How come I don't have one? I think you MADE yours! :) Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- Microsoft Firewalls (ISA) > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor > (Hammer of God) > Sent: Saturday, February 16, 2008 2:12 PM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > Whew! I'm SO relieved. And I sure do-- it's under "Certificate > Templates" in the CA MMC -- > > See attached (Note the "ClientAuth" Certificate Template) > highlighted in > attached jpeg. Please let me know if there is anything else I can do > for you :-p > > t > > > -----Original Message----- > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder > > Sent: Saturday, February 16, 2008 11:06 AM > > To: isapros@xxxxxxxxxxxxx > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > A "client certificate" template :) > > > > Thomas W Shinder, M.D. > > Site: www.isaserver.org > > Blog: http://blogs.isaserver.org/shinder/ > > Book: http://tinyurl.com/3xqb7 > > MVP -- Microsoft Firewalls (ISA) > > > > > > > > > -----Original Message----- > > > From: isapros-bounce@xxxxxxxxxxxxx > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor > > > (Hammer of God) > > > Sent: Saturday, February 16, 2008 12:32 PM > > > To: isapros@xxxxxxxxxxxxx > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > I hate coming in on the back end of things like this! I've got > what? > > > And if Debbie gave you one, do I even want to know? I feel > > > so exposed!! > > > > > > t > > > > > > > -----Original Message----- > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder > > > > Sent: Saturday, February 16, 2008 10:04 AM > > > > To: isapros@xxxxxxxxxxxxx > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > Debi gave me one for Valentine's day :) > > > > > > > > Thomas W Shinder, M.D. > > > > Site: www.isaserver.org > > > > Blog: http://blogs.isaserver.org/shinder/ > > > > Book: http://tinyurl.com/3xqb7 > > > > MVP -- Microsoft Firewalls (ISA) > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of > Steve Moffat > > > > > Sent: Friday, February 15, 2008 5:27 PM > > > > > To: ISAPros Mailing List > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > Tim's got it.... > > > > > > > > > > -----Original Message----- > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas > > > W Shinder > > > > > Sent: Friday, February 15, 2008 11:31 AM > > > > > To: ISAPros Mailing List > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > Do I need to use a User Certificate or Machine Certificate? > > > > > > > > > > I can't find the "Client Certificate" template > > > > > > > > > > :-p > > > > > > > > > > Thomas W Shinder, M.D. > > > > > Site: www.isaserver.org > > > > > Blog: http://blogs.isaserver.org/shinder/ > > > > > Book: http://tinyurl.com/3xqb7 > > > > > MVP -- Microsoft Firewalls (ISA) > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of > Jason Jones > > > > > > Sent: Friday, February 15, 2008 2:51 AM > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > At last, some feedback from MS... > > > > > > > > > > > > > http://blogs.msdn.com/ameltzer/archive/2008/02/14/firewalls-an > > > > > > d-internet-based-client-management-part-2-isa-bridging.aspx > > > > > > > > > > > > It seems I was pretty much spot on in my final config! > > > > > > > > > > > > Personally, I like the idea of creating machine > based subject > > > > > > names (UPN format) and then creating fake computer > accounts - > > > > > > this seems more logical as SCCM is based around machine > > > > > > management and not user management. > > > > > > > > > > > > Jim => Will try to test the KCD stuff later... > > > > > > > > > > > > Cheers > > > > > > > > > > > > JJ > > > > > > > > > > > > -----Original Message----- > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim > Harrison > > > > > > Sent: 14 February 2008 21:23 > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > Of course... > > > > > > > > > > > > -----Original Message----- > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of > Jason Jones > > > > > > Sent: Thursday, February 14, 2008 9:38 AM > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > Ok, will give it a try...you keen to know the result? > > > > > > > > > > > > -----Original Message----- > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim > Harrison > > > > > > Sent: 14 February 2008 17:03 > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > If you ditch the client certs requirement, you can test KCD. > > > > > > > > > > > > -----Original Message----- > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of > Jason Jones > > > > > > Sent: Thursday, February 14, 2008 12:57 AM > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > Nope, SCCM web