TSWeb Gateway Certificate invalid
TSWeb Gateway Certificate invalid - 5.Jun.2008 11:49:08 AM
FirewallBlues
Posts: 7
Joined: 5.Jun.2008
I've got the firewall blues! Here's my scenario:
- ISA2006 with self-signed wildcard SSL cert on one listener with SSO enabled
- 1 publishing rule for OWA using SSL cert 'webmail.domain.com' (works fine)
- 1 publishing rule for TSweb using SSL cert 'tsweb.domain.com' (problem)

Single Sign-On works fine. I can log in to both sites with no problem. Once logged into TSweb from the Internet, clients try to use Remote Desktop, but get the following error:

"This computer can't connect to the remote computer because the certificate authority that generated the Terminal Services Gateway server's certificate is not valid. Contact your network administrator for assistance."

Internally, TSweb / RDP works fine. This error only occurs from the Internet. I'd really like to get this working if this is possible. Any help would be appreciated.
< Message edited by FirewallBlues -- 5.Jun.2008 11:52:01 AM >
RE: TSWeb Gateway Certificate invalid - 12.Jun.2008 1:56:36 PM
FirewallBlues
Posts: 7
Joined: 5.Jun.2008
Yes, the certs are trusted by the client PC. I'm using HTTPS to HTTPS bridging with a wildcard cert (*.mydomain.com) on the listener.

Initially, I tried using one cert (tsweb.mydomain.com) installed on both the ISA server and the TSweb server in the publishing rule. I was able to log in to TSweb, but couldn't use Remote Desktop because there was a "Terminal Services Gateway server's certificate is not valid" error (probably because the cert I used was using the public FQDN, tsweb.mydomain.com, not the server's internal FQDN, tsserver.mydomain.local).

Next, I decided to issue a new cert on the TSweb server (tsserver.mydomain.local), exported it to the ISA server and imported it into the personal certificates store. So now I have a public wildcard cert on the listener, a tsweb.mydomain.com cert in the publishing rule, AND an internal cert between the ISA server and the TS server. After logging in through ISA, the TSWeb site is no longer available. I get "500 Internal Server Error. The certificate chain was issued by an authority that is not trusted."

Is this error from the client, ISA, or TS server? All three have all of the certificates imported into the trusted authorities store and local personal stores where applicable. This SSL stuff is confusing! Should I go back to using one certificate, or am I one step closer to making this work?
< Message edited by FirewallBlues -- 12.Jun.2008 2:18:23 PM >
RE: TSWeb Gateway Certificate invalid - 12.Jun.2008 2:51:50 PM
FirewallBlues
Posts: 7
Joined: 5.Jun.2008
...continued... OK, I fixed the certificate chain error by installing the TSweb server's cert in the Trusted CAs store on the ISA server. So now I can log into TSweb again. When attempting to use Remote Desktop from TSweb, I get two login prompts. After the second login the following error occurs: "The Terminal Services Gateway server address requested and the certificate subject name do not match."
RE: TSWeb Gateway Certificate invalid - 12.Jun.2008 9:07:15 PM
tshinder
Posts: 46928
Joined: 10.Jan.2001
From: Texas
I suggest using the same certificate from end to end:
- tsg.domain.com as the common name on the ISA firewall's cert
- tsg.domain.com as the common name on the TSG cert
- On the TO tab of the publishing rule, use tsg.domain.com as the name of the server

Make sure that name resolves to the IP address used by the TSG machine. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: TSWeb Gateway Certificate invalid - 16.Jun.2008 10:25:32 AM
FirewallBlues
Posts: 7
Joined: 5.Jun.2008
I am now using the same certificate from end to end, with the exception of a wildcard certificate. I can log into TSweb, the certificate is trusted by the client computer, but when I try to use Remote Desktop, I get the same error I had before: "The computer can't connect to the remote computer because the Terminal Services Gateway server address requested and the certificate subject name do not match." Is this error because I'm using a wildcard certificate? The ISA server resolves tsg.domain.com to the internal IP address of the Gateway server.

The TSweb rule is configured as follows:
To: tsg.domain.com
Computer Name or IP address: (blank)
Requests appear to come from: ISA server
Public name: tsg.domain.com

There must be a way to get this to work with a wildcard cert!
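The thread hits two distinct certificate failures on a bridged publishing path: a hop whose certificate chains to a CA the connecting side does not trust (the "certificate chain was issued by an authority that is not trusted" 500 from ISA, fixed by installing the TSG cert in ISA's trusted store) and a hop where the name the client asked for is not covered by the certificate presented (the "server address requested and the certificate subject name do not match" error from the RDP client). The following is an added example, written for this page and not code from the thread, ISA or TS Gateway. It models each TLS hop of the path (client to ISA listener, ISA to TSG over HTTPS bridging, RDP client to TSG through the published site) and reports which check fails where. Everything in the scenario is constructed: the CA names, the hop layout, and the consistent use of mydomain.com (the posts use both domain.com and mydomain.com). Chain validation is reduced to "is the issuer a trusted root", which is enough to show the effect of a trust-store change; real validation also checks signatures, validity dates and key usage.

```python
"""Hop-by-hop certificate check for a bridged TS Gateway publishing path.

Added example, not code from the thread. Two things go wrong in the posts
above: a hop's certificate chains to a CA the connecting side does not trust,
or the name the connecting side asked for is not covered by the certificate.
Names, CA labels and the hop layout below are assumptions for illustration.
"""
from dataclasses import dataclass, field


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: exact match, or a '*.' wildcard that covers
    exactly one left-most label (so *.mydomain.com covers tsg.mydomain.com but
    not a.b.mydomain.com and not the bare mydomain.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".mydomain.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]    # what the '*' would stand for
    return bool(first_label) and "." not in first_label


@dataclass
class Cert:
    subject_cn: str
    issuer: str
    sans: list = field(default_factory=list)  # dNSName SAN entries, if any

    def names(self):
        # Clients use the SAN list when present and fall back to the CN only
        # when the certificate has no SAN extension.
        return self.sans if self.sans else [self.subject_cn]

    def covers(self, hostname: str) -> bool:
        return any(hostname_matches(n, hostname) for n in self.names())


@dataclass
class Hop:
    label: str                # which TLS connection on the bridged path
    requested_name: str       # name the connecting side asked for
    cert: Cert                # certificate the accepting side presented
    trusted_roots: frozenset  # CA names in the connecting side's root store


def check_hop(hop: Hop) -> list:
    """Problems on one hop. Issuer trust is a simplification of chain building."""
    problems = []
    if hop.cert.issuer not in hop.trusted_roots:
        problems.append("issuer not trusted")
    if not hop.cert.covers(hop.requested_name):
        problems.append("name mismatch")
    return problems


def check_path(hops) -> dict:
    """Map hop label -> problems, listing only the hops that fail."""
    result = {}
    for hop in hops:
        problems = check_hop(hop)
        if problems:
            result[hop.label] = problems
    return result


# Constructed scenario loosely following the thread (all names are assumptions).
PUBLIC_CA = "PublicWildcardCA"
INTERNAL_CA = "InternalEnterpriseCA"
wildcard = Cert("*.mydomain.com", PUBLIC_CA)
tsg_internal = Cert("tsserver.mydomain.local", INTERNAL_CA)
tsg_public = Cert("tsg.mydomain.com", PUBLIC_CA)


def before_fix():
    """ISA does not trust the TSG's internal CA, and the RDP client asks for
    the public gateway name while the TSG presents its internal name."""
    return check_path([
        Hop("client->listener", "tsweb.mydomain.com", wildcard, frozenset({PUBLIC_CA})),
        Hop("isa->tsg", "tsserver.mydomain.local", tsg_internal, frozenset({PUBLIC_CA})),
        Hop("rdp->tsg", "tsg.mydomain.com", tsg_internal, frozenset({PUBLIC_CA, INTERNAL_CA})),
    ])


def after_fix():
    """Same name and certificate end to end, as suggested in the thread:
    tsg.mydomain.com on the listener, on the TO tab and on the TSG itself."""
    return check_path([
        Hop("client->listener", "tsg.mydomain.com", tsg_public, frozenset({PUBLIC_CA})),
        Hop("isa->tsg", "tsg.mydomain.com", tsg_public, frozenset({PUBLIC_CA})),
        Hop("rdp->tsg", "tsg.mydomain.com", tsg_public, frozenset({PUBLIC_CA})),
    ])


if __name__ == "__main__":
    print("before:", before_fix())
    print("after: ", after_fix())
```

Two caveats for anyone applying this to a real deployment. First, the name the RDP client checks is the gateway name it was handed by the TSWeb page, so the certificate on the TSG must cover that name, not the TSG's internal FQDN; that is why the single end-to-end name suggested above removes the mismatch. Second, `hostname_matches` implements the general wildcard rule that browsers apply; whether the Remote Desktop client of the era this thread was written in honored a wildcard certificate for the gateway name is not settled anywhere on this page, so test that with the actual client before relying on it.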
RE: TSWeb Gateway Certificate invalid - 16.Jun.2008 2:19:19 PM
FirewallBlues
Posts: 7
Joined: 5.Jun.2008
I'd really like to get this to work with a wildcard certificate. For testing purposes, I am trying to use RD (Remote Desktop) without the wildcard cert. I don't get any errors, but now when I try to use RD, I get endlessly repeated login prompts:

These credentials will be used to connect to the following computers:
1. tsg.domain.com
2. myPC.domain.local

No matter how many times I enter my credentials (domain\username and password), the login prompt pops up again every time. I know my credentials are good and I know RD works through the ISA server, because I can RD to the TSG server directly. I can't allow users to log on to the TSG server. I need to get RD working through TSweb somehow. This is really frustrating!
RE: TSWeb Gateway Certificate invalid - 17.Jun.2008 12:53:24 PM
FirewallBlues
Posts: 7
Joined: 5.Jun.2008
I am using SSO on the ISA listener with forms-based authentication. Once authenticated, users can hit the OWA server or TSWeb server. When attempting to use Remote Desktop from TSWeb, users are prompted with a Windows login box. On the TSG server, I have "Use HTTPS-HTTP bridging" turned on. Should I turn it off? Should I turn off SSO on the ISA server?
RE: TSWeb Gateway Certificate invalid - 18.Jun.2008 12:05:56 PM
tshinder
Posts: 46928
Joined: 10.Jan.2001
From: Texas
You should be using SSL to SSL bridging, as I don't think the TSG will support SSL offload. Also, make sure that the Web Publishing Rule that the RDP/SSL client is using does not require authentication at the ISA Firewall. Also, that rule should be created using the Exchange Rule Wizard, using the RPC/HTTP option. HTH, Tom
RE: TSWeb Gateway Certificate invalid - 19.Jun.2008 6:13:28 PM
FirewallBlues
Posts: 7
Joined: 5.Jun.2008
Thank you for all your help, Tom. I added the Exchange publishing rule for the TSweb gateway RPC site, passing authentication on to the gateway server (I am no longer logging in to ISA to get to the TSweb site). I still had the same problem where I am repeatedly asked for credentials when trying to use Remote Desktop from TSweb. On the RPC site, I had "Require SSL" with Basic authentication. I enabled Windows authentication also, and was finally able to connect!

It's too bad that credentials can't be passed by ISA (or can they?) using ISA forms authentication / SSO. Microsoft's documentation seems to be insufficient. Do you have a step-by-step article on this topic? If not, I will post the configuration next week if I can figure it out. Perhaps I could turn forms auth / SSO back on to allow users to log in to both TSweb and OWA, then add another rule to redirect 3389 traffic to another IP address / listener which will pass the authentication directly to the Gateway server.