ISA - http to https redirection

#1 blargoe (Self-Described Huguenot; joined Nov 2005; NC; 4,088 posts)
Certifications: VCAP5-DCA; VCP 3/4/5/6 (DCV); EMCSA:CLARiiON; Linux+; MCSE:M 2000/2003; MCSE:S 2000/2003; MCTS:Exch2007; Security+; A+; CCNA (expired)

    Just a quick verification

    Scenario: a web server sitting on an internal network behind an ISA 2006 firewall. The web application is published in ISA to the External network to allow http and https, with the listener configured to redirect all http requests to https. Both the web server and the ISA policy are configured to use basic authentication.

    When I connect to the published url http://server.domain.com/, does the redirection to https occur before the credentials are passed to ISA, or after (meaning they are transmitted in clear text)?
    IT guy since 12/00

    Recent: 3/22/2017 - Passed Microsoft 70-412; 2/11/2017 - Completed VCP6-DCV (passed 2V0-621)
    Working on: MCSA 2012 upgrade from 2003 (to heck with 2008!!), more Linux, AWS Solution Architect (Associate)
    Thinking about: VCP6-CMA, MCSA 2016, Python, VCAP6-DCD (for completing VCIX)

#2 astorrs (Drops by now and again; joined May 2008; Vancouver, Canada; 3,141 posts)
Certifications: numerous certs from VMware, Citrix, Microsoft, EMC, Nimble Storage, Palo Alto Networks and more...
    How are you forcing the redirection to HTTPS?

    It should be happening before any authentication (but I have seen people do it using ASP and such where it wouldn't be).

#3 blargoe
    There isn't any ASP involved in the redirection, just the setting for the web listener in ISA to redirect HTTP requests to HTTPS.

#4 astorrs
    Then it would be before authentication, so you're all good. If you can, force HTTPS on the web server to make sure it's happening as you expect it to.

#5 royal (New Member; joined Jul 2006; Chicago, IL; 3,373 posts)
    So typically what I do is force http to https re-direction on the listener itself. Any communication client to server is re-directed over https immediately. Now keep in mind that, because of this, the authentication method will be over https. How to know for sure? Well, the client still has to authenticate using forms based, basic, etc. The client will be re-directed to https://FQDN and will be presented the form. This form will be in https. This pretty much tells you that client to ISA is authenticated over https, even with other authentication methods.

    So now that piece is not the pre-authentication. That's the client to listener authentication. Now after the client authenticates, the listener uses its directory authentication lookup. If ISA is a domain member, you can use AD; if it's not a domain member, you can use RADIUS, LDAP, or LDAPS. So this is the part that ensures that the pre-authentication piece is encrypted. If it's not a domain member, make sure you use a secure method such as LDAPS, which requires a certificate with the server authentication EKU on the DC that you point it to, listening on port 636 (LDAPS).

    So now your client to ISA is SSL, ISA to AD is secure, and now your rule dictates what authentication method is being used. If you look at your rule, there's a bridging tab. This allows you to choose http/https and the port for each for ISA to the published server. One of these tabs is also authentication delegation. This is the method the published server uses. For example, if the internal web server uses integrated auth, you can use NTLM delegation. You can even go to the computer account of ISA in AD, allow ISA to delegate credentials on behalf of other users, and use Kerberos constrained delegation so your ISA to published server authentication is as secure as possible (only possible when a domain member).

    Hope that helps. I work a lot on ISA so feel free to ask away.
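The ordering royal describes (302 to https first, then the 401 challenge and the Basic credential only over the encrypted connection) and astorrs's caveat about redirects done in application code after authentication can be modelled with a scripted browser and a toy listener. The following is an added example written for this thread, not ISA code and not anything posted by the participants; the host name, the credentials, and the `listener`, `browse` and `Response` names are constructed for illustration, and the `redirect_first` switch is an assumption used to contrast the two placements of the redirect.

```python
"""Toy model of the publishing chain discussed in this thread.

Two pieces are modelled:
  * listener(): the ISA web listener plus the published app, with a switch for
    where the HTTP->HTTPS redirect happens (listener first, or app after auth).
  * browse(): a scripted browser that follows 302s and answers a 401 challenge
    with Basic credentials, recording the scheme each credential was sent over.
Host name and credentials are constructed placeholders for the demo.
"""
import base64
from dataclasses import dataclass, field

HOST = "server.example.test"                # constructed placeholder host
VALID_USER, VALID_PASS = "alice", "s3cret"  # constructed demo credentials


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def _challenge() -> Response:
    return Response(401, {"WWW-Authenticate": 'Basic realm="published-app"'})


def listener(scheme: str, path: str, headers: dict, redirect_first: bool) -> Response:
    """Handle one request to the published URL.

    redirect_first=True models the ISA listener option from the thread: a plain
    http request is answered with 302 to https before any credential is looked
    at, so no 401 challenge (and therefore no Basic credential) goes over http.
    redirect_first=False models a redirect done by the application after it has
    authenticated the user (the ASP-style case astorrs warns about): the 401
    challenge is issued on whatever scheme the request arrived on.
    """
    if redirect_first and scheme == "http":
        return Response(302, {"Location": f"https://{HOST}{path}"})
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return _challenge()
    user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    if (user, password) != (VALID_USER, VALID_PASS):
        return _challenge()
    if scheme == "http":                        # app-side redirect, after auth
        return Response(302, {"Location": f"https://{HOST}{path}"})
    return Response(200)


def _split(url: str):
    """Return (scheme, path) of a URL; the host is always HOST in this demo."""
    scheme, _, rest = url.partition("://")
    _host, _, path = rest.partition("/")
    return scheme, "/" + path


def browse(url: str, redirect_first: bool, max_hops: int = 6):
    """Scripted browser. Returns (final status, schemes credentials were sent over).

    Like a real browser it caches Basic credentials per origin, so a redirect to
    a different scheme starts again with no Authorization header.
    """
    cred_header = "Basic " + base64.b64encode(
        f"{VALID_USER}:{VALID_PASS}".encode()).decode()
    sent_over = []
    scheme, path = _split(url)
    headers = {}
    for _ in range(max_hops):
        if "Authorization" in headers:
            sent_over.append(scheme)
        resp = listener(scheme, path, headers, redirect_first)
        if resp.status == 302:
            scheme, path = _split(resp.headers["Location"])
            headers = {}          # new origin: no cached credential for it yet
        elif resp.status == 401 and "Authorization" not in headers:
            headers["Authorization"] = cred_header
        else:
            return resp.status, sent_over
    return None, sent_over


if __name__ == "__main__":
    for mode in (True, False):
        status, schemes = browse(f"http://{HOST}/", redirect_first=mode)
        print(f"redirect at listener={mode}: final {status}, "
              f"credentials sent over {schemes}")
```

With the redirect on the listener the credential is only ever sent over https; with the redirect placed after authentication in the application, the same browser first answers a 401 on port 80 and sends the credential in the clear before being moved to https. The same distinction is what to look for on a real deployment: an unauthenticated plain-http request to the published URL should come back as a 302 with a Location header and no WWW-Authenticate header, whereas a 401 on port 80 means the challenge precedes the redirect.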