ISAserver.org Forums >> [ISA Server 2004 General ] >> Exchange Publishing

DNS & Certificates confusion
DNS & Certificates confusion - 27.May2008 7:04:01 AM
jlt70
Posts: 16
Joined: 27.May2008
Single Exchange 2003 & ISA 2006.
Our external domain is company.com but our internal domain with the exchange server is (for historic reasons) internal.company.com. I would like users to be able to access OWA at mail.company.com regardless of where they are. Can this be done? I've read up on split DNS & certificates but am still unclear of the actual setup I need. Can anyone clarify this for me? Thanks.
Post #: 1
RE: DNS & Certificates confusion - 27.May2008 9:52:52 AM
tshinder
Posts: 47127
Joined: 10.Jan.2001
From: Texas
Hi J,
This requires a simple split DNS. In this case, you would create what I call the "parallel" split DNS. You just create a zone with the same name as your external zone on your internal DNS server, and then create A records with the internal addresses of the servers you want the internal users to connect to.

Certificate names are easy. Just create certificates with the names that you want internal users to use.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to jlt70)
Post #: 2
RE: DNS & Certificates confusion - 27.May2008 11:38:07 AM
jlt70
Posts: 16
Joined: 27.May2008
Tom,
Thanks for taking time to reply. I've tried this setup but still get the server 500 error. Just to double check if I may:
- internal parallel split DNS for company.com with CNAME for mail.company.com pointing to exchangeserver.internal.company.com.
Publishing rule:
- To site: mail.company.com
- To IP: blank (as above resolves)
- To forward original header: checked
- Public name: mail.company.com
Listener
- External & Internal networks
- Single certificate: mail.company.com (created on exchangeserver.internal.company.com and imported to the Computer store on ISAserver.internal.company.com along with the private key).
Thanks,
Jon

(in reply to jlt70)
Post #: 3
RE: DNS & Certificates confusion - 28.May2008 9:04:22 AM
tshinder
Posts: 47127
Joined: 10.Jan.2001
From: Texas
Hi Jon,

Don't use CNAME records. Create a Host (A) record for mail.company.com in the company.com zone on the internal network.

Public name: mail.company.com GOOD
To: mail.company.com GOOD

Same certificate on both the Web listener and the Exchange Server GOOD

How does the ISA firewall resolve the name mail.company.com?

Thanks!
Tom

(in reply to jlt70)
Post #: 4
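The "parallel" split DNS from Tom's two replies, together with the two checks he asks about (how the ISA firewall resolves the name, and whether the same certificate is on both ends), as an added PowerShell example that is not part of the thread. It assumes the internal DNS server is called INTDNS01, that the Exchange server's internal address is 10.0.0.5, and that the tools are the Windows Server 2003-era dnscmd.exe and nslookup; none of those names or addresses appear in the original posts. Run the DNS part against the internal DNS server and the certificate part on both the Exchange server and the ISA firewall.

```powershell
# Added example (not from the thread). Assumed values: INTDNS01, 10.0.0.5.
$zone        = 'company.com'        # same zone name as the public zone
$publicName  = 'mail.company.com'   # Public name on the listener AND the "To" name in the rule
$exchangeIP  = '10.0.0.5'           # internal address of the Exchange server (assumed)
$internalDns = 'INTDNS01'           # internal DNS server (assumed)

# 1. Create the internal copy of the public zone and a Host (A) record for "mail".
#    An A record, not a CNAME to exchangeserver.internal.company.com, so the name
#    the client and the ISA firewall use is the name the certificate carries.
dnscmd $internalDns /ZoneAdd $zone /DsPrimary
dnscmd $internalDns /RecordAdd $zone mail A $exchangeIP

# 2. From the ISA firewall: the name must resolve to the INTERNAL address. If it
#    returns the public address, the firewall is using an external resolver.
nslookup $publicName $internalDns

# 3. On the Exchange server and on the ISA firewall: the Computer/Personal store
#    must hold a certificate issued to mail.company.com that has its private key.
#    The ISA firewall connects to the "To" name over HTTPS and checks that name
#    against the certificate the Exchange site presents, so both sides need it.
$pattern = 'CN=' + [regex]::Escape($publicName)
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $pattern } |
        Select-Object -First 1
if (-not $cert) {
    Write-Warning "No certificate for $publicName in LocalMachine\My on $env:COMPUTERNAME"
} elseif (-not $cert.HasPrivateKey) {
    Write-Warning "Certificate for $publicName is present but has no private key"
} else {
    "OK on ${env:COMPUTERNAME}: $($cert.Subject), thumbprint $($cert.Thumbprint), private key present"
}
```

One caveat of the parallel zone: once company.com exists on the internal DNS server, internal clients can no longer see any public record in that zone that you have not copied in (www, autodiscover, MX and so on), so add A records for every public host internal users need, not only mail.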
RE: DNS & Certificates confusion - 30.May2008 10:54:02 AM
jlt70
Posts: 16
Joined: 27.May2008
I've changed to using an A record for the mail host, however I still get the error 500 when I try to log in to OWA.

The ISA firewall can resolve mail.company.com as it uses DNS servers on the internal network (which use a parallel route out onto the internet that I'm in the process of replacing).

Any ideas appreciated!

Thanks,
Jon

(in reply to jlt70)
Post #: 5
RE: DNS & Certificates confusion - 1.Jun.2008 9:19:39 AM
tshinder
Posts: 47127
Joined: 10.Jan.2001
From: Texas
Hi John,

What client is getting the 500 error? The external or internal host?

The 500 error indicates a certificate name mismatch.

Best and easiest way to get this resolved is to download the latest version of the ISA firewall Best Practices Analyzer.

HTH,
Tom

(in reply to jlt70)
Post #: 6
RE: DNS & Certificates confusion - 2.Jun.2008 10:26:21 AM
jlt70
Posts: 16
Joined: 27.May2008
Hi Tom,

It's the external client getting the error. The internal clients go direct to the exchange server and are fine. The error alert I get in ISA (and in the BPA) is "The number of HTTP requests per minute from one IP address exceeded the configured limit."

I can't see anything wrong with the certs:

The Exchange server (which is also the CA and a DC - we're not a big setup) has: its CA root certs; a DC cert for exchangeserver.internal.company.com and a Web Server cert for mail.company.com.

The Web Server cert is bound to the Default Web Site in IIS. It is also this cert that has been exported along with its private key to the Computer/Personal store on the ISA server and bound to the OWA listener.

External clients can get as far as the ISA/OWA logon form (although this takes a bit longer to come up than I would expect). Then after a few minutes trying you get the error.

While trying the ISA server logs the following over and over:
1: ISA local IP to Exchange IP - HTTPS - Initiated Connection
2: Client IP to Exchange IP - https - Allowed Connection - OWA Rule
3: ISA local IP to Exchange IP - HTTPS - Closed Connection

If there's any other info that would help please let me know.
Thank you for your time & patience. Much appreciated.

Jon

(in reply to tshinder)
Post #: 7
RE: DNS & Certificates confusion - 9.Jun.2008 9:34:08 AM
tshinder
Posts: 47127
Joined: 10.Jan.2001
From: Texas
Hi John,

Is the name on the TO tab in the Web Publishing Rule the same name used on the Certificate bound to the OWA Web site?

Thanks!
Tom

(in reply to jlt70)
Post #: 8
RE: DNS & Certificates confusion - 12.Jun.2008 5:19:36 AM
jlt70
Posts: 16
Joined: 27.May2008
Hi Tom,

Yes, under the To: 'This rule applies to this published site' I have mail.company.com and the certificate bound to the Default Web Site in IIS Manager on the Exchange server is issued to mail.company.com (although this server's actual identity is exchangeserver.internal.company.com).

Jon

(in reply to tshinder)
Post #: 9
RE: DNS & Certificates confusion - 12.Jun.2008 9:48:55 AM
tshinder
Posts: 47127
Joined: 10.Jan.2001
From: Texas
Hi John,

Is FBA turned off on the Exchange Server?

Thanks!
Tom

(in reply to jlt70)
Post #: 10
RE: DNS & Certificates confusion - 13.Jun.2008 4:52:58 AM
jlt70
Posts: 16
Joined: 27.May2008
Hi Tom,

FBA is turned on on the Exchange server.

Jon

(in reply to tshinder)
Post #: 11
RE: DNS & Certificates confusion - 16.Jun.2008 10:42:40 AM
tshinder
Posts: 47127
Joined: 10.Jan.2001
From: Texas
You need to turn off FBA on the Exchange Server if you want to use the ISA Firewall's FBA.

HTH,
Tom

(in reply to jlt70)
Post #: 12
RE: DNS & Certificates confusion - 16.Jun.2008 11:34:00 AM
jlt70
Posts: 16
Joined: 27.May2008
I'd just got there! Thanks so much for your help.

Jon

(in reply to tshinder)
Post #: 13
RE: DNS & Certificates confusion - 17.Jun.2008 7:34:14 AM
tshinder
Posts: 47127
Joined: 10.Jan.2001
From: Texas
Great!

Good to hear things are working and thanks for the follow up!

Tom

(in reply to jlt70)
Post #: 14