instance at default and "require client > > > > > certs" enabled. > > > > > > > > > > > > -----Original Message----- > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim > Harrison > > > > > > Sent: 13 February 2008 18:08 > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > Actually, I'd be surprised to learn that KCD works for > > > > > > non-user accounts. > > > > > > Did you remove "require client certificates" from the SCCM > > > > > > web instance? > > > > > > > > > > > > -----Original Message----- > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of > Jason Jones > > > > > > Sent: Wednesday, February 13, 2008 8:51 AM > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > P.S. I also had to make sure the certificate on the SCCM > > > > > > management point had the external FQDN as the CN and first > > > > > > SAN to avoid the current issue with ISA and SAN certs ;-) > > > > > > > > > > > > -----Original Message----- > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of > Jason Jones > > > > > > Sent: 13 February 2008 16:35 > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > Well.....................it does work!!! :-) mucho :-) > > > > > > > > > > > > I had to use the online CA, and use a new template that > > > > > > allows the subject name to be defined in the request and the > > > > > > cert private key to be exported. I then used > > > > > > homepc$@domain.com in the cert requests subject line and > > > > > > exported the cert onto the client. I then added a fake > > > > > > computer object to the domain called homepc$. Once > these were > > > > > > both done, ISA was then able to authenticate the > client cert, > > > > > > and I got one step closer...hurrah! > > > > > > > > > > > > However, I can't get KCD to work, but think this is more an > > > > > > issue with SCCM than ISA, as everything looks right and I > > > > > > don't get and KCD alerts (which you normally get when it is > > > > > > wrong!). If I use the bridging option to specify ISAs own > > > > > > client cert I have a fully working setup. I think this > > > > > > actually now makes sense based upon how SCCM works. > > > > > > > > > > > > To tie this down even more, I have then created a group > > > > > > called 'SCCM Internet clients' and added homepc$, then > > > > > > configured the web pubs rule to use this group. > > > > > > > > > > > > So, unless I am mistaken we now have the following scenario: > > > > > > > > > > > > * ISA pre-auth'ing all clients based upon their client > > > > > > certificates, no cert, no dice! (I like preauth) > > > > > > * ISA is in reverse web proxy and can HTTP inspect all > > > > > > traffic (will tie down allowed verbs as next step) > > > > > > * ISA SSL bridges to SCCM management point and provides it's > > > > > > own client auth cert to satisfy the MP > > > > > > * SCCM client specifies a special GUID in the packets (as I > > > > > > have now found out) so the cert provided by ISA is not > > > > > > actually used to identify the client, just to setup the > > > > > > mutual TLS session. > > > > > > > > > > > > This looks sooooo MUCH better than server > publishing to me ;-) > > > > > > > > > > > > Thanks to Jim (again) for the crucial "next step" link! > > > > > > > > > > > > Cheers > > > > > > > > > > > > JJ > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim > Harrison > > > > > > Sent: 13 February 2008 15:19 > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > Actually, in re-examining the idea, there is no UPN for a > > > > > > computer account (and no place I can see to add one). > > > > > > It'll take some playing to find out if it can work and > > > if so, how. > > > > > > > > > > > > -----Original Message----- > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of > Jason Jones > > > > > > Sent: Wednesday, February 13, 2008 3:19 AM > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > Ok, this seems to make sense - need to have a look > at see how > > > > > > achievable it is. The best practice for issuing client > > > > > > certificates for Internet SCCM clients is to use a > standalone > > > > > > CA (as they are not part of AD), so I guessing this options > > > > > > is not workable - correct? > > > > > > > > > > > > If I **can** just get ISA to validate the certs, I should > > > > > > then just be able to KCD them to the IIS server - yes? > > > > > > > > > > > > -----Original Message----- > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim > Harrison > > > > > > Sent: 09 February 2008 02:27 > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > Here's one for Tim to shoot down: > > > > > > > > > > > > Since machine auth certificates are built by default using > > > > > > DNS names (subj = "CN=host.domain.tld", SAN = "DNS > > > > > > Name=host.domain.tld") and not UPN ("account@xxxxxxxxxx"), > > > > > > it's impossible for Windows to resolve the cert to an > > > > > > account. You could try using certreq (supp tools) > to build a > > > > > > machine cert that uses UPN format (machine$@domain.tld) in > > > > > > the subject and/or SAN (you'll probably have to play a bit) > > > > > > and include "domain\domain computers" in an ISA > "Windows user > > > > > > group". ..all speculation, of course... > > > > > > > > > > > > -----Original Message----- > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of > Jason Jones > > > > > > Sent: Friday, February 08, 2008 6:23 AM > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > Right, done a little more testing (playing) with this and > > > > > > here are my findings, I think I got the skinny on > this, but a > > > > > > sanity check would be good :) > > > > > > > > > > > > Option 1: Use Server Publishing > > > > > > > > > > > > Results - SCCM client can authenticate to IIS on the SCCM > > > > > > management point using it's own personal client certificate > > > > > > and be fully managed, deployed with software/patches etc. > > > > > > > > > > > > Pros - Everything works > > > > > > Cons - Not ideal and ISA isn't adding a lot of value here as > > > > > > having to use Server publishing. > > > > > > > > > > > > Option 2: Use Web Publishing without KCD > > > > > > > > > > > > Results - I can only get this to work by configuring the ISA > > > > > > listener for no auth and then use the "use a client cert to > > > > > > authenticate to the SSL web server" option on the bridging > > > > > > tab. If enable the "SSL client auth" option on the web > > > > > > listener, ISA attempts to validate the certificate with AD, > > > > > > HOWEVER the client certs are issued to Internet clients who > > > > > > are not members of AD and hence have no validity with AD. > > > > > > Hence ISA gives a 401 error, kinda as expected. > > > > > > > > > > > > Pros - Everything works and ISA **can** inspect the > > > HTTP requests > > > > > > Cons - We have no way of authenticating external clients and > > > > > > they all appear to "hide" behind the ISA Server client > > > > > > certificate. This means any SCCM client, even without a > > > > > > client cert, can connect as ISA will perform the actual > > > > > > client auth request by the internal IIS server on the > > > > > > management point. This seems unworkable from what I can tell > > > > > > as SCCM will only ever see one client... > > > > > > > > > > > > Option 3: Use Web Publishing with KCD > > > > > > > > > > > > Results - As ISA cannot validate the client certificate with > > > > > > AD, we don't even get a chance to perform delegation to the > > > > > > IIS server on the SCCM management point. Hence this > option is > > > > > > a non-starter. > > > > > > > > > > > > Cons - Fundamentally flawed :-) (I think) > > > > > > > > > > > > Does all of this look correct or have I missed some options > > > > > > or misunderstood something? > > > > > > > > > > > > From my understanding FOR THIS PARTICULUAR SCENARIO, I have > > > > > > no choice but to accept defeat and go for server > publishing??? > > > > > > > > > > > > As ever, thanks for any input/comments... > > > > > > > > > > > > Cheers > > > > > > > > > > > > JJ > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim > Harrison > > > > > > Sent: 02 February 2008 15:17 > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > Yes; that makes sense. > > > > > > It's a shame that there is no good way to do this but that's > > > > > > the benefit of client-cert auth; MITM is very difficult to > > > perform. > > > > > > > > > > > > Something to note about this process; any "SSL inspection" > > > > > > methodology is going to break client cert auth. This is > > > > > > equally true of the BlueCoat & ClearTunnel offerings. Once > > > > > > you crack the SSL channel, the certs have to be > "mimicked" to > > > > > > each side. This is how they both work - by "reissuing" the > > > > > > server certificate and terminating the SSL session at the > > > > > > proxy so that the internal traffic can be inspected. > > > > > > While it's relatively simple to use your proxy as an > > > > > > intermediate CA because you can define a trust for > it to your > > > > > > users, doing so for the Internet folks is much more > difficult > > > > > > (and expensive!). They have to trust your proxy as an > > > > > > intermediate CA if your "reissued" client cert is to be > > > > > > worthwhile. Odds are, this just ain't happening. > > > > > > > > > > > > I can't speak to any future plans here (obviously), but I'm > > > > > > not a personal fan of Cardspace. Perhaps some more research > > > > > > will ease my concerns... > > > > > > > > > > > > Jim > > > > > > > > > > > > -----Original Message----- > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan > > > Pouseele > > > > > > Sent: Saturday, February 02, 2008 2:19 AM > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > Hi Jim, > > > > > > > > > > > > maybe I should rephrase my statement in order to clarify > > > > > > better what I mean. > > > > > > > > > > > > > > > > > > Whenever the application insist on the client cert itself > > > > > > then nothing much > > > > > > you can do but using server publishing. A classic example I > > > > > > encounter every > > > > > > day is the use of the Belgium e-ID to authenticate to a web > > > > > > application. In > > > > > > this scenario you can't use delegation or user > mapping at all > > > > > > because the > > > > > > users aren't known beforehand. Moreover, in many cases the > > > > > > application must > > > > > > be able to read some stuff out of the e-ID. In short, a > > > > > > number of reasons > > > > > > why pre-authentication isn't possible and therefore SSL > > > bridging. > > > > > > > > > > > > I wonder how 'Windows Cardspace' or in more general terms > > > > > 'Information > > > > > > Cards' and 'WS-*' can/will cooperate in a pre-authentication > > > > > > scenario with > > > > > > ISA server? > > > > > > > > > > > > Kindly, > > > > > > Stefaan > > > > > > > > > > > > -----Original Message----- > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On > > > > > > Behalf Of Jim Harrison > > > > > > Sent: vrijdag 1 februari 2008 19:58 > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > I'm actually very surprised you take this position. > > > > > > If ISA can terminate the SSL session (required for ISA to > > > > > > handle client > > > > > > certs), then you can apply the HTTP smarts ISA > brings for the > > > > table. > > > > > > Server publishing SSL can't accomplish this. > > > > > > > > > > > > Jim > > > > > > > > > > > > -----Original Message----- > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On > > > > > > Behalf Of Stefaan Pouseele > > > > > > Sent: Friday, February 01, 2008 8:41 AM > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > Hi Jason, > > > > > > > > > > > > > > > > > > > > > > > > my reasoning, whenever client certs are involved, use server > > > > > > publishing. > > > > > > Nothing ISA can do to enhance the security. > > > > > > > > > > > > > > > > > > > > > > > > HTH, > > > > > > > > > > > > Stefaan > > > > > > > > > > > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On > > > > > > Behalf Of Jason Jones > > > > > > Sent: vrijdag 1 februari 2008 16:49 > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > > > > > > > > > > > > > Hi All, > > > > > > > > > > > > > > > > > > > > > > > > Any more thoughts on this? > > > > > > > > > > > > > > > > > > > > > > > > From what I now understand, the SCCM client is > using a client > > > > > > auth cert to > > > > > > authenticate to the IIS instance running on the SCCM > > > > > management point > > > > > > (mutual cert auth). > > > > > > > > > > > > > > > > > > > > > > > > We are getting close to SCCM deployments where customers > > > > > > want IBCM, but the > > > > > > only ISA Server solution I can get working is to use SSL > > > > > > tunnelling (server > > > > > > publishing). I have tried various web publishing > > > > > > configurations and none of > > > > > > them seem to work - I have tried the following: > > > > > > > > > > > > > > > > > > > > > > > > * Simple web publishing , ISA listener with no > > > > > > authentication and > > > > > > "allow client to authenticate" defined in the delegation tab > > > > > > - assumed this > > > > > > would just use pass-through auth to the IIS website to allow > > > > > > for this to do > > > > > > the client auth. > > > > > > > > > > > > * Pre-auth web publishing, ISA listener using client > > > > > > cert auth and > > > > > > then KCD to delegate to IIS. > > > > > > > > > > > > > > > > > > > > > > > > Do we think that one of these should work, or is web > > > > > > publishing for SCCM > > > > > > IBCM fundamentally flawed? > > > > > > > > > > > > > > > > > > > > > > > > Anyone actually got it working??? I know SCCM is quite new, > > > > > > but are we just > > > > > > too ahead of the curve here? > > > > > > > > > > > > > > > > > > > > > > > > Cheers > > > > > > > > > > > > > > > > > > > > > > > > JJ > > > > > > > > > > > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On > > > > > > Behalf Of Jason Jones > > > > > > Sent: 19 October 2007 08:50 > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > > > > > > > > > > > > > Hi t, > > > > > > > > > > > > > > > > > > > > > > > > I was hoping to do the former and then use KCD, but > from what > > > > > > I gather SCCM > > > > > > is using computer based certs - I believe this makes things > > > > > > harder?. Not > > > > > > really comes across this scenario before...I currently have > > > > > > it working in > > > > > > the lab using server publishing, but I cannot bear the > > > > > > thought of doing this > > > > > > for customers... > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On > > > > > > Behalf Of Thor (Hammer of God) > > > > > > Sent: 18 October 2007 22:15 > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > > > > > > > > > > > > > While I've not used SCCM, I've done a good bit of work with > > > > > different > > > > > > certificate-based authentication models. Are you > > > > > considering using a > > > > > > web-listener configured for SSL Client Certificate > > > > > > Authentication, or just > > > > > > web-publishing to a back-end web server where it will do its > > own > > > > > > certificate-to-user mapping? > > > > > > > > > > > > > > > > > > > > > > > > t > > > > > > > > > > > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On > > > > > > Behalf Of Jason Jones > > > > > > Sent: Thursday, October 18, 2007 1:11 PM > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: SCCM and ISA - Worth a shot! > > > > > > > > > > > > > > > > > > > > > > > > Did this Q get hidden within Amy's posts or is it a big fat > > > > > > "don't know"? J > > > > > > > > > > > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On > > > > > > Behalf Of Jason Jones > > > > > > Sent: 17 October 2007 00:49 > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] SCCM and ISA - Worth a shot! > > > > > > > > > > > > > > > > > > > > > > > > Hi, > > > > > > > > > > > > > > > > > > > > > > > > Has anyone used ISA with System Centre Configuration Manager > > > > > > (SCCM) yet? > > > > > > Specifically when using Native mode (e.g. full-on PKI mode). > > > > > > > > > > > > > > > > > > > > > > > > The initial documentation is a little patchy and seems to > > > > > > contradict itself > > > > > > between using Web Publishing and Server Publishing > when using > > > > > > Internet based > > > > > > clients that cannot back into the CM server. The SCCM > > > > > > documentation talks > > > > > > about lots of perimeter and internet-facing scenarios, but I > > > > > > want to try and > > > > > > use an ISA based model in a similar way to protecting > > > Exchange or > > > > > > SharePoint. A quote from Jim comes to mind "..we don't need > > > > > > no stinking > > > > > > DMZs" > > > > > > > > > > > > > > > > > > > > > > > > Ideally I want to use Web Publishing, but all communications > > > > > > in SCCM utilise > > > > > > client certificate based authentication. > > > > > > > > > > > > > > > > > > > > > > > > Am I right in thinking I can use ISA Web publishing combined > > > > > > with KCD to > > > > > > secure access from CM clients to the CM server? > > > > > > > > > > > > > > > > > > > > > > > > Answers that tell me that I have to use Server Publishing > > > > > > will make me cry, > > > > > > so please be sensitive > > > > > > > > > > > > > > > > > > > > > > > > Thanks in advance... > > > > > > > > > > > > > > > > > > > > > > > > Cheers > > > > > > > > > > > > > > > > > > > > > > > > JJ > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ________________________________ > > > > > > > > > > > > This email and any files transmitted with it are > confidential > > > > > > and intended > > > > > > solely for the use of the individual to whom it is > addressed. > > > > > > If you have > > > > > > received this email in error, or if you believe > this email is > > > > > > unsolicited > > > > > > and wish to be removed from any future mailings, please > > > > > > contact our Support > > > > > > Desk immediately on 01202 360360 or email > > > > helpdesk@xxxxxxxxxxxxxxxxx > > > > > > > > > > > > If this email contains a quotation then unless otherwise > > > > > > stated it is valid > > > > > > for 7 days and offered subject to Silversands Professional > > > > > > Services Terms > > > > > > and Conditions, a copy of which is available on request. Any > > > > pricing > > > > > > information, design information or information > > > concerning specific > > > > > > Silversands' staff contained in this email is considered > > > > > > confidential or of > > > > > > commercial interest and exempt from the Freedom of > > > > > > Information Act 2000. > > > > > > > > > > > > Any view or opinions presented are solely those of > the author > > > > > > and do not > > > > > > necessarily represent those of Silversands > > > > > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 > > 7BX. > > > > > > Company Registration Number : 2141393. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > This email and any files transmitted with it are > confidential > > > > > > and intended solely for the use of the individual to whom it > > > > > > is addressed. If you have received this email in error, or > > > > > > if you believe this email is unsolicited and wish to be > > > > > > removed from any future mailings, please contact our Support > > > > > > Desk immediately on 01202 360360 or email > > > > helpdesk@xxxxxxxxxxxxxxxxx > > > > > > > > > > > > If this email contains a quotation then unless otherwise > > > > > > stated it is valid for 7 days and offered subject to > > > > > > Silversands Professional Services Terms and Conditions, a > > > > > > copy of which is available on request. Any pricing > > > > > > information, design information or information concerning > > > > > > specific Silversands' staff contained in this email is > > > > > > considered confidential or of commercial interest and exempt > > > > > > from the Freedom of Information Act 2000. > > > > > > > > > > > > Any view or opinions presented are solely those of > the author > > > > > > and do not necessarily represent those of Silversands > > > > > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 > > 7BX. > > > > > > Company Registration Number : 2141393. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > This email and any files transmitted with it are > confidential > > > > > > and intended solely for the use of the individual to whom it > > > > > > is addressed. If you have received this email in error, or > > > > > > if you believe this email is unsolicited and wish to be > > > > > > removed from any future mailings, please contact our Support > > > > > > Desk immediately on 01202 360360 or email > > > > helpdesk@xxxxxxxxxxxxxxxxx > > > > > > > > > > > > If this email contains a quotation then unless otherwise > > > > > > stated it is valid for 7 days and offered subject to > > > > > > Silversands Professional Services Terms and Conditions, a > > > > > > copy of which is available on request. Any pricing > > > > > > information, design information or information concerning > > > > > > specific Silversands' staff contained in this email is > > > > > > considered confidential or of commercial interest and exempt > > > > > > from the Freedom of Information Act 2000. > > > > > > > > > > > > Any view or opinions presented are solely those of > the author > > > > > > and do not necessarily represent those of Silversands > > > > > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 > > 7BX. > > > > > > Company Registration Number : 2141393. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > This email and any files transmitted with it are > confidential > > > > > > and intended solely for the use of the individual to whom it > > > > > > is addressed. If you have received this email in error, or > > > > > > if you believe this email is unsolicited and wish to be > > > > > > removed from any future mailings, please contact our Support > > > > > > Desk immediately on 01202 360360 or email > > > > helpdesk@xxxxxxxxxxxxxxxxx > > > > > > > > > > > > If this email contains a quotation then unless otherwise > > > > > > stated it is valid for 7 days and offered subject to > > > > > > Silversands Professional Services Terms and Conditions, a > > > > > > copy of which is available on request. Any pricing > > > > > > information, design information or information concerning > > > > > > specific Silversands' staff contained in this email is > > > > > > considered confidential or of commercial interest and exempt > > > > > > from the Freedom of Information Act 2000. > > > > > > > > > > > > Any view or opinions presented are solely those of > the author > > > > > > and do not necessarily represent those of Silversands > > > > > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 > > 7BX. > > > > > > Company Registration Number : 2141393. > > > > > > > > > > > > > > > > > > > > > > > > This email and any files transmitted with it are > confidential > > > > > > and intended solely for the use of the individual to whom it > > > > > > is addressed. If you have received this email in error, or > > > > > > if you believe this email is unsolicited and wish to be > > > > > > removed from any future mailings, please contact our Support > > > > > > Desk immediately on 01202 360360 or email > > > > helpdesk@xxxxxxxxxxxxxxxxx > > > > > > > > > > > > If this email contains a quotation then unless otherwise > > > > > > stated it is valid for 7 days and offered subject to > > > > > > Silversands Professional Services Terms and Conditions, a > > > > > > copy of which is available on request. Any pricing > > > > > > information, design information or information concerning > > > > > > specific Silversands' staff contained in this email is > > > > > > considered confidential or of commercial interest and exempt > > > > > > from the Freedom of Information Act 2000. > > > > > > > > > > > > Any view or opinions presented are solely those of > the author > > > > > > and do not necessarily represent those of Silversands > > > > > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 > > 7BX. > > > > > > Company Registration Number : 2141393. