How to Configure ISA SSL Bridging for System Center Configuration Manager Internet-Based Client Management

If you are using Microsoft Internet Security and Acceleration (ISA) Server with the Internet-based client management feature of Microsoft System Center Configuration Manager 2007, configuring SSL to SSL bridging provides a high level of security for Internet traffic. In this scenario, connections from Configuration Manager Internet-based clients are authenticated and terminated at the ISA Server, inspected, and then new SSL connections are made to the Configuration Manager Internet-based site system servers.

The alternative configuration for SSL-to-SSL bridging is to use SSL tunneling with ISA server publishing, which is a less secure option because the SSL traffic from the Internet clients is forwarded to the Configuration Manager Internet-based site system servers without termination, so it cannot be pre-authenticated or inspected for malicious content.

The following sections of this document provide detailed information about the steps required to support ISA SSL-to-SSL bridging for Configuration Manager Internet-based client management:

• Provisioning Active Directory Domain Services with Computer Accounts and a Security Group

• Deploying an Internet-based SAN Client Certificate

• Deploying the Certificates for ISA Server

• Configuring ISA Server for Web Publishing of a Configuration Manager Internet-based Management Point and Distribution Point Site System Server

• Configuring ISA Server for the Web Publishing of a Configuration Manager Internet-based Software Update Point Site System Server

Requirements

The procedures in this document require the following:

• You have an operational Microsoft public key infrastructure (PKI) with root domain or Enterprise Domain administrator access to an issuing certification authority (CA). The example certificate deployments in this document refer to Windows Server 2003 without KB 922706 installed. The hotfix referenced in KB 922706 to support Web enrollment for Windows Vista and Windows Server 2008 removes the option to store an advanced certificate request in the computer store. This option is used in the certificate deployment examples in this document, so if this option is not available on your Web enrollment pages, you must use an alternative certificate deployment method for the examples in this document. For example, you can install the certificate into the user store and then export it and import it into the computer store, or you can use the command-line utility Certreq.exe to request the certificates.

• You have installed and configured ISA Server 2006 or ISA Server 2004 into an Active Directory domain. If you cannot join ISA Server to a domain environment (it is installed on a workgroup computer), you cannot use SSL bridging for Internet-based client management, and you can use server publishing (SSL tunneling) only. For instructions about how to configure ISA Server for server publishing of Configuration Manager Internet-based servers, see Appendix C and Appendix D in this document. For information about installing and other configuration solutions for ISA Server, see https://go.microsoft.com/fwlink/?LinkId=91897.

• You have installed System Center Configuration Manager and have configured a Configuration Manager Internet-based site. The instructions in this document are suitable for a single Configuration Manager Internet-based site system server that has installed one or more Internet-based site system roles, but does not include the Internet-based fallback status point. Additionally, these instructions require that certificate revocation checking is not enabled on Configuration Manager Internet-based clients. For more information about these requirements, see the following resources from the System Center Configuration Manager 2007 documentation library:

  • Determine If You Need to Enable Certificate Revocation Checking (CRL) on Clients (Native Mode) (https://go.microsoft.com/fwlink/?LinkId=120837).

  • Deploying Configuration Manager Sites to Support Internet-based Clients (https://go.microsoft.com/fwlink/?LinkId=120631).

• The Configuration Manager Internet-based site system server is configured to use a native mode certificate that contains the site system’s Internet FQDN in the certificate Subject name. When the site system accepts connections from intranet clients as well as from Internet clients, the certificate Subject name must contain the site system’s configured Internet FQDN, and the certificate Subject Alternative Name (SAN) must contain both the Internet FQDN and the intranet server name. When you are using a SAN, ensure that the Internet FQDN is specified as the Subject name and also as the first SAN entry. For more information about the Configuration Manager certificate requirements, see the following resources from the System Center Configuration Manager 2007 documentation library:

  • Certificate Requirements for Native Mode (https://go.microsoft.com/fwlink/?LinkId=103553).

  • Deploying the PKI Certificates Required for Native Mode (https://go.microsoft.com/fwlink/?LinkId=103566).

Community Resources

Use the following community resources to help you implement an ISA Server solution with Configuration Manager Internet-based client management.

ISA Server:

• TechNet ISA Blog (https://blogs.technet.com/isablog)

• ISAServer.org (https://isaserver.org)

Configuration Manager Internet-based Client Management:

• TechNet forum: System Center Configuration Manager – Internet Clients and Native Mode (https://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=1888&SiteID=17)

Microsoft Certificate Services:

• TechNet forum: Security (https://forums.technet.microsoft.com/en-US/winserversecurity/threads/)

Provisioning Active Directory Domain Services with Computer Accounts and a Security Group

This ISA Server solution requires that Active Directory Domain Services contains computer accounts for each Configuration Manager Internet-based client computer. If any of your Internet-based client computers do not have a computer account that can be authenticated by the ISA Server computer (they are workgroup computers or computers from an untrusted domain), you must first create computer accounts for them in a domain that is trusted by the ISA Server. The computer name that you specify and the domain location will be referenced in the client authentication certificate.

After ensuring that all Internet-based computers have computer accounts in Active Directory Domain Services, create a security group to contain all these computer accounts. This security group will be used by ISA Server to control access to the Configuration Manager Internet-based services.

Deploying an Internet-based SAN Client Certificate

This solution requires that each Internet-based computer has a computer certificate with the following:

• Enhanced Key Usage (EKU) of Client Authentication (OID 1.3.6.1.5.5.7.3.2).

• Optional: Subject name (for example, the computer’s FQDN).

• SAN value, using one of the following formats:

  • For computers that do not belong to the Active Directory forest, use the following UPN (Universal Principal Name) SAN format: upn=<hostname>$@<domain.tld>. In this format, <hostname> is the unqualified name of the Configuration Manager Internet-based client computer and <domain.tld> is the Active Directory domain suffix where the Internet-based client computer account is located. For example, if the computer name is client1 and the computer account is in the contoso.com domain, specify upn=client1$@contoso.com for the SAN value.

