500 Internal Server Error - SSL
500 Internal Server Error - SSL - 15.Aug.2008 8:11:00 AM
hcookies1
Hi, I have a problem with ISA Server 2004 and it is driving me mad. Basically, I upgraded from ISA Server 2000 last November. I have two websites running on IIS6, the Default website and my own company website. In IIS, the company website has TCP port 80 and SSL port 444. Under ISA Server 2000, I found a way of having a secure certificate on the company website that worked. I remember that I used SSL Bridging.

Anyway, since I upgraded to ISA Server 2004, I have attempted to get the secure certificate back on the company website, but I can't do it. The main reason seems to be the SBS Web Listener. The SBS web listener is listening on port 80 and port 443. Port 443 has the publishing.xxx.local certificate on it. I can only use this web listener for my company website, as you cannot create 2 web listeners on port 80 - it produces an error message. So, I attach this web listener to my website and try to forward SSL to port 444 using my company secure certificate.

However, when I go to the website I get the "500 Internal Server Error. The target principal name is incorrect. (-2146893022)" error message and the certificate is showing as the publishing.xxx.local certificate. I have read various articles on the internet about this error, but I still can't get it to work. Please can anyone suggest what the problem might be? Can I not do this with ISA Server 2004, as it used to work with ISA Server 2000?

Many thanks
RE: 500 Internal Server Error - SSL - 15.Aug.2008 3:05:32 PM
Rotorblade
Hi, I’m not well versed with SBS but what I can tell you is that in IIS, the SSL socket is based on the IP that it’s bound to the IIS virtual server instance. For both sites to use SSL, you would either need to add another IP and bind it to the 444 port on the other web instance or change the port to use something other than 444 and 443 for the second site. (You can’t use 443 because ISA needs socket access.)

With ISA 2004, you will also need to add another virtual IP to the external NIC, create a second web listener and bind the other SSL certificate to its associated web listener and IP. You can’t have two SSL certificates bound to the same web listener and IP. (ISA 2004 only)

quote: you cannot create 2 web listeners on port 80 - it produces an error message.

Very true, requires second IP and you don’t need to if SSL is not required, host headers can be used.

HTH
RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003
RE: 500 Internal Server Error - SSL - 15.Aug.2008 4:43:15 PM
pwindell
I don't know squat about SBS and Rotorblade may be onto something there,... I do know that with forward HTTPS requests they must remain on 443 unless you hack the Tunnel Port Range with a script,...I don't know if it is the same with web publishing (reverse https requests). But anyway...

The error "The target principal name is incorrect. (-2146893022)" means something to me,...I think anyway. It means the name in the URL has not remained consistent all the way from the Address Bar in the user's browser to the final data sent from the ISA to the actual web site. If it is www.MySbsSite.org then it has to stay www.MySbsSite.org all the way through the entire process.
_____________________________
Phillip Windell www.wandtv.com
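
The name-consistency rule described in the post above, as an added example that is not part of the original thread and is not ISA Server's own logic. It models SSL bridging as two certificate checks; the internal server name `sbs01`, the parameter names and the assumption that the proxy validates the server certificate against the name it connects to are all illustrative.

```python
def name_matches(hostname, cert_name):
    """True if hostname matches one certificate name (CN or SAN entry).

    Comparison is case-insensitive; "*" is honoured only as the entire
    leftmost label and never directly under a top-level domain.
    """
    host = hostname.lower().rstrip(".").split(".")
    pattern = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        return len(pattern) > 2 and host[1:] == pattern[1:]
    return host == pattern


def check_bridged_path(browser_name, listener_cert_names, to_name, server_cert_names):
    """Return the hops of an SSL-bridged publishing path whose names disagree."""
    failed = []
    # Hop 1: the browser validates the listener's certificate against the URL.
    if not any(name_matches(browser_name, n) for n in listener_cert_names):
        failed.append("browser->listener")
    # Hop 2 (assumed model): the proxy validates the web server's certificate
    # against the name it was configured to connect to.
    if not any(name_matches(to_name, n) for n in server_cert_names):
        failed.append("listener->server")
    return failed


# Constructed inputs modelled on the thread: the listener still presents the
# publishing.xxx.local certificate and the rule targets an internal name.
BROKEN = dict(
    browser_name="www.MySbsSite.org",
    listener_cert_names=["publishing.xxx.local"],
    to_name="sbs01",  # hypothetical internal server name
    server_cert_names=["www.MySbsSite.org"],
)
# Same path with the public name used on the listener certificate and as the
# name the proxy connects to.
FIXED = dict(BROKEN, listener_cert_names=["www.MySbsSite.org"],
             to_name="www.MySbsSite.org")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_bridged_path(**cfg) or "names consistent")
```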
RE: 500 Internal Server Error - SSL - 16.Aug.2008 6:43:45 AM
hcookies1
Hi, thanks for your replies. So, from what you are saying it sounds like I would probably need to create a virtual IP on the external network card. At the moment the publishing.xxx.local certificate for OWA is sitting on the port 80 (SBS web listener). So, excuse me for being stupid, but how do I create a virtual IP on the external network card? Can you point me in the right direction? I do have some spare IPs so I can use one of them.

Many thanks
RE: 500 Internal Server Error - SSL - 16.Aug.2008 9:44:08 AM
hcookies1
Hi, I have an update, and I know this is going off the original question. Someone actually helped me set up the IIS originally (I'm a programmer), and for some reason we kept the default website and added the company website as a separate website. I have now stopped the default website, and put the company website to listen on port 443. I have changed the SBS web listener so that the secure company certificate is now sitting on port 443 and everything is now working.

What I really want to know is this. Is it ok to stop the default website? What is it actually there for and am I damaging anything? I am aware that OWA sits on that default website. My company doesn't use this, as we use port forwarding through ISA server so that people access their computers remotely so have no need for OWA. However, knowing the company I work for, they will suddenly decide they need OWA. Can I use my secure company certificate to set up OWA, or does OWA always sit on the default website?

Sorry if all this sounds daft but I'm quite inexperienced in IIS and ISA Server 2004. People have told me to get rid of ISA as it is too difficult to use, but I am determined to soldier on, as I have been able to resolve all problems I have been confronted with so far.

Many thanks again
RE: 500 Internal Server Error - SSL - 18.Aug.2008 9:21:11 AM
pwindell
quote: Thanks for your replies. So, from what you are saying it sounds like I would probably need to create a virtual IP on the external network card. At the moment the publishing.xxx.local certificate for OWA is sitting on the port 80 (SBS web listener).

If a Certificate is involved then it is not port 80, it is 443. But if it is port 80, then there is no certificate involved.

quote: So, excuse me for being stupid, but how do I create a virtual IP on the external network card. Can you point me in the right direction. I do have some spare IPs so I can use one of them.

There is no virtual IP#. I don't even know why you are asking.

quote: I have an update, and I know this is going off the original question. Someone actually helped me set up the IIS originally (I'm a programmer), and for some reason we kept the default website and added the company website as a separate website.

That is a normal practice.

quote: What I really want to know is this. Is it ok to stop the default website. What is it actually there for and am I damaging anything. I am aware that OWA sits on that default website. My company doesn't use this, as we use port forwarding through ISA server so that people access their computers remotely so have no need for OWA. However, knowing the company I work for, they will suddenly decide they need OWA.

I think OWA needs it. You'd have to re-enable it for OWA. Also, since this is SBS,...you pretty much have to do everything via one of SBS's many "Wizards" and will not do things manually "the old fashioned way".
_____________________________
Phillip Windell www.wandtv.com