Microsoft Internet Security and Acceleration Server 2000

ISA Server and Secure Sockets Layer

In ISA Server you can use Secure Sockets Layer (SSL) security features for authentication. Certification is used in two ways when a client requests an object from a server:

SSL authenticates by checking the contents of an encrypted digital identification submitted by the user's Web browser during the logon process. Server certificates contain identifying information about the server. Client certificates usually contain identifying information about the user and about the organization that issued the certificate. Users obtain client certificates from a trusted external organization.

Client Certificate

If client certificate authentication is the selected authentication method, ISA Server requests a client certificate from the client before allowing the request.

The ISA Server computer receives the request and sends a server certificate to the client. The ISA Server computer thereby identifies itself as the SSL Web server. The client receives the certificate and verifies that it belongs to the ISA Server computer.

The client then resends its request to the ISA Server computer. However, the ISA Server computer requires a certificate from the client, which must have been issued previously. The ISA Server computer verifies that the certificate belongs to a client that is allowed access.

The client certificate should be installed in the Microsoft Web Proxy Service certificate store on the ISA Server computer. The certificate should be mapped to the appropriate user account.

ISA Server can present client certificates only in SSL bridging scenarios.

Server Certificate

When a client requests SSL objects from a server, it requests that the server authenticate itself. If the ISA Server terminates an SSL connection, then the ISA Server will have to authenticate itself to the client. You must configure and specify a server-side certificate to use when authenticating ISA Server to the client.

The server certificate should be installed in the Local Computer certificate store on the ISA Server computer. The certificate name should be identical to the name of the ISA Server (for outgoing Web requests) or to the name of the published Web servers (for incoming Web requests).
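
The name requirement above can be checked before a certificate is put into service. The following is an added example, not code from ISA Server or from Microsoft: it compares the names a certificate asserts with the names clients will use, following the RFC 2818 rules that TLS clients apply (DNS entries in subjectAltName first, the subject common name only when there are none). The certificate dictionaries use the layout of Python's ssl.SSLSocket.getpeercert(), and every host name is a constructed sample.

```python
# Added example: certificate dicts follow the layout returned by Python's
# ssl.SSLSocket.getpeercert(); every name below is a constructed sample.

def cert_names(cert):
    """Return the DNS names a certificate asserts, in RFC 2818 order."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san  # when DNS SAN entries exist, the common name is ignored
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, hostname):
    """Case-insensitive match; '*' may replace the whole leftmost label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:  # refuse overly broad patterns such as *.com
        p, h = p[1:], h[1:]
    return p == h

def check_certificate(cert, expected_names):
    """Map each name clients will use to True/False for this certificate."""
    names = cert_names(cert)
    return {e: any(name_matches(n, e) for n in names) for e in expected_names}

# Constructed sample: certificate issued to the ISA Server's own name.
ISA_CERT = {"subject": ((("commonName", "isa01.corp.example"),),)}

# Constructed sample: certificate for a published Web site, with SAN entries.
PUBLISHED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.shop.example.com")),
}

if __name__ == "__main__":
    # Outgoing Web requests: clients address the ISA Server by its own name.
    print(check_certificate(ISA_CERT, ["ISA01.corp.example", "isa01"]))
    # Incoming Web requests: clients use the published Web server names.
    print(check_certificate(PUBLISHED_CERT, ["www.example.com",
                                             "pay.shop.example.com",
                                             "mail.example.com"]))
```

A False entry marks a name for which clients would see a certificate name mismatch; the short name isa01 fails here because the sample certificate carries only the fully qualified name.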