Using SSL Decoder to inspect outbound HTTPS traffic on ISA Server 2006 – Part 3

If you want to check out the other articles from this series:

Using SSL Decoder to inspect outbound HTTPS traffic on ISA Server 2006 – Part 1

Using SSL Decoder to inspect outbound HTTPS traffic on ISA Server 2006 – Part 2

Introduction

This is the last part of a three-part series about how to extend ISA’s functionality to inspect outbound SSL requests. In the first two, I presented what the ISA Server Toolkit is and how we can benefit from one of its components, SSL Decoder. I also explained how it works, its advantages and disadvantages, and how to configure it to inspect HTTPS requests when using ISA in an edge firewall scenario.

In this third part, I will cover the final steps to start using SSL Decoder to inspect outbound SSL requests, and test it using a PoC (Proof-of-Concept).

Create an Access Rule to Allow the ISA Firewall to Download Certificates

The first thing we need to do is create an access rule allowing the ISA firewall itself to access the Internet, because ISA now needs to download objects and copy SSL certificates from websites on the Internet so that it can impersonate the website’s certificate to the client.

Redline Software support recommends that the access rule be applied to “All Authenticated Users” for security reasons. It will look like this:

[SSL Decoder access rule]

After that, the setup is done. If you followed this article step by step, when you try to access a secure website (HTTPS) you will get a warning like the following:

[Internet Explorer 6 warning]

[Internet Explorer 7 and 8 warning]

[Internet Explorer 9 RC warning]

This message appears because the certificate created for SSL Decoder is self-signed and the client machine does not trust it by default. To make the warnings disappear, you must import the certificate created for the SSL Decoder component into the client’s Trusted Root Certification Authorities store.

One really important thing to mention here is that SSL Decoder only works with Web Proxy clients. This means that if you configure your machine either as a SecureNAT or TMG client (formerly Firewall Client), ISA Server (SSL Decoder, in this case) will not be able to inspect outbound encrypted requests.

There you go! Your ISA firewall is ready to inspect outbound SSL requests!

Testing SSL Decoder inspection

Now it’s time to prove whether the ISA firewall really can “see” inside an SSL tunnel. The first test we are going to try is blocking a secure website (HTTPS).

I created a URL Set to block http://mail.google.com. Here’s the result:

[ISA Logging message for URL Set]

[Client access denied message for URL Set]

I also created a Domain Name Set to block Gmail. Here’s the result:

[ISA Logging message for Domain Name Set]

[Client access denied message for Domain Name Set]
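To confirm from a client that the root was installed and that SSL Decoder is really re-signing the sites it intercepts (the warning in the setup section and the PoC above), the following script is an added example and is not part of this article or of the ISA Server Toolkit. It assumes the exported SSL Decoder CA certificate path, the ISA web proxy address and the test URL are the placeholders given as parameters, and it must run from an elevated prompt because it writes to the machine Trusted Root store.

```powershell
param(
    [string]$CaCertPath = 'C:\certs\ssldecoder-ca.cer',    # placeholder: exported SSL Decoder CA cert
    [string]$ProxyUrl   = 'http://isa.example.local:8080', # placeholder: ISA Web Proxy listener
    [string]$TestUrl    = 'https://www.example.com/'       # any HTTPS site your policy allows
)

$x509 = 'System.Security.Cryptography.X509Certificates'

# 1. Import the SSL Decoder CA into the machine Trusted Root store so IE stops warning.
$ca    = New-Object "$x509.X509Certificate2"($CaCertPath)
$store = New-Object "$x509.X509Store"('Root', 'LocalMachine')
$store.Open('ReadWrite')
if (-not $store.Certificates.Contains($ca)) { $store.Add($ca) }
$store.Close()
Write-Host "Trusted root installed: $($ca.Subject) (thumbprint $($ca.Thumbprint))"

# 2. Fetch a page through the ISA Web Proxy as an authenticated Web Proxy client
#    (the access rule above is scoped to All Authenticated Users) and capture the
#    certificate the client actually receives for the site.
$req = [System.Net.HttpWebRequest]::Create($TestUrl)
$req.Method = 'HEAD'
$req.Proxy  = New-Object System.Net.WebProxy($ProxyUrl)
$req.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
$resp = $req.GetResponse()
$resp.Close()
$seen = New-Object "$x509.X509Certificate2"($req.ServicePoint.Certificate)

# 3. Decide whether the tunnel was inspected: an intercepted site presents a
#    certificate issued by the SSL Decoder CA instead of the site's real CA.
$inspected = ($seen.Issuer -eq $ca.Subject)
Write-Host "Site:   $($seen.Subject)"
Write-Host "Issuer: $($seen.Issuer)"
if ($inspected) {
    Write-Host 'Result: HTTPS is being inspected (certificate re-signed by the SSL Decoder CA).'
} else {
    Write-Host 'Result: NOT inspected; check the client is a Web Proxy client, not SecureNAT/TMG client.'
}
```

If the issuer shown is the site’s public CA rather than the SSL Decoder CA, the request bypassed inspection, which is exactly what happens for SecureNAT and TMG clients as noted above.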

Conclusion

In this last part of the article we finished configuring ISA Server to work with SSL Decoder, created the proper access rule and ran a PoC (Proof-of-Concept) blocking some secure websites. I hope this helps the many ISA admins out there who have not yet migrated to Forefront Threat Management Gateway (TMG) 2010 to protect against threats that may hide inside SSL tunnels and to better control traffic from inside the network.

This entry was posted in Computers and Internet, ISA Server, Security.

2 Responses to Using SSL Decoder to inspect outbound HTTPS traffic on ISA Server 2006 – Part 3

  1. resimleri says:

    Spot on with this write-up, I truly think this website needs much more consideration. I’ll probably be again to read much more, thanks for that info.

  2. Abadia says:

    Hello Paulo,
    I have a Windows Server 2003 with ISA Server 2006. I tried to follow this tutorial but did not get the expected result… it carries on as if SSL Decoder were not installed. Is there any tip for finding out why?