  • For computers that belong to the Active Directory forest, use a DNS SAN format: DNS Name=<hostname>.<domain.sfx>. In this format, <hostname> is the unqualified name of the Configuration Manager Internet-based client computer and <domain.sfx> is the DNS domain suffix where the Internet-based client computer account is located. If you have an enterprise CA based on a Workstation Authentication certificate template, deploy client certificates with this DNS SAN format. For example, if the computer name is client1 and the computer account is in the contoso.com domain, a certificate that is requested by using the Workstation Authentication certificate template will have DNS Name=client1.contoso.com for the SAN value.

• Private key.

• Key usage includes signing and encryption.

These certificates can be created and deployed with any CA that issues X.509-compliant certificates and that meets the preceding requirements.

Ensure that your CA supports certificates with the SAN value. By default, a CA does not issue a certificate request with a SAN attribute. To enable SAN attributes on the CA for manual certificate requests, perform the following steps:

1. Log on to the server running Certificate Services by using an administrative account.

2. Click Start, click Run, type cmd, and then press Enter.

3. In the command window, type the following commands:

   1. certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

   2. net stop certsvc

   3. net start certsvc

For more information about using SAN attributes and the security considerations for a production environment, see How to Request a Certificate With a Subject Alternative Name (https://go.microsoft.com/fwlink/?LinkId=196847).

The procedure in this section provides an example deployment of the Configuration Manager Internet-based client certificate with the required SAN. This example uses a Microsoft Windows Server 2003 stand-alone CA that is configured for manual approval, and it uses Web enrollment for a client computer that is running Windows XP. For an example deployment of the same certificate that is created and installed by using an enterprise CA with the Workstation Authentication certificate template, see Appendix A: Deploying an Internet-based Client Certificate with a UPN SAN by Using an Enterprise CA; for an example deployment of a DNS SAN certificate that is created and installed by using an enterprise CA with the Workstation Authentication certificate template, see Appendix B: Deploying an Internet-based Client Certificate with a DNS SAN by Using an Enterprise CA.

If these example deployment methods are not suitable for your environment, refer to your PKI documentation for alternative deployment methods. For example, if the Internet-based client computer does not have access to your CA, you can deploy the certificate to another computer that does have access to the CA, export the certificate, and then import it to the Internet-based client computer. This is the technique used in this document for the certificates to be installed on the ISA Server, and the procedure can easily be modified for the Internet-based client computer.

To Deploy an Internet-based Client Certificate with a UPN SAN by Using a Stand-alone CA:

1. Log on to an Internet-based computer by using an account that has local administrator access.

2. Load Internet Explorer and connect to the Web enrollment service with the address https://<server>/certsrv, where <server> is the name or IP address of the stand-alone CA.

3. On the Welcome page, select Request a certificate.

4. On the Request a Certificate page, click advanced certificate request.

5. On the Advanced Certificate Request page, select Create and submit a request to this CA.

6. On the Advanced Certificate page, specify the following:

   1. Type the FQDN of the requesting computer in the Name box, and then complete the remaining identification fields according to your company requirements.

   2. Select Client Authentication Certificate from the Type of Certificate Needed list.

   3. Select Store certificate in the local computer store in the Key Options section.

   4. Type SAN:upn=<hostname>$@<domain.tld> in the Attributes box where <hostname> is the unqualified name for the Internet-based computer and <domain.tld> is the domain suffix where the computer account is located in Active Directory Domain Services. For example, if the computer name is client1 and the computer belongs to the contoso.com domain, type san:upn=client1$@contoso.com in the Attributes text box.

   5. Type your choice of name in the Friendly Name box for easy identification of this client certificate.

7. Click Submit.

8. On the Certificate Pending page, you will see that your certificate request has been received but requires an administrator to issue the certificate. Make a note of the displayed Request ID, and do not exit Internet Explorer.

9. Log on to the CA, and load the Certification Authority console.

10. Click Pending Requests.

11. In the results pane, you will see the requested certificate with the Request ID that was displayed on the Web enrollment page.

12. Right-click the requested certificate, click All Tasks, and then click Issue.

13. On the Internet-based computer still running Internet Explorer and connected to the Web enrollment service, on the Microsoft Certificate Services Web page, click Home to return to the Welcome page.

14. On the Welcome page, click View the status of a pending certificate request.

15. On the View the Status of a Pending Certificate Request page, click the hyperlink that displays the certificate that you requested.

16. On the Certificate Issued Web page, click Install this certificate.

17. If you are prompted with a Potential Scripting Violation warning message, click Yes.

18. The final page should display a message saying that your new certificate has been successfully installed.

19. Close Internet Explorer.

Deploying the Certificates for ISA Server

The certificates that are needed on the ISA Server are the following:

• An ISA Server Web listener certificate.

• An ISA client authentication certificate.

The ISA Web listener certificate has the following requirements:

• Enhanced Key Usage (EKU) of Server Authentication (OID 1.3.6.1.5.5.7.3.1).

• Subject name contains the Internet FQDN of the Internet-based site system server.

• Private key that must be exportable.

• Key usage includes signing and encryption.

The ISA client authentication certificate has the following requirements:

• Enhanced Key Usage (EKU) of Client Authentication (OID 1.3.6.1.5.5.7.3.2).

• Subject name (for example, the ISA Server computer’s FQDN).

• Private key that must be exportable.

• Key usage includes signing and encryption.

These certificates can be created and deployed with any CA that issues X.509-compliant certificates and that meets the preceding requirements. The following procedures provide an example deployment that uses a Microsoft Windows Server 2003 stand-alone CA with Web enrollment; a domain computer running Windows XP is used to request the certificates.

In these example certificate deployments, the certificate request and issuance uses DCOM, which is unsupported across ISA Server networks. Therefore, another domain computer is used to request and install the certificates so that reconfiguration is not required for DCOM. The certificates are then exported and imported to ISA Server.

To Create the ISA Server Web Listener Certificate by Using a Stand-alone CA:

1. Log on to a domain computer by using an account that has local and domain administrator access.

2. Load Internet Explorer, and connect to the Web enrollment service with the address https://<server>/certsrv, where <server> is the name or IP address of the stand-alone CA.

3. On the Welcome page, select Request a certificate.

4. On the Request a Certificate page, click advanced certificate request.

5. On the Advanced Certificate Request page, select Create and submit a request to this CA.

6. On the Advanced Certificate page, specify the following:

   1. Type the Internet FQDN of the Internet-based site system server in the Name box, and then complete the remaining identification fields according to your company requirements.

