February 8, 2008

Different Types of Authentication in ISA server

There are four types of authentication methods supported by ISA server.

  1. Client certificates and server certificates
  2. Basic authentication
  3. Digest authentication
  4. Integrated authentication

Client certificates and server certificates

A server certificate is sent to the client when the server authenticates itself; the server then requests identification from the client, which needs to send the appropriate client certificate back. During the logon process the user's web browser submits encrypted identification (the certificate) for inspection by the SSL server. Certificates are used to verify that the users of the server are who they claim to be. The certificate includes all of the credential information linked to that organization or client that is needed.

Client certificate (in SSL bridging scenarios)

This authentication method is used when ISA Server requests a client certificate from the client machine before allowing the resource request to be processed.

1. The client sends a request to the ISA server and the server sends a certificate to the client.
2. The ISA server then performs the role of the SSL web server computer.
3. When the client receives the certificate it is able to verify that the certificate indeed belongs to the ISA server.
4. A resource request is then sent to the ISA server by the client.
5. The ISA server checks the certificate to verify it is identical to the one it sent to the client at the beginning of the process (this protects the client by making sure no one is spoofing the server).
6. The ISA server checks whether the client is allowed access to the requested resource.

Basic authentication

Basic authentication is the same as the HTTP authentication process. All transactions are in clear text; usernames and passwords are encoded but not encrypted, so there is low overhead on the system.

1. The user is prompted by the application they are using for a username and password.
2. The user fills in these credentials correctly, remembering that the password is case sensitive.
3. The application (this could be the web browser) encodes the credentials and sends them to the server.
4. The server compares these credentials to its own list of accounts, locally, in the domain or in a trusted domain, and then grants access to the resources that the client has been configured to access.

Digest authentication

This method of authentication will only function in Windows 2000 domains. It is safer than basic authentication because the user credentials are hashed, whereas basic authentication sends the credentials over the wire in clear text.
Authentication processed in the Digest manner involves the user credentials passing through a one-way process, also known as hashing.
This hashing process results in a message digest (hash), and the original credentials cannot be deciphered from the hash string sent to the ISA Server. Unique data is added to the credentials (normally the password) before the hashing process takes place, so another user who captures the packets with a packet sniffer cannot reuse them to impersonate (spoof) the user.
Data is added to the hash string that identifies the originating computer, the username and the domain where the user account belongs. Time stamps are also added to the string to provide better password security.
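The contrast between the Basic and Digest sections above, shown in working code. This is an added example, not part of the original post or any ISA Server component: it builds a Basic header and recovers the credentials from it by decoding alone, then computes an RFC 2617 Digest response (MD5, no qop, the protocol's own algorithm) and shows that the server can verify it while a captured response no longer validates once the server issues a fresh nonce. All usernames, passwords, realms and URIs are constructed sample values.

```python
import base64
import hashlib
import secrets

# Constructed sample credentials and request (not from any real deployment).
USERNAME, PASSWORD, REALM = "alice", "S3cret!", "corp.example"
METHOD, URI = "GET", "/intranet/report"


def basic_header(user: str, password: str) -> str:
    """Basic Authorization value: Base64 encoding only, no secrecy at all."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_recover(header: str) -> tuple:
    """Whoever captures a Basic header gets the credentials back by decoding it."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user: str, password: str, realm: str,
                    nonce: str, method: str, uri: str) -> str:
    """RFC 2617 Digest without qop: response = H(H(A1) ':' nonce ':' H(A2))."""
    ha1 = _md5(f"{user}:{realm}:{password}")  # one-way: password not recoverable
    ha2 = _md5(f"{method}:{uri}")             # binds the hash to this request
    return _md5(f"{ha1}:{nonce}:{ha2}")       # nonce makes each exchange unique


def server_verify(user: str, realm: str, nonce: str, method: str, uri: str,
                  response: str, password_db: dict) -> bool:
    """The server recomputes the expected digest from its own copy of the password."""
    if user not in password_db:
        return False
    expected = digest_response(user, password_db[user], realm, nonce, method, uri)
    return secrets.compare_digest(expected, response)


def demo() -> dict:
    db = {USERNAME: PASSWORD}
    nonce1 = secrets.token_hex(16)           # first server challenge
    resp1 = digest_response(USERNAME, PASSWORD, REALM, nonce1, METHOD, URI)
    nonce2 = secrets.token_hex(16)           # next challenge: a captured resp1 is useless
    return {
        "basic_recovered": basic_recover(basic_header(USERNAME, PASSWORD)),
        "digest_valid": server_verify(USERNAME, REALM, nonce1, METHOD, URI, resp1, db),
        "digest_replayed": server_verify(USERNAME, REALM, nonce2, METHOD, URI, resp1, db),
    }
```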

Integrated authentication

Using an IE browser later than 5.5 is strongly recommended when working with this type of authentication; using lower versions or other browsers might result in no access to the resource. This form of authentication is secure: no username or password is sent across the wire at any point. Integrated authentication makes use of Kerberos or the built-in NTLM challenge/response authentication protocol.

Pass-through authentication

Pass-through authentication is when ISA Server passes a client's authentication information to the server where the requested resource resides. ISA Server supports this authentication method for both outgoing and incoming Web requests.

February 4, 2008

How to Create Web Chaining in ISA server 2006

Web Chaining Rules allow you to chain downstream ISA firewalls to upstream ISA firewalls, or even non-ISA firewall-based Web proxy servers. Web proxy chaining allows you to configure a hierarchical caching solution. In contrast, a multi-server ISA firewall array allows you to create a parallel caching solution. You can combine hierarchical and parallel caching solutions to significantly improve performance and reduce the total amount of bandwidth used on Internet links, WAN links, and even on the intranet.
The most popular use for Web Chaining is to chain branch office ISA firewalls with main office ISA firewalls.

To create a Web Chaining Rule, click the Networks node in the left pane of the ISA firewall console and then click the Web Chaining Rules tab in the middle pane. Then perform the following steps to create the Web Chaining Rule:

1. Click the Tasks tab in the Task Pane and then click the Create New Web Chaining Rule link.

2. On the Welcome to the New Web Chaining Rule Wizard page, enter a name for the rule in the Web chaining rule name text box.

3. On the Web Chaining Rule Destination page, click the Add button. In the Add Network Entities dialog box, select the destinations to which this Web Chaining Rule will apply. Since we want all requests for Web content regardless of where that Web content is located to be forwarded to the main office array, we'll select the All Networks (and Local Host) entry in the Add Network Entities dialog box. Click Close in the Add Network Entities dialog box and then click Next.

4. On the Request Action page, you configure how you want the Web requests to that particular destination routed by the ISA firewall. The default setting is to route the request directly to the destination Web site. However, in a Web Chaining configuration, you want the request forwarded to another Web proxy device. In this case, you would select the Redirect requests to the specified upstream server option. When you select this option, the next page of the wizard will ask you for details regarding the upstream Web proxy. Select this option and click Next.

5. On the Primary Routing page, enter the name of the upstream ISA firewall array. You can leave the default ports in place if you haven’t changed them on the upstream array. Click Next on the Primary Routing page.

6. On the Backup Action page you select how Web requests are routed when the upstream ISA firewall Web proxy. Click Next.

7. Click Finish on the Completing the New Web Chaining Rule Wizard page.