Walk-through

This section outlines the procedures required to redirect client HTTP requests over HTTPS to an external secure Web server.

This walk-through assumes that you have installed ISA Server 2004 Standard Edition or ISA Server 2004 Enterprise Edition. In the case of Enterprise Edition, you should have installed a Configuration Storage server, and at least one ISA Server array through which you are going to publish the Microsoft Outlook Web Access server. Installation of these ISA Server components is described in ISA Server online Help, and in ISA Server 2004 Enterprise Edition Getting Started at the Windows Server System Web site. You will also need an internal client computer to test access to the external Web site.

Configuring the proposed solution consists of the following steps:

  • Install a client certificate on the ISA Server computer. The external site must trust the client certificate that ISA Server provides. Contact the Web site administrator of the external Web site for instructions on how to obtain a client certificate. It may be provided, or you may need to request a client certificate from an external CA. If you need to request a client certificate from an external CA, you will request the certificate on a computer running Internet Information Services (IIS), and then export it from that computer and import it to the ISA Server computer. If the external organization provides a client certificate, you only need to import it into the certificates Personal store on the ISA Server computer.
  • Verify that ISA Server trusts the CA that issued the server certificate that the external Web site uses. The external Web server will authenticate itself to the ISA Server computer with a server certificate. ISA Server must trust the CA that issued the certificate, indicated by the presence of a root certificate for the CA installed in the Trusted Root Certification Authorities store on the ISA Server computer. If the external Web site has a server certificate issued by a public CA, the root certificate is probably installed by default.
  • Create a URL set. Create a URL set to represent the external SSL Web site. Then use the URL set in an access rule.
  • Create an access rule. Create an access rule allowing access to the external Web site.
  • Create a Web chaining rule. Create a Web chaining rule so that requests to the URL set are routed in accordance with the properties of the rule.
  • Configure bridging. Configure the Web chaining rule to redirect HTTP requests to the URL set over HTTPS.

Procedure 1: Install a Client Certificate on the ISA Server Computer

If you have obtained the client certificate directly from the external organization, you need to import it to the ISA Server computer. If you have obtained a client certificate from a public CA on a computer running IIS, you need to export it from that computer, and import it to the ISA Server computer.

Import the certificate as follows:

  1. Open Internet Explorer, click the Tools menu, and then click Internet Options.
  2. On the Content tab, click Certificates.
  3. In the Certificates dialog box, on the Personal tab, click Import.
  4. On the Welcome to the Certificate Import Wizard page, click Next.
  5. On the File to Import page, enter the name and location in File name, or use the Browse button to locate the file. Then click Next.
  6. In Password, specify the password if one has been specified.
  7. In Certificate Store, select Automatically select the certificate store based on the type of certificate. Then click Next.
  8. Review the settings, and then click Finish.
  9. When a message appears showing that the import was successful, click OK.
  10. Click Close to close the Certificates dialog box.
  11. Click OK to close Internet Options.

Procedure 2: Verify that ISA Server Trusts the CA that Issued the Server Certificate

To verify that ISA Server trusts the server certificate used by the external Web site to authenticate itself over SSL to the ISA Server computer, do the following:

  1. Open Internet Explorer, click the Tools menu, and then click Internet Options.
  2. On the Content tab, click Certificates.
  3. Click the Trusted Root Certification Authorities tab, and check that a root certificate appears for the CA that issued the server certificate to the external Web site. Double-click a certificate to check its validity dates.

If the trusted root certificate does not appear, you must contact the external organization for details of how to obtain it and then install it according to the instructions in Appendix A: Install a Root CA Certificate.
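The two prerequisites covered by Procedures 1 and 2 (a client certificate with its private key in the Personal store, and a trusted root for the external site's issuing CA) can also be checked from PowerShell. The following is an added example, not part of this walk-through or of ISA Server; it assumes a Windows host with the PKI module (Import-PfxCertificate), an assumed PFX path, the Local Computer Personal store, and the walk-through's example host www.contoso.com.

```powershell
# Added example, not part of the ISA Server walk-through. Assumed inputs:
# the PFX file and password supplied by the external organization, and the
# external site's host name (www.contoso.com is the walk-through's example).
$PfxPath      = 'C:\certs\isa-client.pfx'   # assumed path
$PfxPassword  = Read-Host 'PFX password' -AsSecureString
$ExternalHost = 'www.contoso.com'

# Procedure 1: import the client certificate into the Personal store, assumed
# here to be the Local Computer store (Cert:\LocalMachine\My).
$client = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword

# The certificate can only authenticate ISA Server to the external site if
# the private key was imported with it and, when an Enhanced Key Usage
# extension is present, it allows Client Authentication (1.3.6.1.5.5.7.3.2).
if (-not $client.HasPrivateKey) { throw 'Client certificate has no private key.' }
$eku = $client.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })) {
    throw 'Client certificate EKU does not include Client Authentication.'
}

# Procedure 2: fetch the external site's server certificate and check that it
# chains to a CA in Trusted Root Certification Authorities on this computer.
$tcp = New-Object System.Net.Sockets.TcpClient($ExternalHost, 443)
try {
    # Accept whatever the server presents so the handshake completes; the
    # real trust check is the X509Chain.Build call below, not this callback.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($ExternalHost)
    $server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally { $tcp.Close() }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # only trust in the root is checked here
if ($chain.Build($server)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "OK: $ExternalHost chains to trusted root '$($root.Subject)'"
} else {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) $($_.StatusInformation)" }
    'The issuing CA root is not trusted; install it as described in Appendix A.'
}
```

If the chain fails only with a revocation-related status after changing RevocationMode back to Online, the root is trusted and the problem lies with CRL access rather than with the steps above.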

Procedure 3: Create a URL Set

To create a URL set, do the following:

  1. In the console tree of ISA Server Management, click Firewall Policy:
    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.
  2. On the Toolbox tab, click Network Objects.
  3. On the toolbar beneath Network Objects, click New, and then click URL Set.
  4. In Name, type a name for the URL set.
  5. Click New, and then type a URL to include in the set. This is the HTTP address to which the internal clients will make the request. In this example, the address is https://www.contoso.com/extranet.

Procedure 4: Create an Access Rule

To create an access rule, do the following:

  1. In the console tree of ISA Server Management:

    • For ISA Server 2004 Enterprise Edition, for a specific enterprise policy, expand Microsoft Internet Security and Acceleration Server 2004, expand Enterprise, expand Enterprise Policies, and then click Enterprise_Policy.
    • For ISA Server 2004 Enterprise Edition, for array-level firewall policy, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.
  2. Do one of the following:

    • To create an ISA Server 2004 Enterprise Edition enterprise-level access rule, on the Tasks tab, click Create Enterprise Access Rule.
    • To create an ISA Server 2004 Enterprise Edition array-level access rule, on the Tasks tab, click Create Array Access Rule.
    • To create an access rule in ISA Server 2004 Standard Edition, on the Tasks tab, click Create New Access Rule.
  3. On the Welcome page of the New Access Rule Wizard, type a name for the rule. Then click Next.

  4. On the Rule Action page, click Allow. Then click Next.

  5. On the Protocols page, verify that Selected protocols appears in This rule applies to, and then click Add. In the Add Protocols dialog box, expand Common Protocols. Select HTTP, and then click Add. Select HTTPS, and then click Add. Click Close, and then click Next.

  6. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, expand Networks. Select Internal, and then click Add. Click Close, and then click Next.

  7. On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, expand URL Sets. Select the URL set you created, and then click Add. Click Close, and then click Next.

  8. On the User Sets page, All Users is selected by default. Click Next, and then click Finish.

    Note

    If you want to restrict access to the external secure Web site to a limited group of users, you can group those users in a user set, and then apply the rule only to authenticated users in that set. For more information, see the topic "User sets" in ISA Server online Help.

Procedure 5: Create a Web Chaining Rule

To create a Web chaining rule, do the following:

  1. In the console tree of ISA Server Management, click Networks:
    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click Networks.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click Networks.
  2. In the details pane, select the Web Chaining tab.
  3. On the Tasks tab, click Create New Web Chaining Rule.
  4. On the Welcome page of the New Web Chaining Rule Wizard, type a name for the rule, and then click Next.
  5. On the Web Chaining Rule Destination page, click Add to open the Add Network Entities dialog box. Expand URL Sets, and select the URL set you created. Click Add, and click Close. Then click Next.
  6. On the Request Action page, ensure that Retrieve requests directly from the specified destination is selected, and then click Next.
  7. On the summary page, review the configuration, and then click Finish.
  8. In the details pane, click Apply to apply your changes.

Procedure 6: Configure Bridging on the Web Chaining Rule

To configure bridging on the Web chaining rule, do the following:

  1. In the console tree of ISA Server Management, click Networks:
    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click Networks.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click Networks.
  2. In the details pane, select the Web Chaining tab.
  3. Right-click the Web chaining rule you created, and then click Properties.
  4. On the Bridging tab, select the following:
    • In Redirect HTTP requests as, select SSL requests (establish a secure channel to the site).

    • Select Use a certificate to authenticate to the SSL Web server, and then click Select to specify the client certificate to be used for authentication to the external Web site.

      Note

      On the Bridging tab, do not select Require secure channel (SSL) because this will require the client computer making the request to authenticate to the ISA Server computer.