I was able to join the domain as well as log on from my server located in the perimeter. But I still got an error when trying to run DCDIAG, especially on the FSMOCHECK. Furthermore, I could not run DOMAINPREP for the Exchange 2k3 installation.
Finally, after I checked the error message, it seems I could not have a difference between the DNS suffix of the computer name and the name of the AD domain the computer is a member of. I changed the computer name and re-tested, and it worked.
BTW, I have another problem...
I am implementing a back-to-back DMZ with the configuration as follows:
External Firewall: Cisco 2811 series router with firewall feature
First thing, you can't have a ROUTE relationship between DMZ and Internal and also have a NAT relationship between Internal and DMZ. The reason for this is that if you Route from DMZ to Internal, that automatically means you have a ROUTE relationship between Internal and DMZ, since Route relationships are reciprocal.
Try removing the ROUTE relationship first and test it that way, so that there is a NAT relationship between Internal and DMZ.
My question is about part 3 http://www.isaserver.org/tutorials/Creating-Multiple-Security-Perimeters-Multihomed-ISA-Firewall-Part3.html (Note on certificate deployment), specifically about Publishing OWA with SSL: the certificate for the ISA firewall is owa.msfirewall.org and the one for the FE Exchange Server is feexchange.msfirewall.org. I understand they are different certificates. In your previous article, Publishing OWA Sites using ISA Firewall Web Publishing Rules (2004) Version 1.1, you used the same certificate (owa.msfirewall.org) for both IIS on the Exchange server and the ISA firewall. Why not use the same certificate for the FE and ISA in part 3, as we did in your Publishing OWA sites... article? Or I kind of understood the certificates should be the same (exact name) for the SSL channel between Exchange and ISA to work properly. I would appreciate a short explanation. Thank you for all the hard work you do.
The reason why I do this is because we can only bind a single certificate to the FE Exchange Server's Web site. This isn't a problem when we publish only the OWA site, since the same certificate can be used on the FE Exchange site and on the Web listener used by the Web Publishing Rule used to publish the OWA site.
HOWEVER, since we also want to publish the RPC/HTTP and OMA/ActiveSync sites, we have to create a second (and even a third, if we wanted to) Web listener to support those connections. We can't use the same Web listener because we want to enable OWA FBA on the ISA firewall. This means the second Web listener needs to listen for connections to a different FQDN, and that FQDN must be on the certificate, for example:
owa.msfirewall.org for the OWA connections
rpc.msfirewall.org for the RPC/HTTP connections
oma.msfirewall.org for the OMA/ActiveSync connections
The common names on the certificates must be the same as the name used to access the site, so we would require three certificates in this example with the common names:
However, for each of the listeners used in each of the rules, we can forward the connection to the same server using the same name, such as feexchange.msfirewall.org, which is the name used on the TO tab of each of the Web publishing rules.
I always wanted to show that you didn't have to use the same name from end to end, which is what I do in all my articles and all my deployments, but some people don't want to or can't do the same.
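To make the two-hop rule concrete, here is an added example (not from this thread or from ISA itself) that checks each Web publishing rule's listener certificate against its public name and its server certificate against the TO-tab name; the rule and certificate values are constructed, and matching is on the common name only.

```python
# Added example, not from the thread: models the two SSL hops of an ISA Web publishing
# rule and reports any hop whose certificate CN does not match. All values are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    common_name: str

    def matches(self, host: str) -> bool:
        # ISA compares the requested name with the certificate's CN, case-insensitively.
        return self.common_name.lower() == host.lower()


@dataclass(frozen=True)
class PublishingRule:
    public_name: str     # FQDN the client uses to reach the Web listener
    listener_cert: Cert  # certificate bound to that Web listener
    to_name: str         # name on the TO tab (what ISA uses to reach the FE server)
    server_cert: Cert    # certificate bound to the FE Exchange web site


def check_rule(rule: PublishingRule) -> list[str]:
    """Return one message per SSL hop whose certificate CN does not match."""
    problems = []
    if not rule.listener_cert.matches(rule.public_name):
        problems.append(f"client->ISA: listener cert CN {rule.listener_cert.common_name!r} "
                        f"does not match public name {rule.public_name!r}")
    if not rule.server_cert.matches(rule.to_name):
        problems.append(f"ISA->FE: server cert CN {rule.server_cert.common_name!r} "
                        f"does not match TO name {rule.to_name!r}")
    return problems


def check_rules(rules: list[PublishingRule]) -> dict[str, list[str]]:
    return {r.public_name: check_rule(r) for r in rules}


# Constructed sample: one FE cert shared by all rules, a distinct listener cert per rule.
FE = "feexchange.msfirewall.org"
GOOD_RULES = [PublishingRule(f"{svc}.msfirewall.org", Cert(f"{svc}.msfirewall.org"), FE, Cert(FE))
              for svc in ("owa", "rpc", "oma")]
# Two mistakes this catches: reusing the OWA cert on the RPC listener, and putting
# the FE server's IP on the TO tab instead of the name on its certificate.
BAD_RULES = [PublishingRule("rpc.msfirewall.org", Cert("owa.msfirewall.org"), FE, Cert(FE)),
             PublishingRule("oma.msfirewall.org", Cert("oma.msfirewall.org"), "10.0.0.2", Cert(FE))]

if __name__ == "__main__":
    for rule in GOOD_RULES + BAD_RULES:
        print(rule.public_name, check_rule(rule) or "OK")
```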
The SSL channel between the clients and the external ISA IP (OWA listener) is thanks to the owa.msfirewall.org certificate, and the SSL channel between ISA and the FEE is thanks to the fe.msfirewall.org certificate, which should match the published server name (TO). Thank you again.