As previously mentioned, ISA Server 2004 allows for end-to-end SSL encryption: the traffic is encrypted between the client and ISA Server, and again between ISA Server and Exchange, in both directions. This ensures the integrity of the transaction and keeps the data encrypted across the entire path.
To set up a scenario like this, however, a Public Key Infrastructure (PKI) must either be in place locally, or a third-party company such as Verisign or Thawte must be used to issue the certificates.
Working with Third-Party Certificate Authorities
A good number of organizations rely on third-party certificate authorities (CAs) to issue their certificates. A large advantage to this is that these third-party CAs are generally trusted on the vast majority of client machines on the Internet. This means that a client can establish an HTTPS connection to the web server without any certificate error messages popping up on the client workstation.
Installing a Local Certificate Authority and Using Certificates
For those organizations that choose to manage and handle their own certificate structure, Windows includes a Certificate Server component that can be installed directly on a domain controller. If a private CA is created, issuing certificates is a breeze and costs much less.
On the flip side, client workstations do not, by default, trust an internal CA, so it must be added into their Trusted Sites list. If it is not added, an error message appears every time they try to connect to that website.
To install and configure a PKI environment in Windows, create the CERT on the SharePoint Server, and transfer the certificate to ISA, follow the procedure in Chapter 10, "Extending ISA Server 2004 to Branch Offices with Site-to-Site VPNs," of this book, in the section titled "Configuring a PKI Infrastructure for PKI-Based Certificate Encryption."
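The trust check behind the client error message described above, and the export of the site certificate with its private key for transfer to ISA Server, as an added example that is not from this book (it assumes the PKI PowerShell module of Windows 8 / Server 2012 or later, the site name www.companyabc.com used later in this section, and a constructed output path):

```powershell
# Added example, not from the book: find the site certificate in the local machine
# store, confirm its chain is trusted on this machine, and export it to a PFX file
# (with private key) for import into ISA Server. Assumes the PKI module (Windows 8 /
# Server 2012 or later); $siteName comes from the text, $pfxPath is a constructed path.
$siteName = 'www.companyabc.com'
$pfxPath  = 'C:\Temp\www-companyabc-com.pfx'

# Pick the newest certificate in the Personal store whose subject matches the
# published site name and which carries a private key (required for SSL bridging).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$siteName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No certificate with a private key found for $siteName" }

# Build the chain against this machine's trusted root store. On a workstation that
# does not trust the internal CA, Build() returns $false; that is exactly the
# condition that produces the certificate warning in the browser.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust check only, works offline
$trusted = $chain.Build($cert)
if (-not $trusted) {
    foreach ($status in $chain.ChainStatus) {
        Write-Warning ("Chain problem: {0}" -f $status.StatusInformation.Trim())
    }
}

# Export certificate plus private key; the password protects the PFX while it is
# copied to the ISA Server, where it is imported and bound to the Listener.
$password = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null
Write-Host "Exported $($cert.Thumbprint) to $pfxPath (chain trusted on this host: $trusted)"
```

Run the chain-building part alone on a client workstation to confirm that the internal CA's root certificate has been distributed before users are pointed at the published site.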
Modifying a Rule to Allow for End-to-End SSL Bridging
If SSL support is to be added to an existing web publishing rule, the Listener must be modified and extended to include the information on the website's particular certificate. For example, if a web server on the Internal network named www.companyabc.com is set up and a certificate is associated with that site, the certificate must be exported to a PFX file, imported into the ISA Server, and then used to modify the Listener via the following procedure: