Publishing Windows SharePoint Services with Microsoft Internet Security and Acceleration (ISA) Server 2004

This paper describes how to configure Microsoft® Internet Security and Acceleration (ISA) Server 2004 to publish Microsoft Windows® SharePoint® Services. Topics include an overview of configuring Windows SharePoint Services and known limitations, configuring secure Web publishing rules for Secure Sockets Layer (SSL) bridging, and information about configuring certificates.

With Windows SharePoint Services, organizations can take file sharing and collaboration to a new level by helping to improve process efficiency and information worker productivity, increase business agility, and reduce operations costs. For an introduction and overview, see Making Collaboration the Engine of Team Productivity.

Where you want to expose SharePoint sites to Internet users, ISA Server can help make these sites available to external users without compromising the security of your organization’s network. ISA Server protects internal content by intercepting incoming requests for Web servers, and responding on their behalf.

ISA Server Web publishing rules allow you to allow or deny requests based on defined access policies. You can restrict access to specified users, computers, or networks, require user authentication, and configure Hypertext Transfer Protocol (HTTP) filtering to keep HTTP traffic secure. Content caching allows ISA Server to cache Web content and to respond to user requests from the cache, rather than contacting the Web server. ISA Server allows you to publish content securely, and provides bridging to forward incoming Secure Hypertext Transfer Protocol (HTTPS) requests over HTTPS to Web servers. In such a scenario, the ISA Server application layer filter inspects packets before forwarding to the Web server.

Scenarios

Windows SharePoint Services relies on absolute hyperlinks. A Uniform Resource Locator (URL) correction approach, such as ISA Server link translation, does not provide a complete solution. Some of the absolute URLs used by Windows SharePoint Services are easy to find and fix. For example, it is fairly easy to get something simple like the home page of a SharePoint site to render and function correctly. However, other absolute URLs are more difficult to find and fix. For example, there are absolute URLs in Microsoft ActiveX® controls, form post bodies, URL parameters, and Simple Object Access Protocol (SOAP) messages. These absolute URLs can be outbound from Windows SharePoint Services, inbound from client applications, or round-trip from Windows SharePoint Services to the client and back. Furthermore, the absolute URLs can be encoded when used as a parameter. For example, the URL https://server_name can look like http%2f%3a%3aserver_name in the form post body.
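The following is an added example, not code from the original paper or from ISA Server. It models a plain text-substitution link translator and shows the limitation described above: a hyperlink in an HTML response is rewritten, but the same absolute URL percent-encoded inside a form-post field passes through untouched. The host names are constructed placeholders; the encoding is the standard one produced by `urllib.parse.quote`.

```python
"""Why link translation alone cannot publish Windows SharePoint Services.

Added example, not code from the original paper or from ISA Server. It models
a plain text link translator and shows that an absolute URL which is
percent-encoded inside a form-post body survives the rewrite untouched.
The host names are constructed placeholders.
"""
from urllib.parse import parse_qs, quote

INTERNAL = "https://wss-internal.contoso.local"  # constructed internal name
PUBLIC = "https://portal.contoso.com"            # constructed public name


def encoded(url: str) -> str:
    """Percent-encode a URL the way it appears as a form-field value
    ("https://" becomes "https%3A%2F%2F")."""
    return quote(url, safe="")


# Constructed response body: the literal hyperlink is what link translation fixes.
HTML_PAGE = (
    "<html><body>"
    f'<a href="{INTERNAL}/sites/team/default.aspx">Team site</a>'
    "</body></html>"
)

# Constructed form post from the browser back to the site.  The ReturnUrl field
# carries the same absolute URL, but percent-encoded, so a text search for the
# internal name never matches it.
FORM_BODY = (
    "Cmd=Save"
    "&ReturnUrl=" + encoded(INTERNAL + "/sites/team/default.aspx")
    + "&Title=Status"
)


def naive_link_translate(body: str) -> str:
    """Rewrite literal occurrences of the internal URL, which is all a plain
    text-substitution link translator can do."""
    return body.replace(INTERNAL, PUBLIC)


def internal_refs_in_form_body(body: str) -> dict:
    """Run the translator, then decode each application/x-www-form-urlencoded
    field (parse_qs percent-decodes the values) and report the fields that
    still carry the internal absolute URL afterwards."""
    translated = naive_link_translate(body)
    found = {}
    for key, values in parse_qs(translated, keep_blank_values=True).items():
        for value in values:
            if INTERNAL in value:
                found[key] = value
    return found


if __name__ == "__main__":
    print(naive_link_translate(HTML_PAGE))        # hyperlink now points at PUBLIC
    print(internal_refs_in_form_body(FORM_BODY))  # the encoded reference is reported
```

Because the encoded form of the URL only becomes visible after the field is decoded, and the same value may be inbound, outbound or round-tripped through ActiveX controls and SOAP messages, the paper's approach is to keep the client-side URL and the server-side URL identical (host-header forwarding) rather than to rewrite.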

Taking into account these limitations, the following sections describe two ISA Server publishing scenarios that work with Windows SharePoint Services:  

  • Web publishing Windows SharePoint Services with host-header forwarding. In host-header forwarding, ISA Server translates the IP address of the page that the client requests into the IP address of the page that the server returns.
  • Secure Web publishing Windows SharePoint Services with host-header forwarding. Use HTTPS-to-HTTPS bridging with two separate SSL connections—one between the client and ISA Server, and one between ISA Server and the published Windows SharePoint Services server. If you want to publish your Windows SharePoint Services server over a secure connection, you must use HTTPS-to-HTTPS bridging.

Web Publishing with Host-Header Forwarding

In a Web publishing scenario, the client sends HTTP requests to ISA Server as if it were the Web server. With host-header forwarding enabled, ISA Server then forwards the HTTP packets to the actual Web server while preserving the host header in the HTTP packets. On the Web server, Windows SharePoint Services uses the host header information to generate hyperlinks on pages that will be reachable by the client. The Web server then sends HTTP responses through ISA Server to the client. The following figure shows an example of a host-header forwarding configuration.

Figure 1   Host-header forwarding

The configuration process is as follows:

  1. Install and configure Windows SharePoint Services. Install and configure your Windows SharePoint Services server farm and sites as required. For more information about installation requirements, see Installation Considerations for Windows SharePoint Services in the Administrator’s Guide for Windows SharePoint Services. When you have finished configuring your server farm and sites, select the Microsoft Internet Information Services (IIS) authentication method appropriate for your environment, as described in the Configuring Authentication topic in the Administrator’s Guide for Windows SharePoint Services. ISA Server can authenticate client requests using either Integrated Windows authentication or Basic authentication. Consider authentication requirements:
    • In Basic authentication, plaintext credentials are Base64-encoded (not encrypted) and can be trivially decoded. Basic authentication should be used in conjunction with an HTTPS connection.
    • If ISA Server policy requires user authentication, Basic authentication must be configured on both the server running Windows SharePoint Services, and ISA Server. The Web publishing rule must be configured to delegate Basic authentication credentials. Basic authentication with delegation first authenticates the user at the ISA Server computer, before forwarding client credentials to the Web server for authentication. If you configure Basic authentication on the ISA Server computer and on the internal Web server without delegating credentials, external users will be presented with multiple logon prompts. Authentication will not be successful because ISA Server consumes the credentials before the internal Web server receives them. Delegating credentials ensures that users are first authenticated at the ISA Server computer before the request is forwarded. It also provides a means of logging user credentials in the ISA Server logs, and a single sign-on mechanism between ISA Server and the Web server. Note that there may still be instances in which users are prompted for credentials after initial authentication. For example, this may happen when trying to open an Office document from the site. To delegate Basic authentication credentials on the ISA Server computer, you must configure authentication on the Web listener, and then configure the Web publishing rule to delegate Basic authentication credentials.
    • Integrated Windows authentication is more secure than Basic authentication. No user name and domain is sent across the wire. Integrated Windows authentication makes use of Kerberos or built-in NTLM. This type of authentication may cause some issues for users running early browser versions.
    • If ISA Server policy does not require user authentication, you can use either Basic authentication or Integrated Windows authentication on the Windows SharePoint Services computer. Note that you can configure Integrated Windows authentication on the ISA Server computer or on the Web server, but not both. If you choose to authenticate only on the Web server, ISA Server uses pass-through authentication. (Kerberos cannot be used.) The disadvantage of authenticating only on the Windows SharePoint Services server is that it does not provide the protection that ISA Server provides. When you configure authentication on the ISA Server computer, you ensure that any unauthenticated, anonymous requests are dropped before forwarding to the published server.
    • By default, virtual Web sites created in IIS Manager are configured for Basic and Integrated Windows authentication. For instructions on modifying authentication settings on the Web server running Windows SharePoint Services, see Configure Authentication on the Web Server in this document.  
  2. Allow Windows SharePoint Services to connect to the Internet. Configure ISA Server to allow the Windows SharePoint Services server to make connections to the Internet when necessary. For example, the Web Capture Web Part and the online Web Part gallery require access to the Internet. Do this as follows:
    1. Create a computer set containing the Windows SharePoint Services server.
    2. Create an access rule to allow the computer set to access the External network (Internet).
    3. On the Windows SharePoint Services server, edit the Web.config file for access to the Internet.
  3. Create a public DNS entry. After setting up Windows SharePoint Services on your server farm, you must create an external (public) Domain Name System (DNS) entry to resolve the fully qualified domain name (FQDN) that external clients specify in a Web request to the IP address of the external interface of the ISA Server computer publishing the Web site. If you are using Windows SharePoint Services in a multiple host names deployment (scalable hosting mode), be sure that a DNS mapping is created for each host name site you set up. To do so, create a unique public DNS entry for each host name site. For example:
    • Host1.Contoso.com    10.11.111.11
    • Host2.Contoso.com    10.11.111.11
      Alternatively, you can create a wildcard public DNS entry so that all host names within your domain map to your proxy server’s public interface IP address. For example:
    • *.Contoso.com    10.11.111.11
      For more information, see Server Farm with Multiple Host Names Deployment in the Administrator’s Guide for Windows SharePoint Services.
  4. Back up your current configuration. We recommend that you use the backup functionality of ISA Server to back up your configuration before making any changes. If the changes you make result in behavior that you did not expect, you can revert to the previous configuration.
  5. Create a Web listener. All incoming Web requests to ISA Server should be received by a Web listener. Multiple Web publishing rules can use a single listener. When you configure a Web listener, you specify the network that corresponds to the adapter on which ISA Server will listen for incoming requests. For example, if you want to allow access to the SharePoint site from the Internet (External network), you should select the External network for the Web listener. The listener can listen on all IP addresses associated with a network, or specific IP addresses. You also configure the port number that will listen for requests on the selected network IP addresses.
  6. Create a Web publishing rule. Create a Web publishing rule to publish SharePoint sites, and to forward client requests, complete with host headers, from ISA Server to the published server.
  7. Configure the HTTP filter. After creating the Web publishing rule, you must change the HTTP security filter setting. The HTTP filter screens all incoming Web requests to the ISA Server computer, and only allows requests that comply with the restrictions configured in ISA Server. For example, the Verify Normalization feature (enabled by default) specifies that requests with URLs that contain escape characters after normalization will be blocked. Escaped characters include, but are not limited to, the percent sign (%) and space character ( ). If this feature is enabled, Windows SharePoint Services document libraries will fail. URLs for document libraries and files uploaded and downloaded include non-standard characters such as the percent sign (%).
  8. Test the connection:
    • From an internal client. After configuring the Windows SharePoint Services server, check that it can be accessed from an internal client computer. In Internet Explorer, type the URL or IP address for the SharePoint site, and the workspace should appear. For Basic authentication, you will be prompted for credentials. For Integrated Windows authentication, you will not receive an authentication prompt. If you specify a URL rather than an IP address, the internal computer will need to be able to resolve the name of the Windows SharePoint Services computer, either using an internal DNS server, or with a hostname entry in the client computer’s Hosts file.
    • From an external client. Open Internet Explorer, enter the external FQDN of the published SharePoint Web site (the name that resolves to the external IP address of the ISA Server computer) in the address box, and press Enter. If you configured Basic authentication, you should be prompted for your account credentials. Enter a user name (without the domain prefix, to test the default domain setting in IIS) and password, and click OK. If you configured Integrated Windows authentication, you will not be prompted for credentials.
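The following is an added example, not code from the original paper or from ISA Server. It is a small model of the Basic authentication behaviour described in step 1 above: what a Basic credential looks like on the wire, a configuration check that flags Basic credentials arriving on a listener without SSL, and the effect of delegating (or not delegating) credentials from the ISA Server listener to the published IIS site. The account, password and request paths are constructed for the example.

```python
"""Basic authentication at the ISA Server Web listener: what crosses the wire,
and why the publishing rule must delegate credentials.

Added example, not code from the original paper or from ISA Server. It is a
small model of the behaviour described in step 1 above. The account, password
and listener are constructed for the example.
"""
from __future__ import annotations

import base64
from dataclasses import dataclass, field

# Constructed account directory shared by the model ISA Server and IIS.
VALID_USERS = {"CONTOSO\\alice": "constructed-password"}


@dataclass
class Request:
    scheme: str                       # "http" or "https" as received by the listener
    path: str
    headers: dict = field(default_factory=dict)


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends after a Basic prompt."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic(header_value: str) -> tuple[str, str]:
    """Basic credentials are Base64 text, not ciphertext: anyone who can read
    the request can read the password, which is why Basic authentication is
    paired with HTTPS."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def audit_listener(request: Request) -> list[str]:
    """Configuration check: Basic credentials arriving on a listener that is
    not using SSL are readable by anyone on the network path."""
    findings = []
    auth = request.headers.get("Authorization", "")
    if auth.lower().startswith("basic ") and request.scheme != "https":
        user, _ = decode_basic(auth)
        findings.append(f"Basic credentials for {user!r} received over plain HTTP")
    return findings


def isa_web_listener(request: Request, delegate: bool) -> tuple[int, Request | None]:
    """Listener that requires authentication.  With delegation the validated
    Authorization header is forwarded; without it ISA Server consumes the
    header and the published server never sees the credentials."""
    auth = request.headers.get("Authorization")
    if not auth:
        return 401, None                       # first logon prompt, at ISA Server
    user, password = decode_basic(auth)
    if VALID_USERS.get(user) != password:
        return 401, None
    forwarded = Request(request.scheme, request.path, dict(request.headers))
    if not delegate:
        forwarded.headers.pop("Authorization")
    return 200, forwarded


def sharepoint_server(request: Request) -> int:
    """Published IIS virtual server with Basic authentication required."""
    auth = request.headers.get("Authorization")
    if not auth:
        return 401                             # a second logon prompt for the user
    user, password = decode_basic(auth)
    return 200 if VALID_USERS.get(user) == password else 401


def publish(request: Request, delegate: bool) -> int:
    """Status the external client ends up with after both hops."""
    status, forwarded = isa_web_listener(request, delegate)
    if forwarded is None:
        return status
    return sharepoint_server(forwarded)
```

Running `publish` with `delegate=False` returns 401 from the published server even though the listener accepted the credentials, which is the "multiple logon prompts" symptom the paper describes; with `delegate=True` the same request succeeds on the first attempt.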

Allow Windows SharePoint Services to Connect to the Internet

To allow an outbound connection from the published Windows SharePoint Services server to the Internet, you will create a computer set, create an access rule, and then edit the Web.config file.

Create a computer set

This procedure presumes that the Windows SharePoint Services computer is located in the Internal network. To create a computer set, perform the following steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. In the scope pane, click the plus sign next to the server name and then click the plus sign next to Configuration.
  3. Click Networks, on the Networks tab right-click Internal, and then click Properties.
  4. On the Web Proxy tab, verify that the Enable Web Proxy clients and Enable HTTP check boxes are selected. Then click OK.
  5. In the scope pane, click Firewall Policy.
  6. In the task pane, on the Toolbox tab, click Network Objects. Click New, and then click Computer Set.
  7. In the Name box, type a descriptive name for your server environment such as Windows SharePoint Services servers.
  8. Click Add, and then click Address Range.
  9. In the New Address Range Rule Element dialog box, in the Name box, type a descriptive name for the Windows SharePoint Services computer.
  10. In the Start Address and End Address boxes, enter the IP address range of your servers running Windows SharePoint Services. For example, if the IP addresses for your servers running Windows SharePoint Services are 192.168.1.1, 192.168.1.2, and 192.168.1.3, you would enter the following:
    • Start Address: 192.168.1.1
    • End Address: 192.168.1.3
  11. Click OK to close the New Address Range Rule Element dialog box.
  12. Click OK to close the New Computer Set Rule Element dialog box.
  13. Click Apply to apply changes.

Create an access rule

To create an access rule to allow the computer set to access the Internet, perform the following steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. In the scope pane, right-click Firewall Policy, point to New, and then click Access Rule.
  3. In the New Access Rule Wizard, in the Access rule name box, type an access rule name such as Allow Web servers access to Internet, and then click Next.
  4. Under Action to take when rule conditions are met, click Allow, and then click Next.
  5. In the This rule applies to box, select Selected protocols, and then click Add.
  6. In the Add Protocols dialog box, click the plus sign next to Web, click HTTP, and then click Add.
  7. Click HTTPS, click Add, and then click Close.
  8. Click Next.
  9. In the Access Rule Sources dialog box, under This rule applies to traffic from these sources, click Add.
  10. In the Add Network Entities dialog box, click the plus sign next to Computer Sets, select the computer set you created earlier, and then click Add.
  11. Click Close to close the Add Network Entities dialog box.
  12. Click Next.
  13. Under This rule applies to traffic sent to these destinations, click Add.
  14. In the Add Network Entities dialog box, click the plus sign next to Network Sets, select All Networks, and then click Add.
  15. Click Close.
  16. Click Next.
  17. Click Next again, click Finish, and then click Apply to save the changes and update the configuration.

Edit the Web.config file

Find the Web.config file in the root of the virtual server or virtual servers that have been extended with Windows SharePoint Services. For example, the path to the Web.config file might be C:\Inetpub\wwwroot\web.config. In the Web.config file, after the </SharePoint> tag, add the following tags to configure Windows SharePoint Services to make connections to the Internet through your outbound proxy server, where https://myproxy:8080 is the address and TCP port to connect to the outbound proxy server’s private network interface:

  <system.net>
    <defaultProxy>
      <proxy proxyaddress="https://myproxy:8080" bypassonlocal="true" />
    </defaultProxy>
  </system.net>

Note that you must make this change to the Web.config files for each virtual server on each server in your server farm.
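Because the change has to be repeated on every virtual server of every farm member, the following added example (not code from the original paper or from Windows SharePoint Services) inserts the <system.net> block directly after the <SharePoint> element and can be run repeatedly without duplicating it. The Web.config it operates on is a constructed skeleton, not a real SharePoint file; the proxy address is the paper's placeholder.

```python
"""Add the outbound proxy setting to a Windows SharePoint Services Web.config.

Added example, not code from the original paper. It inserts the <system.net>
block described above directly after the <SharePoint> element and is safe to
run more than once, which matters because the change is required on every
virtual server of every farm member. The Web.config below is a constructed
skeleton, not a real SharePoint file.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <SharePoint>
    <SafeMode MaxControls="50" CallStack="false" />
  </SharePoint>
  <system.web>
    <customErrors mode="On" />
  </system.web>
</configuration>
"""


def ensure_default_proxy(config_xml: str, proxy_url: str, bypass_on_local: bool = True) -> str:
    """Return config_xml with system.net/defaultProxy/proxy set to proxy_url.
    Existing elements are reused, so repeated runs produce the same output."""
    root = ET.fromstring(config_xml)
    if root.tag != "configuration":
        raise ValueError("not a .NET configuration file")

    system_net = root.find("system.net")
    if system_net is None:
        system_net = ET.Element("system.net")
        children = list(root)
        sharepoint = root.find("SharePoint")
        # The paper puts the block right after </SharePoint>; fall back to the end.
        index = children.index(sharepoint) + 1 if sharepoint is not None else len(children)
        system_net.tail = sharepoint.tail if sharepoint is not None else "\n"
        root.insert(index, system_net)

    default_proxy = system_net.find("defaultProxy")
    if default_proxy is None:
        default_proxy = ET.SubElement(system_net, "defaultProxy")
    proxy = default_proxy.find("proxy")
    if proxy is None:
        proxy = ET.SubElement(default_proxy, "proxy")

    proxy.set("proxyaddress", proxy_url)
    proxy.set("bypassonlocal", "true" if bypass_on_local else "false")
    # tostring omits the XML declaration, so restore it.
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def read_default_proxy(config_xml: str) -> dict | None:
    """Attributes of the proxy element, or None if the setting is absent."""
    proxy = ET.fromstring(config_xml).find("system.net/defaultProxy/proxy")
    return None if proxy is None else dict(proxy.attrib)


def top_level_order(config_xml: str) -> list[str]:
    """Tag names of the <configuration> children, to verify placement."""
    return [child.tag for child in ET.fromstring(config_xml)]


if __name__ == "__main__":
    print(ensure_default_proxy(SAMPLE_WEB_CONFIG, "https://myproxy:8080"))
```

Parsing and re-serialising the file rather than appending text keeps the document well-formed and makes the second run on an already-edited file a no-op, which is what you want when the same script is pushed to every server in the farm.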

Back Up Your Current Configuration

To back up your current configuration, perform the following steps:

  1. In ISA Server Management, right-click the name of the ISA Server computer, and click Back Up.
  2. In Backup Configuration, provide the location and name of the file to which you want to save the configuration. You may want to include the date of the export in the file name to make it easier to identify, such as ExportBackup2June2004.
  3. Click Back Up. If you are exporting confidential information such as user passwords, you will be prompted to provide a password, which will be needed to restore the configuration from the exported file.
  4. When the backup operation is complete, click OK.

Create a Web Listener

To create a Web listener, perform the following steps:

  1. In ISA Server Management, click Firewall Policy.

  2. In the task pane, on the Toolbox tab, click Network Objects, click New, and then select Web Listener.

  3. In the Web listener name box, type a name for the Web listener, for example, WSS_Listener.

  4. Click Next.

  5. In the Listen for requests from these networks box, select the check boxes for the networks that you want the listener to listen on. For example, select the External check box to listen for requests from the Internet.

  6. Click Next.

  7. On the Port Specification page, under HTTP, select the Enable HTTP check box, and then in the HTTP port box, type 80.

    Note

    If the virtual server running IIS that you will publish is configured to listen on a different port, you should configure the ISA Server Web listener to use the same port.

  8. Click Next, and then click Finish.

  9. Click Apply to save the changes and update the configuration.

Create a Web Publishing Rule

To create a Web publishing rule, perform the following steps:

  1. In ISA Server Management, right-click the Firewall Policy node, point to New, and then click Web Server Publishing Rule.
  2. In the New Web Publishing Rule Wizard, type a name for the new rule. For example, Publish SharePoint for external access.
  3. Click Next.
  4. Under Action to take when rule conditions are met, click Allow, and then click Next.
  5. On the Define Website to Publish page, in the Computer name or IP address box, type the IP address or name of the computer running the SharePoint site. Remember that if you specify a name, you will need an internal DNS entry to resolve the name to an IP address.
  6. Select the Forward the original host header instead of the actual one (specified above) check box to ensure that the host header contains the original external DNS name typed in the URL.
  7. In the Path box, type /*.
  8. Click Next.
  9. On the Public Name Details page, in the Accept requests for box, select Any domain name to forward requests to the published SharePoint site without checking for the domain name, or select This domain name, and in the Public name box, specify the external FQDN that users will specify in their browser to reach the site.
  10. Click Next.
  11. On the Select Web Listener page, in the Web listener box, select the Web listener that you created previously.
  12. Click Next.
  13. Click Next again, and then click Finish.
  14. Click Apply to save the changes and update the configuration.

Configure the HTTP Filter

To configure the HTTP filter, perform the following steps:

  1. Right-click the Web publishing rule you created, and select Configure HTTP.

  2. On the General tab, clear the Verify normalization check box.

  3. If you are using a language containing high bit characters (for example, the umlaut mark in German) you should also clear the Block high bit characters check box.

    Note

    The Verify normalization and Block high bit characters options are meant to address potential security exploits. When you disable these features, you are potentially creating an opening for malicious users.
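The following is an added example, not code from the original paper or from the ISA Server HTTP filter. It models the two General tab checks as the paper describes them (one round of URL decoding followed by a check for a remaining escape character, and a check for bytes above 0x7F) and runs them over constructed document-library requests, showing which legitimate Windows SharePoint Services URLs are rejected when the boxes are selected and what clearing them lets through.

```python
"""Model of the two HTTP filter checks named above, Verify normalization and
Block high bit characters, and of why Windows SharePoint Services document
library URLs collide with the first.

Added example, not code from the original paper or the ISA Server filter; it
follows the paper's description of what each check rejects. All paths are
constructed.
"""
from __future__ import annotations

from urllib.parse import unquote


def fails_normalization(path: str) -> bool:
    """Verify normalization as the paper describes it: decode the URL once and
    block it if an escape character is still present afterwards."""
    return "%" in unquote(path)


def has_high_bit_characters(path: str) -> bool:
    """Block high bit characters: any byte above 0x7F once the URL is decoded,
    which is what an umlaut such as Ü becomes on the wire."""
    return any(b > 0x7F for b in unquote(path).encode("utf-8"))


def filter_decision(path: str, verify_normalization: bool = True, block_high_bit: bool = True) -> str:
    """Outcome for one request under the given General tab settings."""
    if verify_normalization and fails_normalization(path):
        return "blocked: escape character after normalization"
    if block_high_bit and has_high_bit_characters(path):
        return "blocked: high bit character"
    return "allowed"


# Constructed requests against a published site.
REQUESTS = {
    # A file literally named "Q1 Results 100%.doc": the % is sent as %25, so one
    # round of decoding leaves a % behind and the legitimate download is blocked.
    "library file with % in its name": "/sites/team/Shared%20Documents/Q1%20Results%20100%25.doc",
    # Plain document library path: the encoded spaces decode cleanly and pass.
    "library file": "/sites/team/Shared%20Documents/Report.doc",
    # Double-encoded space (%2520): the kind of request the check exists to stop.
    "double-encoded space": "/sites/team/Shared%2520Documents/default.aspx",
    # German file name with an umlaut (UTF-8 %C3%9C is "Ü").
    "umlaut file name": "/sites/team/Berichte/%C3%9Cbersicht.doc",
}


def decisions(verify_normalization: bool = True, block_high_bit: bool = True) -> dict[str, str]:
    """Apply filter_decision to every constructed request."""
    return {
        name: filter_decision(path, verify_normalization, block_high_bit)
        for name, path in REQUESTS.items()
    }


if __name__ == "__main__":
    for name, outcome in decisions().items():
        print(f"{name}: {outcome}")
```

The model makes the trade-off in the note above concrete: the check cannot tell a file name that legitimately contains a percent sign from a double-encoded request, so publishing document libraries forces you to clear it, and the rest of the rule (listener authentication, restricted public names, the remaining HTTP filter settings) has to carry the weight instead.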

Web Publishing with Host-Header Forwarding over a Secure Connection

ISA Server HTTPS-to-HTTPS bridging allows stateful inspection of SSL connections, and prevents attackers from hiding exploits inside the SSL channel. ISA Server decrypts the packets, inspects them for attack code, and then encrypts them. The encrypted packets are forwarded to the secure SSL Web server on the corporate network.

Although ISA Server also enables HTTPS-to-HTTP bridging, this is not supported when publishing Windows SharePoint Services. Windows SharePoint Services uses absolute URLs, and the URL from the client and the URL sent to the server must match. To keep the URL sent from the client to ISA Server the same as the URL sent from ISA Server to the Web server, a new SSL connection must be established between ISA Server and the Web server.

The following figure shows an SSL bridging (HTTPS-to-HTTPS) configuration.

Figure 2   Secure Sockets Layer (SSL) bridging

The configuration process is as follows:

  1. Install and configure Windows SharePoint Services. Install and configure your Windows SharePoint Services server farm and sites as required. For more information about installation requirements, see Installation Considerations for Windows SharePoint Services. When you have finished configuring your server farm and sites, select the Microsoft Internet Information Services (IIS) authentication method appropriate for your client, server, and proxy environment, as described in the Configuring Authentication topic in the Administrator’s Guide for Windows SharePoint Services. ISA Server can support either Integrated Windows authentication or Basic authentication. Consider authentication requirements:
    • In Basic authentication, plaintext credentials are Base64-encoded (not encrypted) and can be trivially decoded. Basic authentication should be used in conjunction with an HTTPS connection.
    • If ISA Server policy requires user authentication, Basic authentication must be configured on both the server running Windows SharePoint Services, and ISA Server. The Web publishing rule must be configured to delegate Basic authentication credentials. Basic authentication with delegation first authenticates the user at the ISA Server computer, before forwarding client credentials to the Web server for authentication. If you configure Basic authentication on the ISA Server computer and on the internal Web server without delegating credentials, external users will be presented with multiple logon prompts. Authentication will not be successful because ISA Server consumes the credentials before the internal Web server receives them. Delegating credentials ensures that users are first authenticated at the ISA Server computer before the request is forwarded. It also provides a means of logging user credentials in the ISA Server logs, and a single sign-on mechanism between ISA Server and the Web server. Note that there may still be instances in which users are prompted for credentials after initial authentication. For example, this may happen when trying to open an Office document from the site.
    • Integrated Windows authentication is more secure than Basic authentication. No user name and domain is sent across the wire. Integrated Windows authentication makes use of Kerberos or built-in NTLM. This type of authentication may cause some issues for users running early browser versions.
    • If ISA Server policy does not require user authentication, you can use either Basic authentication or Integrated Windows authentication on Windows SharePoint Services. Note that you can configure Integrated Windows authentication on the ISA Server computer or on the Web server, but not both. If you choose to authenticate only on the Web server, ISA Server uses pass-through authentication. (Kerberos cannot be used.) The disadvantage of authenticating only on the Windows SharePoint Services server is that it does not provide the protection that ISA Server provides. When you configure authentication on the ISA Server computer, you ensure that any unauthenticated, anonymous requests are dropped before forwarding to the published server.
    • By default, virtual Web sites created in IIS Manager are configured for Basic and Integrated Windows authentication.
  2. Allow Windows SharePoint Services to connect to the Internet. Configure ISA Server to allow the Windows SharePoint Services server to make connections to the Internet when necessary. For example, the Web Capture Web Part and the online Web Part gallery require access to the Internet. Do this as follows:
    1. Create a computer set containing the Windows SharePoint Services server.
    2. Create an access rule to allow the computer set to access the External network (Internet).
    3. On the Windows SharePoint Services server, edit the Web.config file for access to the Internet.
  3. Create a public DNS entry. After setting up Windows SharePoint Services on your server farm, you must create an external (public) DNS entry to resolve the FQDN that external clients specify in a Web request to the IP address of the external interface of the ISA Server computer publishing the Web site. If you are using Windows SharePoint Services in a multiple host names deployment (scalable hosting mode), be sure that a DNS mapping is created for each host name site you set up. To do so, create a unique public DNS entry for each host name site. For example:
    • Host1.Contoso.com    10.11.111.11
    • Host2.Contoso.com    10.11.111.11
      Alternatively, you can create a wildcard public DNS entry so that all host names within your domain map to your proxy server’s public interface IP address. For example:
    • *.Contoso.com    10.11.111.11
  4. Back up your current configuration. We recommend that you use the backup functionality of ISA Server to back up your configuration before making any changes. If the changes you make result in behavior that you did not expect, you can revert to the previous configuration.
  5. Configure SSL certificates. For publishing over a secure connection, use HTTPS-to-HTTPS bridging. This requires a certificate on both the ISA Server computer and the Windows SharePoint Services site.
  6. Create a secure Web listener. All incoming Web requests to ISA Server should be received by a Web listener. Multiple Web publishing rules can use a single listener. When you configure a Web listener, you specify the network that corresponds to the adapter on which ISA Server will listen for incoming Windows SharePoint Services requests. For example, if you want to allow access to the SharePoint site from the Internet (External network), you should select the External network for the Web listener. The listener can listen on all IP addresses associated with a network, or specific IP addresses. You also configure the port number that will listen for requests on the selected network IP addresses. By default, ISA Server listens for SSL requests on port 443.
  7. Create a secure Web publishing rule. Create a Web publishing rule to publish SharePoint sites, and to forward client requests, complete with host headers, from ISA Server to a published server.
  8. Configure the HTTP filter. After you have created the Web publishing rule, you must change the HTTP security filter setting. The HTTP filter screens all incoming Web requests to the ISA Server computer, and only allows requests that comply with the restrictions configured in ISA Server. For example, the Verify Normalization feature (enabled by default) specifies that requests with URLs that contain escape characters after normalization will be blocked. Escaped characters include, but are not limited to, the percent sign (%) and space character ( ). If this feature is enabled, Windows SharePoint Services document libraries will fail. URLs for document libraries and files uploaded and downloaded include non-standard characters such as the percent sign (%).
  9. Test the connection:
    • From an internal client. After configuring the Windows SharePoint Services server, check that it can be accessed from an internal client computer. In Internet Explorer, type the URL or IP address for the SharePoint portal site, and the workspace should appear. For Basic authentication, you will be prompted for credentials. For Integrated Windows authentication, you will not receive an authentication prompt. If you specify a URL rather than an IP address, the internal computer will need to be able to resolve the name of the Windows SharePoint Services computer, either using an internal DNS server, or with a hostname entry in the client computer’s Hosts file.
    • From an external client. Open Internet Explorer, enter the external FQDN of the published SharePoint Web site (the name that resolves to the external IP address of the ISA Server computer) in the address box, and press Enter. If you configured Basic authentication, you should be prompted for your account credentials. Enter a user name (without the domain prefix, to test the default domain setting in IIS) and password, and click OK. If you configured Integrated Windows authentication, you will not be prompted for credentials.

Allow Windows SharePoint Services to Connect to the Internet

To allow an outbound connection from the published Windows SharePoint Services server, you will create a computer set, create an access rule, and edit the Web.config file.

Create a computer set

This procedure presumes that the Windows SharePoint Services computer is located in the Internal network. To create a computer set, perform the following steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. In the scope pane, click the plus sign next to the server name and then click the plus sign next to Configuration.
  3. Click Networks, on the Networks tab right-click Internal, and then click Properties.
  4. On the Web Proxy tab, verify that the Enable Web Proxy clients and Enable HTTP check boxes are selected. Then click OK.
  5. In the scope pane, click Firewall Policy.
  6. In the task pane, on the Toolbox tab, click Network Objects. Click New, and then click Computer Set.
  7. In the Name box, type a descriptive name for your server environment such as Windows SharePoint Services servers.
  8. Click Add, and then click Address Range.
  9. In the New Address Range Rule Element dialog box, in the Name box, type a descriptive name for the Windows SharePoint Services computer.
  10. In the Start Address and End Address boxes, enter the IP address range of your servers running Windows SharePoint Services. For example, if the IP addresses for your servers running Windows SharePoint Services are 192.168.1.1, 192.168.1.2, and 192.168.1.3, you would enter the following:
    • Start Address: 192.168.1.1
    • End Address: 192.168.1.3
  11. Click OK to close the New Address Range Rule Element dialog box.
  12. Click OK to close the New Computer Set Rule Element dialog box.
  13. Click Apply to apply changes.
Create an access rule

To create an access rule to allow the computer set to access the Internet, perform the following steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. In the scope pane, right-click Firewall Policy, point to New, and then click Access Rule.
  3. In the New Access Rule Wizard, in the Access rule name box, type an access rule name such as Allow Web servers access to Internet, and then click Next.
  4. Under Action to take when rule conditions are met, click Allow, and then click Next.
  5. In the This rule applies to box, select Selected protocols, and then click Add.
  6. In the Add Protocols dialog box, click the plus sign next to Web, click HTTP, and then click Add.
  7. Click HTTPS, click Add, and then click Close.
  8. Click Next.
  9. In the Access Rule Sources dialog box, under This rule applies to traffic from these sources, click Add.
  10. In the Add Network Entities dialog box, click the plus sign next to Computer Sets, select the computer set you created earlier, and then click Add.
  11. Click Close to close the Add Network Entities dialog box, and then click Next.
  12. Under This rule applies to traffic sent to these destinations, click Add.
  13. In the Add Network Entities dialog box, click the plus sign next to Network Sets, select All Networks, and then click Add.
  14. Click Close, and then click Next.
  15. Click Next again, click Finish, and then click Apply to save the changes and update the configuration.
Edit the Web.config file

Find the Web.config file in the root of each virtual server that has been extended with Windows SharePoint Services. For example, the path might be C:\Inetpub\wwwroot\web.config. In the Web.config file, after the </SharePoint> tag, add the following element to configure Windows SharePoint Services to make connections to the Internet through your outbound proxy server, where https://myproxy:8080 is the name of the ISA Server computer's internal (private) network interface and the TCP port of its Web proxy listener (8080 by default). The bypassonlocal="true" attribute sends requests for local (single-label) names directly rather than through the proxy:

  <system.net>
    <defaultProxy>
      <proxy proxyaddress="https://myproxy:8080" bypassonlocal="true" />
    </defaultProxy>
  </system.net>

Note that you must make this change to the Web.config files for each virtual server on each server in your server farm.
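The Web.config change above, scripted so that it is applied once to every virtual server on a front-end server, as an added example that is not part of the original article. It assumes Windows PowerShell on a server with the IIS 6 WMI provider (root\MicrosoftIISv2) and reuses the article's placeholder https://myproxy:8080; run it on each server in the farm.

```powershell
# Added example, not from the original article. Inserts the <system.net><defaultProxy>
# fragment after </SharePoint> in the Web.config of every Web site root on this server.
# Assumptions: Windows PowerShell, IIS 6 WMI provider (root\MicrosoftIISv2), and the
# article's placeholder proxy address (ISA Server internal interface name and Web proxy port).
param(
    [string]$ProxyAddress = 'https://myproxy:8080'
)

$proxyBlock = @"
<system.net>
  <defaultProxy>
    <proxy proxyaddress="$ProxyAddress" bypassonlocal="true" />
  </defaultProxy>
</system.net>
"@

function Add-DefaultProxy {
    param(
        [Parameter(Mandatory=$true)][string]$ConfigPath,
        [Parameter(Mandatory=$true)][string]$Block
    )
    $text = [System.IO.File]::ReadAllText($ConfigPath)

    # Idempotent: a second run must not add a duplicate <defaultProxy>.
    if ($text -match '<defaultProxy') {
        Write-Host "skip   $ConfigPath (defaultProxy already present)"
        return
    }
    $marker = '</SharePoint>'
    $pos = $text.IndexOf($marker)
    if ($pos -lt 0) {
        Write-Warning "skip   $ConfigPath (no </SharePoint> tag: not extended with WSS?)"
        return
    }
    $insertAt = $pos + $marker.Length
    $newText  = $text.Substring(0, $insertAt) + "`r`n" + $Block + $text.Substring($insertAt)

    # Never write a Web.config that no longer parses; IIS would fail every request for the site.
    try { $null = [xml]$newText } catch { throw "result for $ConfigPath is not well-formed XML: $_" }

    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
    [System.IO.File]::WriteAllText($ConfigPath, $newText)
    Write-Host "edited $ConfigPath (backup written to $ConfigPath.bak)"
}

# Root directory of every Web site (virtual server) on this IIS 6 computer: W3SVC/<id>/ROOT.
$roots = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebVirtualDirSetting |
         Where-Object { $_.Name -match '^W3SVC/\d+/ROOT$' }

foreach ($root in $roots) {
    $config = Join-Path -Path $root.Path -ChildPath 'web.config'
    if (Test-Path -Path $config) { Add-DefaultProxy -ConfigPath $config -Block $proxyBlock }
    else { Write-Host "skip   $($root.Name): no web.config in $($root.Path)" }
}
```

The script skips a file that already contains a defaultProxy element and refuses to write anything that does not parse, so it is safe to rerun after adding a virtual server.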

Back Up Your Current Configuration

To back up your current configuration, perform the following steps:

  1. In ISA Server Management, right-click the name of the ISA Server computer, and click Back Up.
  2. In Backup Configuration, provide the location and name of the file to which you want to save the configuration. You may want to include the date of the export in the file name to make it easier to identify, such as ExportBackup2June2004.
  3. Click Back Up. If you are exporting confidential information such as user passwords, you will be prompted to provide a password, which will be needed to restore the configuration from the exported file.
  4. When the backup operation is complete, click OK.

Configure SSL Certificates

HTTPS-to-HTTPS bridging requires a certificate on both the ISA Server computer and the Windows SharePoint Services site. All of the SSL certificates must meet the following criteria:

  • The Issued to name (the subject common name, CN) on each certificate must match the name that its peer uses to reach it: the certificate on the ISA Server Web listener must carry the public name that users type in their browser, and the certificate on the Windows SharePoint Services server must carry the name you specify on the To tab of the Web publishing rule (its internal DNS name).
  • The certificate must not be expired.
  • ISA Server must trust the certification authority (CA) that issued the SSL certificate on the servers running Windows SharePoint Services.

The following scenarios show you how to configure the certificates.

Scenario 1: You already have a commercial SSL Server certificate installed on the published server

On the ISA Server computer. Either export the existing certificate or obtain a new one, as follows:

  • Export the existing certificate from your Web server to ISA Server. For instructions, see Export a Certificate from the Web Server to the ISA Server Computer in this document. If you do not want to use the name on the existing commercial certificate, you must purchase a new one.
  • Alternatively, if you do not want to use the existing commercial certificate, you can leave the existing commercial certificate on the Web server, and request and install a new commercial certificate for the ISA Server computer. For procedures, see Appendix B: Obtain and Configure Certificates from a Commercial CA in this document.

On the published server. Choose whether to leave a copy of the existing certificate on the Web server, or obtain a new one, as follows:

  • Leave a copy of the existing certificate on the Web server. For this to work, the name on the To tab of the Web publishing rule must match the name on the certificate, the published name. Otherwise an error is generated when ISA Server sends an HTTPS request.

  • Alternatively, request and install a new commercial certificate for the Web server. For instructions, see Create a Certificate Request from a Commercial CA, and then Submit a Certificate Request File in this document. The name on the certificate (Common Name or CN) must match the name that ISA Server uses to refer to the Web server, which is the name on the To tab of the Web publishing rule. If it does not match, you may encounter issues outlined in the article Clients may receive an "Error Code 500 Internal Server Error" error message.

    Note

    Instead of a new commercial certificate, you can obtain a certificate from a local certification authority (CA) for the published server. This certificate will be used for the ISA Server computer to Web server connection. This saves the cost of a second commercial certificate, and the root certificate from the local CA can be stored on the ISA Server computer. To set up such a certificate, follow the procedures in Appendix C: Set Up a Local CA in this document.

Scenario 2: You do not have a commercial SSL certificate installed on the published server

On the ISA Server computer. Obtain a certificate for ISA Server, as follows:

  • Generally, for external sites, you obtain a certificate from a commercial CA (such as Verisign or Thawte). You create a certificate request from a commercial CA using the IIS Web Server Certificate Wizard, and submit the request file. Because IIS is typically not installed on the ISA Server computer, you will request the certificate from the Web server, and export it to the ISA Server computer. For instructions, see Appendix B: Obtain and Configure Certificates from a Commercial CA in this document. Note that the name you use to publish the Web site in the Web publishing rule must match the name on the certificate. Currently there is no way to request an SSL server certificate from ISA Server 2004 to the CA directly.

On the published server. Choose whether to leave a copy of the new certificate you obtained and exported to ISA Server, or obtain another commercial or local CA certificate, as follows:

  • Leave a copy of the existing certificate on the Web server, so that both the ISA Server computer and the Web server use the same certificate. The name on the To tab of the Web publishing rule must match the name on the certificate.

  • Alternatively, request and install a new commercial certificate for the Web server. For instructions, see Appendix B: Obtain and Configure Certificates from a Commercial CA in this document. The name on the certificate must match the name that ISA Server uses to refer to the Web server, which is the name on the To tab of the Web publishing rule.

    Note

    Instead of obtaining another new commercial certificate, you can obtain a certificate from a local CA for the ISA Server computer to Web server connection. This would save you the cost of a second commercial certificate, and the root certificate from the local CA can be stored on the ISA Server computer. To do this, follow the procedures in Appendix C: Set Up a Local CA.
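A check of the criteria above against what is actually in the computer's certificate store, as an added example that is not part of the original article. It assumes Windows PowerShell; the two host names are placeholders (the listener's public name, and the Web server name that goes on the To tab of the rule). Run it on the ISA Server computer for the listener certificate and on the Windows SharePoint Services server for the Web server certificate.

```powershell
# Added example, not from the original article. Lists every certificate in the local machine
# Personal store with the article's criteria evaluated: name match, validity period, private
# key present, and a chain that this computer trusts. Host names below are placeholders.
function Test-PublishingCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$ExpectedName,   # public name (listener) or To-tab name (Web server)
        [string]$StoreLocation = 'LocalMachine'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $StoreLocation)
    $store.Open('ReadOnly')
    try {
        $results = foreach ($cert in $store.Certificates) {
            # Names the certificate is valid for: the subject CN plus any DNS entries in the
            # Subject Alternative Name extension (OID 2.5.29.17).
            $names = @()
            $cn = $cert.GetNameInfo('SimpleName', $false)
            if ($cn) { $names += $cn }
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            if ($san) {
                $names += (($san.Format($false) -split ',\s*') |
                           ForEach-Object { ($_ -split '=')[-1].Trim() })
            }
            $now = Get-Date
            [pscustomobject]@{
                Thumbprint    = $cert.Thumbprint
                Names         = ($names -join ';')
                NameMatches   = ($names -contains $ExpectedName)
                NotExpired    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
                HasPrivateKey = $cert.HasPrivateKey     # required; a cert without its key cannot terminate SSL
                ChainTrusted  = $cert.Verify()          # false when the issuing CA is not trusted on this computer
            }
        }
        $results
    } finally {
        $store.Close()
    }
}

# On the ISA Server computer: the listener certificate must carry the public name.
Test-PublishingCertificate -ExpectedName 'sharepoint.fabrikam.com' | Format-Table -AutoSize
# On the Windows SharePoint Services server: the certificate must carry the To-tab name.
Test-PublishingCertificate -ExpectedName 'sps-server.internal.com' | Format-Table -AutoSize
```

A certificate is usable for the role only when all four columns are True on the computer where it will be used; ChainTrusted is the check for the third criterion (ISA Server must trust the CA that issued the Web server's certificate), so run it on the ISA Server computer after importing a local CA's root certificate.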

Create a Secure Web Listener

To create a secure Web listener, perform the following steps:

  1. In ISA Server Management, click Firewall Policy.
  2. In the task pane, on the Toolbox tab, select Network Objects, click New, and then select Web Listener.
  3. Specify a name for the Web listener. For example WSS_Listener.
  4. Then click Next.
  5. In IP Addresses, select the check box for the networks that you want the listener to listen on. For example, select the External check box to listen to requests from the Internet.
  6. Click Next.
  7. On the Port Specification page, under HTTP, clear Enable HTTP so that the listener accepts SSL connections only. Under SSL, select the Enable SSL check box, and then in SSL port, type 443.
  8. Click Select to choose the server certificate you will use for the SSL authentication process. In the Select Certificate dialog box, select the required certificate. Then click OK.
  9. Click Next, and then click Finish to complete the wizard.
  10. Click Apply to apply changes.

Create a Secure Web Publishing Rule

To create a secure Web publishing rule to specify how ISA Server handles HTTPS requests for the Windows SharePoint Services Web server, and how it responds on behalf of the Web server, perform the following steps:

  1. In ISA Server Management, right-click the Firewall Policy node, point to New, and then click Secure Web Server Publishing Rule.
  2. In the SSL Web Publishing Wizard, type a name for the new rule, and then click Next.
  3. On the Publishing Mode page, select SSL Bridging, and then click Next.
  4. On the Select Rule Action page, select Allow, and then click Next.
  5. On the Bridging Mode page, to forward HTTPS requests from the ISA Server computer to the Web server over HTTPS, select Secure connection to clients and Web server. Then click Next.
  6. On the Define Website to Publish page, in Computer name or IP address, type the IP address or name of the computer running the SharePoint Web site. Remember that if you specify a name, you will need an internal DNS entry to resolve the name to an IP address.
  7. Select Forward the original host header instead of the actual one (specified above) to ensure that the host header contains the original external DNS name typed in the URL. Some Windows SharePoint Services features require the external DNS name. Click Next.
  8. On the Public Name Details page, in Accept requests for, select Any domain name to forward requests to the published SharePoint site without checking the domain name, or select This domain name, and in the Public name box that appears, specify the external FQDN that users will type in their browser to reach the site. Select This domain name where possible: it restricts the rule to the published FQDN, which must also be the name on the listener certificate. Then click Next.
  9. On the Select Web Listener page, in Web listener, select the Web listener for the network on which you want to listen for requests to the SharePoint site. Click New to create a new listener if you have not previously defined one. Then click Next.
  10. On the User Sets page, specify the users from whom the listener will accept requests. To accept requests from all users, leave the default All Users. To limit users, click Add and then select the user set. On the Add Users page, click New to create a new user set. Then click Next. Then click Finish to complete the wizard.

Configure the HTTP Filter

To configure the HTTP filter, perform the following steps:

  1. Right-click the Web publishing rule you created, and select Configure HTTP.
  2. On the General tab, clear Verify normalization.
  3. If you are using a language containing high bit characters (for example, the umlaut in German), you may want to clear Block high bit characters.

These two settings relax the HTTP filter for this rule only (Configure HTTP is applied per rule); leave the filter's defaults in place on any other Web publishing rule.

Summary

Microsoft Internet Security and Acceleration (ISA) Server 2004 can help you securely publish your Windows SharePoint Services Web resources to the Internet. Web publishing rules prevent disclosure of internal information, and control access so that only authorized traffic reaches internal servers. There are a number of limitations, in particular the way in which Windows SharePoint Services uses hidden absolute URLs that cannot be found by ISA Server. When publishing the server over Secure Sockets Layer (SSL), this will be particularly problematic in an HTTPS-to-HTTP bridging scenario, and this configuration is not recommended.

The main drawback of the recommended HTTPS-to-HTTPS configuration is the overhead of SSL processing on the server running Internet Information Services (IIS). Connection time may be lengthy, and ISA Server does not support HTTP compression to shorten this overhead. For example, when HTTPS-to-HTTPS bridging is configured, the initial SSL connection time involves active content JScript files being downloaded to the client. When a client connects directly to a Windows SharePoint Services server, this connection time is improved by activating HTTP compression in IIS. (Although this does not work for JScript files by default in IIS, the IIS metabase can be edited to make this work. For details, see Using HTTP Compression.) This becomes an issue with ISA Server, because although ISA Server can pass compressed content, no content inspection is done, and no caching occurs. With IIS, it is up to the client to request the use of compression, and when ISA Server makes a request as a client, it is unable to do this. One solution to performance issues may be the use of an SSL accelerator card. For more information, see Secure Sockets Layer Acceleration and Key Management Partners.

There may also be some issues with Office integration on the Windows SharePoint Services server when using SecurID authentication in ISA Server. Downloading and editing files in Office applications may be problematic.

Appendix A: Configure Client Authentication

This appendix shows how to configure authentication on the Web server, configure authentication on the Web listener, and delegate Basic authentication credentials.

Configure Authentication on the Web Server

On the Web server running Windows SharePoint Services, do the following:

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Click to expand the server name that contains the virtual server you want to configure.
  3. Right-click the virtual server, and then click Properties.
  4. On the Directory Security tab, under Authentication and access control, click Edit.
  5. In the Authentication Methods dialog box, view the enabled authentication method. To enable Integrated Windows authentication, select Integrated Windows Authentication. To enable Basic authentication, select Basic authentication (password is sent in clear text). If you only enable Basic authentication, a warning will appear informing you of the consequences of Basic authentication. Ensure that anonymous authentication is disabled.
  6. In the IIS Manager warning message, click Yes.
  7. In the Default domain text box, enter the name of the Windows domain, or click the Select button and select the domain name. Configuring a domain name will make it unnecessary for external clients to enter the domain name along with their account name (for example, Internal\UserName).
  8. Click OK to close the Authentication Methods dialog box.
  9. Click OK again to the close the Properties dialog box.

Configure Authentication on the Web Listener

To specify the type of client authentication required on the ISA Server computer, do the following:

  1. In the console tree of ISA Server Management, click Firewall Policy.
  2. On the Toolbox tab, in Network Objects, expand Web Listeners, and right-click the Web listener that will listen to requests for the SharePoint Web site. Select Properties.
  3. On the Preferences tab, click Authentication.
  4. In the authentication method list, select the required authentication method. If you select Basic authentication only, you will receive a warning message: Basic sends the credentials Base64-encoded, not encrypted, which is acceptable here only because this listener accepts SSL connections and no plain HTTP.
  5. Select Require all users to authenticate.
  6. The default domain used for authentication is the domain in which ISA Server is located. Click Select Domain to change the domain used.
  7. Click OK.
  8. Click Apply to apply changes.

Delegate Basic Authentication Credentials

If you want to authenticate users with Basic authentication, and then pass credentials so that users can be authenticated with Basic authentication on the Web server, do the following:

  1. In the console tree of ISA Server Management, click Firewall Policy.
  2. In the details pane, click the Web publishing rule that publishes the Windows SharePoint Services Web server.
  3. On the Tasks tab, click Edit Selected Rule.
  4. On the Users tab of the rule, select Forward Basic authentication credentials (Basic delegation).

Appendix B: Obtain and Configure Certificates from a Commercial CA

This appendix shows how to create a certificate request from a commercial certification authority (CA), submit a certificate request file, install a certificate on the Web server, export a certificate from the Web server to the ISA Server computer, install the exported certificate on the ISA Server computer, and remove a certificate.

Create a Certificate Request from a Commercial CA

Perform the following procedure to generate a new certificate request to be sent to a CA for processing. Note that procedures vary slightly in different versions of IIS. These procedures are based on IIS 6.0. Perform the following steps:

  1. Open the Internet Services Manager as follows. Click Start, point to All Programs, point to Administrative Tools, and select Internet Information Services (IIS) Manager (or open your custom MMC containing the IIS snap-in).

  2. Expand the local computer node and the Web Sites node. Right-click the Web site and select Properties.

  3. Click the Directory Security tab.

  4. In Secure Communications, click Server Certificate. This starts the New Web Site Certificate Wizard.

  5. On the Welcome page, click Next.

  6. On the Server Certificate page, select Create a New Certificate, and then click Next.

  7. On the Delayed or Immediate Request page, select Prepare the Request now, but Send it later, and then click Next.

  8. On the Name and Security Settings page, choose a friendly name for the site. This name is not critical to the functioning of the certificate, so pick a name that is easy to refer to and to remember.

  9. Select the bit length of the key you want to use (commercial CAs now require at least 2048 bits) and whether you want to use a cryptographic service provider (CSP), and then click Next.

  10. On the Organization Information page, provide your Organization and your Organizational Unit. For example, if your company is called Fabrikam, Inc. and you are setting up a Web server for the Sales department, you would enter Fabrikam for the Organization and Sales for your Organizational Unit. Click Next.

  11. On the Your Site’s Common Name page, provide the common name (CN) for your site. Note that if this certificate will be exported to the ISA Server computer, the name on the certificate must match the name you use to publish the Web site in the Web publishing rule. If this certificate will remain on the Web server, the name on the certificate must match the name that ISA Server uses to refer to the Web server, which is the name on the To tab of the Web publishing rule. After the naming considerations have been resolved, click Next.

  12. On the Geographical Information page, enter your information in Country/Region, State/province, and City/locality. It is important that you do not abbreviate the names of the state/province or city/locality. Click Next.

  13. On the Certificate Request File Name page, provide a name for the certificate request file that you are about to create. This file will contain all the information that you included in this procedure, as well as the public key for your site. This creates a .txt file when the procedure steps are completed. The default name for the file is Certreq.txt. Click Next.

  14. On the summary page, verify that all of the information is correct, and then click Next.

  15. On the Completing the Web Server Certificate page, click Finish.

  16. Click OK to close the Web Site Properties dialog box.

    Important

    The common name of the certificate must match the fully qualified internal DNS name of the server running IIS or Windows SharePoint Services, or the CN that the ISA Server computer uses to access the Web server through the Web publishing rule. In our example, this would be sps-server.internal.com.

Submit a Certificate Request File

For the certificate to be used on the Internet, submit the request file to a CA (online authority). The CA will generate a certificate response file, which contains your public key and which is digitally signed by the commercial CA. Follow the instructions provided by the commercial CA to submit the request file. The CA will respond with a certificate response, which you will use to install the certificate. Note that to submit a request you need access to the CA’s Web site. We recommend that you copy the request file from the Web server to a computer with Internet access, and then submit it according to the CA’s instructions. Alternatively, you can allow connectivity from your Web server to the commercial CA by creating an ISA Server access rule on the protocols used by the CA. Make the rule as specific as possible. For example, if you require access on HTTP, create an allow rule from a computer set containing only the Web server, to a URL set containing only the CA’s Web site, and allowing only HTTP traffic.

Install a Certificate on the Web Server

After you receive your response file from the CA, install it on the Web server. A certificate that will be exported to the ISA Server computer must first be installed on the Web server for which the certificate was requested. To install the certificate on the Web server, perform the following steps:

  1. Open Internet Services Manager.
  2. Expand Internet Information Services, and expand Web Sites. Select the Web site that has a pending certificate request.
  3. Right-click the Web site, and then click Properties.
  4. Click the Directory Security tab.
  5. In Secure Communications, click Server Certificate.
  6. In the Web Site Certificate Wizard, click Next.
  7. Select Process the Pending Request and Install the Certificate and click Next.
  8. Type the location of the certificate response file (you may also browse to the file), and then click Next.
  9. On the SSL Port page, select the SSL port that the Web site will use. By default, this is port 443.
  10. On the Certificate Summary page, review the information to ensure that you are processing the correct certificate, and then click Next.
  11. On the Completing the Web Server Certificate Wizard page, click Finish.
  12. Verify that the server certificate was properly installed. From the Start menu, click Run. Type MMC, and then click OK.
  13. In MMC, click File, and then click Add/Remove Snap-in.
  14. In Add/Remove Snap-in, click Add to open the Add Standalone Snap-in dialog box. From the list of snap-ins, select Certificates, and then click Add.
  15. In Certificates snap-in, select Computer account, and then click Next. In Select Computer, verify that Local computer (the default) is selected, and then click Finish. Click Close, and then click OK.
  16. In MMC, expand Certificates (local computer), expand the Personal node, click Certificates, and double-click the new server certificate. On the General tab, there should be a note that says You have a private key that corresponds to this certificate. On the Certification Path tab, you should see a hierarchical relationship between your certificate and the CA, and a note that says This certificate is OK.
  17. Close MMC. Save the console settings with a descriptive name, such as LocalComputerCertificates.msc.

Export a Certificate from the Web Server to the ISA Server Computer

Use the following procedure to export a certificate from the Web server to the ISA Server computer:

  1. In the MMC console you saved, click Add/Remove Snap-in, and in the Add/Remove Snap-in dialog box, click Add to open the Add Standalone Snap-in dialog box.

  2. Select Certificates, click Add, select Computer account, and then click Next.

  3. In Select Computer, verify that Local computer (the default) is selected, and then click Finish. In the Add Standalone Snap-in dialog box click Close, and in the Add/Remove Snap-in dialog box, click OK.

  4. Expand the Certificates node, expand Personal, and then click Certificates. A certificate with the name of your Web site appears in the Issued To column in the right pane.

  5. Right-click your certificate, click All Tasks, and then click Export. This opens the Certificate Export Wizard.

  6. On the Welcome page, click Next.

  7. On the Export Private Key page, select Yes, export the private key, and then click Next.

    Note

    If you do not have the option to click Yes in the Export Private Key page, the private key has already been exported to another computer or the key never existed on this computer. You cannot use this certificate on the ISA Server computer. You must request a new certificate for ISA Server for this Web site.

  8. On the Export File Format page, select Personal Information Exchange. Maintain the default setting for all three check boxes. Click Next.

  9. On the Password page, assign a password to protect the exported file, and then confirm the password. Click Next.

  10. On the File to Export page, provide a file name and location for the export file, and then click Save. Click Next.

  11. On the wizard completion page, click Finish. Safeguard the file that you just created: it contains the site's private key, so anyone who obtains it together with its password can impersonate the published site. Copy it only to the ISA Server computer, and delete the copies once the import has been verified.

  12. Copy the file that you created to the ISA Server computer.

Install the Exported Certificate on the ISA Server Computer

Use the following procedure to install a certificate on the ISA Server computer:

  1. Click Start, and then click Run. In Open, type MMC, and then click OK.

  2. Click File, click Add/Remove Snap-in, and in the Add/Remove Snap-in dialog box, click Add to open the Add Standalone Snap-in dialog box.

  3. Select Certificates, click Add, select Computer account, and then click Next.

  4. Select Local Computer, and then click Finish. In the Add Standalone Snap-in dialog box, click Close, and in the Add/Remove Snap-in dialog box, click OK.

  5. Expand the Certificates node, and right-click the Personal folder.

  6. Select All Tasks, and then click Import. This starts the Certificate Import Wizard.

  7. On the Welcome page, click Next.

  8. On the File to Import page, browse to the file that you created previously when you exported the certificate, and then click Next.

  9. On the Password page, type the password for this file, and then click Next.

    Note

    The Password page provides the option Mark this key as exportable. If you want to prevent the exporting of the key from the ISA Server computer, do not select this option.

  10. On the Certificate Store page, verify that the selection Place all certificates in the following store and Certificate Store are set to Personal (the default settings), and then click Next.

  11. On the wizard completion page, click Finish.

  12. Verify that the server certificate was properly installed. Open the MMC console that you created previously. From the Start menu, point to All Programs, point to Administrative Tools, and select LocalComputerCertificates.msc (or the name that you provided when creating the certificates console).

  13. Expand Certificates (local computer), expand the Personal node, click Certificates, and double-click the new server certificate. On the General tab, there should be a note that shows You have a private key that corresponds to this certificate. On the Certification Path tab, you should see a hierarchical relationship between your certificate and the CA, and a note that shows This certificate is OK.

Remove a Certificate

If there is a certificate bound to the Web site and you do not want SSL enabled on the Web site (HTTPS-to-HTTP), unbind the Web site certificate.

To unbind the certificate from the IIS Web site, perform the following steps:

  1. On the Web server, open Internet Services Manager.
  2. Expand the server node and select the Default Web Site node. Click Properties.
  3. Click the Directory security tab. In Secure Communications, click Server Certificate. This starts the New Web Site Certificate Wizard.
  4. On the Welcome page, click Next.
  5. On the Modify the Current Certificate Assignment page, select Remove the current certificate and click Next.
  6. On the Remove a Certificate page, click Next.
  7. On the wizard completion page, click Finish.
  8. Close Internet Services Manager.

If you have simply used the Web server as a method of installing the certificate on the ISA Server computer, or no longer require a certificate on the Web server, you may want to delete the certificate from the Web server, as follows.

To delete the certificate from the computer, perform the following steps:

  1. Open the MMC console that you created previously. From the Start menu, point to All Programs, point to Administrative Tools, and select LocalComputerCertificates.msc (or the name that you provided when creating the certificates console).
  2. Expand Certificates (local computer), expand the Personal node, click Certificates, and right-click the certificate. Click Delete, and then click OK on the warning dialog box.

Appendix C: Set Up a Local CA

You need a certification authority (CA) if you want to issue digital certificates. When the certificates are for internal use, we recommend that you create a local CA, negating the need to purchase a commercial certificate. This appendix shows how to set up a CA, install a local server certificate, and install a root certificate.

Set Up a CA

This procedure is performed on a computer running Microsoft Windows Server™ 2003 or Windows® 2000 Server. For a stand-alone root CA, this can be any computer. An enterprise root CA must be installed on a server that is a member of a domain.

This procedure also installs the services that will enable computers to obtain the certificates through a Web page. If you prefer a different approach for obtaining the certificates for computers, you do not have to perform the Internet Information Services (IIS) and Active Server Pages installations described in this procedure.

To set up a CA, perform the following steps:

  1. Open the Control Panel.
  2. Double-click Add or Remove Programs.
  3. Click Add/Remove Windows Components.
  4. Double-click Application Server.
  5. Double-click Internet Information Services (IIS).
  6. Double-click World Wide Web Service.
  7. Select Active Server Pages.
  8. Click OK to close the World Wide Web Service dialog box, click OK to close the Internet Information Services (IIS) dialog box, and then click OK to close the Application Server dialog box.
  9. Select Certificate Services. Review the warning regarding the computer name and domain membership. Click Yes in the warning dialog box if you want to continue, and then click Next in the Windows components dialog box.
  10. On the CA Type page, choose one of the following, and then click Next:
    • Enterprise root CA. An enterprise root CA must be installed on a domain member. The enterprise root CA will automatically issue certificates when requested by authorized users (recognized by the domain controller).
    • Stand-alone root CA. A stand-alone root CA requires that the administrator issue each requested certificate.
  11. On the CA Identifying Information page, provide a common name for the CA, check the distinguished name suffix, select a validity period, and then click Next.
  12. On the Certificate Database Settings page, review the default settings. You may revise the database locations. Click Next.
  13. On the Completing the Windows Components Wizard page, review the summary, and then click Finish.

Note that to allow access to the CA Web site, you must publish it. To limit access, you can publish only the specific folders that are needed, and only to a specific set of users. For more information about Web publishing, see Publishing Web Servers Using ISA Server 2004.

Install a Local Server Certificate

This procedure is performed on the computer that requires the digital certificate. In the case of Web publishing, this will be the ISA Server computer, at a minimum, and may also include the Web server. In the case of server publishing, this will be only the server that you are publishing. If you installed a stand-alone root CA rather than an enterprise root CA, there are also actions that take place on the certification authority.

To install a local server certificate, perform the following steps:

  1. Open Internet Explorer.
  2. From the menu, select Tools, and then select Internet Options.
  3. Select the Security tab, and in Select a Web content zone to specify its security settings, click Trusted Sites.
  4. Click the Sites button to open the Trusted sites dialog box.
  5. In Add this Web site to the zone, provide the certificate server Web site name (https://IP address of certification authority server/certsrv) and click Add.
  6. Click Close to close the Trusted sites dialog box, and then click OK to close Internet Options.
  7. Browse to: https://IP address of certification authority server/certsrv.
  8. Request a certificate.
  9. Select Advanced Certificate Request.
  10. Select Create and submit a request to this CA (Windows Server 2003 CA), or Submit a certificate request to this CA using a form (Windows 2000 Server CA).
  11. Complete the form and select Server Authentication Certificate from the Type drop-down list. To avoid the client receiving an error when trying to connect, it is critical that the common name you provide for the certificate matches the published server name, as follows:
    • For Web publishing, for a certificate on the ISA Server computer, type the fully qualified host name or URL that external clients will type in their Web browser to access the Web site, for example news.adatum.com.
    • For Web publishing, if you are also installing a server certificate on the Web server in addition to the certificate required on the ISA Server computer, the common name is the name that the ISA Server computer uses to access the Web server through the Web publishing rule. This should be the fully qualified domain name (FQDN) of the Web server, such as webserver1.adatum.com.
  12. Select Store Certificate in the local computer certificate store (Windows Server 2003 CA) or Use local machine store (Windows 2000 Server CA) and submit the request by clicking Submit. Review the warning dialog box that appears, and then click Yes.
  13. If you installed a stand-alone root CA, perform the following steps on the certification authority computer. These steps are automated in an enterprise root CA.
  14. Go to the Microsoft Management Console (MMC) Certification Authority snap-in. Click Start, point to All Programs, point to Administrative Tools, and then select Certification Authority.
  15. Expand the CAName certificates node, where CAName is the name of your certification authority.
  16. Click the Pending requests node, right-click your request, select All Tasks, and then select Issue.
  17. On the ISA Server computer, return to the Web page https://IP address of certification authority server/certsrv, and then click View status of a pending request.
  18. Click your request and choose Install this certificate.
  19. Verify that the server certificate was properly installed. Open MMC, and go to the Certificates snap-in. Open Certificates (local computer), expand the Personal node, click Certificates, and double-click the new server certificate. On the General tab, there should be a note that says You have a private key that corresponds to this certificate. On the Certification Path tab, you should see a hierarchical relationship between your certificate and the root certificate, and a note that says This certificate is OK.

Note that on an ISA Server computer running Windows Server 2003 or Windows 2000 Server, the server certificate obtained from a CA must be stored in the Personal certificate store of the ISA Server computer. The root certificate for the CA must be stored in the Trusted Root Certification Authorities store of the ISA Server computer.

Install a Root Certificate

For a client computer to trust the server certificates that you have installed from a local CA, the root certificate from that CA must be installed on the client computer. Follow this procedure on any client computer that requires the root certificate. Note that you can also transfer the root certificate on a medium such as a disk, and then install it on the client computer.

To install a root certificate, follow these steps:

  1. Open Internet Explorer.

  2. From the menu, select Tools, and then select Internet Options.

  3. Select the Security tab, and click Custom Level to open the Security Settings dialog box. Set the value in the Reset custom settings drop-down menu to Medium, click OK to close the Security Settings dialog box, and then click OK to close the Internet Options dialog box.

    Note

    Certificate installation is not possible when the security setting is set to High.

  4. Browse to: https://IP address of certification authority server/certsrv.

  5. Click Download a CA Certificate, Certificate Chain, or CRL (the text used by Windows Server 2003) or Retrieve the CA certificate or certificate revocation list (the text used by Windows 2000 Server). On the next page, click Download CA Certificate. This is the trusted root certificate that must be installed on the ISA Server computer. In the File Download dialog box, click Open.

  6. On the Certificate dialog box, click Install Certificate to start the Certificate Import Wizard.

  7. On the Welcome page, click Next. On the Certificate Store page, select Place all certificates in the following store and click Browse. In the Select Certificate Store dialog box, select Show Physical Stores. Expand Trusted Root Certification Authorities, select Local Computer, and then click OK. On the Certificate Store page, click Next.

  8. On the summary page, review the details and click Finish.

  9. Verify that the root certificate was properly installed. Open MMC, and go to the Certificates snap-in. Open Certificates (local computer), expand the Trusted Root Certification Authorities node, click Certificates, and verify that the root certificate is in place.

    Note

    You can also install certificates on a computer from the MMC Certificates (Local Computer) snap-in. This only provides access to CAs on the same domain.
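The two verification steps above (the server certificate check in Install a Local Server Certificate, and the root certificate check in Install a Root Certificate) are done by hand in MMC. The script below is an added example, not part of the original paper or of ISA Server, that performs the same checks from an elevated PowerShell prompt on the ISA Server (or Web server) computer: it finds the certificate in the local computer's Personal store whose name matches the published name, confirms the private key is present, confirms the Server Authentication purpose and validity period, builds the chain, and confirms the root sits in the local computer's Trusted Root Certification Authorities store. The names in the usage lines (news.adatum.com, CAName) are the paper's own placeholders, and the function names are this example's own.

```powershell
# Added example (not from the original paper): verify the certificate state that
# Appendix C has you confirm in MMC. Run elevated on the ISA Server computer.

function Get-CertificateDnsNames {
    # Returns the subject common name plus any DNS subject alternative names.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Format() yields text such as "DNS Name=news.adatum.com, DNS Name=www.adatum.com"
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    return ($names | Select-Object -Unique)
}

function Test-PublishedServerCertificate {
    # Checks the requirements the paper states for the ISA Server certificate:
    # stored in Personal (Cert:\LocalMachine\My), private key present, common name
    # matches what external clients type, Server Authentication purpose, currently
    # valid, and chained to a root in Trusted Root Certification Authorities.
    param([Parameter(Mandatory)][string]$PublishedName)

    $candidates = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { (Get-CertificateDnsNames $_) -contains $PublishedName }
    if (-not $candidates) {
        return [pscustomobject]@{ PublishedName = $PublishedName; Found = $false; Ok = $false
                                  Problems = @("no certificate in LocalMachine\My is issued to $PublishedName") }
    }
    # If several certificates match, check the one that expires last.
    $cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
    $problems = @()

    if (-not $cert.HasPrivateKey) {
        $problems += 'no private key corresponds to this certificate (the MMC General tab would not show the key note)'
    }
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # extendedKeyUsage
    if ($eku) {
        $purposes = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if ($purposes -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'certificate lacks the Server Authentication purpose' }
    }
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $problems += "certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # Build the chain as the local computer would. Revocation checking is skipped
    # here because a lab CA's CRL is often unreachable, and that is a separate
    # question from whether the stores are configured as the paper requires.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $problems += ($chain.ChainStatus | ForEach-Object { "chain: $($_.StatusInformation.Trim())" })
    }
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Subject -ne $top.Issuer) {
        $problems += "chain is incomplete: no certificate found for issuer '$($cert.Issuer)'"
    } elseif (-not (Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)")) {
        $problems += "root '$($top.Subject)' is not in the local computer's Trusted Root Certification Authorities store"
    }

    [pscustomobject]@{
        PublishedName = $PublishedName
        Found         = $true
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        Ok            = ($problems.Count -eq 0)
        Problems      = $problems
    }
}

function Test-RootCertificateInstalled {
    # For the client-side procedure: confirms the CA's self-signed root is in the
    # local computer's Trusted Root store, not only the current user's store.
    param([Parameter(Mandatory)][string]$CAName)
    $pattern = 'CN=' + [regex]::Escape($CAName) + '(,|$)'
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -match $pattern } |
        Select-Object -First 1
    $thumb = $null
    if ($root) { $thumb = $root.Thumbprint }
    [pscustomobject]@{ CAName = $CAName; Installed = [bool]$root; Thumbprint = $thumb }
}

# Usage, with the paper's placeholder names:
Test-PublishedServerCertificate -PublishedName 'news.adatum.com' | Format-List
Test-RootCertificateInstalled -CAName 'CAName' | Format-List
```

Run Test-PublishedServerCertificate with the name external clients type (for the ISA Server computer) or with the Web server's FQDN (for a certificate on the Web server itself); an empty Problems list corresponds to the "You have a private key" and "This certificate is OK" notes the MMC procedure tells you to look for. Because the script reads Cert:\LocalMachine rather than Cert:\CurrentUser, it also catches the common mistake of importing the root certificate into the current user's store instead of the local computer's.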