[isapros] Re: SCCM and ISA - Worth a shot!

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Fri, 1 Feb 2008 14:22:56 -0800

And not just "a" user account, but "THE" user account from the domain
where the Enterprise Root Cert lives...  I found that out the hard way
(as you know so well ;)

t

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Friday, February 01, 2008 2:12 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> 
> It depends on how the client cert (clientcertclientcertclientcert [for
> Tom <g>]) is constructed.
> By default, ISA doesn't really care how the cert is built as long as it
> can trust the CA.  The problem comes in with using the certificate for
> user authentication.  When ISA receives a certificate in response to
> "you better show some ID, boy!", ISA passes this to a Windows API
> called AcquireCredentialsHandle.  This API expects to resolve the
> certificate to a user account and if it can't, cert auth will fail.
> 
> Jim
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Friday, February 01, 2008 9:02 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> 
> Really?? Kinda surprised at that and surely there is quite a lot ISA
> can add rather than dumbing it down to L3 with server publishing???
> 
> The bit that is really annoying is that some of the SCCM guides
> recommend SSL bridging as opposed to SSL tunnelling, so it implies it
> should be possible and is best practice - trouble is, there are no docs
> that tell you how to get it working!!! Here are some examples:
> 
> http://technet.microsoft.com/en-us/library/bb680995.aspx
> 
> http://www.microsoft.com/technet/community/chats/trans/sms/07_0724_tn_sccm.mspx
> 
> Prabhu Padhi [MSFT] (Expert):
> Q: Can I do SSL-Bridging at the edge firewall to route the IBCM clients
> to my intranet MP/DP (they are shared)?
> A: As long as your firewall supports SSL bridging, we will work fine.
> 
> Cheers
> 
> JJ
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> Sent: 01 February 2008 16:41
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> 
> Hi Jason,
> 
> my reasoning, whenever client certs are involved, use server
> publishing. Nothing ISA can do to enhance the security.
> 
> HTH,
> 
> Stefaan
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: vrijdag 1 februari 2008 16:49
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> 
> Hi All,
> 
> Any more thoughts on this?
> 
> From what I now understand, the SCCM client is using a client auth cert
> to authenticate to the IIS instance running on the SCCM management
> point (mutual cert auth).
> 
> We are getting close to SCCM deployments where customers want IBCM,
> but the only ISA Server solution I can get working is to use SSL
> tunnelling (server publishing). I have tried various web publishing
> configurations and none of them seem to work - I have tried the
> following:
> 
> * Simple web publishing, ISA listener with no authentication
>   and "allow client to authenticate" defined in the delegation tab -
>   assumed this would just use pass-through auth to the IIS website to
>   allow for this to do the client auth.
> 
> * Pre-auth web publishing, ISA listener using client cert auth
>   and then KCD to delegate to IIS.
> 
> Do we think that one of these should work, or is web publishing for
> SCCM IBCM fundamentally flawed?
> 
> Anyone actually got it working??? I know SCCM is quite new, but are we
> just too ahead of the curve here?
> 
> Cheers
> 
> JJ
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: 19 October 2007 08:50
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> 
> Hi t,
> 
> I was hoping to do the former and then use KCD, but from what I gather
> SCCM is using computer based certs - I believe this makes things
> harder? Not really come across this scenario before... I currently
> have it working in the lab using server publishing, but I cannot bear
> the thought of doing this for customers...
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: 18 October 2007 22:15
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> 
> While I've not used SCCM, I've done a good bit of work with different
> certificate-based authentication models.  Are you considering using a
> web-listener configured for SSL Client Certificate Authentication, or
> just web-publishing to a back-end web server where it will do its own
> certificate-to-user mapping?
> 
> t
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Thursday, October 18, 2007 1:11 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> 
> Did this Q get hidden within Amy's posts or is it a big fat "don't
> know"? :)
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: 17 October 2007 00:49
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] SCCM and ISA - Worth a shot!
> 
> Hi,
> 
> Has anyone used ISA with System Centre Configuration Manager (SCCM)
> yet? Specifically when using Native mode (e.g. full-on PKI mode).
> 
> The initial documentation is a little patchy and seems to contradict
> itself between using Web Publishing and Server Publishing when using
> Internet based clients that cannot back into the CM server. The SCCM
> documentation talks about lots of perimeter and internet-facing
> scenarios, but I want to try and use an ISA based model in a similar
> way to protecting Exchange or SharePoint. A quote from Jim comes to
> mind: "..we don't need no stinking DMZs"
> 
> Ideally I want to use Web Publishing, but all communications in SCCM
> utilise client certificate based authentication.
> 
> Am I right in thinking I can use ISA Web publishing combined with KCD
> to secure access from CM clients to the CM server?
> 
> Answers that tell me that I have to use Server Publishing will make me
> cry, so please be sensitive
> 
> Thanks in advance...
> 
> Cheers
> 
> JJ
> 
> ________________________________
> 
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual to whom it is addressed.
> If you have received this email in error, or if you believe this email
> is unsolicited and wish to be removed from any future mailings, please
> contact our Support Desk immediately on 01202 360360 or email
> helpdesk@xxxxxxxxxxxxxxxxx
> 
> If this email contains a quotation then unless otherwise stated it is
> valid for 7 days and offered subject to Silversands Professional
> Services Terms and Conditions, a copy of which is available on request.
> Any pricing information, design information or information concerning
> specific Silversands' staff contained in this email is considered
> confidential or of commercial interest and exempt from the Freedom of
> Information Act 2000.
> 
> Any view or opinions presented are solely those of the author and do
> not necessarily represent those of Silversands
> 
> Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> Company Registration Number : 2141393.
> 
> 

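Jim's point about AcquireCredentialsHandle having to resolve the certificate to a user account, and Jason's observation that SCCM uses computer-based certs, both come down to what the client certificate carries in its subjectAltName: Windows' implicit certificate-to-account mapping keys on the UPN otherName (OID 1.3.6.1.4.1.311.20.2.3), which a computer certificate holding only a DNS name does not have. The Go program below is an added illustration, not code from this thread or from ISA or SCCM. It issues two self-signed test certificates with constructed names (jj@corp.example for a user, client01.corp.example for a machine) and walks the SAN the way a mapper would, showing that only the user certificate exposes a UPN; the directory lookup that AcquireCredentialsHandle then performs, and Thor's point that the account must live in the issuing domain, are outside what the example can show.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OID of the Microsoft UPN otherName (szOID_NT_PRINCIPAL_NAME) used by
// Windows implicit certificate mapping, and the subjectAltName OID.
var oidUPN = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}

// upnSANExtension builds a subjectAltName holding one otherName GeneralName:
// [0] IMPLICIT SEQUENCE { type-id oidUPN, value [0] EXPLICIT UTF8String upn }.
func upnSANExtension(upn string) (pkix.Extension, error) {
	utf8, err := asn1.MarshalWithParams(upn, "utf8")
	if err != nil {
		return pkix.Extension{}, err
	}
	otherName, err := asn1.Marshal(struct {
		TypeID asn1.ObjectIdentifier
		Value  asn1.RawValue
	}{oidUPN, asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: utf8}})
	if err != nil {
		return pkix.Extension{}, err
	}
	otherName[0] = 0xA0 // SEQUENCE tag becomes [0] IMPLICIT (context-specific, constructed)
	san, err := asn1.Marshal(asn1.RawValue{Class: asn1.ClassUniversal, Tag: asn1.TagSequence, IsCompound: true, Bytes: otherName})
	if err != nil {
		return pkix.Extension{}, err
	}
	return pkix.Extension{Id: oidSubjectAltName, Value: san}, nil
}

// issueCert creates a self-signed test certificate (constructed data, not a
// real PKI). A non-empty upn yields a user-style cert with a UPN SAN;
// otherwise the SAN carries only dnsName, the shape of a computer cert.
func issueCert(cn, upn, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if upn != "" {
		ext, err := upnSANExtension(upn)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{ext}
	} else {
		tmpl.DNSNames = []string{dnsName}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// userPrincipalName returns the UPN found in the SAN otherName, or ok=false
// when the certificate carries none and implicit user mapping cannot work.
func userPrincipalName(cert *x509.Certificate) (upn string, ok bool) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		var seq asn1.RawValue
		if _, err := asn1.Unmarshal(ext.Value, &seq); err != nil || seq.Tag != asn1.TagSequence {
			return "", false
		}
		rest := seq.Bytes
		for len(rest) > 0 {
			var gn asn1.RawValue
			var err error
			if rest, err = asn1.Unmarshal(rest, &gn); err != nil {
				return "", false
			}
			// Only otherName ([0], constructed) can carry a UPN; skip DNS, email, IP, URI.
			if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 || !gn.IsCompound {
				continue
			}
			var typeID asn1.ObjectIdentifier
			valueBytes, err := asn1.Unmarshal(gn.Bytes, &typeID)
			if err != nil || !typeID.Equal(oidUPN) {
				continue
			}
			var explicit asn1.RawValue // the [0] EXPLICIT wrapper around the UTF8String
			if _, err := asn1.Unmarshal(valueBytes, &explicit); err != nil {
				continue
			}
			var s string
			if _, err := asn1.Unmarshal(explicit.Bytes, &s); err != nil {
				continue
			}
			return s, true
		}
	}
	return "", false
}

func main() {
	user, err := issueCert("JJ", "jj@corp.example", "")
	if err != nil {
		panic(err)
	}
	machine, err := issueCert("client01.corp.example", "", "client01.corp.example")
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{user, machine} {
		if upn, ok := userPrincipalName(c); ok {
			fmt.Printf("%-22s -> UPN %s available for account mapping\n", c.Subject.CommonName, upn)
		} else {
			fmt.Printf("%-22s -> no UPN in SAN, only %v; user mapping cannot succeed\n", c.Subject.CommonName, c.DNSNames)
		}
	}
}
```

The machine certificate is exactly the case the thread describes: a pre-auth listener that hands the cert to the Windows API finds nothing to resolve to a user, so cert auth fails regardless of how the listener or KCD is configured.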