One feature that occasionally causes some confusion among ISA Administrators is the option to “Use a certificate to authenticate to the SSL Web server” which is on the Bridging tab of a Web Publishing Rule. Some people mistakenly believe that this has to be checked for ISA Server to communicate securely with the published resource. As long as you have the “Redirect requests to SSL port” checked on the Bridging tab of the Publishing Rule you do not need to go the extra step of using a client certificate. The communication between ISA and your Web Server will still be done using SSL Bridging.
So why would you want to go to the extra trouble of using a client certificate for communication between ISA and your Web Server? It may be possible, in some environments, that the published resource requires client certificates to connect to it. This may have been a decision made by the administrators of the web resource possibly to comply with their Information Security policy.
Note: for a quick briefing on how this is accomplished in IIS please see this article by our dear friend, Dr. Tom Shinder. http://www.windowsecurity.com/articles/Client-Certificate-Authentication-IIS6.html
For this resource to be published in ISA Server you would need the following.
1) A Client Certificate issued to the ISA Server by a CA that the web server trusts.
2) The Client Certificate will need to be installed in the Certificate Store for the Microsoft Firewall Service (fwsrv\Personal), see Figure 1.
Figure 1. Certificates MMC showing the certificate issued to ISA Server installed in the Personal certificate store of the Microsoft Firewall Service
Now this certificate should show up as a choice when you click Select on the Bridging tab, see Figure 2:
Figure 2. Certificate issued to ISA Server now shows up as a choice on the Bridging tab of the publishing rule
There are some limitations to keep in mind when using this feature. ISA Server will always present the same certificate for all connections to the published resource. This is different than using client certificates for user authentication.
In this article I described a feature in ISA Server that is often misunderstood by ISA Administrators. Although it is not needed for SSL Bridging, using a client certificate on ISA Server may be desirable or required in certain situations.
4. Additional Reference
Here some additional references on this subject:
Troubleshooting SSL Certificates in ISA Server Publishing
Digital Certificates on ISA Server
Security Support Engineer – ISA/IAG Team
Microsoft – Charlotte
Technical ReviewersBilly Price
Yuri DiogenesSecurity Support Engineer – ISA/IAG Team
Microsoft – Texas
SCCM IBCM publishing is a good example of when you do need to use a client auth cert from ISA itself:
NEWS Download the Urgent Security Update for Windows http://www.microsoft.com/protect/computer/updates/bulletins/200810_oob.mspx