As shown in Figure 1, we chose to install Microsoft ISA Server 2006 as a front-end firewall. This configuration separates two networks: an internal one, which represents the corporate local area network, and an external one (the Internet).
We will now describe the access rules that must be created in order to manage mobile users' access.
Rule creation
• Launch ISA Server Management,
Figure 42 - Firewall Policy
• In the Microsoft Internet Security and Acceleration Server node, select Firewall Policy (isawi).
30 Configure the IAS
Figure 43 - Create Access Rule
• In the Tasks tab, click on Publish Web Sites,
• The New Web Publishing Rule Wizard will appear,
Figure 44 - New Web Publishing Rule Wizard
• In Web publishing rule name, enter the access rule name,
• Click on Next,
Figure 45 - Publishing Type
• In the Publishing Type window, select the type that meets your enterprise infrastructure,
Note: In our laboratory, we chose Publish a single web site or load balancer.
• Click on Next,
Figure 46 - Server Connection Security
• Select Use SSL to connect to the published Web server or server farm,
• Click on Next,
Figure 47 - Internal Publishing Details
• In Internal Site name, enter the Web site name,
Note: In our laboratory, the web internal site name was wi.w2k3.gemsafe.gem.
Figure 48 - Setting Public Name Details
• In Accept requests for, select Any domain name.
• In Public name, enter the site name,
Note: In our laboratory, the web internal site name was wi.w2k3.gemsafe.gem.
Figure 49 - Selecting Web Listener
• Click on New...
Figure 50 - Web Listener Name
• In Web listener name, enter a name,
Note: In our laboratory, we chose Web Interface listener as listener name.
Figure 51 - Client Connection Security
• Select Require SSL secured connections with clients,
• Click on Next.
Figure 52 - Web Listener IP Addresses
• In Web Listener IP Addresses window, Check External,
• Check ISA Server will compress content sent to clients through this Web Listener[…],
• Click on Next.
Figure 53 - Listener SSL Certificates
• Check Use a single certificate for this Web Listener,
• Click on Select Certificate…
Figure 54 - Select Certificate
• Select the valid web certificate that meets your configuration,
• Click on Select.
Note: The web certificate must be installed in Local Computer Certificate Store to be considered as valid. In our laboratory, the web certificate was issued to wi.w2k3.gemsafe.gem.
Figure 55 - Listener SSL Certificates
• Click on Next.
Figure 56 - Authentication Settings
• In Select how clients will provide credentials to ISA Server, select HTML Form Authentication.
• In Select how ISA Server will validate client credentials, select RADIUS OTP.
• Click on Next.
Figure 57 - Single Sign On Settings
• In the Single Sign On Setting window, check Enable SSO for Web sites published with this Web listener,
• In SSO domain name, type your enterprise domain name,
Note: In our laboratory, the domain name was w2k3.gemsafe.gem.
Figure 58 - Completing the New Web Listener Wizard
• Click on Finish.
Figure 59 - Select Web Listener
• Click on Next.
Figure 60 - Authentication Delegation
• In Select the method used by ISA Server […], select Kerberos constrained delegation,
• In Type the Service Principal Name (SPN) […], enter the SPN of your Web Interface server.
Note: In our laboratory, the SPN was http:/wi.w2k3.gemsafe.gem. The SPN entered here must match the one the Domain Controller allows the ISA 2006 Server to delegate to (see Figure 63 below); a mismatch makes the delegation fail silently from the user's point of view.
• Click on Next.
Figure 61 - User Sets
• In the User Sets window, make sure that the All Authenticated Users item is selected,
• Click on Next.
Figure 62 - Completing the New Web Publishing Rule Wizard
• Click on Finish.
Figure 63 - Kerberos Constrained Delegation
Note: This window refers to the Domain Controller configuration step. Kerberos Constrained Delegation must be allowed for the ISA 2006 Server computer account. Please refer to the Domain Controller Configuration part.
Authentication server configuration
After you create the Web publishing rule, you need to set up the authentication server. The Gemalto strong authentication solution is based on the RADIUS Protocol. This section describes the configuration steps that need to be done on the ISA 2006 Server.
• On the Firewall Policy Rules, right-click on the Citrix Web Interface rule,
• Select Properties.
Figure 64 - Web Listener properties
• On the Citrix Web Interface window, select Listener tab,
• Click on Properties,
Figure 65 - Authentication Properties
• On the Web Interface Listener Properties window, select Authentication tab,
• Click on Configure Validation Servers…
Figure 66 - Authentication Servers
• On the Authentication Servers window, select RADIUS Servers tab,
• Click on Add…
Figure 67 - Adding RADIUS Server
• In Server name, enter the IAS server name or its IP address,
• In Server description, enter a description,
• Under Shared secret, click on Change…
Figure 68 - Shared Secret
• Enter the RADIUS shared secret,
• Click on OK twice.
Figure 69 - IAS server
• Click on OK twice.
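The shared secret entered above is what ties the ISA Server to the IAS in the RADIUS protocol. The following Python example is added here and is not code from this guide, from Gemalto or from Microsoft: it builds the Access-Request that ISA would send for an OTP logon, hides the OTP with the RFC 2865 User-Password scheme, recovers it the way the IAS does, and checks an Access-Accept's Response Authenticator, which is the step that fails when the two secrets do not match. The user name, OTP, secret and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2          # RADIUS packet codes (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2     # attribute types (RFC 2865)

def _attr(atype, value):
    # Attribute TLV: type, length including this 2-byte header, value
    return struct.pack("BB", atype, len(value) + 2) + value

def obfuscate_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous
    # ciphertext block), the Request Authenticator standing in for the first "previous block"
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def deobfuscate_password(blob, secret, authenticator):
    # IAS side: the same chain, keyed on the received ciphertext blocks
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], mask))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, username, otp, secret, authenticator):
    # Header (code, identifier, total length), 16-byte Request Authenticator, attributes
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, obfuscate_password(otp, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(ident, request_authenticator, secret, code=ACCESS_ACCEPT, attrs=b""):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def response_is_authentic(response, request_authenticator, secret):
    # ISA side: recompute the Response Authenticator with its own copy of the shared secret;
    # a mismatch means a wrong secret, a forged reply, or a tampered packet
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

A real client must use 16 fresh random bytes as the Request Authenticator for every request, since the password masking and the reply check both depend on it being unpredictable.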
Saving the rule changes and restarting the firewall service
Figure 70 - Applying changes
• Click on Apply to save the changes.
Figure 71 - Saving Configuration Changes
• Click on OK.
To restart the Microsoft ISA 2006 Server service, proceed as follows:
Figure 72 - Monitoring
• In the Microsoft Internet Security and Acceleration Server tree, select Monitoring,
Figure 73 - Stopping the Firewall service
• Right-click on Microsoft Firewall,
• Click on Stop.
Figure 74 - Starting the Firewall service
• Right-click on Microsoft Firewall,
• Click on Start.