Configuring SSL to SSL Bridging for Secured Websites


As previously mentioned, ISA Server 2004 allows end-to-end SSL encryption to take place between client and ISA and between ISA and Exchange and back. This ensures the integrity of the transaction and keeps the data secure and encrypted across the entire path.

To set up a scenario like this, however, either a Public Key Infrastructure (PKI) must be in place locally, or a third-party company such as Verisign or Thawte can be used to create the certificate infrastructure.

Working with Third-Party Certificate Authorities

A good number of organizations rely on third-party Certificate Authorities (CAs) to issue their certificates. One advantage to this is that these third-party CAs are generally trusted on a vast majority of client machines on the Internet. This means that the connection to a web server is automatically switched to HTTPS, without any error messages popping up on the client workstation.

Installing a Local Certificate Authority and Using Certificates

For organizations that choose to manage and handle their own certificate structure, Windows includes a Certificate Server component that can be installed directly on a domain controller. By creating a private CA, issuing certificates is a breeze and costs much less.

On the flip side, client workstations do not, by default, trust an internal CA, so it must be added into their Trusted Sites list. If it is not added, an error message always appears for them when they try to connect to that website.

Modifying a Rule to Allow for End-to-End SSL Bridging

To add SSL support to an existing web publishing rule, the listener must be modified and extended to include the information on the website's particular certificate. For example, if a SharePoint server on the internal network named sharepoint.companyabc.com is set up and a certificate is associated with that site, the certificate must be exported to a PFX file, imported into the ISA Server, and then used to modify the listener via the following procedure:

1. In the ISA Management Console, click on the Firewall Policy node.
2. In the Details pane, double-click on the web publishing rule that will be modified.
3. Go to the Listener tab.
4. Under the listener for the website, click Properties.
5. Select the Preferences tab, and check the box for Enable SSL.
6. Under Certificate, click the Select button to select a certificate to apply.
7. Click on the certificate that was exported and click OK.
8. Click OK twice, click Apply, and then click OK again to save the changes.

NOTE

For a certificate to be available on the ISA Server, it must first be exported to a .pfx file from the SharePoint virtual server on the SharePoint server itself. Once exported, it can then be imported onto the ISA Server, into the local machine certificate store using the Certificates MMC snap-in.
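
The export and import described in the note can be checked before the certificate is selected on the listener. The following PowerShell script is an added example, not part of the book: it inspects the exported .pfx file with standard .NET certificate classes and imports it into the local machine store only if the checks pass. It assumes PowerShell is available on the ISA Server; the file path is hypothetical, and the public name is assumed to be the same host name the page uses for the site.

```powershell
# Added example (not from the book): validate an exported PFX, then import it
# into the ISA Server's local machine Personal store. Run from an elevated prompt.
param(
    [string]$PfxPath    = 'C:\certs\sharepoint.pfx',    # assumed export location
    [string]$PublicName = 'sharepoint.companyabc.com'   # assumed name clients use
)
$ErrorActionPreference = 'Stop'
$ns = 'System.Security.Cryptography.X509Certificates'
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# First load without persisting anything, purely to inspect the certificate.
$cert = New-Object "$ns.X509Certificate2" -ArgumentList $PfxPath, $password
$problems = @()

# The listener terminates SSL, so the private key must have been exported too.
if (-not $cert.HasPrivateKey) { $problems += 'PFX contains no private key' }

# The subject name must match the name clients type, or browsers show a warning.
# Exact match only: wildcard and subjectAltName certificates are not handled here.
$cn = $cert.GetNameInfo('SimpleName', $false)
if ($cn -ne $PublicName) { $problems += "Subject '$cn' does not match '$PublicName'" }

$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "Outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# If an Enhanced Key Usage extension is present it must allow Server Authentication.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    $problems += 'EKU does not include Server Authentication'
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Certificate not imported.'
}

# Checks passed: reload with the key bound to the machine and persisted, then add
# it to LocalMachine\My, the store the Certificates MMC snap-in shows as Personal.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
$machineCert = New-Object "$ns.X509Certificate2" -ArgumentList $PfxPath, $password, $flags
$store = New-Object "$ns.X509Store" -ArgumentList 'My', 'LocalMachine'
$store.Open('ReadWrite')
try { $store.Add($machineCert) } finally { $store.Close() }
"Imported $cn, thumbprint $($machineCert.Thumbprint)"
```

Because the Exportable flag is not set on import, the private key cannot be exported again from the ISA Server. Delete the .pfx file from disk once the import succeeds.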





Microsoft SharePoint 2003 Unleashed
Microsoft SharePoint 2003 Unleashed (2nd Edition) (Unleashed)
ISBN: 0672328038
EAN: 2147483647
Year: 2005
Pages: 288
