Geoffrey DeFilippi

Installing Certificates on ISA 2004 (Bridging SSL to SSL)

April 20, 2007 @ 10:29 am by Geoff | Programming

I ran into this problem a few times over the past few years in relation to SSL to SSL bridging. If you do not understand this concept:

This is where you intercept a SSL connection at the firewall and then pass it as an SSL connection to the web server.

You have a few other options; you could pass the connection straight through the firewall (tunneling), or you could accept it at the firewall level and then pass it as a normal unencrypted connection to the web server (SSL to HTTP).

It is my personal opinion that if you advertise SSL or an encrypted connection you really should pass the connection through the firewall and keep it secure all the way to the server. You are cheating if you don’t. Allowing the connection to tunnel straight through your firewall is great, but then why use a firewall at all (okay there are still plenty of reasons, but that is a subject for a whole different post and perhaps different site). I can give you a few:

Reasons to Bridge SSL -> SSL over Tunneling

  1. You might want or need to inspect the traffic headed to the server before it arrives.
  2. You might want to catch traffic and redirect it for the end user.
  3. You may be performing validation before entrance to your system at the perimeter level.
  4. Etc.

I had a very difficult time getting my ISA 2004 to web server bridge set up correctly (I’m going to put up a separate post related to the routing table and the issue I experienced there). The primary issue I experienced was very frustrating and was confounded by the fact that dredging up a good answer on the internet seemed impossible. So how do you actually get a certificate installed on the ISA 2004 server to allow SSL -> SSL bridging?

Here are my assumptions:

  1. You are generating certificates internally (I was).
  2. You are starting at the IIS server and you are able to correctly request and install a certificate at this level.
  3. You have the capability to create web publishing rules using ISA 2004.

* I don’t have access to, or use in my production environment, certificates generated by a public CA, for a variety of reasons; the largest being cost. There are definite advantages to using public CA certificates, as they are trusted on the client computer without intrusion and are far less confusing to the client. This inconvenience has not outweighed the cost involved in doing this for me at this point. I don’t have practical experience to offer specifically related to public CA certificates, although I would imagine the process is very similar.

Step 1: Export the valid and functioning certificate to a password protected pfx file.

  1. Open IIS Manager
  2. Expand the websites and right click your web site.
  3. Select properties to bring up the Website Properties modal dialog.
  4. Click the Directory Security Tab
  5. Click Server Certificate… button under Secure communications
  6. Select Export the current certificate to a .pfx file (this will not be an option if you don’t have a certificate installed. For information go to: HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003)
  7. Browse to or enter a path where you want to store your file. I would use a directory shared on the ISA 2004 server if possible.
  8. Use a password (the password protects the private key inside the file; anyone who obtains the .pfx without it cannot import or use the certificate later)

Step 2: Move the .pfx file to the ISA 2004 Server if you haven’t already saved it there

Step 3: Open the Certificate Management Console on the ISA 2004 Server

  1. Click Start -> Run
  2. Type mmc and hit enter or click ok
  3. Click File -> Add/Remove Snap-in…
  4. Click Add (I would leave the drop down labeled Snap-ins added to: set to Console Root)
  5. Select Certificates (not certificate authority) and click ok or double click certificates
  6. Click Ok to return to the MMC Console (you’ll have a single entry for Certificates)
  7. If you would like to save this for ease of use later try File -> Save As

Step 4: Install the certificate from the .pfx file

  1. You will want to install this certificate into the Personal Store (it seemed counter intuitive to me to do this)
  2. Since you have the Certificate Console open (see above step 3) right click the personal folder
  3. Under All Tasks in the context menu choose Import
  4. In the Welcome to Certificate Import Wizard click next
  5. Click browse and navigate to where you saved your .pfx file. (you will need to change the file extension filter to Personal Information Exchange (*.pfx, *.p12) to see your file.)
  6. Click next
  7. Type in the password to allow the certificate to be installed (if you used one in step 1). I don’t mark these as exportable because I only ever export from the web server not from the ISA Server.
  8. Make sure you have the option: Place all certificates in the following store selected and it has Personal as the certificate store.
  9. If you don’t, click Browse and select the Personal folder -> OK
  10. Click Next
  11. Click Finish

At this point you have correctly installed the certificate and you should be able to see it when you enable or use SSL in your web listeners.
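The same export-and-import procedure, scripted, as an added example that is not part of the original post. It assumes the PKI module cmdlets (Export-PfxCertificate, Import-PfxCertificate, Test-Certificate), which ship with Windows 8 / Server 2012 and later rather than with the Server 2003 / ISA 2004 machines the post describes, so the GUI steps above remain the path for that era. The hostname and the .pfx path are placeholders. It targets Cert:\LocalMachine\My, which is the Personal store of the Computer account; that is the store an ISA web listener reads, so when the Certificates snap-in asks which account to manage, choose Computer account rather than My user account. The script also adds the checks a practitioner wants after the import: that the private key arrived, that the certificate name matches the published hostname, and that the chain validates against the internal CA on the ISA box.

```powershell
# Added example, not code from the original post. Requires the PKI module
# (Windows 8 / Server 2012 or later). Hostname and file path are assumptions.

$PublishedName = 'www.example.com'       # assumed: the name clients connect to
$PfxPath       = 'C:\certs\webcert.pfx'  # assumed: a share reachable from the ISA box

# --- On the IIS server (the post's Step 1) ---------------------------------
# Find the site certificate in the machine Personal store (Cert:\LocalMachine\My);
# it must carry a private key, or there is nothing for the bridge to decrypt with.
$webCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $PublishedName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $webCert) { throw "No certificate with a private key for $PublishedName" }

# Prompt for the password rather than embedding it: the .pfx holds the private key,
# and the password is the only protection the file has while it sits on a share.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $webCert -FilePath $PfxPath `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null

# --- On the ISA server (the post's Steps 3 and 4) --------------------------
# Import into the computer's Personal store. Import-PfxCertificate leaves the key
# non-exportable unless -Exportable is given, which matches the post's preference.
$isaCert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# Checks a web listener depends on: a usable private key, a name matching what
# clients request, and a chain that resolves to the (internal) CA on this box.
if (-not $isaCert.HasPrivateKey) { throw 'Imported certificate has no private key' }
if ($isaCert.DnsNameList.Unicode -notcontains $PublishedName) {
    throw "Name mismatch: certificate is for $($isaCert.Subject)"
}
if (-not (Test-Certificate -Cert $isaCert -Policy SSL -DNSName $PublishedName)) {
    throw 'Chain does not validate; import the internal CA root into Cert:\LocalMachine\Root first'
}

# Delete the .pfx once imported; leaving it on a share is a second copy of the key.
Remove-Item $PfxPath
"Installed $($isaCert.Thumbprint) for $PublishedName in Cert:\LocalMachine\My"
```

Run the first half on the web server and the second half on the ISA server; the Test-Certificate check will fail until the internal CA's root certificate is trusted on the ISA box, which is the same chain requirement the reply in the comments refers to.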

Happy hunting!


2 Responses to “Installing Certificates on ISA 2004 (Bridging SSL to SSL)”

  1. July 7th, 2007 @ 3:09 pm by Michael Heffernan:

    Geoffrey,

    I read yours, and everybody else’s article about installing SSL and still can’t make heads or tails of it. I have a Windows 2003 Server with ISA 2004 on it acting as a firewall. It is three legged. One goes to the internet, the other to a domain area, and the third to a DMZ that holds DNS servers, Development Systems, and Web Servers (Windows 2000 Server). I purchased a certificate from Thawte and installed it on the web server with an internal IP of 192.168.0.60. There is currently a publishing rule for port 80 for this IP on the ISA 2004 which is at an external Internet Address of 74.92.195.219. When I tried to create a listener for the Secure web site publishing, regardless of tunnel or bridge (and I want a Bridge for filter and inspection security), it wants a security certificate on the ISA server listener to continue with the install of the rule? I’m Lost!!!!

    Michael Heffernan

  2. August 21st, 2007 @ 12:13 pm by Geoff:

    The certificate has to be installed on the ISA server to bridge the SSL to SSL as it is receiving the traffic and then reporting it to the server.

    For what you are doing I would set up SSL on the Web Server and verify it works correctly. You’ll need the cert and perhaps the CA auth chain.

    I would at this point use ISA strictly as a pass through and pass the traffic straight through, making sure you keep the original packet intact. I believe there is an option to allow you to pass the original header and not the ISA header.

    Make sure your external traffic routes correctly before you start worrying about setting up the bridging.

    Normally with ISA I’ve found that once the server is installed and setup correctly on IIS you can take a SSL cert and export it via the properties -> security of the site to a pfx file.

    see this article:

    http://www.isaserver.org/articles/exportsslcert.html

    Then you need to install it via the certificate cpl into the personal store.

    This works pretty well and should help fix your issue.
