Microsoft KB Archive/324167


Article ID: 324167

Article Last Modified on 10/29/2007



APPLIES TO

  • Microsoft Internet Security and Acceleration Server 2000 Standard Edition
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0



This article was previously published under Q324167

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

SUMMARY

This step-by-step article describes how to set up Internet Security and Acceleration (ISA) Server to host Web sites by using the Secure Sockets Layer (SSL) protocol.

NOTE: This article assumes that you have already requested and installed a certificate on your Web server. If you have not done this, see the Microsoft Internet Information Server (IIS) or Internet Information Services (IIS) Help file for information about how to request an SSL certificate from an Internet certification authority.

For efficiency, consider using server publishing with the HTTPS Server protocol to publish the SSL site. For additional information, see the following article in the Microsoft Knowledge Base:

298900 How to Publish SSL Web Sites by Using Server Publishing



Export a Web Server Certificate

To set up ISA Server to host Web sites by using the SSL protocol, you must export the SSL certificate of the Web site with the associated key. If you do not have this key, you cannot use this certificate for SSL with ISA Server.


Export a Web Server Certificate from IIS 5.0

  1. Open a blank Microsoft Management Console (MMC).
  2. Add the Certificates snap-in.
  3. When you are prompted, select Computer Account and Local Computer.
  4. Expand Personal, and then expand Certificates. A certificate with the name of your Web site appears in the "Issued To" column.
  5. Right-click your certificate, click All Tasks, and then click Export.
  6. In the Export window, click Next.
  7. Click Yes, export the private key, and then click Next.


    NOTE: If you do not have the option to click Yes in the Export Private Keys window, the private key has already been exported to another computer or the key never existed on this computer. You cannot use this certificate on ISA Server. You must request a new certificate for this site for ISA Server.

  8. Select Personal Information Exchange, and then click to select the check boxes for all three options.
  9. Assign a password and confirm it.
  10. Assign a file name and location.
  11. Click Finish. Make sure that you safeguard the file that you just created, because your ability to use the SSL protocol depends upon this file.
  12. Copy the file that you created to ISA Server.
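
The requirement stated above, that the exported file must contain the private key, can be checked before the file is copied to ISA Server. The following script is an added example, not part of the original article; it assumes OpenSSL is available where the check is run, and the function names, file names and sample password are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): pre-flight check of a PKCS#12 (.pfx) file.
# The password is read from the PFX_PASS environment variable so that it
# does not appear on a command line. The private key is only piped between
# processes; it is never written to disk by check_pfx.

# check_pfx FILE returns
#   0  certificate and matching private key present, certificate not expired
#   2  file cannot be opened with the password in PFX_PASS
#   3  no private key in the file (ISA Server cannot use it for SSL)
#   4  no certificate in the file matches the private key
#   5  certificate has expired
check_pfx() {
    pfx=$1
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -noout 2>/dev/null || return 2
    key_pub=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
              openssl pkey -pubout 2>/dev/null) || return 3
    cert=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null)
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null) || return 4
    [ "$key_pub" = "$cert_pub" ] || return 4
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 || return 5
    return 0
}

# Constructed sample input: a throwaway self-signed certificate, exported
# once with its private key and once without it (hypothetical file names).
make_samples() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=www.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/with-key.pfx" -passout env:PFX_PASS &&
    openssl pkcs12 -export -nokeys -in "$dir/cert.pem" \
        -out "$dir/cert-only.pfx" -passout env:PFX_PASS
}

PFX_PASS='constructed-sample-password'; export PFX_PASS
tmp=$(mktemp -d) && make_samples "$tmp"
for f in with-key.pfx cert-only.pfx; do
    rc=0; check_pfx "$tmp/$f" || rc=$?
    echo "$f: check_pfx returned $rc"
done
rm -rf "$tmp"
```

To check a real export, set PFX_PASS to the export password and call check_pfx on the file. OpenSSL 3.x may need the -legacy option added to the pkcs12 commands to read files protected with older algorithms.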


Export a Web Server Certificate from IIS 4.0

  1. Click Start, click Run, type keyring.exe, and then click OK.
  2. Click the key that you want to export from Key Manager. Note that Web keys are located in the Www folder.
  3. Click Key, click Export Key, click Backup File, and then click OK.

    NOTE: You must read and understand the following Key Manager warning:

    This operation places sensitive information in a file on your hard drive. While you will be required to enter a password to use it again, loss or copying this file may compromise your security.

  4. Assign a file name and location.
  5. Click Save. Make sure that you safeguard the file that you just created, because your ability to use the SSL protocol depends upon this file.
  6. Copy the file that you created to ISA Server.


Install the Certificate to ISA

Install the Certificate to ISA or IIS from IIS 5.0

To import a key file from another server, follow these steps:

  1. On ISA Server, open the MMC, and then add the Certificate snap-in.
  2. Click the Personal folder.
  3. Right-click All Tasks, and then click Import.
  4. In the Import Wizard, click Next.
  5. Make sure that your file is listed, and then click Next.
  6. Type the password for this file.
  7. Click to select the Mark the private key as exportable check box.
  8. Leave the import setting as Automatically, and then click Next.
  9. Click Finish.
  10. Under the Personal folder, when you see a subfolder named Certificates, click the Certificates folder and verify that you see a certificate with the name of the Web computer.
  11. Right-click the certificate, and then click Properties.
  12. Examine the Intended Purposes field of the certificate. If this field is set to All instead of listing specific purposes, you must perform the following steps before ISA Server can recognize the certificate:
    1. In the Certificate Services snap-in, open the Properties dialog box of the relevant certificate.
    2. Change the Enable all purposes for this certificate option to the Enable only the following purposes option, select all the items, and then click Apply.


Install the Certificate to ISA or IIS from IIS 4.0

To import a key file from another server, follow these steps:

  1. Click Start, click Programs, click Administrative Tools, and then click Internet Services Manager.
  2. Select the Web site that you want to enable SSL on.
  3. Open the properties of that Web site, and then click the Directory Security tab.
  4. Under Secure Communications, click Server Certificate to open the new Web Site Certificate Wizard.
  5. Click Next, and then select Import a certificate from a key manager backup file.
  6. Click Next.
  7. Type the location of your backup *.key file, and then click Next.
  8. Type the password that you set when you made the backup, and then click Next.
  9. Double-check the summary data to verify that this is the key that you want to import, and then click Next.

You can now use SSL on the new Web server by using the key pairs that you backed up from the old server. Make sure that you secure the old key file so that no one has access to the file.


Configure the Certificate in ISA

Open the ISA Manager and complete the SSL installation:

  1. Right-click the server that is going to accept the incoming connection, and then click Properties.
  2. Click the Incoming Web Requests tab.
  3. Click the Internet Protocol (IP) address entry for the site that you are going to host, or the all IP addresses entry if you do not have individual IP addresses set up.
  4. Click Edit.
  5. Click to select the Use a server certificate to authenticate to web users check box.
  6. Click Select.
  7. Select your previously imported certificate.
  8. Click OK.
  9. Click to select the Enable SSL listeners check box.
  10. Expand the Publishing folder, and then click Web Publishing Rules.
  11. Double-click the Web publishing rule that will route the SSL traffic.
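  12. On the Bridging tab, locate Redirect SSL requests as, and then select HTTP requests (terminate the secure channel at the proxy). With this setting, ISA Server ends the SSL session and forwards the request to the published Web server as HTTP.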
  13. Click OK.
  14. Restart ISA Server.


REFERENCES

For additional information about ISA, Web publishing and SSL, see the following articles in the Microsoft Knowledge Base:

298900 How to Publish SSL Web Sites by Using Server Publishing

313072 HOW TO: Configure the Web Publishing Service to Work with Internet Security and Acceleration Server in Windows 2000

305052 Configuring Web Publishing Rules to Host Multiple Web Sites with Host Headers in ISA Server

296620 The Internet Clients Cannot Access the Published Web Servers



