Thursday, February 28, 2008

Microsoft ISA 2006 and Publishing an SSL Website on an internal server

Microsoft IIS Server configuration

  1. If using manually created Certificates, install Certificate Services on the IIS Server.
  2. Configure Certificate Services using the internet published Domain name.
  3. On Web Site Properties and Web Site tab, ensure the site has the correct IP address of the Server and the correct SSL port 443.
  4. In Directory Security, select Edit under Authentication and access control. In Authentication Methods ensure only Integrated Windows Authentication is selected.
  5. On the folder and files containing the web site ensure the appropriate user group has Read & Execute (Domain users, Domain Staff etc.) permissions.
  6. Ensure the web server is set up with the ISA server's IP address as its default gateway.

Microsoft ISA Server 2006 configuration

1. Import the SSL Certificate onto the ISA Server that was created on the IIS Server.

2. Publish a secure web site with Microsoft ISA 2006.

3. Ensure the sections of the published secure web site firewall policy rule are:

  • General tab – name and enabled.
  • Action tab – Allowed and Log requests matching this rule.
  • From tab – the traffic from these sources – Anywhere.
  • To tab – published site – The public domain name of the site. (The public domain name is registered to the internal IP address of web site by the HOSTS file. – see later in the guide.)
    Forward the original host header and also select Requests appear to come from the ISA Server.
  • Traffic tab – The following protocol should be HTTPS, do not select Require 128-bit encryption and Require SSL Client Certificate.
  • Listener tab – Select Properties
    i. Networks tab – External selected (All IP Addresses)
    ii. Connections tab – only Enable SSL (HTTPS) on port 443
    Leave Advanced setting to default – unlimited.
    iii. Certificates tab – Use a single certificate for this Web Listener and select the correct Certificate.
    iv. Authentication tab – client Authentication method select HTML Form Authentication and Authentication Validation Method as Windows (Active Directory)
    Click Advanced – select Require all users to authenticate, SSL Client Certificate timeout – 300s and Validate credentials every – 300s.
    Select the correct Domain Name.
    v. Forms tab – Deselect Use customized HTML forms, in Display the HTML form in this language select Match user browser settings, deselect both password management settings. Click Advanced and leave the defaults.
    vi. SSO tab – Do not enable Single Sign On.
  • Public Name tab – This rule applies to: select Requests for the following Web sites.
    In the Web site box enter in the public domain name.
  • Paths tab – External Path should be , Internal Path should be /*
  • Authentication Delegation tab – select NTLM authentication.
  • Application Settings tab – do not select Use customized HTML forms; in Logon type provided to the Exchange server, select As selected by user (public or private).
  • Bridging tab – Ensure Web server is selected and Redirect requests to SSL port: 443.
  • Users tab – ensure the All Authenticated Users user set is selected.
  • Schedule tab – the schedule should be Always.
  • Link Translation tab – do not select Apply link translation to this rule.

4. In the Network configuration – Web Chaining, set up a bypass rule to retrieve requests directly from the specified destination. In the To tab add the internal domain name and the website IP address.

5. Edit the ISA server's HOSTS file (C:\WINDOWS\system32\drivers\etc\hosts). Add a line at the bottom with the internal IP address of the IIS web server and the host name of the publicly registered domain name. (This is the public domain name that the ISA publishing rule uses.) You may need to repair the network connection, or restart the server.
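As an added example (not from the original post), a small Python check for step 5: it reads a HOSTS file the way the resolver does (first matching entry wins, host names compared case-insensitively, `#` comments ignored) and appends the public-name-to-internal-IP line only when it is missing, refusing to silently override an entry that already points the public name somewhere else. The file content, the name www.example.com and the addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample of an ISA server HOSTS file (placeholder values, not from the post).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1\tlocalhost
10.0.0.25\twww.example.com\t# public name mapped to the internal IIS server
"""


def parse_hosts(text):
    """Return a list of (ip, [names]) entries in file order.

    Comments (#) and blank lines are skipped, lines whose first field is not
    an IP address are ignored, and names are lower-cased for comparison.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue
        entries.append((ip, [n.lower() for n in parts[1:]]))
    return entries


def resolve_name(text, name):
    """Return the IP the HOSTS file gives for name; the first match wins."""
    name = name.lower()
    for ip, names in parse_hosts(text):
        if name in names:
            return ip
    return None


def ensure_mapping(text, name, internal_ip):
    """Return (new_text, changed).

    Appends "internal_ip<TAB>name" when the name is absent, leaves the file
    alone when it already maps correctly, and raises if the name resolves to
    a different address (a stale entry would send the published site to the
    wrong internal host, so it must be fixed deliberately, not overwritten).
    """
    current = resolve_name(text, name)
    if current == internal_ip:
        return text, False
    if current is not None:
        raise ValueError(f"{name} already resolves to {current}, not {internal_ip}")
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{internal_ip}\t{name}\n", True
```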
