Welcome to ISAserver.org
SSL - Certificate missing
SSL - Certificate missing - 11.May2001 1:28:00 AM

Kb575
Posts: 29
Joined: 7.May2001
From: Canberra,ACT,Australia
Status: offline

I've tried for a little help in the Firewall general issues, with no luck, but this seems to be a more specific forum, I'll try my luck here... (Cheers to isaserver.org for the ever expanding support) Before I go on, prior to installing an ISA Server firewall I had no problems with the SSL web server. I'm trying to publish an SSL site in a DMZ behind ISA. I have successfully installed the Thawte Server certificate on the firewall, and under incoming request on the Array I have selected the certificate. I followed the instructions from the tutorial and ran the web publishing wizard, but when I go to select the certificate under the web publishing rule, it states that there are no certificates installed. And hence no SSL site. If I turn off require SSL on the web server and connect via http: everything is fine, but it needs to be SSL. Little help..?

RE: SSL - Certificate missing - 11.May2001 8:26:00 AM

tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Kb,

Try installing the certificate on the web server, and then export it. After exporting it, import it to the ISA Server. I believe some others on these boards used this technique to get it to work. Let us know how it works! Thanks!

Tom
------------------
Tom Shinder
http://www.isaserver.org/shinder/

RE: SSL - Certificate missing - 11.May2001 8:47:00 AM

Kb575
Posts: 29
Joined: 7.May2001
From: Canberra,ACT,Australia
Status: offline

Tom, That's actually how I got the certificate onto the machine in the first place; however, I've just got your book and reading thru there are a number of problems trying to do what I want, so I might try again from the start with the book's help. Your recommendation in the book is essentially away from the DMZ and I agree, and I don't need the functionality it would provide anyway. It would be nice to remove the net traffic from my internal network, but we're going to be upgrading the network infrastructure shortly and this won't be as big an issue. May I say that I have way too many of these types of books (tech manuals) but yours is a refreshing change in that regardless of how insignificant the situation...(three homed dmz) you still devoted several pages to it. Thanks again for the response and I'll let you know how I go when I get around to restructuring the network for a standard setup. Cheers

RE: SSL - Certificate missing - 13.May2001 1:56:00 AM

tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Kb,

Thanks for the kind words about the book. Let us know how it goes when you've got things reconfigured. Thanks!

Tom
------------------
Tom Shinder
http://www.isaserver.org/shinder/

RE: SSL - Certificate missing - 14.May2001 8:26:00 AM

Kb575
Posts: 29
Joined: 7.May2001
From: Canberra,ACT,Australia
Status: offline

Tom and Others, Have gone back to an internal network only and followed the procedures for publishing a website and bridging SSL connections from Chapter 10. But I'm getting the following error when connecting to services that use SSL.

500 Internal Server Error - The target principal name is incorrect. (-2146893022) Internet Security and Acceleration Server

So for http://mydomain.com/index.htm I get the page. But for https://mydomain.com/index.htm I get the error above... This is the same as when I was publishing from a DMZ... The book doesn't show a certificate under the web publishing rule, is this correct..? I can't see a certificate from here anyway, but it seems like I may need it here.. Cheers in advance

RE: SSL - Certificate missing - 15.May2001 10:22:00 AM

tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Kb,

I have seen this error before the configuration change "takes" on the ISA Server. I had to restart the services or restart the ISA Server to get it to work properly.

HTH,
Tom
------------------
Tom Shinder
http://www.isaserver.org/shinder/

RE: SSL - Certificate missing - 16.May2001 12:49:00 AM

Kb575
Posts: 29
Joined: 7.May2001
From: Canberra,ACT,Australia
Status: offline

Cheers again Tom, I'm pretty sure it's been restarted since but I'll restart again this weekend, and do the certificate export again and see..

RE: SSL - Certificate missing - 18.May2001 2:49:00 AM

rg
Posts: 3
Joined: 18.May2001
From: hb,ca,usa
Status: offline

I am also getting this error and another user in this message board on May 17th is reporting this same problem. rg

RE: SSL - Certificate missing - 18.May2001 2:54:00 AM

rg
Posts: 3
Joined: 18.May2001
From: hb,ca,usa
Status: offline

quote: Originally posted by Kb575: Tom and Others, (500 Internal Server Error - The target principal name is incorrect. (-2146893022) Internet Security and Acceleration Server)
This is the exact error that I have been receiving. http is fine but https produces this error.
quote: (The book doesn't show a certificate under the web publishing rule, is this correct..? I can't see a certificate from here anyway, but it seems like I may need it here..)
This is the problem I have. I am assuming that this cert under the publishing rule is acting as a personal cert if this is in use on the web server side.

rg

RE: SSL - Certificate missing - 24.May2001 6:59:00 AM

tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Guys,

One thing I need to know is where is the certificate installed and where is the SSL connection being terminated? It works both ways, but I've found that the dreaded error message that you see comes up when you terminate at the ISA Server Inbound Web Requests listener interface. I have seen the same error, which most often happens before the machines or services have been restarted. I have also seen this error on a site that was working, then I stopped it, then started it again. I assumed, for the book, that it was a bug, and something that will be fixed with the first ISA Server service pack. But I didn't want to come right out and say that in the book, because it would be dating it.

Tom
------------------
Tom Shinder
http://www.isaserver.org/shinder/

RE: SSL - Certificate missing - 24.May2001 7:22:00 AM

Kb575
Posts: 29
Joined: 7.May2001
From: Canberra,ACT,Australia
Status: offline

tom,

RE: SSL - Certificate missing - 24.May2001 7:25:00 AM

Kb575
Posts: 29
Joined: 7.May2001
From: Canberra,ACT,Australia
Status: offline

Tom, whoops... Anyway, in response to your question. The Thawte server certificate is installed on the Web server and on the Incoming requests ip for the ISA Server. It is not however able to be selected on the web publishing section. I wish the ssl connection to pass right thru to the web server as it requires client certificates to be verified on the web server. I can get ssl to work in the case where I terminate the SSL at the isa firewall, and pass http only requests to the web server, but it means I cannot require client certificates at the web server...Does this answer your question...?? Thoughts....??? Cheers

RE: SSL - Certificate missing - 30.May2001 5:46:00 PM

PeterE
Posts: 4
Joined: 25.May2001
From: DENMARK
Status: offline

I have seen this problem as well. This Q article describes the steps you need to perform to use an SSL certificate on the ISA in reverse hosting. http://support.microsoft.com/support/kb/articles/q292/5/69.asp I hope it helps

\Peter

RE: SSL - Certificate missing - 31.May2001 1:15:00 AM

Kb575
Posts: 29
Joined: 7.May2001
From: Canberra,ACT,Australia
Status: offline

Thanks for the info Peter. I can actually get this to work and have gone thru the steps in this article, however, I require client certificates with one of the apps on the web Server and the CA for that app is on the web server also, so I need to require client certs at the web server in order to check their validity. If I'm only running http from the isa server to the web server, when the web server executes the request for a client certificate it's not running under ssl and fails in the code. I need to pass the ssl right thru to the server.

RE: SSL - Certificate missing - 31.May2001 8:19:00 PM

tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline

quote: Originally posted by Kb575: Thanks for the info Peter. I can actually get this to work and have gone thru the steps in this article, however, I require client certificates with one of the apps on the web Server and the CA for that app is on the web server also, so I need to require client certs at the web server in order to check their validity. If I'm only running http from the isa server to the web server, when the web server executes the request for a client certificate it's not running under ssl and fails in the code. I need to pass the ssl right thru to the server.

Hi Kb,

Do you have the client certificates installed on the clients that need to tunnel through the ISA Server? Thanks!

Tom
------------------
Tom Shinder
http://www.isaserver.org/shinder/

RE: SSL - Certificate missing - 31.May2001 8:25:00 PM

tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline

quote: Originally posted by Kb575: Tom, whoops... Anyway, in response to your question. The Thawte server certificate is installed on the Web server and on the Incoming requests ip for the ISA Server. It is not however able to be selected on the web publishing section. I wish the ssl connection to pass right thru to the web server as it requires client certificates to be verified on the web server. I can get ssl to work in the case where I terminate the SSL at the isa firewall, and pass http only requests to the web server, but it means I cannot require client certificates at the web server...Does this answer your question...?? Thoughts....??? Cheers

Hi Kb,

As noted in this thread, you can terminate the connection at the ISA Server by installing the certificate on the appropriate Inbound Web Requests listener and using Web Publishing Rules. Or, you can terminate the SSL connection on the web server by using Server Publishing rules. However, you cannot use Web Publishing and terminate the SSL connection at the web server. You *can* create a *new* SSL connection between the ISA Server and the Web Server, but that represents a second secure tunnel, and not the original one from the web client and the web server.

HTH,
Tom
------------------
Tom Shinder
http://www.isaserver.org/shinder/
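
Added example (not part of the original thread and not ISA Server code): the number in the error quoted in this thread, -2146893022, is the signed form of the Windows HRESULT 0x80090322 (SEC_E_WRONG_PRINCIPAL), which SSPI returns when the name a TLS client asked for does not match the certificate the server presented. On the second SSL connection described above the firewall is that client, so this sketch decodes the code and checks a certificate's names against the host name used for that connection; the function names, `CERT_NAMES` and the internal host names are constructed assumptions.

```python
# Added example: sample names and values below are constructed, not from the thread.

def decode_hresult(signed_code):
    """Split the signed decimal shown on the error page into HRESULT fields."""
    value = signed_code & 0xFFFFFFFF          # reinterpret as unsigned 32-bit
    return {
        "hex": f"0x{value:08X}",
        "failure": bool(value >> 31),         # severity bit
        "facility": (value >> 16) & 0x7FF,    # 9 = FACILITY_SSPI
        "code": value & 0xFFFF,
    }

def name_matches(cert_name, host):
    """Compare one certificate name with the host name the client asked for.

    A wildcard is honoured only as the entire leftmost label; it never
    spans dots and a bare two-label pattern such as *.com is rejected.
    """
    pat = cert_name.lower().rstrip(".").split(".")
    req = host.lower().rstrip(".").split(".")
    if len(pat) != len(req) or "" in pat:
        return False
    if pat[0] == "*":
        return len(pat) > 2 and pat[1:] == req[1:]
    return pat == req

def check_backend_name(cert_names, redirect_host):
    """Return the certificate names that cover redirect_host (empty = mismatch)."""
    return [n for n in cert_names if name_matches(n, redirect_host)]

# Constructed scenario: the certificate was issued for the public name, while
# the firewall's own connection addresses the server by an internal name or IP.
CERT_NAMES = ["www.mydomain.com"]

if __name__ == "__main__":
    print(decode_hresult(-2146893022))
    for host in ("www.mydomain.com", "webserver01", "10.0.0.5"):
        ok = check_backend_name(CERT_NAMES, host)
        print(f"{host:18} -> {'match' if ok else 'name mismatch'}")
```
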

RE: SSL - Certificate missing - 3.Jul.2001 11:41:00 AM

hanchong
Posts: 9
Joined: 3.Jul.2001
From: Kuala Lumpur, Malaysia
Status: offline

quote: Originally posted by tshinder: Hi Kb, As noted in this thread, you can terminate the connection at the ISA Server by installing the certificate on the appropriate Inbound Web Requests listener and using Web Publishing Rules. Or, you can terminate the SSL connection on the web server by using Server Publishing rules. However, you cannot use Web Publishing and terminate the SSL connection at the web server. You *can* create a *new* SSL connection between the ISA Server and the Web Server, but that represents a second secure tunnel, and not the original one from the web client and the web server. HTH, Tom

Hi Tom, Just one more question. What are the exact steps to set up the new SSL connection from the ISA to the internal web server then?

RE: SSL - Certificate missing - 4.Jul.2001 5:51:00 AM

sfaryu
Posts: 84
Joined: 1.Feb.2001
From: Los Angeles, CA, USA
Status: offline

I would like to know the steps also. I want to terminate the SSL request at the Web Server so I don't have to install the certificate on the ISA server. Someone told me that I don't have to install the certificate on the ISA and got it to work. I would like to only install the SSL certificate on the web server and not on the ISA. Does this way work, Tom?

RE: SSL - Certificate missing - 4.Jul.2001 5:55:00 AM

Kb575
Posts: 29
Joined: 7.May2001
From: Canberra,ACT,Australia
Status: offline

Sfaryu, In my many postings to this group and thru the purchase of the book, all is not as easy as it seems. I have left this project sit for a while, but about three posts up it gives you a clue. You terminate the SSL connection at the ISA server with Web publishing or you can terminate it on the web server with server publishing. Again I state I haven't got this working yet, but more thru lack of effort than it not working. I have turned my attentions to other things.. If you have access to the book, the section on server publishing is very detailed and should help you get the job done. Post here with your success/failure.