   2. Select Server Authentication Certificate from the Type of Certificate Needed list.

   3. Select Mark keys as exportable and Store certificate in the local computer store in the Key Options section.

   4. Type your choice of name in the Friendly Name box for easy identification of this ISA Web listener certificate.

7. Click Submit.

8. On the Certificate Pending page, you will see that your certificate request has been received but requires an administrator to issue the certificate. Make a note of the displayed Request ID, and do not exit Internet Explorer.

9. Log on to the CA and load the Certification Authority console.

10. Click Pending Requests.

11. In the results pane, you will see the requested certificate with the Request ID that was displayed on the Web enrollment page.

12. Right-click the requested certificate, click All Tasks, and then click Issue.

13. On the Internet-based computer still running Internet Explorer and connected to the Web enrollment service, on the Microsoft Certificate Services Web page, click Home on the top right side to return to the Welcome page.

14. On the Welcome page, click View the status of a pending certificate request.

15. On the View the Status of a Pending Certificate Request page, click the link that displays the certificate that you requested.

16. On the Certificate Issued Web page, click Install this certificate.

17. If you are prompted with a Potential Scripting Violation warning message, click Yes.

18. The final page should display that your new certificate has been successfully installed.

19. Close Internet Explorer.

Repeat the preceding procedure, with the following variation for step 6:

To Create the ISA Client Authentication Certificate by Using a Stand-alone CA:

• On the Advanced Certificate page, specify the following:

  1. Type the FQDN of the ISA Server computer in the Name box, and then complete the remaining identification fields according to your company requirements.

  2. Select Client Authentication Certificate from the Type of Certificate Needed list.

  3. Select Mark keys as exportable and Store certificate in the local computer store in the Key Options section.

  4. Type your choice of name in the Friendly Name box for easy identification of this ISA client authentication certificate.

To Export the Certificates From the Requesting Computer:

1. On the computer that has the certificate installed, click Start, click Run, type MMC in the Run dialog box, and then click OK.

2. In the empty console, click File, and then click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins dialog box, click Add.

4. Select Certificates from Available snap-ins, and then click Add.

5. In the Certificates snap-in dialog box, click Computer account, and then click Next.

6. In the Select Computer dialog box, ensure that the option Local computer: (the computer this console is running on) is selected, and then click Finish.

7. In the Add or Remove Snap-ins dialog box, click OK.

8. In the console, expand Certificates (Local Computer).

9. Expand Personal, and then click Certificates.

10. In the results pane, locate the certificate that you installed for the Web listener.

11. Right-click the certificate, click All Tasks, and then click Export.

12. In the Certificate Export Wizard, click Next.

13. On the Export Private Key page, select Yes, export the private key, and then click Next.

14. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.

15. On the Export File Format page, ensure that the following option is selected: Personal Information Exchange - PKCS #12 (.PFX).

16. Optionally, select Delete the private key if the export is successful, which will ensure that the certificate cannot be used on the requesting computer after you have exported it. This will help to ensure that the certificate is used only by the ISA server computer. Alternatively, you can manually delete the certificate on the computer after the export procedure is complete.

17. On the File to Export page, specify the name of a file to contain the exported certificate, and then click Next.

18. To close the wizard, click OK in the Certificate Export Wizard dialog box.

19. Repeat steps 10 through 18 for the client authentication certificate, ensuring that you specify a different file name.

20. Store the files securely, and ensure that you can access them securely from the ISA Server computer.

To Import the Certificates to the ISA Server:

1. On the computer running ISA Server, click Start, click Run, type MMC in the Run dialog box, and then click OK.

2. In the empty console, click File, and then click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins dialog box, click Add.

4. Select Certificates from Available snap-ins, and then click Add.

5. In the Certificates snap-in dialog box, click Computer account, and then click Next.

6. In the Select Computer dialog box, ensure that the option Local computer: (the computer this console is running on) is selected, and then click Finish.

7. In the Add or Remove Snap-ins dialog box, click Add.

8. In the Certificates snap-in dialog box, click Service Account, and then click Next.

9. In the Select Computer dialog box, ensure that the option Local computer: (the computer this console is running on) is selected, and then click Next.

10. In the Certificates snap-in dialog box, select Microsoft Firewall as the Service account, and then click Finish.

11. Click Close, and then click OK.

12. In the console, expand Certificates (Local Computer).

13. Expand Certificates (Local Computer), right-click Personal, click All Tasks, and then click Import to run the Certificates Import Wizard.

14. Follow the wizard instructions to import the file that contains the exported ISA Web listener certificate.

15. In the console, expand Certificates - Service (Microsoft Firewall) on Local Computer, right-click fwsrv\Personal, click All Tasks, and then click Import to run the Certificates Import Wizard.

16. Follow the wizard instructions to import the file that contains the exported ISA client authentication certificate. Ensure that fwsrv\Personal is selected as the certificate store on the Certificate Store page.

Configuring ISA Server for Web Publishing of a Configuration Manager Internet-based Management Point and Distribution Point Site System Server

The following procedure configures ISA Server 2006 for the Web publishing of a Configuration Manager Internet-based server that is configured for an Internet-based management point and an Internet-based distribution point. If you are running ISA Server 2004, the steps are slightly different because of the differences in the console navigation. The equivalent steps for ISA Server 2004 are listed in Appendix C.

The steps required to configure ISA Server for Web publishing of a Configuration Manager Internet-based Management Point and Distribution Point Site System Server are as follows:

• Create the Web listener.

• Modify the Web listener.

• Create the Web publishing rule.

• Modify the Web publishing rule certificate validation.

• Modify the Web publishing rule to enable the required HTTP methods, also known as HTTP verbs.

• Save the changes to ISA policies.

To Create the Web Listener:

1. On the ISA Server computer, load the ISA Server management console.

2. Select Firewall Policy by using the method that applies to your edition of ISA Server:

   • For Standard Edition: In the left pane, expand <Array Name>, and then select Firewall Policy.

   • For Enterprise Edition: In the left pane, expand Arrays, then expand <Array Name>, where <Array Name> is the array in which you want to create the publishing rule, and then select Firewall Policy.

