Web certificate
Web certificate - 7.Sep.2006 6:04:33 PM
yba02
Posts: 37
Joined: 7.Sep.2006
Status: offline
Hi, ISA 2k4 and Exchange 2k3 are on 2 different boxes. I want to publish Ex through ISA using OWA. To secure connections, I would install a certificate but only on ISA. Thus client-ISA connection is secure but ISA-Ex connection is not. Is this technically possible? If yes, what authentication on Ex IIS to use, basic? What about Integrated, possible? Thanks Yba
RE: Web certificate - 8.Sep.2006 2:25:35 AM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
It is possible, but I NEVER recommend this unsecure configuration. Why don't you want to use secure SSL to SSL bridging? Is this a pen-test setup? Thanks! Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Web certificate - 9.Sep.2006 2:45:35 PM
yba02
Posts: 37
Joined: 7.Sep.2006
Status: offline
Hi, Thanks Tom. Two things:
1 - The reason for me to leave ISA-Ex comms unsecure is that I'm uncertain how my LAN Outlook users may be affected. If nothing more is required on Outlook, then I will certainly install the cert on Ex then ISA, as recommended.
2 - I was planning to install certificate services on either ISA or Exchange boxes so to make either a CA. Then, someone recommended buying a known CA certificate as it would be easier to recognize on those hotel or internet cafe PCs, when my away users need OWA. What do you think?
Thanks Yba
RE: Web certificate - 9.Sep.2006 4:56:29 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Y, Inline...
1 - The reason for me to leave ISA-Ex comms unsecure is that I'm uncertain how my LAN Outlook users may be affected. If nothing more is required on Outlook, then I will certainly install the cert on Ex then ISA, as recommended.
TOM: There will be no effect at all on the Outlook clients.
2 - I was planning to install certificate services on either ISA or Exchange boxes so to make either a CA. Then, someone recommended buying a known CA certificate as it would be easier to recognize on those hotel or internet cafe PCs, when my away users need OWA. What do you think?
TOM: Install it on the Exchange Server and make it an enterprise CA. If you're not requiring security, you can use a commercial certificate and not force authentication.
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Web certificate - 9.Sep.2006 6:28:44 PM
yba02
Posts: 37
Joined: 7.Sep.2006
Status: offline
Well Tom, Can you elaborate a bit on your second reply. Here is what I miss: If I want to save a remote user the annoyance of the popping up CA certificate mistrust dialogue, why would I make my own unknown CA? And, why Enterprise, since I only need a web certificate? Moreover, in what way is a commercial certificate less secure than my own? Thanks Yba
RE: Web certificate - 9.Sep.2006 7:53:54 PM
yba02
Posts: 37
Joined: 7.Sep.2006
Status: offline
Hi, Are you assuming here that the remote PC is a domain member, such as laptops? If so, that is not the case. My intention is to allow any of my users to be able to access OWA from any PC over the internet. So, again, is it local CA or known CA? Thanks Yba BTW, what is that HTH you usually end your posts with?
RE: Web certificate - 13.Sep.2006 3:41:28 AM
yba02
Posts: 37
Joined: 7.Sep.2006
Status: offline
Hi, I installed Certificate Services in the Exchange server and thus made it a CA (Stand-alone). Everything went smoothly. When I created a Cert management console, in the Local Computer Trusted Root CA certificates store, I found TWO certificates for the CA. To me, they seemed identical. I understand that something might have gone wrong for this to happen. What happened? Does that represent any potential source of a problem? Can I simply delete one, and which? Thanks Yba
RE: Web certificate - 13.Sep.2006 2:04:48 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Y, HTH = Hope This Helps. If you want anyone to connect from anywhere, and you don't want the users to be prompted because they don't trust your CA, then you should install a commercial Web site certificate to the ISA firewall. If you don't care about that warning dialog box, then you're good. If the two CA certificates are exactly the same, then you can delete one of them. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Web certificate - 13.Sep.2006 3:09:26 PM
yba02
Posts: 37
Joined: 7.Sep.2006
Status: offline
Hi, YID: Yes It Does! Further questions, if you may, please:
1 - From the Exchange server point of view, what is the difference between a web certificate and a server authentication certificate? That is, when issuing an Exchange certificate from a local CA to secure OWA, which type of certificate is issued?
2 - If a web certificate is issued to a user and stored in his Current User certificate store, what is the roaming border for that certificate? That is, using another machine in the same domain, will the user need to download the certificate again? What about a machine from another domain or workgroup?
3 - In Directory Security of the Exchange 2003 IIS default web site, in what way is a certificate request using that Directory Security different from a certificate request using a web browser?
Thanks Yba
RE: Web certificate - 15.Sep.2006 2:09:54 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Yba,
1 - From the Exchange server point of view, what is the difference between a web certificate and a server authentication certificate? That is, when issuing an Exchange certificate from a local CA to secure OWA, which type of certificate is issued?
TOM: You should bind a Web site certificate to the OWA site, using the Web Site Certificate Wizard integrated into IIS.
2 - If a web certificate is issued to a user and stored in his Current User certificate store, what is the roaming border for that certificate? That is, using another machine in the same domain, will the user need to download the certificate again? What about a machine from another domain or workgroup?
TOM: The Web site certificate is issued to a machine, not a user. The machine name is the common/subject name on the certificate, and it does not need to match the NetBIOS name of the machine. Users only need the CA certificate, and that is installed in the user machines' Trusted Root Certificate Authorities *machine* certificate store (not user store).
3 - In Directory Security of the Exchange 2003 IIS default web site, in what way is a certificate request using that Directory Security different from a certificate request using a web browser?
TOM: The integrated tool can use either an online CA or an offline CA -- the wizard will walk you through the process.
HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Web certificate - 15.Sep.2006 9:16:29 PM
yba02
Posts: 37
Joined: 7.Sep.2006
Status: offline
Hi, Thanks Tom, I am much better with that knowledge now. I guess it would be more useful if we are able to rate replies. Thanks. Yba
RE: Web certificate - 17.Sep.2006 2:51:54 AM
yba02
Posts: 37
Joined: 7.Sep.2006
Status: offline
Hi,
Hi Yba, 1 - From the Exchange server point of view, what is the difference between a web certificate and a server authentication certificate? That is, when issuing an Exchange certificate from a local CA to secure OWA, which type of certificate is issued? TOM: You should bind a Web site certificate to the OWA site, using the Web Site Certificate Wizard integrated into IIS.
That was the introduction to my question. I installed Certificate Services on Exchange 2k3 and created a Stand-alone CA. According to my humble understanding, Windows 2003 AUTOMATICALLY publishes the CA to AD if in a domain network. If this is correct, then something might have gone wrong with my configuration. This might explain why I have two identical CA certificates in the CA Trusted Root CA Certificate store, as I said in a previous post. The bottom line is, my Exchange IIS default web server is unaware of my CA, which is, for my IIS, supposed to be an online CA. Thus, the second option in creating a new certificate by sending a request immediately to an online CA is greyed out. Can you please help me figure out how to revive that second option? How can I check AD for CA awareness? If all of that is history now, can you please walk me through the other manual option of creating a new certificate? Thanks Yba
RE: Web certificate - 18.Sep.2006 10:25:25 PM
yba02
Posts: 37
Joined: 7.Sep.2006
Status: offline
Hi, Ok, I got somewhere but still not sure. Internally, it works fine. The public name (certificate common name)\exchange or \certsrv opens immediately. However, two issues:
1 - Even though the web listener is configured to use FBA, internally I only get the basic authentication dialogue. While the public FQDN is only recognized by ISA because of the hosts file entry and the ISA listener is configured to listen on internal and external NICs, isn't it that the request should go to ISA and the latter should return the FBA?
2 - Externally, it opens the FBA page and after consuming my credentials, it returns a 500 error - target principal name incorrect. I tried the Microsoft site but got nowhere.
Please help me. Thanks Yba
RE: Web certificate - 24.Sep.2006 12:27:40 AM
yba02
Posts: 37
Joined: 7.Sep.2006
Status: offline
Hi, I used a Microsoft KB to remove the CA attributes from AD. I then reinstalled the CA (on the Exchange box) as Enterprise and the second option in the IIS default web site that reads something like "send the request to an online CA" was now on and I used it. I went, in detail, through your article and found the discrepancies below. Please tell me which is fatal, in the sense that OWA will not work, and which is NR, classified as Not Recommended:
1 - In exporting the OWA certificate from IIS to file, you recommended that the option "Include all certificates in the certification path if possible" is checked and "Enable strong protection..." be unchecked. In my case, I left the default, which chose the latter option.
2 - My Exchange internal FQDN, which is used in the Web mail server text box, is DIFFERENT from the common name on the certificate, which external users will write in their internet browser. If this is FATAL, you said in that article that you would, in a future article, explain how to allow for internal and external names to be different. Is that article available now?
Thanks Yba
P. S. Since the external name is a publicly recognized FQDN, why the hosts entry in the client machine?
< Message edited by yba02 -- 24.Sep.2006 3:37:14 AM >
RE: Web certificate - 24.Sep.2006 4:44:28 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
1 - In exporting the OWA certificate from IIS to file, you recommended that the option "Include all certificates in the certification path if possible" is checked and "Enable strong protection..." be unchecked. In my case, I left the default, which chose the latter option.
TOM: the "Enable strong protection" MUST NOT be enabled.
2 - My Exchange internal FQDN, which is used in the Web mail server text box, is DIFFERENT from the common name on the certificate, which external users will write in their internet browser. If this is FATAL, you said in that article that you would, in a future article, explain how to allow for internal and external names to be different. Is that article available now?
TOM: The common/subject name on the certificate must be the same name that the external users will use to connect to the ISA Firewall. External users will use a public DNS to resolve this name. I used a HOSTS file entry on the client for the lab, but in a production environment you would use a public DNS server. The actual name of the Exchange Server and the name on the certificate do not need to be the same, and in almost all cases will not be the same.
HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Web certificate - 24.Sep.2006 11:03:43 PM
yba02
Posts: 37
Joined: 7.Sep.2006
Status: offline
Hi, It is even getting more nuts, and so am I. Now, internally, SSL OWA works with the internal Exchange FQDN. However, when using the external name (which is in the certificate) I get an error message that ISA server denied the specified URL. Any ideas? Thanks Yba
P. S. Since I posted this inquiry, I've been trying to solve the issue but reached nowhere. My public domain, which in fact has nothing to do with ISA server (as far as I know) now seems abducted by ISA server. Whenever I try to reach any lower domain in my public domain, whether the former actually exists or not, I get the same message. I even removed the OWA publishing rule, along with its listeners, and still get the same error. Is that normal? Is it something being cached somewhere? Please help TOM. Thanks
< Message edited by yba02 -- 25.Sep.2006 1:54:38 AM >
RE: Web certificate - 26.Sep.2006 1:27:55 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Yba, This error indicates that the name on the Public Name tab doesn't match the name that the external user is using to connect to the ISA Firewall's external interface. This is the same name that is on the common/subject name of the Web site certificate bound to the Web listener for the Web Publishing Rule publishing the OWA server. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
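Tom's last two replies come down to name agreement: the name external users type must be on the rule's Public Name tab (or ISA denies the URL) and must be the common/subject name of the certificate bound to the Web listener, while the Exchange server's internal FQDN may differ. As an added example, not code from this thread, ISA Server or Microsoft, the Python below models those checks against constructed host names; the wildcard and subjectAltName handling goes beyond what the thread discusses.

```python
"""Name-agreement checks for publishing OWA through an ISA Web listener.

Added example (not from the thread or any ISA tool). All host names are
constructed placeholders: owa.example.com is the public name, mail.corp.local
the internal Exchange FQDN.
"""
from dataclasses import dataclass, field
from typing import List


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; '*' only as the whole leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    plabels, hlabels = p.split("."), h.split(".")
    # The wildcard must be the entire first label, cover exactly one label,
    # and leave at least two fixed labels (so '*.com' never matches).
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


@dataclass
class ListenerCert:
    """Names carried by the certificate bound to the ISA Web listener."""
    common_name: str
    sans: List[str] = field(default_factory=list)  # DNS entries in subjectAltName

    def names(self) -> List[str]:
        # Browsers use the SAN list when present and fall back to the CN.
        return self.sans if self.sans else [self.common_name]


def check_publishing(cert: ListenerCert, public_names: List[str],
                     requested_host: str) -> List[str]:
    """Return the problems an external request for requested_host would hit."""
    problems = []
    if not any(name_matches(n, requested_host) for n in public_names):
        problems.append("rule: %s is not on the Public Name tab; ISA denies the URL"
                        % requested_host)
    if not any(name_matches(n, requested_host) for n in cert.names()):
        problems.append("cert: listener certificate names %s do not cover %s; "
                        "browser warns" % (cert.names(), requested_host))
    return problems  # empty list means the request passes both name checks


if __name__ == "__main__":
    cert = ListenerCert("owa.example.com")
    print(check_publishing(cert, ["owa.example.com"], "owa.example.com"))
    # Internal FQDN on the Public Name tab instead of the public name:
    print(check_publishing(cert, ["mail.corp.local"], "owa.example.com"))
```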