Publishing SSL OWA Site 500 internal error problem
Publishing SSL OWA Site 500 internal error problem - 10.Jan.2008 11:59:05 AM
robh | Posts: 44 | Joined: 4.Oct.2002 | From: UK
I've just got a free certificate from startssl.com and, after a little effort and soul searching, I thought I had everything set up. Now when I try to access my SSL Outlook Web Access site I get the following error:

Error Code: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted. (-2146893019)

If I try to connect without SSL, i.e. http://domain/exchange, I get the error I would expect:

HTTP Error 403.4 - Forbidden: SSL is required to view this resource.
Internet Information Services (IIS)

Can anybody shed any light on this and how I might fix it? Thanks in advance
RE: Publishing SSL OWA Site 500 internal error problem - 10.Jan.2008 4:19:37 PM
Rotorblade | Posts: 973 | Joined: 27.Feb.2007
Hi, sounds like you did not import correctly into ISA? Did you place a copy of the imported certificate in ISA's trusted root certification store? Quoted from -> http://www.microsoft.com/technet/isa/2004/plan/tscerts.mspx
quote:
I receive an error message: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted.
ISA Server must trust the certificate from the published Web server. Ensure that the CA certificate is in the ISA Server Trusted Root Certification Authorities certificate store. Clients must trust the SSL server certificates presented to them. Server certificates are trusted by client browsers when the root certificate of the CA that issued the certificate is present in the Trusted Root Certification Authorities store on the client computer. Ensure the following:
• The SSL server certificate sent by ISA Server to authenticate itself to external clients must be trusted by those external clients. This is usually a certificate issued by a commercial CA. By default, client browsers such as Internet Explorer have root certificates installed for common commercial CAs.
• In an HTTPS to HTTPS scenario, ISA Server must trust the CA that issued the certificate that is used by the published Web server to authenticate to the ISA Server computer. If an internal enterprise CA issued the certificate, and ISA Server is located in the same domain as the enterprise CA, the CA root certificate will automatically be installed in the ISA Server Trusted Root Certification Authorities store. If you obtain a certificate for the Web server from an internal stand-alone CA, or ISA Server is not in the same domain as the enterprise CA, you must install the root certificate from the CA in the Trusted Root Certification Authorities store on the ISA Server computer.
Also see -> http://isaserver.org/tutorials/pubowa2003part4.html
HTH
RB
RE: Publishing SSL OWA Site 500 internal error problem - 11.Jan.2008 11:11:07 AM
robh | Posts: 44 | Joined: 4.Oct.2002 | From: UK
Thanks for that. I looked at the first Microsoft article and also read Dr Shinder's book. I think the problem is the FQDN and the internal network name. These are different, as mentioned in this section from the article:
quote:
"In an HTTPS to HTTPS Web publishing scenario (requiring a server certificate on both the ISA Server computer and on the published Web server), the name of the certificate on the IIS Web site of the published server must match the name by which ISA Server identifies the Web server. (This is the name specified on the To tab of the Web publishing rule properties.)" - Microsoft
The Web/Mail server is on one domain (.local) and has a meaningless name which does not reflect the domain name used on the cert and when people try to access the web mail. When I point the listener to the server it's servername, not servername.domain.local, and none of these reflect the external domain name! Is there any way round this? I'm stuck as to what to do next. Thanks
RE: Publishing SSL OWA Site 500 internal error problem - 11.Jan.2008 3:45:58 PM
Rotorblade | Posts: 973 | Joined: 27.Feb.2007
That would be a problem if the FQDN does not match. Configuring a "split DNS" infrastructure would be the answer to your problems. Host headers can be configured to support the public FQDN on the internal server. The other option is not to bridge SSL back to Exchange.
http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html
HTH
RB
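The two replies above describe two separate checks that fail in an HTTPS-to-HTTPS publishing rule: the bridging host must trust the root that issued the published server's certificate, and the certificate must carry the name the rule uses on its To tab. The script below is an added example that reproduces both checks with openssl; it is not the thread's own material and not ISA's code. Everything it uses is generated on the spot: a throwaway issuing root (standing in for the free CA), an unrelated root (standing in for what the bridging host already trusts), and a server certificate for the assumed name mail.domain.net, checked against the assumed internal name servername.domain.local.

```shell
#!/bin/sh
# Added example, not from the thread or from ISA Server: reproduce with openssl
# the two checks ISA applies to the published web server's certificate when
# bridging HTTPS to HTTPS. (1) Does the chain anchor in a root the bridging host
# trusts? (2) Does the certificate carry the name used on the rule's "To" tab?
# All certificates are throwaway test material generated here;
# "mail.domain.net" and "servername.domain.local" are assumed names.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=${WORK:-$(mktemp -d)}

# Minimal config so the result does not depend on the system openssl.cnf.
write_config() {
  cat >"$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ srv_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.domain.net
EOF
}

# Self-signed root: $1 = file stem, $2 = CN.
make_root() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

make_test_pki() {
  write_config
  # Root that actually issued the web server's certificate, and an unrelated
  # root that plays the part of what the bridging host already trusts.
  make_root issuing-ca "Test Issuing Root CA"
  make_root other-ca   "Unrelated Root CA"
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=mail.domain.net" -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
    >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/srv.csr" \
    -CA "$WORK/issuing-ca.crt" -CAkey "$WORK/issuing-ca.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions srv_ext \
    -out "$WORK/srv.crt" >/dev/null 2>&1
}

# Check 1: chain trust. $1 = PEM file playing the role of the trusted root
# store. Returns 0 when the server certificate chains to a root in it.
chain_trusted() {
  openssl verify -CAfile "$1" "$WORK/srv.crt" >/dev/null 2>&1
}

# Check 2: name match on a trusted chain. $1 = the name the publishing rule
# uses to reach the server ("To" tab). Returns 0 when the certificate covers it.
cert_name_matches() {
  openssl verify -CAfile "$WORK/issuing-ca.crt" -verify_hostname "$1" \
    "$WORK/srv.crt" >/dev/null 2>&1
}

report() {  # $1 = label, remaining arguments = command to judge
  label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

main() {
  make_test_pki
  report "chain trusted with only an unrelated root in the store (expect FAIL: the 500 / -2146893019 case)" \
    chain_trusted "$WORK/other-ca.crt"
  report "chain trusted once the issuing root is in the store" \
    chain_trusted "$WORK/issuing-ca.crt"
  report "certificate name matches To-tab name mail.domain.net" \
    cert_name_matches mail.domain.net
  report "certificate name matches To-tab name servername.domain.local (expect FAIL)" \
    cert_name_matches servername.domain.local
}

main
```

The first FAIL is the untrusted-chain error from the opening post; adding the issuing root to the store clears it. The last FAIL is the name problem in the second exchange: a store fix does nothing for it, the rule has to address the server by a name the certificate actually carries, which is what the split DNS or host header suggestions are for. Against a real backend, the same two checks can be run on what the server presents by feeding the output of openssl s_client -showcerts to openssl verify.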
RE: Publishing SSL OWA Site 500 internal error problem - 11.Jan.2008 5:57:47 PM
robh | Posts: 44 | Joined: 4.Oct.2002 | From: UK
The problem is I don't publish DNS to external clients. The external domain is domain.net; I also use that internally for clients on the network. (I was wrong earlier about different domains - so used to using the NetBIOS name that I forgot if I'd used .local etc. etc. Test domains running caused confusion.)

The ISA Server isn't, however, using the internal DNS and has a caching-only DNS running, and resolves the name server.domain.net as the public IP instead of the private IP, so it doesn't work with the cert. I think I have something fundamentally wrong with my setup - all previous Web publishing I've done I've done via internal IP on the publish rule, not internal DNS name. NOW I'M EVEN MORE CONFUSED!!!
RE: Publishing SSL OWA Site 500 internal error problem - 11.Jan.2008 11:18:24 PM
Rotorblade | Posts: 973 | Joined: 27.Feb.2007
quote:
The problem is I don't publish DNS to External Clients.
Ok, you don't have to. "Split DNS" has nothing to do with publishing DNS; it has a lot to do with supporting "private" internal and "public" external FQDNs.
quote:
The ISA Server isn't however using the internal DNS and has a caching only DNS running and resolves the name server.domain.net as the Public IP instead of the Private IP so doesn't work with the cert.
Well, that's problem #1! ISA needs to be configured to resolve internally by configuring your internal DNS server as a forwarder to resolve external DNS requests. Problem #2 is, if you're using the public IP internally, your internal clients are looping back through ISA. That is not good. Very simple: if both the public and internal domains are the same name, all you need to do is configure your internal DNS zone records to resolve to the private IPs, not the public IP. External clients will resolve to the public IP when querying the public DNS server, and internal clients will query the internal DNS server and resolve to the server's private IP. ISA should never be configured with an external DNS server!
http://blogs.isaserver.org/shinder/2006/07/09/never-put-an-external-dns-server-address-on-an-isa-firewall-nic/
http://blogs.isaserver.org/shinder/2006/10/19/dns-best-practices/
http://www.elmajdal.net/ISAServer/Internal_DNS_Forwarding.aspx
HTH
RB