3. In the task pane, click the Toolbox tab.

4. Click Network Objects, click New, and then click Web Listener.

5. On the Welcome to the New Web Listener Wizard page, type a name for the new Web listener, such as ConfigMgr Web Listener for Management Point and Distribution Point, and then click Next.

6. On the Client Connection Security page, ensure that Require SSL secured connections with clients is selected, and then click Next.

7. On the Web Listener IP Addresses page, select the networks where you want this Web listener to operate.

   Note

   If your ISA Server is using a single network adapter template (unihomed), you must choose the Internal network.

8. If you want the Web listener to operate on a specific IP address within the selected network (recommended), perform the following actions:

   1. Select the required network, and then click Select IP Address.

   2. On the <Network Name> Listener IP Selection page, select Specified IP addresses on the ISA Server computer in the selected network.

   3. Select the required IP address, and then click Add. Repeat steps a through c for each network selected for this Web listener.

9. Click OK, and then click Next.

10. On the Listener SSL Certificates page, select Use a single certificate for this web listener, and then click Select Certificate.

11. On the Select Certificate dialog box, select the ISA Server Web listener certificate, click Select, and then click Next.

12. On the Authentication Settings page, select SSL Client Certificate Authentication from the Select how clients will provide credentials to ISA Server list.

13. Click Next, click Next, and then click Finish.

14. If you are prompted to enable the system policy that allows CRL downloads, click Yes.

To Modify the Web Listener:

1. In the ISA Server management console right pane, click the Toolbox tab.

2. Click Network Objects, and then expand Web Listeners.

3. Double-click the new Web Listener.

4. On the <Web Listener Name> Properties dialog box, click the Authentication tab, and then click Advanced.

5. On the Advanced Authentication Options dialog box, click the Client Certificate Trust List tab.

6. Click Only accept client certificates trusted by the Root Certification Authorities selected below, and then select the Certification Authorities that will issue certificates for the Configuration Manager Internet-based computers.

7. Click OK, and then click OK to close the Web listener properties.

To Create the Web Publishing Rule:

1. In the ISA Server management console middle pane, click the rule that you want to be ordered immediately after the new Web publishing rule. Alternatively, you can reorder the new Web publishing rule after it is created.

2. In the left pane, right-click Firewall Policy, click New, and then click Web Site Publishing Rule.

3. On the Welcome to the New Web Publishing Rule Wizard page, type a name for the Web publishing rule, such as ConfigMgr Publishing for Management Point and Distribution Point, and then click Next.

4. On the Select Rule Action page, ensure that Allow is selected, and then click Next.

5. On the Publishing Type page, ensure that Publish a single Web site or load balancer is selected, and then click Next.

6. On the Server Connection Security page, ensure that Use SSL to connect to the published web server or server farm is selected, and then click Next.

7. On the Internal Publishing Details page, specify the following, and then click Next:

   1. Type the Internet FQDN in the Subject name of the certificate that is being used by the Internet-based site system server.

   2. Click Use a computer name or IP address to connect to the published server.

   3. Specify the Configuration Manager Internet-based site system server by entering the IP address.

8. On the second Internal Publishing Details page, type /* in the Path (optional) box, and then click Next.

9. On the Public Name Details page, specify the following, and then click Next:

   1. Ensure that This domain name (type below) is selected.

   2. Type the Internet FQDN of the Internet-based site system server in the Public name box.

   3. Ensure that /* is displayed in the Path (optional) box.

10. On the Select Web Listener page, select the Web listener created for Internet-based clients, and then click Next.

11. On the Authentication Delegation page, ensure that No delegation, but client may authenticate directly is selected, and then click Next.

12. On the Users Sets page, click Add.

13. On the Add Users dialog box, click New to run the New User Set wizard.

14. On the Welcome to the New User Set Wizard page, type a name, such as Internet-based computers, and then click Next.

15. On the Users page, click Add, and then click Windows users and groups.

16. On the Select Users or Groups dialog box, specify the security group that you created previously to contain the computer accounts of the Internet-based computers, and click OK.

17. Click Next, and then click Finish.

18. On the Add Users dialog box, select the new user group, click Add, and then click Close.

19. On the Completing the New Web Publishing Rule Wizard page, click Finish.

To Modify the Web Publishing Rule Certificate Validation:

1. In the ISA Server management console middle pane, double-click the new Web Publishing rule.

2. On the <Web Publishing Rule Name> Properties dialog box, click the Bridging tab.

3. Click Use a certificate to authenticate to the SSL Web server, and then click Select.

4. On the Select Certificate dialog box, select the ISA client certificate that you imported into the Microsoft Firewall personal certificate store, and then click Select.

5. On the <Web Publishing Rule Name> Properties dialog box, click OK.

To Modify the Web Publishing Rule to Enable the required HTTP Methods:

1. In the ISA Server management console middle pane, right-click the Web Publishing rule, and then select Configure HTTP.

2. On the Methods tab, select Allow only specified methods, and then click Add.

3. On the Method dialog box, type an HTTP method in the Method box, and then click OK. Repeat this step to allow the following HTTP methods:

   • HEAD

   • CCM_POST

   • BITS_POST

   • GET

   • PROPFIND

4. On the Configure HTTP policy for rule dialog box, click OK.

To Save the Web Publishing Changes to ISA Policies:

1. Click Apply when it displays in the middle pane of the ISA Server management console.

2. Wait for the policy update process to complete, and then click OK in the Saving Configuration Changes dialog box.

Configuring ISA Server for the Web Publishing of a Configuration Manager Internet-based Software Update Point Site System Server

The following procedure configures ISA Server 2006 for a Configuration Manager software update point that is using the WSUS Administration custom Web site. If you are running ISA Server 2004, the steps are slightly different because of the differences in the console navigation. The equivalent steps for ISA Server 2004 are listed in Appendix D.

The steps required to configure ISA Server for Configuration Manager software update point are as follows:

• Create the Web listener for the software update point.

• Modify the Web listener you created for software update point.

• Create the Web publishing rule for the software update point.

• Modify Bridging Parameters of the Web publishing rule you created for software update point.

• Save the software update point changes to ISA policies.

To Create the Web Listener for the Software Update Point:

1. On the ISA Server computer, load the ISA Server management console.

2. Select Firewall Policy by using the method that applies to your edition of ISA Server:

   • For Standard Edition: In the left pane, expand <Array Name>, and then select Firewall Policy.