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > This email and any files transmitted with it are > confidential > > > > > > and intended solely for the use of the individual to whom it > > > > > > is addressed. If you have received this email in error, or > > > > > > if you believe this email is unsolicited and wish to be > > > > > > removed from any future mailings, please contact our Support > > > > > > Desk immediately on 01202 360360 or email > > > > helpdesk@xxxxxxxxxxxxxxxxx > > > > > > > > > > > > If this email contains a quotation then unless otherwise > > > > > > stated it is valid for 7 days and offered subject to > > > > > > Silversands Professional Services Terms and Conditions, a > > > > > > copy of which is available on request. Any pricing > > > > > > information, design information or information concerning > > > > > > specific Silversands' staff contained in this email is > > > > > > considered confidential or of commercial interest and exempt > > > > > > from the Freedom of Information Act 2000. > > > > > > > > > > > > Any view or opinions presented are solely those of > the author > > > > > > and do not necessarily represent those of Silversands > > > > > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 > > 7BX. > > > > > > Company Registration Number : 2141393. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > This email and any files transmitted with it are > confidential > > > > > > and intended solely for the use of the individual to whom it > > > > > > is addressed. If you have received this email in error, or > > > > > > if you believe this email is unsolicited and wish to be > > > > > > removed from any future mailings, please contact our Support > > > > > > Desk immediately on 01202 360360 or email > > > > helpdesk@xxxxxxxxxxxxxxxxx > > > > > > > > > > > > If this email contains a quotation then unless otherwise > > > > > > stated it is valid for 7 days and offered subject to > > > > > > Silversands Professional Services Terms and Conditions, a > > > > > > copy of which is available on request. Any pricing > > > > > > information, design information or information concerning > > > > > > specific Silversands' staff contained in this email is > > > > > > considered confidential or of commercial interest and exempt > > > > > > from the Freedom of Information Act 2000. > > > > > > > > > > > > Any view or opinions presented are solely those of > the author > > > > > > and do not necessarily represent those of Silversands > > > > > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 > > 7BX. > > > > > > Company Registration Number : 2141393. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > This email and any files transmitted with it are > confidential > > > > > > and intended solely for the use of the individual to whom it > > > > > > is addressed. If you have received this email in error, or > > > > > > if you believe this email is unsolicited and wish to be > > > > > > removed from any future mailings, please contact our Support > > > > > > Desk immediately on 01202 360360 or email > > > > helpdesk@xxxxxxxxxxxxxxxxx > > > > > > > > > > > > If this email contains a quotation then unless otherwise > > > > > > stated it is valid for 7 days and offered subject to > > > > > > Silversands Professional Services Terms and Conditions, a > > > > > > copy of which is available on request. Any pricing > > > > > > information, design information or information concerning > > > > > > specific Silversands' staff contained in this email is > > > > > > considered confidential or of commercial interest and exempt > > > > > > from the Freedom of Information Act 2000. > > > > > > > > > > > > Any view or opinions presented are solely those of > the author > > > > > > and do not necessarily represent those of Silversands > > > > > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 > > 7BX. > > > > > > Company Registration Number : 2141393. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >
Attachment:
NoClientAuth4Me.jpg
Description: NoClientAuth4Me.jpg