The ISA documentation How to Configure ISA SSL Bridging for System Center Configuration Manager Internet-Based Client Management has been updated with the following information:

  • The certificate requirements for clients that are members of the forest can use a certificate with a DNS SAN value, for example: DNS=computer1@contoso.com.  This means that you can deploy these certificates by using the standard Workstation Authentication certificate template and autoenrollment, which greatly simplifies client certificate deployment.  Previously, only a UPN SAN value was supported, which could not be deployed by using autoenrollment. Note that workstations that are not joined to the forest still require manual deployment and the UPN SAN value in their certificate.
  • Security references are added that explain the differences between SAN attributes and SAN extensions, and security best practices for a production environment: How to Request a Certificate With a Custom Subject Alternative Name.
  • Instructions are added for configuring ISA Server for the Internet-based software update point.  Separate instructions are required because WSUS does not support client certificates.
  • Instructions are added for configuring the HTTP methods allowed for the Internet-based management point and distribution point, to help increase security. 

Note:  HTTP methods for the Internet-based software update point are not included because the HTTP verbs used by WSUS are not documented for the latest WSUS versions.  However, previous versions document these as GET, HEAD, and POST and our preliminary testing confirms that these verbs are still used.  If you want to increase security for the Internet-based software update point by restricting the HTTP verbs that are allowed, test this configuration yourself by using the instructions "To Modify the Web Publishing Rule to Enable the required HTTP Methods" and for the HTTP methods, substitute the following HTTP verbs: GET, HEAD and POST.

If you need to manually request certificates with a version of a Certification Authority (CA) that does not support Web enrollment for the computer store, see How to Request a Certificate With a Custom Subject Alternative Name for alternative certificate request methods.

This updated documentation has been published with the Community Content footer, so that you can share additional information about this scenario configuration with other customers. 

Our thanks to Jim Harrison (Program Manager for Forefront TMG), Jason Jones (Forefront MVP), and Rachel Aldam (Technical Writer, Identify and Security Division) for their help in updating this documentation for our customers.

- Carol Bailey

This posting is provided "AS IS" with no warranties, and confers no rights.