   • For Enterprise Edition: In the left pane, expand Arrays, then expand <Array Name>, where <Array Name> is the array in which you want to create the publishing rule, and then select Firewall Policy.

3. In the task pane, click the Toolbox tab.

4. Click Network Objects, click New, and then click Web Listener.

5. On the Welcome to the New Web Listener Wizard page, type a name for the new Web listener, such as ConfigMgr Web Listener for Software Update Point, and then click Next.

6. On the Client Connection Security page, ensure that Require SSL secured connections with clients is selected, and then click Next.

7. On the Web Listener IP Addresses page, select the networks where you want this Web listener to operate.

   Note

   If your ISA Server is using a single network adapter template (unihomed), you must choose the Internal network.

8. If you want the Web listener to operate on a specific IP address within the selected network (recommended), perform the following actions:

   1. Select the required network, and then click Select IP Address.

   2. On the <Network Name> Listener IP Selection page, select Specified IP addresses on the ISA Server computer in the selected network.

   3. Select the required IP address, and then click Add. Repeat steps a through c for each network selected for this Web listener.

9. Click OK, and then click Next.

10. On the Listener SSL Certificates page, select Use a single certificate for this web listener, and then click Select Certificate.

11. On the Select Certificate dialog box, select the ISA Server Web listener certificate, click Select, and then click Next.

12. On the Authentication Settings page, select No Authentication from the Select how clients will provide credentials to ISA Server list.

13. Click Next, click Next, and then click Finish.

14. If you are prompted to enable the system policy that allows CRL downloads, click Yes.

To Modify the Software Update Point Web Listener:

1. In the ISA Server management console right pane, click the Toolbox tab.

2. Click Network Objects, and then expand Web Listeners.

3. Double-click the new Web Listener.

4. Click the Connections tab, and then, in Enable SSL (HTTPS) connections on port, change the port number to the port number of the WSUS Administration custom Web site, by default port 8531. To verify the port number, check the SSL port number setting on the Internet-Based tab in the Software Update Point Component Properties.

5. Click OK, and then click OK to close the Web listener properties.

To Create the Web Publishing rule for Software Update Point:

1. In the ISA Server management console middle pane, click the rule that you want to be ordered immediately after the new Web publishing rule. Alternatively, you can reorder the new Web publishing rule after it is created.

2. In the left pane, right-click Firewall Policy, click New, and then click Web Site Publishing Rule.

3. On the Welcome to the New Web Publishing Rule Wizard page, type a name for the Web publishing rule, such as ConfigMgr Publishing for Software Update Point, and then click Next.

4. On the Select Rule Action page, ensure that Allow is selected, and then click Next.

5. On the Publishing Type page, ensure that Publish a single Web site or load balancer is selected, and then click Next.

6. On the Server Connection Security page, ensure that Use SSL to connect to the published web server or server farm is selected, and then click Next.

7. On the Internal Publishing Details page, specify the following, and then click Next:

   1. Type the Internet FQDN in the Subject name of the certificate that is being used by the Internet-based software update point site system server.

   2. Click Use a computer name or IP address to connect to the published server.

   3. Specify the Configuration Manager Internet-based software update point site system server by entering the IP address.

8. On the second Internal Publishing Details page, type /* in the Path (optional) box, and then click Next.

9. On the Public Name Details page, specify the following, and then click Next:

   1. Ensure that This domain name (type below) is selected.

   2. Type the Internet FQDN of the Internet-based software update point site system server in the Public name box.

   3. Ensure that /* is displayed in the Path (optional) box.

10. On the Select Web Listener page, select the Web listener created for Internet-based clients, and then click Next.

11. On the Authentication Delegation page, ensure that No delegation, but client may authenticate directly is selected, and then click Next.

12. On the Users Sets page, click Next.

13. On the Completing the New Web Publishing Rule Wizard page, click Finish.

To Modify Bridging Parameters of the Software Update Point Web Publishing Rule:

1. In the ISA Server management console middle pane, double-click the new Web Publishing rule.

2. On the <Web Publishing Rule Name> Properties dialog box, click the Bridging tab.

3. In the Redirect request to SSL port text box, type the WSUS SSL server port number. The default port for the WSUS Administration custom Web site is 8531.

4. On <Web Publishing Rule Name> Properties dialog box, click OK.

To Save the Web Publishing Changes for Software Update Point to ISA Policies:

1. Click Apply when it displays in the middle pane of the ISA Server management console.

2. Wait for the policy update process to complete, and then click OK in the Saving Configuration Changes dialog box.

Appendixes

These appendixes contain additional information relating to configuring ISA Server for Configuration Manager Internet-based client management:

• Appendix A: Deploying an Internet-based Client Certificate with a UPN SAN by Using an Enterprise CA.

• Appendix B: Deploying an Internet-based Client Certificate with a DNS SAN by Using an Enterprise CA.

• Appendix C: Configuring ISA Server 2004 for Web Publishing of a Configuration Manager Internet-based Management Point and Distribution Point Site System Server.

• Appendix D: Configuring ISA Server 2004 for the Web Publishing of a Configuration Manager Internet-based Software Update Point.

• Appendix E: Configuring ISA Server for Server publishing of a Configuration Manager Internet-based Server.

Appendix A: Deploying an Internet-based Client Certificate with a UPN SAN by Using an Enterprise CA

The following procedures provide an example deployment of the Configuration Manager Internet-based client certificate that has a UPN SAN by using Windows Server 2003 Enterprise Edition with an enterprise CA and a customized certificate template.

To Create the Customized Certificate Template for the Client Certificate with a UPN SAN:

1. On the server running Microsoft Certificate Services, load the Certification Authority console.

2. Expand the name of your CA, and then click Certificate Templates.

3. Right-click Certificate Templates, and click Manage to load the Certificates Templates management console (certtmpl – [Certificate Templates]).

4. In the results pane, right-click the entry that displays Workstation Authentication in the Template Display Name column, and then click Duplicate Template.

5. In the Properties of New Template dialog box, on the General tab, enter a template name for the Internet-based client certificate template, such as ConfigMgr Client Authentication.

6. Click the Subject Name tab, and then select Supply in the request.

7. Click the Security tab, click Add, specify the security group that contains the computer accounts of your Configuration Manager Internet-based clients, click OK, and then click Enroll.

