authenticating external clients and they all appear to 
"hide" behind the ISA Server client certificate. This means any SCCM client, 
even without a client cert, can connect as ISA will perform the actual client 
auth request by the internal IIS server on the management point. This seems 
unworkable from what I can tell as SCCM will only ever see one client...

Option 3: Use Web Publishing with KCD

Results - As ISA cannot validate the client certificate with AD, we don't even 
get a chance to perform delegation to the IIS server on the SCCM management 
point. Hence this option is a non-starter.

Cons - Fundamentally flawed :-) (I think)

Does all of this look correct or have I missed some options or misunderstood 
something?

From my understanding FOR THIS PARTICULAR SCENARIO, I have no choice but to 
accept defeat and go for server publishing???

As ever, thanks for any input/comments...

Cheers

JJ


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: 02 February 2008 15:17
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Yes; that makes sense.
It's a shame that there is no good way to do this but that's the benefit of 
client-cert auth; MITM is very difficult to perform.

Something to note about this process; any "SSL inspection" methodology is going 
to break client cert auth.  This is equally true of the BlueCoat & ClearTunnel 
offerings.  Once you crack the SSL channel, the certs have to be "mimicked" to 
each side.  This is how they both work - by "reissuing" the server certificate 
and terminating the SSL session at the proxy so that the internal traffic can 
be inspected.
While it's relatively simple to use your proxy as an intermediate CA because 
you can define a trust for it to your users, doing so for the Internet folks is 
much more difficult (and expensive!).  They have to trust your proxy as an 
intermediate CA if your "reissued" client cert is to be worthwhile.  Odds are, 
this just ain't happening.

I can't speak to any future plans here (obviously), but I'm not a personal fan 
of Cardspace.  Perhaps some more research will ease my concerns...

Jim

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Stefaan Pouseele
Sent: Saturday, February 02, 2008 2:19 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Hi Jim,

maybe I should rephrase my statement in order to clarify better what I mean.


Whenever the application insists on the client cert itself then there is nothing
much you can do but use server publishing. A classic example I encounter every
day is the use of the Belgian e-ID to authenticate to a web application. In
this scenario you can't use delegation or user mapping at all because the
users aren't known beforehand. Moreover, in many cases the application must
be able to read some stuff out of the e-ID. In short, a number of reasons
why pre-authentication isn't possible and therefore SSL bridging.

I wonder how 'Windows Cardspace' or in more general terms 'Information
Cards' and 'WS-*' can/will cooperate in a pre-authentication scenario with
ISA server?

Kindly,
Stefaan

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Friday 1 February 2008 19:58
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

I'm actually very surprised you take this position.
If ISA can terminate the SSL session (required for ISA to handle client
certs), then you can apply the HTTP smarts ISA brings to the table.
Server publishing SSL can't accomplish this.

Jim

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Stefaan Pouseele
Sent: Friday, February 01, 2008 8:41 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Hi Jason,

my reasoning, whenever client certs are involved, use server publishing.
Nothing ISA can do to enhance the security.

HTH,

Stefaan

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason Jones
Sent: Friday 1 February 2008 16:49
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Hi All,

Any more thoughts on this?

From what I now understand, the SCCM client is using a client auth cert to
authenticate to the IIS instance running on the SCCM management point
(mutual cert auth).

We are getting close to SCCM deployments where customers want IBCM, but the
only ISA Server solution I can get working is to use SSL tunnelling (server
publishing). I have tried various web publishing configurations and none of
them seem to work - I have tried the following:

* Simple web publishing, ISA listener with no authentication and "allow
client to authenticate" defined in the delegation tab - assumed this would
just use pass-through auth to the IIS website to allow for this to do the
client auth.

* Pre-auth web publishing, ISA listener using client cert auth and then KCD
to delegate to IIS.

Do we think that one of these should work, or is web publishing for SCCM
IBCM fundamentally flawed?

Anyone actually got it working??? I know SCCM is quite new, but are we just
too ahead of the curve here?

Cheers

JJ

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason Jones
Sent: 19 October 2007 08:50
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Hi t,

I was hoping to do the former and then use KCD, but from what I gather SCCM
is using computer based certs - I believe this makes things harder? Not
really come across this scenario before...I currently have it working in
the lab using server publishing, but I cannot bear the thought of doing this
for customers...

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Thor (Hammer of God)
Sent: 18 October 2007 22:15
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

While I've not used SCCM, I've done a good bit of work with different
certificate-based authentication models.  Are you considering using a
web-listener configured for SSL Client Certificate Authentication, or just
web-publishing to a back-end web server where it will do its own
certificate-to-user mapping?

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason Jones
Sent: Thursday, October 18, 2007 1:11 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

Did this Q get hidden within Amy's posts or is it a big fat "don't know"? :-)

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason Jones
Sent: 17 October 2007 00:49
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] SCCM and ISA - Worth a shot!

Hi,

Has anyone used ISA with System Centre Configuration Manager (SCCM) yet?
Specifically when using Native mode (e.g. full-on PKI mode).

The initial documentation is a little patchy and seems to contradict itself
between using Web Publishing and Server Publishing when using Internet based
clients that cannot back into the CM server. The SCCM documentation talks
about lots of perimeter and internet-facing scenarios, but I want to try and
use an ISA based model in a similar way to protecting Exchange or
SharePoint. A quote from Jim comes to mind "..we don't need no stinking
DMZs"

Ideally I want to use Web Publishing, but all communications in SCCM utilise
client certificate based authentication.

Am I right in thinking I can use ISA Web publishing combined with KCD to
secure access from CM clients to the CM server?

Answers that tell me that I have to use Server Publishing will make me cry,
so please be sensitive

Thanks in advance...

Cheers

JJ

________________________________

This email and any files transmitted with it are confidential and intended
solely for the use of the individual to whom it is addressed. If you have
received this email in error, or if you believe this email is unsolicited
and wish to be removed from any future mailings, please contact our Support
Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx

If this email contains a quotation then unless otherwise stated it is valid
for 7 days and offered subject to Silversands Professional Services Terms
and Conditions, a copy of which is available on request. Any pricing
information, design information or information concerning specific
Silversands' staff contained in this email is considered confidential or of
commercial interest and exempt from the Freedom of Information Act 2000.

Any view or opinions presented are solely those of the author and do not
necessarily represent those of Silversands

Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
Company Registration Number : 2141393.
