If you want to check out the other articles from this series:
This is the last part of a three-part series about how to extend ISA's functionality to inspect outbound SSL requests. In the first two parts, I presented what ISA Server Toolkit is and how we can benefit from one of its components, SSL Decoder. I also explained how it works, its advantages and disadvantages, and how to configure it to inspect HTTPS requests when ISA is deployed as an edge firewall.
In this third part, I will cover the final steps needed to start using SSL Decoder to inspect outbound SSL requests, and then test it with a PoC (Proof-of-Concept).
Create an Access Rule to Allow the ISA Firewall to Download Certificates
The first thing we need to do is create an access rule allowing the ISA firewall itself to access the internet. ISA now needs to download objects and copy SSL certificates from websites on the internet, so that it can present an impersonated copy of each website's certificate to the client.
Redline Software support recommends that the access rule be applied to "All Authenticated Users" for security reasons. It will look like this:
After that, the setup is done. If you followed this article step by step, then when you try to access a secure website (HTTPS) you will get a warning like the following:
[Internet Explorer 6 warning]
[Internet Explorer 7 and 8 warning]
[Internet Explorer 9 RC warning]
This message appears because the certificate created for SSL Decoder is self-signed, and the client machine does not trust it by default. To make the warnings disappear, you must import the certificate created for the SSL Decoder component into the client's Trusted Root Certification Authorities store.
One really important thing to mention here is that SSL Decoder only works with Web Proxy clients. This means that if you configure your machine either as a SecureNAT client or as a TMG client (formerly the Firewall client), ISA Server (SSL Decoder, in this case) will not be able to inspect outbound encrypted requests.
There you go! Your ISA firewall is ready to inspect outbound SSL requests!
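The certificate import step above can be done through the Certificates MMC snap-in, but on more than a handful of clients you will want to script it. The following PowerShell script is an added example (not part of the original article or of ISA Server Toolkit): it loads the exported SSL Decoder certificate, checks that it really is self-signed before trusting it, adds it to the machine-wide Trusted Root store, and verifies the result by thumbprint. The file path and the certificate subject are assumptions; replace them with the values from your own ISA server. It uses the .NET X509Store class rather than Import-Certificate, so it also works on the PowerShell 2.0 hosts that were current for ISA 2006.

```powershell
# Added example (not from the original article): import the SSL Decoder
# self-signed certificate into the LocalMachine Trusted Root CA store and
# verify it landed there. Run from an elevated PowerShell prompt.
# Assumption: the certificate was exported from the ISA server as a .cer
# file (DER or Base64) at the placeholder path below.
$certPath = 'C:\Temp\SSLDecoder-CA.cer'

# Load the certificate and show what we are about to trust
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
Write-Host "Subject    : $($cert.Subject)"
Write-Host "Issuer     : $($cert.Issuer)"
Write-Host "Thumbprint : $($cert.Thumbprint)"
Write-Host "Expires    : $($cert.NotAfter)"

# Sanity check: a self-signed root has Subject equal to Issuer. Anything
# else does not belong in the Trusted Root store.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Certificate is not self-signed; refusing to add it as a trusted root."
}

# Open the machine-wide Trusted Root store for writing (needs admin rights)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $existing = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($existing) {
        Write-Host "Certificate already present in Trusted Root store."
    } else {
        $store.Add($cert)
        Write-Host "Certificate added to Trusted Root store."
    }
} finally {
    $store.Close()
}

# Verify through the Cert: provider that the thumbprint is now trusted
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Format-List Subject, Issuer, Thumbprint, NotAfter
```

For domain-joined clients, the same certificate can be pushed to every machine at once through Group Policy (Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities), which avoids running the script per machine. Either way, keep an inventory of which roots you have added: a root that can impersonate any website is exactly the kind of trust anchor that should be removed again when SSL Decoder is decommissioned.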
Testing SSL Decoder inspection
Now it's time to prove whether the ISA firewall really can "see" inside an SSL tunnel. The first test we are going to try is blocking a secure website (HTTPS).
I created a URL Set to block http://mail.google.com
[ISA Logging message for URL Set]
[Client access denied message for URL Set]
I also created a domain name set to block Gmail. Here’s the result:
[ISA Logging message for Domain Name Set]
[Client access denied message for Domain Name Set]
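The denied-access screenshots show that the rule fires, but the more direct proof that ISA is inside the tunnel is the certificate the client actually receives: with SSL Decoder active it is issued by the SSL Decoder certificate, not by the site's real CA. The following PowerShell script is an added example (not from the original article) that does what a Web Proxy client does, a CONNECT through the ISA Web Proxy listener followed by a TLS handshake, captures the certificate presented inside the tunnel, and reports who issued it. The proxy host and port, the target site and the expected issuer name are assumptions. It does not turn certificate validation off: the validation callback records the certificate and still returns the real verdict, so an untrusted certificate shows up as an authentication error that the script catches after the capture.

```powershell
# Added example (not from the original article): check whether HTTPS traffic
# through the ISA Web Proxy is being inspected, by looking at the issuer of
# the certificate presented inside the CONNECT tunnel.
# Assumptions: proxy host/port, target site and expected issuer below.
$proxyHost = 'isa.example.local'   # assumption: ISA Web Proxy listener
$proxyPort = 8080                  # assumption: default Web Proxy port
$target    = 'mail.google.com'     # site used in the article's PoC
$decoderCA = 'CN=SSL Decoder'      # assumption: subject of the SSL Decoder cert

$script:captured = $null

function Get-CertificateViaProxy {
    param([string]$ProxyHost, [int]$ProxyPort, [string]$TargetHost)
    $script:captured = $null
    $client = New-Object System.Net.Sockets.TcpClient($ProxyHost, $ProxyPort)
    try {
        $stream = $client.GetStream()

        # Ask the Web Proxy to open a tunnel to the target's HTTPS port
        $connect = "CONNECT ${TargetHost}:443 HTTP/1.1`r`nHost: ${TargetHost}:443`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($connect)
        $stream.Write($bytes, 0, $bytes.Length)

        # Read the proxy reply one byte at a time up to the blank line, so no
        # TLS bytes get swallowed by a buffered reader
        $reply = New-Object System.Text.StringBuilder
        $one = New-Object byte[] 1
        while ($reply.ToString() -notmatch "`r`n`r`n") {
            if ($stream.Read($one, 0, 1) -le 0) { throw "Proxy closed the connection." }
            [void]$reply.Append([char]$one[0])
        }
        $statusLine = ($reply.ToString() -split "`r`n")[0]
        if ($statusLine -notmatch ' 200 ') { throw "CONNECT refused by proxy: $statusLine" }

        # Validation callback: remember the certificate, return the real verdict
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:captured = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
            return ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $callback)
        try {
            $ssl.AuthenticateAsClient($TargetHost)
        } catch [System.Security.Authentication.AuthenticationException] {
            # Certificate was rejected (e.g. SSL Decoder root not imported yet),
            # but the callback already captured it, so we can still report on it
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $client.Close()
    }
    return $script:captured
}

$presented = Get-CertificateViaProxy -ProxyHost $proxyHost -ProxyPort $proxyPort -TargetHost $target
if ($presented -eq $null) {
    Write-Host "No certificate received from ${target} through the proxy."
} else {
    Write-Host "Subject : $($presented.Subject)"
    Write-Host "Issuer  : $($presented.Issuer)"
    if ($presented.Issuer -eq $decoderCA) {
        Write-Host "Inspection ACTIVE: certificate was issued by SSL Decoder."
    } else {
        Write-Host "Inspection NOT active: certificate came from the site's own CA."
    }
}
```

Run it from a Web Proxy client before and after enabling SSL Decoder and the issuer line changes from the public CA to the SSL Decoder certificate; run it from a SecureNAT client and it reports the public CA, which is the practical way to confirm the Web-Proxy-clients-only limitation mentioned earlier. The same check is worth keeping as a periodic control: it tells you at a glance whether inspection is still in place after an ISA configuration change.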
In this last part of the series we finished configuring ISA Server to work with SSL Decoder: we created the proper access rule and ran a PoC (Proof-of-Concept) blocking some secure websites. I hope this will help the many ISA admins out there, who have not yet migrated to Forefront Threat Management Gateway (TMG) 2010, to protect against threats that may be hiding inside SSL tunnels and to better control traffic leaving the network.