8. Click OK, and close the Certificate Templates management console.

9. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

10. In the Enable Certificate Templates dialog box, select the name of the certificate template that you created in step 5 (for example, ConfigMgr Client Authentication), and then click OK.

To Request the Client Certificate with UPN SAN:

1. Log on to an Internet-based computer by using an account that has both local administrator access and domain administrator access.

2. Load Internet Explorer, and connect to the Web enrollment service with the address https://<server>/certsrv, where <server> is the name or IP address of the CA.

3. On the Welcome page, select Request a certificate.

4. On the Request a Certificate page, click advanced certificate request.

5. On the Advanced Certificate Request page, select Create and submit a request to this CA.

6. On the Advanced Certificate Request page, select the name of your certificate template that you created in step 5 of the previous procedure (for example, ConfigMgr Client Authentication), and then specify the following:

   1. Type the FQDN of the requesting computer in the Name box, and then complete the remaining identification fields according to your company requirements.

   2. Select Store certificate in the local computer store In the Key Options section.

   3. Type SAN:upn=<hostname>$@<domain.tld> in the Attributes: box, where <hostname> is the unqualified name of the Internet-based computer and <domain.tld> is the Active Directory domain suffix where the Internet-based computer account is located. For example, if the computer name is client1 and the computer belongs to the contoso.com domain, type san:upn=client1$@contoso.com in the Attributes: text box.

   4. Type your choice of name in the Friendly Name box for easy identification of this client authentication certificate.

7. Click Submit, and then click Yes to confirm that you want to request the certificate.

8. On the Certificate Issued Web page, click Install this certificate.

9. If you are prompted with a Potential Scripting Violation warning message, click Yes.

10. The final page should display that your new certificate has been successfully installed.

11. Close Internet Explorer.

Appendix B: Deploying an Internet-based Client Certificate with a DNS SAN by Using an Enterprise CA

The following procedure provides an example of creating the Configuration Manager Internet-based client certificate that has a DNS SAN by using Windows Server 2003 Enterprise Edition with an Enterprise CA and the Workstation Authentication certificate template.

After you create the certificate template, client computers can automatically request the certificate, via Group Policy. For more information, see Certificate Autoenrollment in Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkId=184780).

To Create the Certificate Template for the Client Certificate with a DNS SAN:

1. On the server running Microsoft Certificate Services, load the Certification Authority console.

2. Expand the name of your CA, and then click Certificate Templates.

3. Right-click Certificate Templates, and click Manage to load the Certificates Templates management console (certtmpl – [Certificate Templates]).

4. In the results pane, right-click the entry that displays Workstation Authentication in the Template Display Name column, and then click Duplicate Template.

5. In the Properties of New Template dialog box, on the General tab, enter a template name for the Internet-based client certificate template, such as ConfigMgr Client Authentication.

6. Click the Security tab, click Add, specify the security group that contains the computer accounts of your Configuration Manager Internet-based clients, click OK, and then click Autoenroll.

7. Click OK, and close the Certificate Templates management console.

8. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

9. In the Enable Certificate Templates dialog box, select the name of the certificate template that you created in step 5 (for example, ConfigMgr Client Authentication), and then click OK.

Appendix C: Configuring ISA Server 2004 for Web Publishing of a Configuration Manager Internet-based Management Point and Distribution Point Site System Server

The following procedure configures ISA Server 2004 for the Web publishing of a Configuration Manager Internet-based server that is configured for an Internet-based management point and an Internet-based distribution point.

The steps required to configure ISA Server for Web publishing of a Configuration Manager Internet-based Management Point and Distribution Point Site System Server are as follows:

• Create the Web listener.

• Modify the Web listener.

• Create the Web publishing rule.

• Modify the Web publishing rule certificate validation.

• Modify the Web publishing rule to enable the required HTTP methods, also known as HTTP verbs.

• Save the changes to ISA policies.

To Create the Web Listener:

1. On the ISA Server computer, load the ISA Server management console.

2. Select Firewall Policies by using the method that applies to your edition of ISA Server:

   • For Standard Edition: In the left pane, expand <Array Name>, and then select Firewall Policy.

   • For Enterprise Edition: In the left pane, expand Arrays, then expand <Array Name>, where <Array Name> is the array in which you want to create the publishing rule, and then select Firewall Policy.

3. In the task pane, click the Toolbox tab.

4. Click Network Objects, right-click Web Listeners, and then select New Web Listener.

5. On the Welcome to the New Web Listener Wizard page, type a name for the new Web listener, such as ConfigMgr Web Listener for Management Point and Distribution Point, and then click Next.

6. On the IP Addresses page, select the networks where you want this Web listener to operate.

   Note

   If your ISA Server is operating using a single network adapter template (unihomed), you must choose the internal network.

7. If you want the Web listener to operate on a specific IP address within the selected network (recommended), perform the following actions:

   1. Select the required network, and then click Address.

   2. On the <Network Name> Listener IP Selection page, select Specified IP address on the ISA Server computer in the selected network.

   3. Select the required IP address, and then click Add. Repeat steps a through c for each network selected for this Web listener.

8. Click OK, and then click Next.

9. On the Port Specification page, perform the following actions:

   1. Click Enable SSL, and then click Select.

   2. On the Select Certificate dialog box, select the imported ISA Server Web listener certificate, and then click OK.

10. Click Next¸ and then click Finish.

To Modify the Web Listener:

1. In the ISA Server management console right pane, click the Toolbox tab.

2. Click Network Objects, expand Web Listeners, and then double-click the new Web Listener.

3. On the <Web Listener Name> Properties dialog box, click the Preferences tab, and then click Authentication.

4. On the Authentication dialog box, select SSL certificate, clear Integrated, click OK to dismiss the prompt, and then click OK.

5. Click Apply, and then click OK.

To Create the Web Publishing Rule:

1. In the ISA Server management console middle pane, click the rule that you want to be ordered immediately after the new Web publishing rule. Alternatively, you can reorder the new Web publishing rule after it is created.

2. In the left pane, right-click Firewall Policy, click New, and then click Web Server Publishing Rule.

3. On the Welcome to the New Web Publishing Wizard page, type a name for the Web publishing rule, such as ConfigMgr Publishing for Management Point and Distribution Point, and then click Next.

