Increasing OWA Security by
Configuring the ISA Server to Present a Client Certificate to an OWA Web site
The
connection between the OWA client and server is protected from end to end when you
use SSL to SSL bridging. The OWA client creates an SSL link with the external
interface of the ISA Server and then the ISA Server creates a second SSL
protected link with the OWA site on the internal network. This is a unique
feature of ISA Server firewalls and ISA Server Web Proxies and provides one of
the most compelling reasons to use ISA Server in an OWA publishing environment.
You can
further enhance security by requiring that hosts present a client certificate
before they can connect to the OWA site directories. The client certificate is
required even before any credentials are passed to the
OWA site. Only after the client certificate is accepted
by the OWA site does the site then allow the user credentials to be proxied by
the ISA Server.
Note:
You do not want to force client certificate authentication
with this setup. You only want to require that the machine present a client
certificate to the OWA site before the user credentials are
forwarded to the OWA server. Basic authentication credentials protected
by SSL identify the user and allow access to the appropriate mailbox.
This setup
is especially helpful in environments where the ISA Server is
configured as a unihomed (single NIC) caching-only server on a DMZ
segment. While you have a high level of application layer security protecting
your internal OWA site if you have an ISA Server firewall at the internal
network edge, this is not necessarily true if a non-ISA Server firewall is used to protect the internal network.
In most
circumstances a simple packet filtering device is used
at the internal network edge. Either a packet filter is
configured to allow inbound TCP 443 to the OWA site on the internal
network, or a reverse NAT rule is configured to forward inbound TCP 443 to the
internal network OWA site. In both these cases, the non-ISA firewall forwards packets based only on port
number and does not provide the intelligent application layer
inspection provided by an ISA Server firewall.
You can
protect the OWA site on the internal network from inappropriate connection
attempts by requiring the client certificate. You can distribute client
certificates to all internal network clients that require OWA access, and you
can provide a client certificate to the Web Proxy service on the ISA Server
firewall, which it can use to connect to the OWA site.
You perform
the following procedures to allow the ISA Server to present a client
certificate to the OWA site:
·
Obtain
a client certificate for the Web Proxy service
·
Export
the Web Proxy service’s client certificate
·
Import
the client certificate into the Web Proxy service certificate store
·
Bind
the client certificate to the Web Publishing Rule
·
Force
client certificate authentication on the OWA Web site folders
Note:
The ISA Server and the OWA site must trust each other’s certificates. Confirm
that your Root CA is listed in the Trusted Root Certification Authorities
node in the machine certificate stores on both computers. For more information
on confirming that the Root CA is in the appropriate location and how to place
a Root CA certificate in the Trusted
Root Certification Authorities node if it is not there.
The
remainder of the ISA Server 2000
Exchange Server 2000/2003 Deployment Kit document discusses these
procedures in detail.
Obtain a Client Certificate for the
Web Proxy Service
The first
step is to obtain a client certificate for the Web Proxy service. The Web Proxy
service will present this certificate to the OWA site when it attempts to
connect to one of the OWA folders. You can obtain the client certificate from
the ISA Server computer itself, or you can obtain it from another machine on
the internal network, export it and then copy the exported client certificate
to a file.
In this ISA Server 2000 Exchange Server 2000/2003
Deployment Kit document we will go through the procedures required to
obtain a client certificate from a machine that is not the ISA Server computer.
- From a client on the internal
network, open Internet Explorer
and go to the name or the IP address of the Web enrollment site: http://<ip_address>/certsrv
or http://name/certsrv.
This will take you to the Certificate Server’s Welcome page (figure 1).
Click the Request a
Certificate Link.
Figure 1
- On the Request a Certificate page (figure 2), click on the advanced certificate request link.
Figure 2
- On the Advanced Certificate Request page (figure 3), click the Create and submit a request to this CA
link.
Figure 3
- On the Advanced Certificate Request page (figure 4), will in the
identifying information for the Web Proxy service. The only required field
is the Name field, but you
should fill in all the fields for identification purposes.
In the Type of
Certificate Needed drop down list, select the Client Authentication Certificate
option.
