As previously mentioned, ISA Server 2004 allows end-to-end SSL encryption to take place between client and ISA and between ISA and Exchange and back. This ensures the integrity of the transaction and keeps the data secure and encrypted across the entire path. To set up a scenario like this, however, either a Public Key Infrastructure (PKI) must be in place locally, or a third-party company such as Verisign or Thawte can be used to create the certificate infrastructure.

Working with Third-Party Certificate Authorities

A good number of organizations rely on third-party Certificate Authorities (CAs) to issue their certificates. One advantage to this is that these third-party CAs are generally trusted on a vast majority of client machines on the Internet. This means that the connection to a web server is automatically switched to HTTPS, without any error messages popping up on the client workstation.

Installing a Local Certificate Authority and Using Certificates

For organizations that choose to manage and handle their own certificate structure, Windows includes a Certificate Server component that can be installed directly on a domain controller. By creating a private CA, issuing certificates is a breeze and costs much less. On the flip side, client workstations do not, by default, trust an internal CA, so it must be added into their Trusted Sites list. If it is not added, an error message always appears for them when they try to connect to that website.

Modifying a Rule to Allow for End-to-End SSL Bridging

To add SSL support to an existing web publishing rule, the listener must be modified and extended to include the information on the website's particular certificate. For example, if a SharePoint server on the internal network named sharepoint.companyabc.com is set up and a certificate is associated with that site, the certificate must be exported to a PFX file, imported into the ISA Server, and then used to modify the listener via the following procedure:
NOTE For a certificate to be available on the ISA Server, it must first be exported to a .pfx file from the SharePoint virtual server on the SharePoint server itself. Once exported, it can then be imported onto the ISA Server, into the local machine certificate store using the Certificates MMC snap-in.
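The export/import step described in the note, plus the checks an administrator should run before binding the certificate to the web listener, as an added PowerShell example that is not part of the book or of any ISA Server tooling. It assumes the PKI module cmdlets (Export-PfxCertificate, Import-PfxCertificate) of a current Windows Server rather than the Certificates MMC snap-in the book uses; the host name sharepoint.companyabc.com comes from the text, while the PFX path and password are placeholders.

```powershell
# Added example (not from the book): export the SharePoint site certificate to a PFX
# on the SharePoint server, import it into the ISA Server's local machine store, and
# sanity-check it before it is attached to the listener.
# Assumptions: PKI module cmdlets are available (Windows Server 2012 or later);
# $PfxPath is a placeholder; the password is prompted for, never hard-coded.

$SiteName = 'sharepoint.companyabc.com'            # published host name from the text
$PfxPath  = 'C:\Temp\sharepoint.pfx'               # placeholder path
$PfxPass  = Read-Host -AsSecureString 'PFX password'

# --- On the SharePoint server: find the site certificate (with private key) and export it ---
$siteCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$SiteName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $siteCert) { throw "No certificate with a private key found for $SiteName" }
Export-PfxCertificate -Cert $siteCert -FilePath $PfxPath -Password $PfxPass | Out-Null

# --- On the ISA Server: import into the local machine Personal store ---
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPass

# --- Checks worth running before the listener is modified ---
# 1. The certificate's DNS names must include the published name, or every client
#    gets a name-mismatch warning. DnsNameList is a Windows PowerShell type extension.
$dnsNames = @($imported.DnsNameList | ForEach-Object { $_.Unicode })
if ($dnsNames -notcontains $SiteName) {
    Write-Warning "Certificate names ($($dnsNames -join ', ')) do not include $SiteName"
}

# 2. It must carry the Server Authentication enhanced key usage.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
if (-not ($imported.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)) {
    Write-Warning 'Certificate lacks the Server Authentication EKU'
}

# 3. The chain must build to a root this machine trusts. A certificate from an
#    internal CA fails here until that CA's root certificate is installed in
#    Trusted Root Certification Authorities (on the ISA Server and on clients).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'      # offline check; enable revocation in production
if (-not $chain.Build($imported)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain does not build: $status"
}

# 4. Expiry: warn if the certificate lapses within 30 days.
if ($imported.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($imported.NotAfter)"
}

# The PFX contains the private key; remove it once the import has succeeded.
Remove-Item $PfxPath -Force
```

Run the export section on the SharePoint server and the import and check sections on the ISA Server; the PFX must be moved between them over a trusted channel, since it carries the site's private key. A failing chain check on the ISA Server is the same failure clients will see when the issuing CA is an internal one whose root has not been distributed to them.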