Welcome to ISAserver.org
Unsigned certificates on isa server

Unsigned certificates on isa server - 21.Nov.2003 9:26:00 AM
stuartbe
Posts: 14
Joined: 21.Nov.2003
From: Luton
** Please help a poor nearly bald admin **
I have a small network that I maintain for an engineering company. They have a Cisco router connecting to the net via a static IP ADSL line. Behind the router is an ISA server that is running in cache mode with two interfaces - one goes to the router and one goes to a large switch. This company runs a web based database on a machine inside the network connected to the switch. Users are only allowed out via the ISA server. The router has a substandard port set up to forward external web page requests to the above web server. A while ago somebody managed to get the username and password of a user and scrubbed half the database. I suspect that the information was sniffed as the web server only supports HTTP and not HTTPS. The company have now asked me to set up an HTTPS connection to the web server for external access. They do not want to purchase an SSL certificate as only company users will access the server from outside.
My problem is that I cannot get ISA server to see the certificate. I made a self signed certificate using certificate server on another 2000 server box. The ISA server is a member server. I have imported the cert and the private key to the ISA server machine but ISA refuses to see it. I have followed both your walkthroughs and all the Microsoft ones but can get no further. I suspect it may be due to the fact that the cert is self signed.
When I go into the ISA server console and try to add a listener, ISA complains that there are no certificates installed despite the fact the cert shows on the certificates snap-in under personal.
My apologies for the long post but I wanted to make sure I got all the details down.
I would be very very grateful for any help with resolving this.
Thanks.

RE: Unsigned certificates on isa server - 21.Nov.2003 11:22:00 AM
pinball
Posts: 188
Joined: 8.Jul.2002
From: Dundee, Scotland
Hi Stu the pot,
When you are looking at the certificate snap-in, are you looking at the user account or the computer account? The certificate needs to be under the personal folder of the computer account.
HTH.

RE: Unsigned certificates on isa server - 21.Nov.2003 11:24:00 AM
stuartbe
Posts: 14
Joined: 21.Nov.2003
From: Luton
Hi pinball
When I added the snap-in to the MMC I selected computer account. The cert is under the personal folder.

RE: Unsigned certificates on isa server - 21.Nov.2003 11:27:00 AM
pinball
Posts: 188
Joined: 8.Jul.2002
From: Dundee, Scotland
Hi Stu,
Have you rebooted the server since importing the certificate?

RE: Unsigned certificates on isa server - 21.Nov.2003 11:29:00 AM
stuartbe
Posts: 14
Joined: 21.Nov.2003
From: Luton
yes m8
I restarted the services first and then rebooted.

RE: Unsigned certificates on isa server - 21.Nov.2003 11:37:00 AM
pinball
Posts: 188
Joined: 8.Jul.2002
From: Dundee, Scotland
Hi Stu,
When you imported the certificate, did you 'Mark the private key as exportable'?

RE: Unsigned certificates on isa server - 21.Nov.2003 11:43:00 AM
stuartbe
Posts: 14
Joined: 21.Nov.2003
From: Luton
Hi Pinball
Yes I did. I have followed the guide carefully. Everything seems to be in the right place but ISA refuses to see the certificate.

RE: Unsigned certificates on isa server - 21.Nov.2003 11:49:00 AM
pinball
Posts: 188
Joined: 8.Jul.2002
From: Dundee, Scotland
Hi Stu,
As you say, everything seems to have been done right. The only other thing that I can think of: when you created the certificate, did you include Server Authentication in the Intended Purposes? You can check this using the certificate snap-in.
If you did I am stumped, sorry.
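
The checks raised in the thread up to this point (computer account Personal store, private key present, Server Authentication among the intended purposes) can be run in one pass. This is an added example, not part of any poster's reply; it assumes a current Windows version with PowerShell's `Cert:` drive rather than the Windows 2000 machines in the thread, and it also reports whether the issuer chain is trusted by the machine.

```powershell
# Added example: audit the computer account's Personal store for certificates
# that could be bound to an SSL listener. Run from an elevated session.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Locate the Enhanced Key Usage extension, if the certificate has one.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }

    # A certificate with no EKU extension is valid for all purposes.
    $serverAuth = if ($null -eq $ekuExt) { $true } else {
        @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid
    }

    # Build the chain without revocation checking to see whether the issuer
    # (or the certificate itself, if self-signed) is trusted by this machine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainTrusted = $chain.Build($cert)
    $chainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey          # must be True for a listener
        ServerAuth    = $serverAuth                  # Intended Purposes check
        InValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        ChainTrusted  = $chainTrusted
        ChainStatus   = $chainStatus                 # e.g. UntrustedRoot
    }
} | Format-Table -AutoSize
```

A certificate that appears in the snap-in but shows `HasPrivateKey` as False was imported without its key, and one that only appears under `Cert:\CurrentUser\My` is in the user account store rather than the computer account store.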

RE: Unsigned certificates on isa server - 21.Nov.2003 11:56:00 AM
stuartbe
Posts: 14
Joined: 21.Nov.2003
From: Luton
When the cert was created it had all functions enabled. When I imported it I selected all the options as per the advice from Microsoft.
I am convinced that I am having a blond moment and missing something real simple. ISA is in cache mode and not firewall or infr. You don't think that this is anything to do with it, do you?

RE: Unsigned certificates on isa server - 21.Nov.2003 12:05:00 PM
pinball
Posts: 188
Joined: 8.Jul.2002
From: Dundee, Scotland
Hi Stu,
Using Cache Mode may be the cause of the problem; however, I have never installed/used ISA Server in Cache Mode, so I can't be certain.
Anyway hope you get it sorted.

RE: Unsigned certificates on isa server - 21.Nov.2003 12:15:00 PM
stuartbe
Posts: 14
Joined: 21.Nov.2003
From: Luton
Thanks Pinball
If you do have any other ideas let me know.
Thanks for your help.

RE: Unsigned certificates on isa server - 21.Nov.2003 9:32:00 PM
jmunyan
Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
I haven't done much at all with importing certs to ISA or otherwise registering them in a local store. My solution to these situations is to take the certificate (no matter how it is generated, etc.) and import it to the web server itself. This can easily be done either with the Certserver way, or the way I prefer: generate a request, use the free VeriSign enrollment and complete it that way (though you will probably prefer the Cert Server route since it is trusted for cert issuance I suppose and won't prompt clients). Then bridge the connection through ISA. Probably not the solution you are looking for, but it is the way I handle these situations.
John

RE: Unsigned certificates on isa server - 21.Nov.2003 9:37:00 PM
stuartbe
Posts: 14
Joined: 21.Nov.2003
From: Luton
Thanks jmunyan
But my main problem is that the web server they are using is not compatible with HTTPS. This is why piping the HTTPS requests via ISA server seemed the ideal solution.
It doesn't bother me that the cert is not signed as the site is only for company staff anyway.
I can get everything in isa working and configured apart from this certificate problem.
Thanks jmunyan

RE: Unsigned certificates on isa server - 21.Nov.2003 9:38:00 PM
jmunyan
Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
How is the web server not compliant with HTTPS? You can't just go into it and install a cert locally?

RE: Unsigned certificates on isa server - 21.Nov.2003 9:42:00 PM
stuartbe
Posts: 14
Joined: 21.Nov.2003
From: Luton
No - it's a customer written web server - more an SQL server really and it was only written to support HTTP 1.0
:-(