Connecting the world…

web

Windows CA template – web server and private key export

Creating a web server certificate request is very easy when using a Windows CA server. There is one disadvantage. The requested certificate is directly stored in the user store (by default) or the local computer store, if specified during the request. The disadvantage is that you cannot export the requested certificate including the private keys. During the request the option to Mark keys as exportable is grayed out.

There is a way to mark the keys as exportable when using a Windows CA server. You need to create a new Web Server Certificate template. You can use the existing Web Server Certificate Template as default and copy the current settings. To do so, you just:

  • run certtmpl.msc, which will open the Certificate Template snap-in;
  • click the Web Server certificate template;
  • choose Action – Duplicate Template;
  • configure a unique template name;
  • choose the tab Request Handling;
  • enable the option Allow private key to be exported;

That is all you need to do. You can now request a new certificate with the newly create certificate template. After the certificate is issued and installed on the user or local computer store, you can export the certificate including the private key.

Duplicate certificate template

Allow private key to be exported

Citrix Web Interface 5.3: An error occurred while making the requested connection

I tried to configure a Citrix Web Interface 5.3 server in conjunction with Citrix Presentation Server / XenApp 4.0 and a NetScaler. It is possible to login, but I cannot launch an application. When trying to launch an application I receive the following error message:

An error occurred while making the requested connection

I found an related article on the Citrix website. This article applies to Web Interface 5.2, but also works for Web Interface 5.3 The symptoms in the EventViewer for Web Interface 5.3 are different, but gives me more specifications about the problem. In the event log of the Web Interface 5.3 server you will receive the following error message.

webinterface_launch_reference

After changing the RequireLaunchReference parameter in \inetpub\wwwroot\Citrix\XenApp\Conf\WebInterface.conf applications can be launched without any problems.

Add On: if the above solution doesn’t work, then a second solution for this problem can be found here

ISA 2006 Web Chaining

ISA Web Chaining rules define how traffic will be handled by the proxy server. Web request to specific destination can be handled in different ways by ISA:

  1. Retrieve directly from the destination / internet;
  2. Forward to an upstream proxy server;
  3. Redirect the request to a specific server / web page;

The most popular use for Web Chaining is to chain branch office ISA firewalls with main office ISA firewalls. But also combining two ISP connections is a commonly used scenario for Web Chaining. I often use Web Chaining from ISA server with some kind of upstream proxy server. A lot of organizations use ISA as proxy server and some kind of dedicated appliance (maybe in DMZ environment) as content scanner.

With Web Chaining you can forward all request to the upstream proxy server, which will retrieve the specified destination from the internet. Specific website could have problems with being forwarded to the upstream server. I normally use Web Chaining to directly retrieve these website from the internet without being forwarded to the upstream proxy.

To create a Web Chaing Rule, open the ISA Management Console and navigate to Networks. In the center of the Management Console you will find a tab called Web Chaining. The default Web Chaining rule is configured to forward all request to an upstream proxy server.

The following screenshots tell you how to configure an additional Web Chaining rule to directly retrieve the destination (www.4ip.nl) from the internet.

create_wct Start the creation of a Web Chaining rule by clicking on Task – Create new Web Chaining rule.

This will start the New Web Chaining Rule Wizard.

Enter a valid name for the newly created Web Chaining Rule.

destination_wct Select the destination to which this Web Chaining Rule will apply.

I configured an URL set containing the URL: http://www.4ip.nl/*

action_wct On the Request Action page, you configure how you want the Web requests to that particular destination routed by the ISA firewall.

The default setting is to route the request directly to the destination Web site. This is exactly what I would like to accomplish.

The last step is Finishing the New Web Chaining Rule Wizard.

The newly created Web Chaining Rule is placed above the Default Web Chaining rule in the Web Chaining tab. The rules are matched sequentially, so now all traffic matching the configured URL set will be retrieved directly from the internet. All other traffic will be forwarded to the upstream proxy server.

Exchange 2007 with ISA 2006

Today I have be working on publishing Microsoft Exchange Outlook WebAccess and Active Sync to the Internet. We had some discussions with some Microsoft Consultants about a secure way to publish Outlook Web Access to the Internet, especially the authentication part of such a solution.

Some people are talking about publishing OWA directly to the Internet. In my opinion, this results in a major security thread, because you directly publish a TCP/80 and TCP/443 connection from the Exchange server to the Internet. An vulnerability or exploit in these services could end up in an hacker who takes over the Exchange server.

A second solution is placing a front-end server in a DMZ segment, but making the server a domain member for authentication. In my opinion still a security leak, because somebody who hacks the DMZ server has maybe the ability to hack or corrupt the Active Directory.

The third solution, and the solution we advise, is using a Microsoft ISA 2006 server as a front-end server in the DMZ. We configure a RADIUS or LDAPS (if you would like the option to change the password) connection to a RADIUS server or a domain member on the internal LAN segment. This ensures a secure way of authenticating users and even if somebody hacks the ISA server, he still hasn’t hacked a domain member server or a vulnerability in TCP/80 or TCP/443 of the Exchange server.

I have had a lot of help of an article on isaserver.org from Thomas Shinder while configuring the solution. I had some problems with publishing Active Sync. Ended up with enabling Basic Authentication on the Active Sync virtual directory (Microsoft-Server-ActiveSync).