Figure 4
- Scroll down the page and put a
checkmark in the Mark keys as
exportable checkbox (figure 5).
Figure 5
- Click the Submit button on the bottom of the page (figure 6). Click Yes on the
warning dialog box informing you that the Web site is requesting a
certificate on your behalf.
Figure 6
- On the Certificate Pending page (figure 7) you are
informed that your certificate will be issued pending approval by
and administrator. At this point you must go to the standalone CA and
approve the certificate request.
Return to the Welcome
page for the Web enrollment site after the request has been
approved. You can reach the Welcome
page from the Certificate Pending page
by click on the Home link on the
upper right corner of the page.
Figure 7
- On the Welcome page, click the View
the status of a pending certificate request option (figure 8).
Figure 8
- On the View the Status of a Pending Certificate Request page (figure
9), click the link for the certificate.
Figure 9
- On the Certificate issued page (figure 10), click the Install this certificate link.
Figure 10
- Click Yes on the Potential Scripting Violation
dialog box that warns you the Web site is adding one or more certificates
to the computer (figure 11).
Figure 11
- Click Yes on the Root Certificate Store dialog box
that asks if you want to add the CA certificate to the Root Store on this
computer (figure 12).
Figure 12
The machine
now has a user certificate for the ISA Server’s Web Proxy service installed on
it. The next step is to export this certificate so that you can copy it to the
ISA Server machine.
Export the Web Proxy Client’s
Certificate
The user
certificate is stored in the user certificate store on this computer. Because
the certificate is stored in the user certificate store, you can access the
certificate from Internet Explorer.
Perform the
following steps to export the Web Proxy service’s user certificate:
1. Open Internet Explorer and click the Tools menu. On the Tools
menu, click the Internet Options
command (figure 13)
Figure 13
2. In the Internet Options dialog box (figure 14), click the Content tab. Click the Certificates button in the Certificates frame.
Figure 14
3. In the Certificates dialog box, confirm that the Intended purpose drop down list has the <All> option selected (figure 15). Select the webproxyservice
certificate and click the Export
button.
Figure 15
4. Click Next on the Welcome to the Certificate Export Wizard page (figure 16).
Figure 16
5. On the Export Private Key page (figure 17), select the Yes, export the private key option and
click Next.
Figure 17
6. On the Export File Format page (figure 18), select the Personal Information Exchange 00 PKCS #12 (.PFX) option. Place a checkmark in the Include all certificates in the certification path if possible
checkbox and remove all other checkmarks.
Click Next.
Figure 18
7. On the Password page (figure 19), type in a password and confirm the
password. This password protects the certificate from being
stolen in the event that an unauthorized person is able to access this
certificate file. Click Next.
Figure 19
8. Type in a file name and path for
where you want to save the certificate on the File to Export page (figure 20). Remember where you saved the
certificate because you will need to copy it to the ISA Server computer. Click Next.
Figure 20
9. Review your settings on the Completing the Certificate Export Wizard page and click Finish (figure 21).
Figure 21
10. Click OK on the Certificate Export
Wizard dialog box (figure 22).
Figure 22
11. If you want to keep a backup copy of
the Web Proxy service’s certificate, you can leave it on this machine. However,
you can use the Remove button to
remove the certificate from this machine if the machine is not secure and not
under your administrative control (figure 23). Click Close.
Figure 23
12. Click OK in the Internet Options
dialog box (figure 24).
Figure 24
Copy the
certificate to removable media such as a floppy disk or CD-ROM. Then copy the
certificate from the removable media to the ISA Server computer.
Import the Client Certificate into
the Web Proxy Service Certificate Store
You’re
ready to import the certificate into the Web Proxy service’s certificate store
now that the certificate is copied to the ISA Server
machine.
Perform the
following steps to import the Web Proxy service’s user certificate:
1. Click Start and then click the Run
command. Type mmc in the Open text box and click OK. In the Console 1 console, click the File
menu and click the Add/Remove Snap-in
command (figure 25).
Figure 25
2. Click Add on the Add/Remove
Snap-in dialog box (figure 26).
Figure 26
3. On the Add Standalone Snap-in dialog box (figure 27), select the Certificates entry from the Available Standalone Snap-ins list and
click Add.
