
Welcome to ISAserver.org


Certificate Issuance

Certificate Issuance - 19.Dec.2011 3:48:04 PM   
MilesG

 

Posts: 2
Joined: 14.Dec.2011
Status: offline
Hello,

I'm trying to set up an ISA 2006 machine in our DMZ for OWA. I have a Cisco 5510 as our firewall.
No internal users will be using OWA, just for external users.

The ISA server is currently in a workgroup and attached to the internal network, not yet in the DMZ. It's being set up using the Single Network Adapter template.

Our internal domain name is xyz.local.
My Exchange front-end server is named ExFE and sits in the internal network.
We have a domain name registered for my company called abcd.org, and a static IP address for it at Register.com.
I want my users to access email from outside by typing in https://mail.abcd.org.

When configuring the request for the certificate, what value do I enter for "Your Site's Common Name"?
Do I use the Exchange front-end name (ExFE.xyz.local)?
Do I put in mail.abcd.org? If so, how would it match anything in our network?

I've read this:
"On the Your Site’s Common Name page, enter the common name of the site. The common name is the name that external and internal users will use to access the site. For example, if users will enter https://owa.msfirewall.org into the browser to access the OWA site, you would make the common name owa.msfirewall.org. In our current example, we will enter owa.msfirewall.org into the Common name text box. This is a critical setting. If you do not enter the correct common name, you will see errors when attempting to connect to the secure OWA site."

but I'm unsure as to how it would apply to me, as we have one name internally and another name externally.

Thanks in advance,

MilesG
Post #: 1
RE: Certificate Issuance - 20.Dec.2011 12:00:30 PM   
hadideveloper

 

Posts: 156
Joined: 20.Jun.2011
Status: offline
Hi,
It's better to use your internal site name, but it is not mandatory. If you publish your Exchange with the ISA, you should know that the public name of a site is a fake name and ISA uses it as a fake. If your certificate server is in your LAN then it's better to use the internal name; if your certificate name is external, it's better to use your external name.
Here are some URLs:
http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/publishing-exchange-client-access-isa-2006-complete-solution-part3.html
http://technet.microsoft.com/en-us/library/bb794751.aspx
http://technet.microsoft.com/en-us/library/cc756120%28WS.10%29.aspx

(in reply to MilesG)
Post #: 2
RE: Certificate Issuance - 20.Dec.2011 12:11:15 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
1. Make it a domain member or you are half wasting your time

2. The Common Name,...Public Name,...HostHeader,...FQDN are a bunch of words that effectively all mean the same thing. The Name is the FQDN that the users out in internet land are going to type into their browser to get to the OWA site.

3. You need to properly set up Split-DNS so that the FQDN resolves correctly to the LAN IP of the Exchange OWA machine. Throughout all the settings in the Publishing Rule you must identify the Exchange OWA machine by the same FQDN. Never ever ever identify it via an IP# or NetBIOS Name.

4. The certificate must be requested, purchased, installed at the Exchange OWA machine. Then afterwards export it from there as a PFX File with Private Key. Then import the PFX file into the Certificate Store on the ISA using the Certificates MMC.

< Message edited by pwindell -- 20.Dec.2011 12:12:49 PM >


_____________________________

Phillip Windell

(in reply to MilesG)
Post #: 3
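
The naming rules listed in post #3, written out as a consistency check. This is an added example, not code from any poster or from ISA Server. It assumes the LAN uses RFC 1918 addressing; the function names, the DNS dictionary and the 10.0.0.25 address are constructed for illustration, and only the host names come from the thread.

```python
import ipaddress

# Assumption: the internal LAN uses RFC 1918 address space.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def name_matches(cert_name, host):
    """Browser-style match: exact name, or '*' standing for one left-most label."""
    c, h = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if c.startswith("*."):
        return "." in h and h.split(".", 1)[1] == c[2:]
    return c == h

def is_fqdn(value):
    """False for an IP literal or a single-label (NetBIOS-style) name."""
    try:
        ipaddress.ip_address(value)
        return False
    except ValueError:
        return "." in value.strip(".")

def check_publishing(public_name, cert_names, rule_target, internal_dns):
    """Return a list of problems; an empty list means the names line up."""
    problems = []
    # The certificate must carry the name users type into the browser.
    if not any(name_matches(n, public_name) for n in cert_names):
        problems.append("certificate does not cover " + public_name)
    # The publishing rule must name the OWA machine by that same FQDN.
    if not is_fqdn(rule_target):
        problems.append("rule target is an IP or NetBIOS name: " + rule_target)
    elif rule_target.lower() != public_name.lower():
        problems.append("rule target differs from public name: " + rule_target)
    # Split DNS: inside the network the FQDN must resolve to a LAN address.
    addr = internal_dns.get(public_name.lower())
    if addr is None:
        problems.append("internal DNS has no record for " + public_name)
    elif not any(ipaddress.ip_address(addr) in net for net in LAN_NETS):
        problems.append("internal DNS returns a non-LAN address: " + addr)
    return problems

if __name__ == "__main__":
    # Constructed sample values; only the host names come from the thread.
    dns = {"mail.abcd.org": "10.0.0.25"}
    print(check_publishing("mail.abcd.org", ["mail.abcd.org"], "mail.abcd.org", dns))
    print(check_publishing("mail.abcd.org", ["ExFE.xyz.local"], "ExFE", dns))
```
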
RE: Certificate Issuance - 20.Dec.2011 12:15:30 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
It needs to be a domain member before the ISA software is installed. If not then you have to export the ISA config,...uninstall ISA,...join the machine,...install ISA,...import the config back in.

The ISA Installation routine needs to "see" the machine is a domain member while it is installing.

Debunking the Myth that the ISA Firewall Should Not be a Domain Member
http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html

ISA Firewall Fairy Tales - What Hardware Firewall Vendors Don't Want You to Know (v1.02)
http://www.isaserver.org/articles/2004tales.html

_____________________________

Phillip Windell

(in reply to pwindell)
Post #: 4
RE: Certificate Issuance - 21.Dec.2011 4:02:50 PM   
MilesG

 

Posts: 2
Joined: 14.Dec.2011
Status: offline
Thank you for the links, and the tips.

Wish I'd known about installing ISA on a machine that was ALREADY joined to our network. Caused some grief there before I discovered the issue.

- MilesG

(in reply to pwindell)
Post #: 5