4. On the Select Rule Action page, click Allow, and then click Next.

5. On the Define Website to Publish page, specify the following, and then click Next:

   1. Type the Internet FQDN in the Subject name of the certificate that is being used by the Internet-based site system server.

   2. Type /* in the Path box.

6. On the Public name page, specify the following, and then click Next:

   1. Ensure that This domain name (type below) is selected.

   2. Type the Internet FQDN of the Internet-based site system server in the Public name box.

7. On the Select Web Listener page, select the Web listener created for Internet-based clients, and then click Next.

8. On the Users Sets page, click Add.

9. On the Add Users dialog box, click New to run the New User Set wizard.

10. On the Welcome to the New User Set Wizard page, type a name, such as Internet-based computers, and then click Next.

11. On the Users page, click Add, and then click Windows users and groups.

12. On the Select Users or Groups dialog box, specify the security group that you created previously to contain the computer accounts of the Internet-based computers, and click OK.

13. Click Next, and then click Finish.

14. On the Add Users dialog box, select the new user group, click Add, and then click Close.

15. On the User Sets page, select All Users, click Remove, click Next.

16. On the Completing the New Web Publishing Rule Wizard page, click Finish.

To Modify the Web Publishing Rule Certificate Validation:

1. In the ISA Server management console middle pane, double-click the new Web Publishing rule.

2. On the <Web Publishing Rule Name> Properties dialog box, click the Bridging tab.

3. Click Redirect requests to SSL port, click Use a certificate to authenticate to the SSL Web server, and then click Select.

4. On the Select Certificate dialog box, select the ISA client certificate that you imported into the Microsoft Firewall personal certificate store, and then click OK.

5. On <Web Publishing Rule Name> Properties dialog box, click OK.

To Modify the Web Publishing Rule to Enable the required HTTP Methods:

1. In the ISA Server management console middle pane, right-click the Web Publishing rule, and then select Configure HTTP.

2. On the Methods tab, select Allow only specified methods, and then click Add.

3. On the Method dialog box, type an HTTP method in the Method box, and then click OK. Repeat this step to allow the following HTTP methods:

   • HEAD

   • CCM_POST

   • BITS_POST

   • GET

   • PROPFIND

4. On the Configure HTTP policy for rule dialog box, click OK.

To Save the Changes to ISA Policies:

1. Click Apply when it appears in the middle pane of the ISA Server management console.

2. Wait for the policy update process to be complete, and then click OK in the Saving Configuration Changes dialog box.

Appendix D: Configuring ISA Server 2004 for the Web Publishing of a Configuration Manager Internet-based Software Update Point

The following procedure configures ISA Server 2004 for the Configuration Manager software update point that is using the WSUS Administration custom Web site.

The steps required to configure ISA Server for Configuration Manager software update point are as follows:

• Create the Web listener for the software update point.

• Modify the Web listener you created for software update point.

• Create the Web publishing rule for the software update point.

• Modify Bridging Parameters of the Web publishing rule you created for software update point.

• Save the software update point changes to ISA policies.

To Create the Web Listener for the Software Update Point:

1. On the ISA Server computer, load the ISA Server management console.

2. Select Firewall Policy by using the method that applies to your edition of ISA Server:

   • For Standard Edition: In the left pane, expand <Array Name>, and then select Firewall Policy.

   • For Enterprise Edition: In the left pane, expand Arrays, then expand <Array Name>, where <Array Name> is the array in which you want to create the publishing rule, and then select Firewall Policy.

3. In the task pane, click the Toolbox tab.

4. Click Network Objects, right-click Web Listeners, and then select New Web Listener.

5. On the Welcome to the New Web Listener Wizard page, type a name for the new Web listener, such as ConfigMgr Web Listener for Software Update Point, and then click Next.

6. On the IP Addresses page, select the networks where you want this Web listener to operate.

   Note

   If your ISA Server is using a single network adapter template (unihomed), you must choose the Internal network.

7. If you want the Web listener to operate on a specific IP address within the selected network (recommended), perform the following actions:

   1. Select the required network, and then click Address.

   2. On the <Network Name> Listener IP Selection page, select Specified IP addresses on the ISA Server computer in the selected network.

   3. Select the required IP address, and then click Add. Repeat steps a through c for each network selected for this Web listener.

8. Click OK, and then click Next.

9. On the Port Specification page, perform the following actions:

   1. Click Enable SSL, and then, in SSL port, change the port number to the port number of the WSUS Administration custom Web site, by default port 8531. To verify the port number, check the SSL port number setting on the Internet-Based tab in the Software Update Point Component Properties.

   2. Click Select. On the Select Certificate dialog box, select the imported ISA Server Web listener certificate, and then click OK.

10. Click Next, and then click Finish.

11. If you are prompted to enable the system policy that allows CRL downloads, click Yes.

To Modify the Software Update Point Web Listener:

1. In the ISA Server management console right pane, click the Toolbox tab.

2. Click Network Objects, expand Web Listeners, and then double-click the new Web Listener.

3. On the <Web Listener Name> Properties dialog box, click the Preferences tab, and then click Authentication.

4. On the Authentication dialog box, clear Integrated, click OK to dismiss the prompt, and then click OK.

5. Click Apply, and then click OK.

To Create the Web Publishing Rule for the Software Update Point:

1. In the ISA Server management console middle pane, click the rule that you want to be ordered immediately after the new Web publishing rule. Alternatively, you can reorder the new Web publishing rule after it is created.

2. In the left pane, right-click Firewall Policy, click New, and then click Web Server Publishing Rule.

3. On the Welcome to the New Web Publishing Rule Wizard page, type a name for the Web publishing rule, such as ConfigMgr Publishing for Software Update Point, and then click Next.

4. On the Select Rule Action page, click Allow, and then click Next.

5. On the Define Website to Publish page, specify the following, and then click Next:

   1. Type the Internet FQDN in the Subject name of the certificate that is being used by the Internet-based software update point site system server.

