SSL-Tunneling - 9.Feb.2007 8:17:10 AM
philcollins99
Posts: 44
Joined: 27.Sep.2006
Status: offline
Hi there, I have a problem attempting to configure SSL-Tunneling. Please let me first describe our set up.

Windows 2003 with ISA 2004 SP2 Edge Firewall solution. A single Windows 2003 IIS 6.0 web site hosting solution (Perimeter Network). IIS 6 holds our *.domain.com certificates. We have many web sites which are non-SSL and are working. We have one web site using SSL on the same address but we cannot get this working. We also have OWA on a single Exchange 2003 server on the internal network. We cannot get this working either.

I am trying to achieve a solution whereby ISA 2004 listens for www.domain.com on port 443 and forwards all traffic to an internal address, e.g. 192.168.2.2, and then allows the traffic to flow between the clients and web server. I believe this to be SSL-Tunneling. I am also attempting to configure OWA on the Exchange server and again I would like to simply forward the traffic to our Exchange server as this server deals with the SSL traffic.

We have tested many solutions to get this working but we cannot get past varying responses. The main examples are:

i) Browser states an error using the word "Principal". We looked this up and it states that a browser certificate does not match the published web site. We think this is connected with the use of a wildcard on our published certificates. Apologies for not giving the full browser error message but we can only test out of hours as we need to be back in a 'live' state on our current ISA 2000 configuration. I did not write down the full error message when testing. Whoops!

ii) Failed connection attempt (protocol = SSL-Tunnel)

I'm trying to be as specific as possible here but if you need more information in order to help me, please let me know. I am very very happy to provide it as I really need a solution to these problems. If I can solve the problem with the SSL web site, I should be able to solve the problem with OWA.

I have read much documentation and conferred with a colleague but we cannot get the SSL tunnel to work. This really is confusing me. The final thing that is really causing me a problem is that whenever I set up a listener on SSL, I am prompted for a certificate. I have indeed installed the same certificate (*.domain.com) onto IIS on my ISA server and made it available through a web listener. When I apply this web listener, this is when we receive the browser error message stating the word 'Principal'. The thing I can't get out of my mind is, why do I need to use a certificate for all SSL web listeners? I would have expected to use a certificate when using bridging but not SSL-Tunneling. This is one of the reasons I cannot get OWA to work.

I have also read (I'm going on a bit now, sorry!), in one of the forum posts, that internal clients may need direct access to the web servers in order to return the web sites. I'm not sure how to configure this and if this is the case, we may have actually stumbled on the solution without knowing. Please could someone spare the time to possibly address this issue for me? I know I've mentioned quite a lot of stuff here, but believe me, we have been struggling through this for many many hours of the previous days. Thank you. Phil.
RE: SSL-Tunneling - 9.Feb.2007 10:18:15 AM
philcollins99
Posts: 44
Joined: 27.Sep.2006
Status: offline
Hi there, I really do need some help with this. Is there anyone out there that could possibly help in any way at all? I would really appreciate any assistance that can be given. Thank you. Phil.
RE: SSL-Tunneling - 13.Feb.2007 6:32:14 AM
philcollins99
Posts: 44
Joined: 27.Sep.2006
Status: offline
Hi there, is there anyone that can confirm if I have the SSL-Tunnelling theory correct please? Thank you. Phil.
RE: SSL-Tunneling - 15.Feb.2007 3:23:50 AM
philcollins99
Posts: 44
Joined: 27.Sep.2006
Status: offline
Hi, I have actually made some excellent progress with this, now that I have a test scenario! I have obtained a test certificate from Verisign which does not include a wildcard and is specific to our subdomain, e.g. subdomain.domain.com. I have successfully set up all of the scenarios that I know about: SSL-Tunnelling (no certificate at the ISA 2004 firewall), and each possible SSL-bridging scenario too. This appears to be working fine as expected. The set up I had included a simple ISA 2004 server with a single external-facing network card, no internal network and IIS 6.0 with a single website local to the ISA server. I am just about to move onto having a perimeter network as I have sourced a second server to test with. I will update and advise on progress. Phil.
RE: SSL-Tunneling - 17.Feb.2007 5:59:22 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Phil,

> I have successfully set up all of the scenarios that I know about. SSL-Tunnelling (No certificate at the ISA 2004 firewall), and each possible SSL-bridging scenario too.

To avoid any confusion, I suggest you use the more common ISA terminology instead. Thus, SSL-Tunneling = Server publishing and SSL-Bridging = Web publishing. HTH, Stefaan
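To make the distinction Stefaan draws concrete, here is an added example (not ISA code and not from either poster): a loopback TCP relay that behaves like a server publishing rule. It copies bytes in both directions without ever looking inside them, so it needs no certificate on the firewall, which is exactly why ISA never prompts for one on a server publishing rule. The flip side, and the reason web publishing (bridging) asks for a certificate, is that the relay cannot inspect the HTTP inside the TLS session; only a listener that terminates TLS can do that. The example assumes a stand-in echo server on loopback in place of the IIS host, and the sample bytes are constructed.

```python
import socket
import threading

# Added example: a minimal TCP-level relay, the behaviour the thread calls
# SSL tunneling / server publishing. The relay forwards opaque bytes and never
# parses them, so it needs no certificate and can apply no HTTP-level policy.
# A web publishing (SSL bridging) rule would instead terminate TLS here, which
# is why that rule type requires a certificate on the listener.


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src half-closes, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listen_loopback() -> socket.socket:
    """Bind a listener on an ephemeral loopback port (constructed test setup)."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    lsock.settimeout(5)
    return lsock


def _serve_echo_once(lsock: socket.socket) -> None:
    """Stand-in for the published web server: echoes whatever it receives."""
    conn, _ = lsock.accept()
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            conn.sendall(chunk)
    lsock.close()


def _serve_relay_once(lsock: socket.socket, target: tuple) -> None:
    """Accept one client and splice it to the target, one pump per direction."""
    client, _ = lsock.accept()
    upstream = socket.create_connection(target)
    pumps = [
        threading.Thread(target=_pump, args=(client, upstream), daemon=True),
        threading.Thread(target=_pump, args=(upstream, client), daemon=True),
    ]
    for t in pumps:
        t.start()
    for t in pumps:
        t.join()
    client.close()
    upstream.close()
    lsock.close()


def roundtrip_through_relay(payload: bytes) -> bytes:
    """Send payload client -> relay -> echo server and return what comes back."""
    echo_listener = _listen_loopback()
    relay_listener = _listen_loopback()
    threading.Thread(target=_serve_echo_once, args=(echo_listener,), daemon=True).start()
    threading.Thread(
        target=_serve_relay_once,
        args=(relay_listener, echo_listener.getsockname()),
        daemon=True,
    ).start()
    with socket.create_connection(relay_listener.getsockname(), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # signal end of the client's request
        received = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            received += chunk
    return received


if __name__ == "__main__":
    # Constructed sample: a TLS record header followed by a few bytes. The relay
    # forwards it untouched; it has no key with which to read it.
    sample = b"\x16\x03\x01\x00\x05hello"
    print(roundtrip_through_relay(sample) == sample)
```

Because the relay is blind to the payload, the only controls available at that layer are the ones ISA's server publishing rules offer anyway: source address, destination port and connection limits. Anything that depends on the URL, host header or authentication has to be done either at the web server or by switching to a web publishing rule.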
RE: SSL-Tunneling - 19.Feb.2007 2:02:04 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Phil,

1. A server publishing rule should work in any case because no certs are involved at the ISA level.

2. The limitation of the wildcard certs is removed in ISA 2006 (http://www.isaserver.org/pages/newsletters/december2006.asp).

HTH, Stefaan
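As an added illustration, not code from the thread, from Microsoft or from ISA, here is the hostname-matching rule a browser applies when it decides whether a certificate "matches" the site it is published under, which is the check behind the name-mismatch error in the first post. It implements the strict form of the RFC 6125 rule: a wildcard may only be the whole left-most label, it matches exactly one label, and it never covers the bare domain. The certificate names and hosts below are constructed to mirror the thread's *.domain.com and subdomain.domain.com cases.

```python
# Added example: certificate name matching as a browser performs it. Nothing
# here is ISA's own logic; it shows what "certificate does not match the
# published web site" means for wildcard and per-host certificates.


def _labels(name: str) -> list:
    """Normalise a DNS name to lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def name_matches(cert_name: str, host: str) -> bool:
    """True if one certificate name (CN or SAN dNSName) covers host."""
    cn, hn = _labels(cert_name), _labels(host)
    if "*" not in cert_name:
        return cn == hn
    # The wildcard must be the whole first label, with at least two more
    # labels after it, so that names like "*.com" are refused.
    if cn[0] != "*" or len(cn) < 3 or any("*" in lbl for lbl in cn[1:]):
        return False
    # "*" consumes exactly one label: *.domain.com covers www.domain.com but
    # neither domain.com (too few labels) nor a.b.domain.com (too many).
    return len(hn) == len(cn) and hn[0] != "" and hn[1:] == cn[1:]


def certificate_covers(cert_names: list, host: str) -> bool:
    """True if any name on the certificate covers host."""
    return any(name_matches(n, host) for n in cert_names)


def explain(cert_names: list, host: str) -> str:
    """Human-readable verdict of the kind a browser reports."""
    if certificate_covers(cert_names, host):
        return f"{host}: OK (covered by {cert_names})"
    return f"{host}: name mismatch, certificate is for {cert_names}"


if __name__ == "__main__":
    wildcard = ["*.domain.com"]          # constructed: the thread's wildcard cert
    specific = ["subdomain.domain.com"]  # constructed: the per-host test cert
    for host in ["www.domain.com", "domain.com", "mail.sub.domain.com"]:
        print(explain(wildcard, host))
    for host in ["subdomain.domain.com", "www.domain.com"]:
        print(explain(specific, host))
```

Two practical consequences follow for a published site: the URL users type must match one of the certificate's names exactly under these rules (a wildcard does not rescue a request for the bare domain or for a deeper subdomain), and in a bridging setup the certificate on the firewall's listener, not the one on the back-end server, is the one the browser evaluates.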
RE: SSL-Tunneling - 26.Feb.2007 11:52:04 AM
philcollins99
Posts: 44
Joined: 27.Sep.2006
Status: offline
Hi again, on Friday evening we managed to get secure server publishing working on our ISA 2004 firewall (SSL Tunnel). We did this by adding host entries on our web server, creating a new server publishing rule a repeated number of times (I've lost count how many) and applying the update from knowledge base article http://support.microsoft.com/kb/916106/. There was a large pause after applying the update and a lot of clicking around before we tried the repeated rule. When we attempted a browser connection, it suddenly worked. I actually think the knowledge base update was the miraculous solution as we tried everything else on many separate occasions.

This is working now but not using secure web publishing. I know this will not work from the documents I have read as we are using wildcard certificates. I am very surprised that Microsoft haven't told me this yet but maybe they will soon.

The next stage of this ever so frustrating story is to configure ISA so that OWA allows connections. This NEEDS to use bridging but it will mean that the wildcard certificate at the ISA 2004 end needs to be utilised as the secure part of the bridge. The accepted traffic should then be forwarded to our e-mail server but not over SSL (we do not have a certificate on this server). We are going to troubleshoot this at 17:00 (UK time) this evening. Let's hope that Microsoft can give me a magic solution this evening and that we can also get a definitive answer from them on the secure web publishing we are trying to achieve. I hope this update is helpful for fellow posters. Phil.
RE: SSL-Tunneling - 28.Feb.2007 3:34:37 AM
philcollins99
Posts: 44
Joined: 27.Sep.2006
Status: offline
The latest update in the saga is as follows: On Monday evening our aim was to configure OWA. When we made our ISA 2004 server live and took our ISA 2000 server offline (disabled and re-enabled the network cards), we found that the secure server publishing rule was no longer working. The only changes we had made since taking the server offline were pertaining to rules to allow OWA. Microsoft support in the US have now taken this call due to time zone restrictions. We have now deleted the secure server publishing rule and any rules that were similar even though they were disabled. We have also removed a disabled network rule as it wasn't being used.

I raised some questions to the Microsoft support person with regard to ISA 2006. He advised that Microsoft recommend this as a solution over ISA 2004. I guess this isn't a surprising answer in itself. I've asked for permission to upgrade to ISA 2006 immediately once we have a solution with ISA 2004. This way we will avoid any similar headaches that we have observed recently. I will update when we finally get this working. Phil.
RE: SSL-Tunneling - 5.Mar.2007 11:58:51 AM
philcollins99
Posts: 44
Joined: 27.Sep.2006
Status: offline
Hi Stefan, I'm sure you will be very very pleased to hear that we managed to get our ISA 2004 server working. In fact we are live now!!! The final step in the saga was quite a strange one to be honest as my testing had been successful with pretty much an exact replica of the live set up. The only thing that was very obviously different was the certificates having valid CAs in the live set up (the certificates in the testing environment were self-certified). Anyway, the final steps were to clear out the hosts file entries on the ISA server and on the web servers, and the magical piece of troubleshooting was to UNINSTALL IIS. I am still not 100% convinced that this was 100% necessary but these things combined solved the problems I had been experiencing. I also cleared the DNS cache on my servers (ipconfig /flushdns). Thank you for all of your help Stefan and I really have learned so much from this post. Phil.