ISA - http to https redirection

Just a quick verification

Scenario: Web server sitting on an internal network behind an ISA 2006 firewall, the web application is published in ISA to the External network to allow http and https, with the listener configured to redirect all http requests to https. Both the web server and the ISA policy are configured to use basic authentication.

When I connect to the published url http://server.domain.com/, does the redirection to https occur before the credentials are passed to ISA, or after (meaning they are transmitted in clear text)?

Find more posts tagged with

Comments

astorrs

How are you forcing the redirection to HTTPS?

It should be happening before any authentication (but I have seen people do it using ASP and such where it wouldn't be).

blargoe

There isn't any ASP involved in the redirection, just the setting for the web listener in ISA to redirect HTTP requests to HTTPS

astorrs

Then it would be before authentication so you're all good. If you can, force HTTPS on the web server to make sure its happening as you expect it to.

royal

So typically what I do is force http to https re-direction the listener itself. Any communication client to server is re-directed over https immediately. Now keep in mind, that because of this, the authentication method will be over https. How to know for sure? Well the client still has to authenticate using forms based, basic, etc... The client will be re-directed to https://FQDN and will be presented the form. This form will be in https. This pretty much tells you that client to ISA is authenticated, even with other authentication methods.

So now that piece is not the pre-authentication. That's the client to listener authentication. Now after the client authenticates, the listener uses its directory authentication lookup. If ISA is a domain member, you can use AD, if it's not a domain member, you can use Radius, LDAP, LDAPs. So this is the part that ensures that the pre-authentication piece is encrypted. If it's not a domain member, make sure you do a secure method such as LDAPS which requires a certificate with server authentication EKU on the DC that you point it to and is listening on port 636 (LDAPS).

So now your client to ISA is SSL, ISA to AD is Secure, and now your rule dictates what authentication method is being used. If you look at your rule, there's a bridging tab. This allows you to choose http/https and port for each for ISA to published Server. One of these tabs is also authentication delegation. This is the method that the published server is used. For example, if the internal web server uses integrated auth, you can use ntlm delegation. You can even go to the computer account of ISA in AD, allow ISA to delegate credentials on behalf of other users, and use kerberos constrained delegation so your ISA to Published Server authentication is as secure as possible (only possible when domain member).

Hope that helps. I work a lot on ISA so feel free to ask away.