Welcome to ISAserver.org

Isa and CSS on same machine in workgroup

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 General] >> Installation and Planning >> Isa and CSS on same machine in workgroup

Page: [1]

Message

<< Older Topic Newer Topic >>

Isa and CSS on same machine in workgroup - 23.Aug.2007 3:36:42 AM

anusumesh

Posts: 32
Joined: 19.Jun.2007
Status: offline

Hi

I am installing Isa server EE 2006 and CSS on same machine.Isa server is in workgroup. I want to change the authentication method between isa server and CSS to "Authentication over SSL channel" rather that "Windows Authentication". But when i m trying to do this its giving message that "Certificate with the name of CSS should be installed on CSS".
I m unable to solve this problem.
can anyone tell me how to check which certificate is installed on CSS?
Remember CSS and ISA Server are on same machine..
Plz help me for this issue.

Thanks in advance.
Anu

Post #: 1

Featured Links*

RE: Isa and CSS on same machine in workgroup - 23.Aug.2007 9:59:47 AM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

If the CSS is on the same machine, why would you need a certificate?

BTW -- you should join the ISA Firewall to the domain, it's an ISA Firewall best practice and more secure.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to anusumesh)

Post #: 2

RE: Isa and CSS on same machine in workgroup - 24.Aug.2007 1:28:31 AM

anusumesh

Posts: 32
Joined: 19.Jun.2007
Status: offline

Hi,

Thanks for reply.
Actually i am joining one more ISA Server 2006 to existing Array on the machine having CSS and ISA on same and all are in workgroup.
I installed same certificate(as of CSS machine) on 2nd ISA server also.
In this case, it always failed to synchronize 2nd ISA Server with CSS.
When i checked in Alert tab, its showing error due to Authentication Problem only.

Is it possible to join isa server to another array on css when both are in workgroup?
If yes then what is the exact procedure to do this successfully.
If no then whats the reason?
r u aware of Celestix MSA Security Appliance?

Thanks
Anu

(in reply to tshinder)

Post #: 3

RE: Isa and CSS on same machine in workgroup - 27.Aug.2007 9:58:41 AM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

OK, if you have more than one member in the array, you need a server certificate on the machine with the CSS on it.

Remember that the workgroup configuration as serious security and redundancy issues. I always join the ISA Firewall array to the domain in order to fully utilize the ISA Firewall array's security and reliability features.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to anusumesh)

Post #: 4

RE: Isa and CSS on same machine in workgroup - 28.Aug.2007 1:40:19 AM

anusumesh

Posts: 32
Joined: 19.Jun.2007
Status: offline

Hi Tom,

Thanks for Reply.
I know its better to join the domain always. But we are testing ISA Server for different options available.
Actually in Celestix MSA ISA Server Box, Certificate is created automatically when we install the CSS and ISA Server 2006.
I am exporting that CSS certificate one with Private Key and one Without Private Key.
And then certificate with Private Key is imported on its local ISA Server (means which is on the CSS machine) and Certificate without Private key is imported on another ISA Server.
After that i am trying to join the another ISA server to exisiting Array on CSS.
After configuration, it is showing in Monitoring Tab that both ISA server are synched with CSS.
But when i rebooted the Main(CSS) machine, after that for second ISA Server its showing error "Unable to retrieve data from server"

Can u please suggest me at what point i am doing wrong?
Thanks.

Anu

(in reply to tshinder)

Post #: 5

RE: Isa and CSS on same machine in workgroup - 28.Aug.2007 10:26:10 AM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

The non-CSS boxes don't need server certificates, they just need to trust the CA that issued the server certificate to the CSS machine.

Most likely your internal DNS isn't resolving the names correctly for each array member based on array member settings you configured in the ISA Firewall console.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to anusumesh)

Post #: 6

RE: Isa and CSS on same machine in workgroup - 29.Aug.2007 8:11:27 AM

anusumesh

Posts: 32
Joined: 19.Jun.2007
Status: offline

Hi Tom

Its all about ISA Server 2006 Enterprise edition.
If CSS and ISA Server are on same machine and in Domain. and array named "main" is created which is having one local ISA server.
I want to add one more ISA Server (in domain)with Windows authentication to an existing array (main)on CSS and
one more ISA Server with SSL authentication(not in Domain) to an existing array(main) on CSS

Is this scenario possible?
If yes then how what we have to do for this?
Plz help me.

Thanks
Anu

(in reply to tshinder)

Post #: 7

RE: Isa and CSS on same machine in workgroup - 30.Aug.2007 10:32:30 AM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

You can't mix non-domain members with domain members in the same CSS.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to anusumesh)

Post #: 8

RE: Isa and CSS on same machine in workgroup - 31.Aug.2007 8:46:43 AM

anusumesh

Posts: 32
Joined: 19.Jun.2007
Status: offline

Hi Tom,

Thanks for ur help. Its really helpful for me.

Today i tried for another configuration.
I install CSS on one machine and create one array there.
Then i joined one ISA Server (in workgroup) 'n'
another ISA Server (in domain) to existing array.
(means 2 servers under one array).
But array authentication is "SSL Authentication" for both.
I installed the Server certificate on CSS and root certificate on both ISAs.

After that all is working fine.

Now my doubt is:
If i have CSS and ISA on same machine(in domain) and then i try to join 2nd ISA in workgroup following the same procedure as above(means using "SSL Authentication"). Then it wil work or not?
or I have to create two arrays (each for diff ISA Server)?

thanks in advance.

Anu

(in reply to tshinder)

Post #: 9

RE: Isa and CSS on same machine in workgroup - 3.Sep.2007 10:08:21 AM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

You should be able to join a second machine to the array.

Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to anusumesh)

Post #: 10

RE: Isa and CSS on same machine in workgroup - 13.Sep.2007 3:50:22 AM