Figure 27
4. On the Certificates snap-in page, select the Service account option (figure 28) and click Next.
Figure 28
5. On the Select Computer page (figure 29), select the Local Computer (the computer this console option and click Next.
Figure 29
6. On the Certificates snap-in page (figure 30), select the Microsoft Web Proxy option from the Service account list. Click Finish.
Figure 30
7. Click Close on the Add Standalone
Snap-in dialog box (figure 31).
Figure 31
8. Click OK in the Add/Remove Snap-in
dialog box (figure 32).
Figure 32
9. Click on the W3Proxy\Personal node in the left pane of the console. Right click
on an empty area in the right pane of the console, point to All Tasks and click on Import (figure 33).
Figure 33
10. Click Next on the Welcome to the Certificate Import Wizard page (figure 34).
Figure 34
11. Use the Browse button to locate the certificate (figure 35), then click Next.
Figure 35
12. Type in the password you created for
the certificate on the Password page
(figure 36). Click Next.
Figure 36
13. Leave the default selection on the Certificate Store page (figure 37).
Click Next.
Figure 37
14. Review your selections on the Completing the Certificate Import Wizard
page (figure 38) and click Finish.
Figure 38
15. Click OK on the Certificate Import
Wizard dialog box (figure 39).
Figure 39
The Web
Proxy service can now present this certificate to any entity requesting a
client certificate and it can do this without any explicit user intervention.
The Web Proxy client will send this client certificate to any server requesting
client certificate authentication.
Bind the Client Certificate to the
Web Publishing Rule
The Web
Proxy service needs to be informed that it has a
certificate it can present to the OWA server. This setting is
found in the OWA Web Publishing Rule.
Perform the
following steps to bind the client certificate to the OWA Web Publishing Rule:
1. Open the ISA Management console and expand the Servers and Arrays node. Expand your server name and then expand
the Publishing node. Click on the Web Publishing Rules node. Right click
on the OWA Web Publishing Rule in the right pane of the console and click the Properties command (figure 40).
Figure 40
2. Click on the Bridging tab (figure 41). Put a checkmark in the Use a certificate to authenticate to the
SSL Web server checkbox.
Figure 41
3. Click the Select button (figure 42). Select the Web Proxy service’s client
certificate in the Select Certificate
dialog box and click OK.
Figure 42
4. The certificate appears in the text
box at the bottom of the dialog box (figure 43). Click Apply and then click OK.
Figure 43
The Web
Proxy service is now able to present a client certificate to the OWA server on
the internal network whenever it forwards messages for the OWA clients on the
external network.
Force Client Certificate
Authentication on the OWA Web Site Folders
At this
point the ISA Server is able to forward a client when one is
requested. The next step is to configure the OWA Web site directories to
request a client certificate before it allows a connection.
Perform the
following steps to force the OWA Web site to request a client certificate from
the ISA Server before allowing a connection:
1. Click Start, point to Administrative
Tools and click on Internet Information
Services (IIS) Manager. In the Internet
Information Services (IIS) Manager console, expand your server name and
then expand the Web Sites node in
the left pane of the console. Expand the Default
Web Site node and click on the Exchange
node. Right click an empty area in the right pane and click the Properties command (figure 44).
Figure 44
2. On the Exchange Properties dialog box (figure 45), click the Edit button in the Secure communications frame.
Figure 45
3. In the Secure Communications dialog box (figure 46), select the Require client certificate in the Client certificates frame. Click OK.
Figure 46
4. Click OK in the Exchange
Properties dialog box (figure 47). Repeat this procedure for the Exchweb and Public folders.
Figure 47
5. Restart the virtual Web server after
you have configured the Exchange, Exchweb and Public folders to require a client
certificate. Right click on your server name, point to All Tasks and click on Restart
IIS (figure 48).
Figure 48
6. In the Stop/Start/Restart dialog box (figure 49), select the Restart Internet Services on option and
click OK.
Figure 49
7. The IIS services on restart (figure
50).
Figure 50
8. Close the Internet Information Services (IIS) Manager console (figure 51).
Figure 51
