As we are using Split DNS, the internal FQDN for OWA points to the Virtual IP Address of the Internal ISA Interface.
However, when it comes to creating the Web Listener we can't bind the Private SSL Certificate to the Virtual IP of the Internal interface.
In the Web Listener Configuration -> "Select Certificate" it lists 2 identical certificates issued by the internal CA.
Selecting the first certificate it says "correctly installed on ISA-Server-1" but the certificate can't be found on ISA-Server-2. Selecting the second certificate it says "correctly installed on ISA-Server-2" but the certificate can't be found on ISA-Server-1.
As a result we can't bind a valid certificate to the Virtual IP of the Internal Network. Using the 2 primary IP Addresses of the ISA Server rather than the Virtual IP works and we can bind the certificate installed to the corresponding ISA Server.
However, we need to bind the certificate to the Virtual IP used in NLB rather than to the Server individually.
Hi,

1. you must install the internal and external cert to all ISA Nodes.
2. careful with the cn Name in the UCC SAN Cert.
3. make two listeners and 3 roles for internal and 3 for external (copy and change the listener)
> 1. you must install the internal and external cert to all ISA Nodes.

Yes, I've done that using the internal CA for the private cert (http://server/certsrv)

> 2. careful with the cn Name in the UCC SAN Cert.

Okay, I've got the correct entry/order here...

> 3. make two listeners and 3 roles for internal and 3 for external (copy and change the listener)

I've created a listener for the Internal Interface which is used in the OWA publishing rule.
However, this works fine if I bind the private certificate to the primary IP Address of the ISA Server but I still can't bind it to the ISA NLB Virtual IP.
The Virtual IP is actually the one I would like to use as you would set up DNS to point to owa.domain.com (= Virtual IP of Internal NLB) rather than creating 2 records in DNS pointing to the ISA Server directly.
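To verify step 1 of the reply above (the same certificate, with its private key, present on every array node) before touching the listener, here is an added PowerShell check that is not from the thread. It assumes PowerShell Remoting is enabled on both nodes, the node names ISA-Server-1 and ISA-Server-2 from the thread, and a listener subject of CN=owa.domain.com; adjust $Nodes and $Subject as needed.

```powershell
# Added example, not from the thread: list the certificate candidates for the OWA
# listener in each ISA node's machine store and flag any that is not present on
# every node. Node names and subject are assumptions taken from the thread.
$Nodes   = 'ISA-Server-1', 'ISA-Server-2'
$Subject = 'CN=owa.domain.com'

# Collect matching certificates from the LocalMachine\My store of each node.
$found = Invoke-Command -ComputerName $Nodes -ArgumentList $Subject -ScriptBlock {
    param($subj)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "$subj*" } |
        Select-Object @{ n = 'Node'; e = { $env:COMPUTERNAME } },
                      Thumbprint, NotAfter, HasPrivateKey
}

$found | Sort-Object Thumbprint, Node | Format-Table -AutoSize

# Two certificates with the same subject but different thumbprints are two
# different certificates; the listener can only use one that exists on all nodes.
$found | Group-Object Thumbprint | ForEach-Object {
    $onNodes = $_.Group | Select-Object -ExpandProperty Node | Sort-Object -Unique
    $missing = Compare-Object -ReferenceObject $Nodes -DifferenceObject @($onNodes) |
               Select-Object -ExpandProperty InputObject
    if ($missing) {
        Write-Warning ("Certificate {0} is missing on: {1}" -f $_.Name, ($missing -join ', '))
    } elseif ($_.Group | Where-Object { -not $_.HasPrivateKey }) {
        Write-Warning ("Certificate {0} has no private key on at least one node" -f $_.Name)
    } else {
        Write-Host ("Certificate {0} is present with private key on all nodes" -f $_.Name)
    }
}
```

If every thumbprint is flagged as missing on one node, the two certificates were requested separately per server; the usual fix is to export the chosen one with its private key (PFX) and import that same file on the other node, so that one thumbprint exists on both.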