ISA Server 2000 Feature Pack 1

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Microsoft ISA Server 2000 Feature Pack 1, Version 1

This document describes scenarios in which digital certificates (also called SSL certificates) are required on the ISA Server computer and/or on published servers behind ISA Server. The procedures for obtaining and installing digital certificates are provided.

On This Page

Where to Install a Digital Certificate
SSL Bridging

Where to Install a Digital Certificate

There are three publishing scenarios in which you may require digital certificate installation:

  • Publishing using Web publishing rules

  • Publishing using server publishing rules

  • Publishing using packet filters

Publishing Using Web Publishing Rules

When using Web publishing rules to publish a server, and SSL communication from external clients is required, at a minimum a server certificate must be installed on the ISA Server computer. In addition, you may have a certificate installed on the internal Web server. You will have to configure SSL bridging on the Web publishing rule accordingly. For more information see "SSL Bridging" later in this document.

These are the general steps you have to take to install SSL certificates in a Web publishing scenario. The detailed procedure for each of these steps is provided later in this document.

  1. Install a trusted root certificate on computers that will be SSL clients of the server certificate following certificate procedure 1, "Root certificate support". If you are using a certificate from a commercial certification authority (CA) that is included in the Internet Explorer database of CAs, you do not have to perform this step.

  2. Generate a Certificate Request for the ISA server computer following certificate procedure 2, "Generating a Certificate Request File".

    • In step 11 of the Generating a Certificate Request file procedure, where you have to provide a common name for the certificate, type the fully qualified host name or URL that external clients will type in their Web browser to access the Web site, for example news.adatum.com. This would be the same name used in the destination set for the Web publishing rule.
  3. Process a Certificate Request File following certificate procedure 3, "Processing a Certificate Request File".

  4. Install the certificate following certificate procedure 4, "Installing a certificate". Do not perform other steps until you've installed the certificate.

  5. Export the certificate to a file and copy it to the ISA server computer following certificate procedure 5, "Exporting a certificate from the Web server to ISA".

  6. Install the certificate on the ISA server computer following certificate procedure 6, "Installing the certificate on ISA server".

  7. Remove the certificate from the Web server computer following the procedure in certificate procedure 7, "Removing the certificate from the Web server".

These steps install a certificate on the ISA Server computer. The remaining steps install an additional certificate on the Web server computer; they are required only if the Web publishing rule passes SSL requests to the Web server as SSL requests (see "SSL Bridging" later in this document).

  1. Generate a Certificate Request File for the Web server computer following certificate procedure 2, "Generating a Certificate Request File".

    • In step 11 of the Generating a Certificate Request file procedure, where you have to provide a common name for the certificate, type the fully qualified host name of the Web server, for example, webserver.adatum.com.
  2. Process a Certificate Request File following certificate procedure 3, "Processing a Certificate Request File".

  3. Install the certificate following certificate procedure 4, "Installing a certificate".

Publishing Using Server Publishing Rules

When you publish a server using server publishing rules, install a digital certificate on the published server, not on the ISA Server computer. Select HTTPS Server as the mapped protocol in your server publishing rule.

These are the general steps you have to take to install an SSL certificate in a server publishing scenario. The detailed procedure for each of these steps is provided later in this document.

  1. Install a trusted root certificate on computers that will be SSL clients of the server certificate following certificate procedure 1, "Root certificate support". If you are using a certificate from a commercial certification authority (CA) that is included in the Internet Explorer database of CAs, you do not have to perform this step.

  2. Generate a Certificate Request File following certificate procedure 2, "Generating a Certificate Request File".

    • In step 11 of the Generating a Certificate Request file procedure, where you have to provide a common name for the certificate, type the address (FQDN host name) of the site that the user will input when requesting your published server, for example, news.adatum.com.
  3. Process a Certificate Request File following certificate procedure 3, "Processing a Certificate Request File".

  4. Install the certificate following certificate procedure 4, "Installing a certificate".

Publishing Using Packet Filters

In general, it is recommended that you publish servers using publishing rules. However, there are scenarios, such as the three-homed perimeter network (also known as a DMZ, demilitarized zone, or screened subnet) scenario, where you use packet filtering to allow traffic to a server. In this scenario, the digital certificate would be installed only on the published server, following the same steps as in the server publishing scenario.

Certificate Procedures

The following procedures describe in detail how to install digital certificates.

1. Root certificate support

Establishing SSL connections between a client and a server requires installation of a root CA certificate that will validate the server certificate. Generally, if you are using a certificate from a commercial CA that is included in the computer's database of CAs, you do not have to perform this step since the root certificate is already installed. To see a list of installed root certificates, in the Internet Explorer menu choose Tools -> Internet Options. Select the Content tab, click Certificates, and select the Trusted Root Certification Authorities tab. If you choose to install Microsoft Certificate Server to be the CA in your organization to issue certificates, you will have to handle the installation of root certificates.

A root certificate must be installed on every client that will access a server using SSL. For example, in a scenario in which Server Certificate #1 is installed on the ISA Server computer, and Server Certificate #2 is installed on an internal Web server computer (behind the ISA Server computer), you will require the following root certificate installations:

  • External clients will require root certificates validating Server Certificate #1, as they are clients of the ISA Server computer

  • The ISA Server computer, as a client of the Web server computer, will require a root certificate validating Server Certificate #2.

In general, it is recommended that the certificates installed on the ISA Server computer and the published server in a server publishing scenario be issued by a commercial certification authority, so that they are easily trusted by clients attempting to establish a connection. However, in a Web publishing scenario the certificate on a Web server could be issued by an internal Microsoft Certificate Server, as it only has to be trusted by the ISA Server computer when it is trying to establish an SSL connection to the internal Web server.

Note: For more information on Microsoft Certificate Server see Creating Certificate Hierarchies with MS Certificate Server Version 1.0 (https://go.microsoft.com/fwlink?linkid=12107)

To obtain a Microsoft Certificate Server root certificate

Note: The following steps assume no direct connectivity to the Certificate Server; all information exchange must be done using a floppy disk.

  1. On the Microsoft Certificate Server computer open Internet Explorer and type https://localhost/certsrv in the address field.

  2. Select Retrieve the CA certificate or certificate revocation list and click Next.

  3. Click on the link Download CA certification path and save the file to a floppy disk.

To install the Microsoft Certificate Server Root certificate

  1. Copy the root certificate from the floppy disk to the appropriate computers.

  2. Go to each of the appropriate computers and open the Certificates MMC snap-in: click Start, click Run, type MMC, and then click OK.

  3. Click Console, Add/Remove Snap-in. Click the Add button.

  4. Select Certificates, click Add, choose Computer account, and click Next.

  5. Select Local Computer, click Finish, click Close, and click OK.

  6. Click the Trusted Root Certification Authorities folder.

  7. Right-click the folder, point to All Tasks, and then click Import.

  8. In the Import Wizard, click Next.

  9. Make sure that your root certificate file is listed and select it. Click Next.

  10. Click Next.

  11. Click Finish.

  12. Under the Trusted Root Certification Authorities, verify that you see the root certificate.

2. Generating a Certificate Request File

This procedure details how to generate a certificate request file. Perform this procedure on a computer that has IIS installed. Since IIS is generally not installed on the ISA Server computer, this procedure should take place on the published server.

Note: The certificate request fails if it contains non-alphanumeric characters.

Between creating the request file (that is, completing the following steps) and installing the certificate, do not perform any of the following actions:

  • Change the computer name or Web site bindings.

  • Apply service packs or security patches.

  • Change encryption levels (that is, apply the high encryption pack).

  • Delete the pending certificate request.

  • Change any of the Web site's Secure Communications properties.

To generate a certificate request file

Follow this procedure to generate a new certificate request to be sent to a CA for processing:

  1. Open the Internet Services Manager (or your custom MMC containing the IIS snap-in).

  2. Select the default Website. Right-click and select Properties.

  3. Click the Directory Security tab.

  4. In the Secure Communications section, click Server Certificate. This starts the new Web Site Certificate Wizard.

  5. Click Next.

  6. Choose the Create a New Certificate option and click Next. (There may be a slight pause before the next screen appears.)

  7. Choose the Prepare a New Request but Send it later option and click Next.

    Note: The Send the request immediately to an online certification authority option is unavailable unless IIS has access to an Enterprise CA, which requires Certificate Server 2.0 to be installed in Microsoft Windows 2000 with Active Directory.

  8. Choose a friendly name for the site (this can be any name, for example, the friendly name of the site in the MMC, or the name of the Web site owner).

  9. Choose the bit length of the key you want to use and whether you want to use Server Gated Cryptography (SGC), and then click Next.

    Note: For more information on bit length and SGC, see the IIS Help that is located on the server at the following address: https://<servername>/iishelp/iis/htm/core/iistesc.htm, where <servername> is the name of your IIS server.

  10. Input your Organization (O) and your Organizational Unit (OU). For example, if your company is called Fabrikam and you are setting up a Web server for the Sales department, you would enter Fabrikam for the Organization and Sales for your Organizational Unit. Click Next when complete.

  11. Input the common name (CN) for your site. This must match the name that the SSL client of this certificate uses to reach it. For the certificate that ISA Server presents to external clients (Web publishing), and for a certificate on a server-published server, this is the public name users type in their browser, for example news.adatum.com. For the optional second certificate that stays on the internal Web server in a Web publishing scenario, this is the FQDN of the Web server computer as ISA Server addresses it, for example webserver.adatum.com. When done, click Next.

  12. Input your Country/Region, City, and State. It is very important that you do not abbreviate the names of the state or city. When done, click Next.

  13. Choose a name for the certificate request file you are about to create. This file contains all the information you entered here, together with the public key for your site; the private key stays on this computer. You can browse to a location for the file if you want. The file is a .txt file, and the default name is Certreq.txt. When you have finished this step, click Next.

  14. You will now be presented with a summary screen with all the information you entered. Verify that all of this information is correct, and then click Finish.

3. Processing a Certificate Request File

In order for the certificate to be used on the Internet, submit the request file to a CA (online authority). They will generate a certificate response file, which contains your public key and which is digitally signed by the commercial CA.

For internal use purposes, such as deploying a certificate on the internal Web server computer in a Web publishing scenario, you may want to install your own private certificate authority using Microsoft Certificate server.

To process a certificate request using Microsoft Certificate Server

The following steps assume no direct connectivity to the Certificate Server; all information exchange will be done using a floppy disk.

  1. Copy the certificate request file to a floppy disk, take the disk to the Certificate Server and copy the file from the disk to the hard drive of the Certificate Server, remembering its location. Alternatively, you can work from the floppy disk itself.

  2. On the Microsoft Certificate Server computer, open Internet Explorer and type https://localhost/certsrv.

  3. Click Request a Certificate and click Next.

  4. Click Advanced Request and click Next.

  5. Choose the second option, Submit a certificate request using a base64 encoded PKCS #10 file... and click Next.

  6. Under the certificate template heading, select Web server.

  7. Using Notepad, open the certificate request file and copy all of its contents to the Clipboard by typing CTRL+A and CTRL+C.

  8. Paste the contents of the file into the Saved Request edit box in the browser page and click Submit.

  9. Click the Download CA certificate link to save the response file to the floppy disk. If the CA holds requests as pending (the default for a stand-alone CA), an administrator must first issue the request in the Certification Authority console; then return to the certsrv pages, choose Check on a pending certificate, and download the issued certificate.

  10. Take the floppy disk to the published server computer and copy the response file to its hard drive, remembering the location.

4. Installing a certificate

When you receive your response file from the CA you have to install it on the Web server. A certificate that will be exported to the ISA Server computer must first be installed on the Web server for which the certificate was requested.

To install the response file

  1. Open Internet Services Manager.

  2. Expand Internet Information Services. Select the Default Web site that has a pending certificate request.

  3. Right-click the Default Web Site and then click Properties.

  4. Click the Directory Security tab.

  5. In the Secure Communications section, click Server Certificate.

  6. On the Web Site Certificate Wizard, click Next.

  7. Choose to Process the Pending Request and Install the Certificate. Click Next.

  8. Type the location of the certificate response file (you may also browse to the file), and then click Next.

  9. Read the summary screen to be sure that you are processing the correct certificate, and then click Next.

  10. You will see a confirmation screen. When you have read this information, click Next.

  11. Click Yes on the Message box warning and then click Finish.
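The following is an added example, not part of the original document, that performs procedures 2 through 4 (request, submit, install) from the command line with certreq.exe instead of the IIS Web Site Certificate Wizard. certreq with an INF file is the supported way to do this on later Windows versions; the names news.adatum.com, Fabrikam, Sales, Redmond, Washington and the CA "ca01.adatum.com\Adatum Issuing CA" are assumptions for the example.

```powershell
# Added example (not from the original document): procedures 2 to 4 with certreq.exe
# instead of the IIS Web Site Certificate Wizard. Run as an administrator on the
# computer that holds the private key at request time (the published Web server).
# Assumed names: news.adatum.com, Fabrikam/Sales, Redmond/Washington/US, and an
# issuing CA reachable as "ca01.adatum.com\Adatum Issuing CA".

# CN rule from the text: the name the SSL client of this certificate will use.
$SubjectName = 'news.adatum.com'        # certificate destined for ISA Server: the public name
# $SubjectName = 'webserver.adatum.com' # optional second certificate that stays on the Web server

$Work = 'C:\certwork'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# certreq reads the request parameters from an INF file; comments start with a semicolon.
$Inf = @"
[NewRequest]
; Keep the subject values alphanumeric (see the note in procedure 2). S= is the state.
Subject = "CN=$SubjectName, OU=Sales, O=Fabrikam, L=Redmond, S=Washington, C=US"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
; Exportable is what later allows procedure 5 to export the private key for ISA Server.
Exportable = TRUE
; Store the key under the computer account, as the IIS wizard does.
MachineKeySet = TRUE
; KeySpec 1 = AT_KEYEXCHANGE, required for SSL key exchange.
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
; PKCS10 produces the same base64 request that the certsrv "Saved Request" page accepts.
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1
"@
Set-Content -Path "$Work\request.inf" -Value $Inf -Encoding Ascii

# Procedure 2: generate the key pair and the request file (the wizard's Certreq.txt).
certreq.exe -new "$Work\request.inf" "$Work\certreq.txt"

# Procedure 3: submit the request. Offline, carry certreq.txt to the CA and paste it into the
# certsrv page as the document describes. Online, against an enterprise CA, the Web Server
# template is named with -attrib; a stand-alone CA ignores it and may hold the request
# pending, in which case retrieve it later with: certreq.exe -retrieve <RequestId> certnew.cer
certreq.exe -submit -config 'ca01.adatum.com\Adatum Issuing CA' `
    -attrib 'CertificateTemplate:WebServer' "$Work\certreq.txt" "$Work\certnew.cer"

# Procedure 4: install the response. -accept matches it to the pending request and its private key.
certreq.exe -accept "$Work\certnew.cer"

# Check the result before exporting it (procedure 5): a private key must be attached.
$Pattern = '^CN=' + [regex]::Escape($SubjectName) + '(,|$)'
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $Pattern -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $Cert) {
    throw "No certificate with a private key for $SubjectName in LocalMachine\My; -accept did not match a pending request"
}
$Cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint, HasPrivateKey
```

The only value that changes between the two certificates of a Web publishing deployment is $SubjectName: the public name for the certificate that will move to ISA Server, the internal FQDN for the one that stays on the Web server.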

5. Exporting a certificate from the Web server computer to the ISA server computer

Follow this procedure to export a certificate from the Web server computer to the ISA Server computer.

  1. Click Start, Run. In the Open field type MMC, then click OK.

  2. Click Console, Add/Remove Snap-in. Click the Add button.

  3. Select Certificates, Click Add and choose Computer account, Click Next.

  4. Select Local Computer, Click Finish, Click Close and Click OK.

  5. Expand the Personal folder, and then expand Certificates. A certificate with the name of your Web site appears in the Issued To column in the right pane.

  6. Right-click your certificate, Click All Tasks, and then click Export.

  7. In the Export window, click Next.

  8. Click Yes, export the private key, and then click Next.

    Note: If you do not have the option to click Yes in the Export Private Keys window, the private key has already been exported to another computer or the key never existed on this computer. You cannot use this certificate on ISA Server. You must request a new certificate for this site for ISA Server.

  9. Select Personal Information Exchange. Maintain the default setting for all three checkboxes.

  10. Assign a password to protect the exported file, and confirm it.

  11. Assign a file name and location.

  12. Click Finish. Safeguard the file that you just created: it contains the private key, and anyone who obtains it together with its password can impersonate the site. Your ability to use the SSL protocol on ISA Server also depends on this file.

  13. Copy the file that you created to the ISA Server computer.

6. Installing the certificate on the ISA server computer

Follow this procedure to install the certificate on the ISA Server computer.

  1. Click Start, Run. In the Open field type MMC, then click OK.

  2. Click Console, Add/Remove Snap-in. Click the Add button.

  3. Select Certificates, Click Add and choose Computer account, Click Next.

  4. Select Local Computer, Click Finish, Click Close and Click OK.

  5. Click the Personal folder.

  6. Right-click the Personal folder, point to All Tasks, and then click Import.

  7. In the Import Wizard, click Next.

  8. Make sure that your file is listed, and then click Next.

  9. Type the password for this file.

  10. Click to select the Mark the private key as exportable check box.

  11. Click Next.

  12. Click Finish.

  13. Under the Personal folder, when you see a subfolder named Certificates, click the Certificates folder and verify that you see a certificate with the name of the Web site address, for example, news.adatum.com.

7. Removing the certificate from the Web server computer

Follow this procedure to remove the certificate from the Web server computer

  1. On the Web server computer, open the Internet Services Manager.

  2. Expand the server node, right-click the Default Web Site node, and then click Properties.

  3. Click the Directory security tab. In the Secure Communications section, click Server Certificate. This starts the new Web Site Certificate Wizard.

  4. Click Next.

  5. Select Remove the current certificate and click Next.

  6. Click Next, then click Finish.

  7. Close the Internet Services Manager.
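The following is an added example, not part of the original document, that performs the certificate transfer of procedures 1, 5, 6 and 7 with the Windows PKI cmdlets (available on later Windows versions) and adds the checks a practitioner wants before touching the Web publishing rule. The names news.adatum.com, the paths under C:\certwork and the root CA file name are assumptions; the removal step deletes the key material from the Web server, which is stricter than the wizard's removal of the site binding.

```powershell
# Added example (not from the original document): procedures 1, 5, 6 and 7 with the PKI
# cmdlets. Sections are marked with the computer they run on. Assumptions: the certificate
# CN is news.adatum.com, files live under C:\certwork, and AdatumRootCA.cer is the root
# certificate obtained in procedure 1.

$PublicName = 'news.adatum.com'
$PfxPath    = 'C:\certwork\news.adatum.com.pfx'
$RootPath   = 'C:\certwork\AdatumRootCA.cer'
$Pattern    = '^CN=' + [regex]::Escape($PublicName) + '(,|$)'

# ---- On the Web server: procedure 5, export certificate and private key ----
$WebCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $Pattern -and $_.HasPrivateKey } | Select-Object -First 1
if (-not $WebCert) { throw "No certificate with a private key for $PublicName on this computer" }

# The PFX carries the private key: use a strong password and keep the file off shared locations.
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
# BuildChain includes the issuing chain, like "Include all certificates in the certification path".
# If this fails because the key is not exportable, request a new certificate (note in step 8).
Export-PfxCertificate -Cert $WebCert -FilePath $PfxPath -Password $PfxPassword -ChainOption BuildChain | Out-Null

# ---- On the ISA Server computer: procedure 1 (root) and procedure 6 (certificate) ----
# The root of the issuing CA, so this computer can build the chain for its own certificate.
Import-Certificate -FilePath $RootPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
# Import into the computer's Personal store, where ISA Server looks for it. -Exportable is
# "Mark the private key as exportable"; omit it if you will never need to export from ISA Server.
$IsaCert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
    -Password $PfxPassword -Exportable

# Verify before configuring the rule: private key present, name equals what clients type, and
# the chain builds to a root this computer trusts (Test-Certificate uses the local stores).
if (-not $IsaCert.HasPrivateKey) { throw 'Imported certificate has no private key' }
if (-not (Test-Certificate -Cert $IsaCert -Policy SSL -DNSName $PublicName)) {
    throw "Certificate does not validate for $PublicName on this computer (name, chain or EKU)"
}
$IsaCert | Format-List Subject, Issuer, NotAfter, Thumbprint, HasPrivateKey

# ---- Back on the Web server: procedure 7 ----
# Once ISA Server holds the key, remove certificate and key here and delete the PFX copy.
Remove-Item -Path "Cert:\LocalMachine\My\$($WebCert.Thumbprint)" -DeleteKey
Remove-Item -Path $PfxPath -Force
```

Test-Certificate with -DNSName is the same check the client's browser will make at hop 1: a certificate whose CN is webserver.adatum.com imported by mistake fails it here rather than in front of external users.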

SSL Bridging

If you are publishing a server that requires SSL communication, you must have a digital certificate installed on your ISA Server computer. In addition, you may have a digital certificate installed on the Web server. In either case, to ensure that SSL requests are sent from the ISA Server computer to the Web server using the appropriate protocol, you have to configure SSL bridging accordingly.

SSL bridging is a property for each Web publishing rule. SSL bridging determines whether SSL requests received by the ISA Server computer are passed to the Web server as SSL requests or as HTTP requests, as follows:

  • If there is no digital certificate installed on the Web server, pass SSL and HTTP requests to the Web server as HTTP requests. The SSL-secured communication is terminated by ISA Server and continues internally as HTTP, so traffic between ISA Server and the Web server is unencrypted on the internal network.

  • If there is a digital certificate installed on the Web server, pass SSL requests to the internal Web server as SSL requests, and HTTP requests as HTTP requests. In this case, SSL-secured communication takes place on both the client-ISA and on the ISA-Web server levels.

If your Web server has a digital certificate, and you want ISA Server to listen for SSL requests without purchasing an additional certificate, you have to export the certificate from the Web server and import it to the ISA Server computer. For more information, see HOW TO: Export, Install, and Configure Certificates to Internet Security and Acceleration Server (https://go.microsoft.com/fwlink/?LinkID=10713)

To modify the SSL bridging configuration

  1. Click the Web Publishing Rules node.

  2. Double-click the applicable Web publishing rule.

  3. Select the Bridging tab.

  4. For the first two redirection options, select the appropriate redirection:

    • If you are using the ISA Server digital certificate to handle SSL requests, in Redirect HTTP requests as: and Redirect SSL requests as: select HTTP requests, and then click OK. This configuration is shown in the figure.

      [Figure: Bridging tab of a Web publishing rule, with both HTTP requests and SSL requests redirected as HTTP requests]

    • If you want to continue to use an existing digital certificate on the Web server as well as the certificate on the ISA Server, in Redirect HTTP requests as: select HTTP requests and in Redirect SSL requests as: select SSL requests, and then click OK.

    Note: There are two other options available on the Bridging tab:

    • Require secure channel (SSL) for published site rejects plain HTTP requests that ISA Server receives for this site. Under it you can additionally require 128-bit encryption for the SSL requests that are accepted.

    • Use a certificate to authenticate to the SSL Web server enables you to specify the client certificate that ISA Server presents to the Web server when it opens the SSL connection on the ISA-to-Web server hop.
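The following is an added example, not part of the original document, for checking both SSL hops of a bridged Web publishing rule. It opens an SSL connection with a .NET SslStream and reports what the validating side of each hop sees, which is how name or trust problems in the ISA-to-Web server hop show up. The names news.adatum.com, isa01.adatum.com and webserver.adatum.com, and the use of port 443 on the Web server, are assumptions; PowerShell with .NET is required on the computer running it.

```powershell
# Added example (not from the original document): verify both hops of a bridged SSL Web
# publishing rule. Assumptions: destination set name news.adatum.com, ISA listener reachable
# as isa01.adatum.com, SSL requests redirected as SSL to webserver.adatum.com on port 443.

function Test-SslHop {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,  # name the client validates the certificate against
        [string] $ConnectTo = $HostName,                     # where the TCP connection is opened
        [int] $Port = 443
    )
    # Record the policy errors instead of aborting the handshake, so one run reports everything.
    $seen = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] ({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $seen.Errors = $sslPolicyErrors
        return $true
    }.GetNewClosure())

    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $ConnectTo, $Port
    try {
        $stream = $client.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $callback
        # Name check and chain building use the stores of the computer running this function.
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        [pscustomobject]@{
            HostName     = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Protocol     = $ssl.SslProtocol
            PolicyErrors = $seen.Errors   # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors
        }
    } finally {
        $client.Close()
    }
}

# Hop 1: what an external client validates. Run it from a client if possible; run from the ISA
# computer it proves the name and the ISA computer's own root store, not the client's.
Test-SslHop -HostName 'news.adatum.com' -ConnectTo 'isa01.adatum.com'

# Hop 2: what ISA Server validates when SSL requests are redirected as SSL. Run this on the
# ISA Server computer, because the chain is built against its Trusted Root store (procedure 1).
#   RemoteCertificateNameMismatch: the Web server certificate CN is not the name ISA uses.
#   RemoteCertificateChainErrors:  the issuing root is missing from the ISA computer's root store.
Test-SslHop -HostName 'webserver.adatum.com'
```

A PolicyErrors value of None on hop 2 from the ISA Server computer is the condition under which "Redirect SSL requests as: SSL requests" works; any other value reproduces, on the command line, the failure the rule will report.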

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, places, or events is intended or should be inferred.

For More Information

More information about digital certificates and ISA Server can be found at HOW TO: Export, Install, and Configure Certificates to Internet Security and Acceleration Server.