   2. Type /* in the Path box.

6. On the Public Name page, specify the following, and then click Next:

   1. Ensure that This domain name (type below) is selected.

   2. Type the Internet FQDN of the Internet-based software update point site system server in the Public name box.

7. On the Select Web Listener page, select the Web listener created for Internet-based clients, and then click Next.

8. On the Users Sets page, click Next.

9. On the Completing the New Web Publishing Rule Wizard page, click Finish.

To Modify Bridging Parameters of the Software Update Point Web Publishing Rule:

1. In the ISA Server management console middle pane, double-click the new Web Publishing rule.

2. On the <Web Publishing Rule Name> Properties dialog box, click the Bridging tab.

3. In the Redirect request to SSL port text box, type the WSUS SSL server port number. The default port for the WSUS Administration custom Web site is 8531.

4. On <Web Publishing Rule Name> Properties dialog box, click OK.

To Save the Web Publishing Changes for Software Update Point to ISA Policies:

1. Click Apply when it displays in the middle pane of the ISA Server management console.

2. Wait for the policy update process to complete, and then click OK in the Saving Configuration Changes dialog box.

Appendix E: Configuring ISA Server for Server publishing of a Configuration Manager Internet-based Server

Use the following procedures to publish the Internet-based site systems by using server publishing, rather than Web publishing. This solution uses SSL tunneling rather than SSL bridging and is a less secure configuration option but imposes fewer configuration changes (none of the other procedures provided in this document are required) and is also required when ISA Server is not a member of an Active Directory domain.

These steps are appropriate for ISA Server 2006 and ISA Server 2004.

The following sections provide detailed information about the steps required to support ISA SSL-to-SSL bridging for Configuration Manager Internet-based client management via server publishing:

• Configuring ISA Server for Server Publishing of a Configuration Manager Internet-based Management Point and a Distribution Point Site System Server

• Configuring ISA Server for the Server Publishing of a Configuration Manager Internet-based Software Update Point Site System Server

Configuring ISA Server for Server Publishing of a Configuration Manager Internet-based Management Point and a Distribution Point Site System Server

The following procedure configures ISA Server 2006 or ISA Server 2004 for the Server publishing of a Configuration Manager Internet-based server that is configured for an Internet-based management point and an Internet-based distribution point.

To Configure ISA Server for Server Publishing of Configuration Manager Internet-based Management Point and a Distribution Point Site System Server:

1. From the ISA Server computer, load the ISA Server management console.

2. Click Firewall Policy by using the method that applies to your edition of ISA Server:

   • For Standard Edition: In the left pane, expand <Array Name>, and then select Firewall Policy.

   • For Enterprise Edition: In the left pane, expand Arrays, then expand <Array Name>, where <Array Name> is the array in which you want to create the publishing rule, and then select Firewall Policy.

3. In the middle pane, click the rule that you want to be ordered immediately after the new server publishing rule. Alternatively, you can reorder the new server publishing rule after it is created.

4. In the left pane, right-click Firewall Policy, click New, and then click Non-Web Server Protocol Publishing Rule.

5. On the Welcome to the New Server Publishing Rule Wizard page, type a name for the new rule, such as ConfigMgr Server Publishing for Management Point and Distribution Point, and then click Next.

6. On the Select Server page, type the IP address of the Configuration Manager Internet-based server, and then click Next.

7. On the Select Protocol page, select HTTPS Server from the Selected protocol list, and then click Next.

8. On the Network Listener IP Addresses page, select the networks that will listen for connections from Internet-based client computers.

9. If you want this server publishing rule to use a specific IP address within the selected networks (recommended), perform the following actions for each network selected for this server publishing rule:

   1. Select the required network, and then click Address.

   2. On the <Network Name> Listener IP Selection page, click Specified IP address on the ISA Server computer in the selected network.

   3. Select the required IP address, and then click Add. Repeat steps a through c for each network selected for this server publishing rule.

10. Click OK, click Next, and then click Finish.

11. To save the server publishing changes, click Apply when it displays in the middle pane of the ISA Server management console.

12. Wait for the policy update process to complete, and then click OK in the Saving Configuration Changes dialog box.

Configuring ISA Server for the Server Publishing of a Configuration Manager Internet-based Software Update Point Site System Server

The following procedure configures ISA Server 2006 or ISA Server 2004 for the Server publishing of a Configuration Manager software update point that is using the WSUS Administration custom Web site.

To Configure ISA Server for Server publishing of a Configuration Manager Internet-based Software Update Point Site System Server:

1. From the ISA Server computer, load the ISA Server management console.

2. Click Firewall Policy by using the method that applies to your edition of ISA Server:

   • For Standard Edition: In the left pane, expand <Array Name>, and then select Firewall Policy.

   • For Enterprise Edition: In the left pane, expand Arrays, then expand <Array Name>, where <Array Name> is the array in which you want to create the publishing rule, and then select Firewall Policy.

3. In the middle pane, click the rule that you want to be ordered immediately after the new server publishing rule. Alternatively, you can reorder the new server publishing rule after it is created.

4. In the left pane, right-click Firewall Policy, click New, and then click Non-Web Server Protocol Publishing Rule.

5. On the Welcome to the New Server Publishing Rule Wizard page, type a name for the new rule, such as ConfigMgr Server Publishing, and then click Next.

6. On the Select Server page, type the IP address of the Configuration Manager Internet-based server, and then click Next.

7. On the Select Protocol page, select HTTPS Server from the Selected protocol list, and then click Ports.

8. In the Ports dialog box, under Published Server Ports, select Send requests to this port on the published server, and then enter 8531 in the box. Click OK, and then, on the Select Protocol page, click Next.

   Note

   By default, the port number of the WSUS Administration custom Web site is 8531. To verify the port number, check the SSL port number setting on the Internet-Based tab in the Software Update Point Component Properties.

9. On the Network Listener IP Addresses page, select the networks that will listen for connections from Internet-based client computers.

10. If you want this server publishing rule to use a specific IP address within the selected networks (recommended), perform the following actions for each network selected for this server publishing rule:

    1. Select the required network, and then click Address.

    2. On the <Network Name> Listener IP Selection page, click Specified IP address on the ISA Server computer in the selected network.

    3. Select the required IP address, and then click Add. Repeat steps a through c for each network selected for this server publishing rule.

11. Click OK, click Next, and then click Finish.

12. To save the server publishing changes, click Apply when it displays in the middle pane of the ISA Server management console.

13. Wait for the policy update process to complete, and then click OK in the Saving Configuration Changes dialog box.