ISA Server 2000 Feature Pack 1

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Microsoft ISA Server 2000 Feature Pack 1, Version 1

The Web filter for authentication for RSA SecurID introduces functionality to authenticate users, based on authentication credentials for RSA SecurID. RSA SecurID is based on technology from RSA Security, Inc.

This document describes the steps required to publish a Web server that requires users to authenticate using RSA SecurID credentials. This document focuses on these scenarios:

  • Authentication for RSA SecurID using ISA Server

  • Dual authentication schemes

  • Dual co-located authentication schemes

  • Authentication for RSA SecurID on Microsoft Internet Information Services (IIS) server

  • Microsoft Exchange Outlook Web Access publishing with authentication for RSA SecurID

On This Page

Hardware Requirements
Software Requirements
Before You Begin
Scenario 1: Authentication for RSA SecurID Using ISA Server
Scenario 2: Dual Authentication Schemes
Scenario 3: Dual Co-located Authentication Schemes
Scenario 4: Authentication for RSA SecurID on IIS Server
Scenario 5: Outlook Web Access Publishing
Troubleshooting
Additional Tips and Hints

Hardware Requirements

For the scenarios described here, you need three computers and a connection to the Internet. One computer serves as the Web server and is located on the internal corporate network, which the ISA Server computer protects. A second computer runs ISA Server and has two network adapters: one connected to the internal network, and one connected to the Internet. To test the setup, you also need a third computer that is external to your network, with a connection to the Internet.

The RSA ACE/Server that ISA Server authenticates against is assumed to exist already and to be reachable from the ISA Server computer's internal adapter.

Software Requirements

The ISA Server computer must have:

  • Microsoft Windows 2000 Server or Windows 2000 Advanced Server with Service Pack 3, or Windows Server 2003

  • ISA Server with Service Pack 1

  • ISA Server Feature Pack 1

  • Web filter for authentication for RSA SecurID

The Web server must have either Windows 2000 Server, Windows 2000 Advanced Server, or Windows Server 2003 installed. Internet Information Services (IIS), which you will use to publish the Web site, is included in Windows 2000 Server, Windows 2000 Advanced Server, and Windows Server 2003.

Before You Begin

To save time during configuration, verify that the public name of the Web site is mapped by a public Internet DNS server to the external IP address of ISA Server.

Note: You must have administrator privileges to perform many of these tasks.

Scenario 1: Authentication for RSA SecurID Using ISA Server

Procedures

You will perform the following steps, described in the following sections, to configure this scenario:

  1. Set up ISA Server as an RSA ACE/Agent.

  2. Add users to the ISA Server Agent Host record on the ACE Server computer.

  3. Test connectivity with the ACE Server computer.

  4. Create a Web publishing rule.

  5. Configure a secure connection between the client and the ISA Server computer.

Step 1. Set up ISA Server as an RSA ACE/Agent

To set up ISA Server as an RSA ACE/Agent

  1. On the ACE Server computer, click Start, click Programs, click RSA ACE Server, and then click Database Administration - Host Mode.

  2. On the Agent Host menu, click Add Agent Host....

  3. In Name, type the name of the ISA Server computer.

  4. In Network address, type the IP address of the ISA Server computer if it is not filled in automatically. Note this IP address: the ACE Server identifies the agent by it, and a mismatch is a common cause of failed authentication (see Troubleshooting).

  5. Copy the Sdconf.rec file, located in the ACE\Data folder on the RSA ACE/Server computer, to the %windir%\system32 folder on the ISA Server computer. Sdconf.rec tells the agent how to reach the ACE Server.

Step 2. Add users to the ISA Server Host record on the ACE Server computer

Users with valid authentication credentials must be specified on the ACE Server computer. For instructions on adding users to the ISA Server Host record on the ACE Server computer, refer to the ACE Server documentation.

Step 3. Test connectivity with ACE Server computer

To test connectivity with the ACE Server computer

  1. From a command prompt, type ISA_installation_directory\sdtest.exe.

  2. In RSA SecurID Authentication Information, click RSA ACE/Server Test Directly.

  3. In RSA SecurID Authentication, type the user name in Enter User Name and the passcode in Enter PASSCODE.

  4. Click OK when the Authentication successful message displays.

Tip: If you cannot establish connectivity with the ACE Server computer, refer to the Troubleshooting section in this document.

Step 4. Create a Web publishing rule for the Web site

To configure a Web publishing rule

  1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the applicable array, click Publishing, and then click Web Publishing Rules.

  2. In the details pane, right-click the applicable Web publishing rule, and then click Properties.

  3. On the SecurID tab, select Enable authentication.

Step 5. Configure a secure connection between the client and the ISA Server computer

To configure a secure connection between the client and the ISA Server computer, you must:

  • Enable the Web filter for authentication for RSA SecurID

  • Configure the Web publishing rule

  • Configure the applicable incoming Web request listener

To enable the Web filter for authentication for RSA SecurID

  1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the applicable array, click Extensions, and then click Web Filters.

  2. In the details pane, right-click the Web filter for authentication for RSA SecurID, and then click Enable.

  3. Restart the Web Proxy service.

To configure the Web publishing rule

  1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the applicable array, click Publishing, and then click Web Publishing Rules.

  2. In the details pane, right-click the applicable rule and then click Properties.

  3. On the Bridging tab, select Require secure channel (SSL) for published site.

To configure the incoming Web request listener

  1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, and then right-click the applicable array.

  2. On the Incoming Web Requests tab, verify that Enable SSL listeners is enabled for the appropriate incoming Web request listener.

  3. Verify that a server certificate is configured for the incoming Web request listener.

Scenario 2: Dual Authentication Schemes

In this scenario, authentication for both RSA SecurID and Windows is required to access a Web site. Windows authentication is configured on the Web server. ISA Server performs the authentication for RSA SecurID.

Procedures

To configure this scenario, first perform the steps described in Scenario 1: Authentication for RSA SecurID Using ISA Server. Then, perform the following step:

  • On the ACE Server computer, add to the ISA Server Agent Host record every user who was previously allowed to authenticate through the IIS server's Agent Host record. ISA Server now performs the RSA SecurID authentication, so the ACE Server must accept those users on behalf of the ISA Server agent.

Scenario 3: Dual Co-located Authentication Schemes

In this scenario, authentication for both RSA SecurID and Windows is required to access a Web site. Authentication for Windows and RSA SecurID is configured on the Web server. Authentication for RSA SecurID is also configured on the ISA Server computer.

Because both ISA Server and the Web server perform RSA SecurID authentication in this scenario, it is recommended to allow delegation of the RSA SecurID credentials (the authentication cookie) from ISA Server to the Web server, so that the Web server accepts the cookie issued by ISA Server instead of challenging the user a second time.

Procedures

In addition to the steps described in Scenario 2: Dual Authentication Schemes, you must perform the following:

  1. Guarantee that ISA Server and IIS Server both use the same cookie.

  2. Configure ISA Server to ignore the browser's IP address.

  3. Configure IIS Server to ignore the browser's IP address.

Step 1. Guarantee that ISA Server and IIS Server both use the same cookie

First, generate a cookie on the ISA Server computer. Then, import this cookie to the IIS Server computer.

To configure the same cookie for both ISA Server and IIS Server:

  1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the applicable array, click Publishing, and then click Web Publishing Rules.

  2. In the details pane of the Web publishing rule, right-click the applicable Web publishing rule and then click Properties.

  3. On the RSA SecurID tab, select Enable RSA Web Access Authentication Feature Set for this rule.

  4. In Cookie Expiration Control, click Manage Domain Configuration.

  5. Select Enable Domain Cookies.

  6. Click Manage Domain Secret.

  7. Click Generate New Domain Secret for This Web Publishing Rule, and then click OK.

  8. Browse to the folder where you want to store the domain secret file (for example, domain.sdi) and click Save.

  9. In Password and Confirm, type the password to protect the domain secret file.

    The password must contain at least six characters.

  10. On the IIS server, import the domain secret file (you will need the password you set in the previous step), so that both servers sign and validate the domain cookie with the same secret.

Step 2. Configure ISA Server to ignore the browser's IP address

To configure ISA Server to ignore the browser's IP address:

  1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the applicable array, click Publishing, and then click Web Publishing Rules.

  2. In the details pane, right-click the applicable Web publishing rule and then click Properties.

  3. On the RSA SecurID tab, select Enable RSA Web Access Authentication Feature for this rule.

  4. On the RSA SecurID tab, select Ignore Browser IP Address for Cookie Validation.

Step 3. Configure IIS Server to ignore the browser's IP address

To configure IIS Server to ignore the browser's IP address:

  • On the RSA SecurID tab of the Web Site Properties dialog, check Ignore Browser IP Address for Cookie Validation.

Important: In this case, the Web server's client is actually the ISA Server computer. The IP address embedded in the cookie is that of the browser that received the cookie from ISA Server; the Web server, however, sees the ISA Server computer's address as its client. The two addresses therefore never match, and cookie validation on the Web server fails unless the browser IP check is ignored.
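The cookie mechanics that Scenario 3 depends on (one domain secret shared by ISA Server and IIS, an IP address bound into the cookie, and the mismatch that appears when IIS sees ISA Server as its client) can be modelled in a few lines. The following is an added example for illustration, not code from the original document or from RSA's agent: the cookie layout, the use of HMAC-SHA256, the 600-second lifetime and the sample addresses are all assumptions of this example, and the real RSA ACE/Agent cookie format is not documented here.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample values (assumptions of this example, not from the page).
DOMAIN_SECRET = b"example-domain-secret-exported-from-isa"  # what domain.sdi would carry
BROWSER_IP = "203.0.113.10"    # external client that authenticated at ISA Server
ISA_INTERNAL_IP = "10.0.0.1"   # address IIS sees as "the client" for proxied requests


def make_cookie(secret: bytes, user: str, client_ip: str, issued: int) -> str:
    """Issue a cookie bound to the browser's IP and signed with the domain secret."""
    payload = f"{user}|{client_ip}|{issued}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    # URL-safe base64 never contains '.', so it is a safe separator.
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(mac).decode())


def validate_cookie(secret: bytes, cookie: str, seen_ip: str, now: int,
                    ignore_browser_ip: bool = False, max_age: int = 600):
    """Return (True, user) or (False, reason). seen_ip is the TCP peer address."""
    try:
        p64, m64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"        # different (or missing) domain secret
    user, bound_ip, issued = payload.decode().split("|")
    if now - int(issued) > max_age:
        return False, "expired"
    if not ignore_browser_ip and bound_ip != seen_ip:
        return False, "ip mismatch"          # what IIS sees behind ISA Server
    return True, user


def run_scenario(iis_secret: bytes = DOMAIN_SECRET, iis_ignore_ip: bool = False):
    """Validate one cookie first at ISA Server, then at IIS; return both outcomes."""
    issued = 1_000_000
    cookie = make_cookie(DOMAIN_SECRET, "alice", BROWSER_IP, issued)
    # ISA Server talks to the browser directly, so the bound IP matches.
    at_isa = validate_cookie(DOMAIN_SECRET, cookie, BROWSER_IP, now=issued + 5)
    # IIS's TCP peer is ISA Server, not the browser.
    at_iis = validate_cookie(iis_secret, cookie, ISA_INTERNAL_IP, now=issued + 6,
                             ignore_browser_ip=iis_ignore_ip)
    return at_isa, at_iis


if __name__ == "__main__":
    print("same secret, IP check on :", run_scenario())
    print("same secret, IP ignored  :", run_scenario(iis_ignore_ip=True))
    print("different secret         :", run_scenario(iis_secret=b"other"))
```

Running the three cases shows why each step of Scenario 3 exists: without the shared secret IIS rejects the signature; with the secret but with the browser IP check on, IIS rejects the cookie because its client is ISA Server; only with both the shared secret and Ignore Browser IP Address for Cookie Validation does the cookie pass. Ignoring the IP also removes the one check that would reject a stolen cookie presented from another address, which is why the SSL recommendation under Additional Tips and Hints matters more in this scenario.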

Scenario 4: Authentication for RSA SecurID on IIS Server

In this scenario, the Web server authenticates for RSA SecurID, and the ISA Server computer does not authenticate at all. You do not install the Web filter for authentication for RSA SecurID on the ISA Server computer. Nonetheless, some configuration is required on the ISA Server computer, to enable pass-through authentication.

During the authentication process, the client sends requests of the form /WebID/* to the Web server. To allow this process through ISA Server, you must configure a Web publishing rule that allows anonymous access to the content on the Web server whose path begins with /WebID/; that is, include the path /WebID/* in the destination set specified in the rule.

For example, suppose you publish a virtual directory /docs on a Web site with the internal name localfs.microsoft.com whose externally resolvable name is www.microsoft.com. This may be enabled by a Web publishing rule that allows a specific destination set, which includes www.microsoft.com and the path /docs.

You will perform the following steps, described in the following sections, to configure this scenario:

  1. Create a destination set.

  2. Create a Web publishing rule.

Step 1. Create a destination set

To create a destination set

  1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the applicable array, click Policy Elements, right-click Destination Sets, click New, and then click Set.

  2. In Name, type MyDocs. Then, click Add.

  3. In Destination, type www.microsoft.com.

  4. In Path, type /docs/*, and then click OK.

  5. Click Add again, type www.microsoft.com in Destination and /WebID/* in Path, and then click OK. The destination set must contain both the published content and the /WebID/* path used during authentication.

Step 2. Create a Web publishing rule

To create a Web publishing rule

  1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the applicable array, click Publishing, right-click Web Publishing Rules, click New, and then click Rule.

  2. In Name, type My Rule. Then, click Next.

  3. In Destination Sets, choose Specified destination set.

  4. In Name, select MyDocs. Then, click Next.

  5. On the Client Type page, select Any request. Then, click Next.

  6. On the Rule Action page, choose Redirect the request to this internal Web Server (name or IP Address). Type localfs.microsoft.com in the text box.

  7. Click Next, and then click Finish.

The rule must apply to Any request (or to a specific client address set) rather than to authenticated users. ISA Server itself performs no authentication in this scenario; if it demanded credentials for the /WebID/* path, the RSA SecurID exchange between the browser and the Web server could not pass through.
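To make the pass-through configuration concrete, the following added example (not code from the original document or from ISA Server) models ISA Server's ordered, first-match Web publishing rule evaluation with the MyDocs destination set from this scenario, and shows what happens to the browser's /WebID/* requests when that path is left out of the destination set. The rule attributes, the request path /WebID/form and the default-deny outcome for unmatched requests are simplifications of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def path_matches(pattern: str, path: str) -> bool:
    """ISA-style destination path: a trailing '*' matches any suffix, else exact."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


@dataclass
class DestinationSet:
    name: str
    entries: List[Tuple[str, str]]   # (external host name, path pattern)

    def matches(self, host: str, path: str) -> bool:
        return any(h.lower() == host.lower() and path_matches(p, path)
                   for h, p in self.entries)


@dataclass
class WebPublishingRule:
    name: str
    destination: DestinationSet
    internal_server: str
    isa_requires_securid: bool   # True: ISA's own SecurID filter challenges (Scenario 1)


def evaluate(rules: List[WebPublishingRule], host: str, path: str,
             authenticated_at_isa: bool = False) -> Tuple[str, Optional[str]]:
    """First matching rule wins; with no match ISA Server denies the request."""
    for rule in rules:
        if rule.destination.matches(host, path):
            if rule.isa_requires_securid and not authenticated_at_isa:
                return ("challenge", None)          # SecurID form served by ISA Server
            return ("forward", rule.internal_server)
    return ("deny", None)


def scenario4_rules(include_webid: bool = True) -> List[WebPublishingRule]:
    """Scenario 4: ISA Server passes everything through; IIS authenticates."""
    entries = [("www.microsoft.com", "/docs/*")]
    if include_webid:
        entries.append(("www.microsoft.com", "/WebID/*"))
    my_docs = DestinationSet("MyDocs", entries)
    return [WebPublishingRule("My Rule", my_docs, "localfs.microsoft.com",
                              isa_requires_securid=False)]


def scenario1_rules() -> List[WebPublishingRule]:
    """Scenario 1: same destination, but ISA Server's SecurID filter is enabled."""
    my_docs = DestinationSet("MyDocs", [("www.microsoft.com", "/docs/*")])
    return [WebPublishingRule("My Rule", my_docs, "localfs.microsoft.com",
                              isa_requires_securid=True)]


if __name__ == "__main__":
    for path in ("/docs/index.htm", "/WebID/form", "/admin/"):
        print(path, evaluate(scenario4_rules(), "www.microsoft.com", path))
    print("/WebID/form without the /WebID/* entry:",
          evaluate(scenario4_rules(include_webid=False), "www.microsoft.com", "/WebID/form"))
```

With both entries present, the published content and the authentication requests are forwarded to localfs.microsoft.com and the Web server's RSA agent does the challenging; drop the /WebID/* entry and the agent's own requests are denied at ISA Server, which is the symptom to look for when Scenario 4 users never get past the logon form.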

Scenario 5: Outlook Web Access Publishing

This scenario is similar to the other scenarios described in this document. In this scenario, an Outlook Web Access server, located behind the ISA Server computer on the internal network, is made accessible to external users.

First, perform the steps described in Scenario 1: Authentication for RSA SecurID Using ISA Server. Then, perform the following steps:

  1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the applicable array, click Publishing, right-click Web Publishing Rules, click New, and then click Publish Outlook Web Access Server.

  2. On the Name of Published Server page, select the Use an SSL connection... option.

  3. On the Secure Connection from Client page, select the Enable SSL. Clients must use SSL... option.

  4. Enable RSA SecurID for the Web publishing rule created by the wizard.

Troubleshooting

This section describes some common issues that you might encounter when configuring authentication for RSA SecurID.

Sdtest Cannot Authenticate with the ACE Server Computer

If you receive the message "Cannot communicate with RSA ACE/Server," try the following:

  • Verify that the authentication service on the ACE Server computer is started. If necessary, start the service, and verify that communication has been established.

  • If the ACE Server computer is not in the Local Address Table (LAT), packet filtering on ISA Server may be blocking the agent's traffic to it. Create a packet filter that allows the RSA SecurID authentication port recorded in Sdconf.rec (UDP port 5500 by default) between the ISA Server computer and the ACE Server computer.

  • Check the Event Viewer's application log for an event that indicates Multihomed host detected; Primary IP assumed is x.x.x.x.

    If x.x.x.x is not the IP address by which the ACE Server computer identifies the ISA Server computer, add a value named PrimaryInterfaceIP of type REG_SZ to the HKEY_LOCAL_MACHINE\Software\SDTI\ACECLIENT registry key. Set the value to the IP address of the interface on the ISA Server computer that communicates with the ACE Server computer.

Node Verification Failed

If the log on the ACE Server computer contains the message "Node Verification Failed," try the following:

  1. On the ISA Server computer, delete the HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\ACECLIENT\NodeSecret key from the registry.

  2. On the ACE Server computer, on the Agent Host menu, select Edit Agent Host.

  3. Select the ISA Server computer that you are troubleshooting, and then verify that Sent Node Secret is not selected (clear it if necessary), so that a fresh node secret is exchanged on the next successful authentication.

  4. On the ISA Server computer, verify if you can use sdtest successfully.

Requests Pass Anonymously

If requests sent to a Web publishing rule, for which authentication for RSA SecurID is enabled, do not receive the RSA authentication form and pass anonymously, try the following:

  • Verify that the filter is enabled (under Extensions\Web Filters) and that authentication for SecurID is enabled in the Web publishing rule.

  • Restart the Web Proxy service.

  • Check the event log for an event with Error Code 0x7e whose text states that the sdisa.dll filter failed to load. 0x7e is the Windows error ERROR_MOD_NOT_FOUND ("The specified module could not be found"), so the filter, or a DLL it depends on, is missing or cannot be located. Determine why the filter failed to load; if the cause is not apparent, uninstall and reinstall the Web filter.

Accessing OWA Servers

Users sometimes encounter problems when accessing an OWA server with Netscape Navigator, because pages returned by OWA contain links that refer to the server's internal name. Use the link translation feature, introduced in ISA Server Feature Pack 1, to resolve the issue. Do the following (assuming that the internal name of the OWA server is internalmail.microsoft.com and the external name is mail.microsoft.com):

  1. Enable the Link Translation Web filter.

  2. Enable link translation for the publishing rule that allows access to the OWA server.

  3. On the Link Translation tab of the OWA Web publishing rule, add a dictionary item that replaces the internal name (internalmail.microsoft.com) in returned pages with the external name (mail.microsoft.com) and the secure port of the incoming Web request listener.

Note that if an incoming Web request listener is configured to listen on a secure port other than 443, replace 443 with the specific port.
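The following added example (not code from the original document or from ISA Server's Link Translation filter) shows what a link translation dictionary does to an OWA response: ordered find/replace pairs applied to HTML bodies only, with the listener's secure port substituted for 443 as the note above describes. The sample response, the exact dictionary entries and the use of Content-Length recomputation are assumptions of this example.

```python
from typing import Dict, List, Tuple

# Names from the troubleshooting text; the dictionary entries are this
# example's assumption of what the Link Translation item looks like.
INTERNAL = "internalmail.microsoft.com"
EXTERNAL = "mail.microsoft.com"


def link_dictionary(secure_port: int = 443) -> List[Tuple[str, str]]:
    """Ordered find/replace pairs. Scheme-bearing forms come first so the
    bare host-name entry cannot rewrite an already-translated link twice."""
    return [
        (f"http://{INTERNAL}/",  f"https://{EXTERNAL}:{secure_port}/"),
        (f"https://{INTERNAL}/", f"https://{EXTERNAL}:{secure_port}/"),
        (INTERNAL, EXTERNAL),
    ]


def translate_links(headers: Dict[str, str], body: bytes,
                    dictionary: List[Tuple[str, str]]) -> Tuple[Dict[str, str], bytes]:
    """Rewrite an HTML response body; non-HTML responses pass through untouched."""
    ctype = headers.get("Content-Type", "")
    if not ctype.lower().startswith("text/html"):
        return headers, body
    text = body.decode("utf-8", errors="replace")
    for find, replace in dictionary:
        text = text.replace(find, replace)
    new_body = text.encode("utf-8")
    # The body length changed, so the header the browser relies on must too.
    new_headers = dict(headers)
    new_headers["Content-Length"] = str(len(new_body))
    return new_headers, new_body


# Constructed sample OWA response (not captured from a real server).
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Content-Length": "0"}
SAMPLE_BODY = (b'<a href="http://internalmail.microsoft.com/exchange/">Inbox</a>'
               b'<img src="https://internalmail.microsoft.com/exchweb/logo.gif">'
               b'<script>var host="internalmail.microsoft.com";</script>')


if __name__ == "__main__":
    hdrs, out = translate_links(SAMPLE_HEADERS, SAMPLE_BODY, link_dictionary())
    print(hdrs["Content-Length"], out.decode())
    hdrs, out = translate_links(SAMPLE_HEADERS, SAMPLE_BODY, link_dictionary(8443))
    print(hdrs["Content-Length"], out.decode())
```

The order of the entries is the part worth checking in a real dictionary: if the bare host-name entry ran first, the absolute URLs would become https://mail.microsoft.com/... without the port, and a listener on a port other than 443 would be unreachable.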

Additional Tips and Hints

This section lists some additional information about:

  • Using SSL. If the cookie produced by ISA Server (or any other RSA ACE/Agent) is stolen by a malicious user, it can be replayed to obtain secured Web content by someone who does not have permission. For this reason, it is strongly recommended that RSA SecurID credentials and the resulting cookie be sent only over SSL channels. The SSL connection uses a server certificate to authenticate the ISA Server computer to the client and to encrypt the communication; RSA SecurID provides the means by which the client authenticates itself to ISA Server. Sending the cookie over the secured connection protects it from interception by malicious users.

  • Preventing caching. The Prevent Caching of Protected Pages on Clients option on the RSA SecurID tab of the Web publishing rule prevents pages from being cached by the client browser. However, even with this option enabled, protected pages may still be cached on ISA Server.

    To enhance the security of the system in scenarios such as the one described in the "Scenario 4: Authentication for RSA SecurID on IIS Server" section, it is recommended that you prevent ISA Server from caching Web content that is protected by RSA SecurID authentication on the IIS server; otherwise a cached copy could be served without the Web server ever seeing the request. To do this, create a routing rule that does not cache responses for the specified destination set. See the ISA Server online help for more information.