Wildcard Certificate
Wildcard Certificate - 24.May2006 4:21:49 PM
brigettabrannon
Posts: 13
Joined: 6.Mar.2006
Has anyone deployed a wildcard certificate for use with ISA? We are looking into this, but I've not found much information on it. Thanks, Brigetta
RE: Wildcard Certificate - 24.May2006 8:54:34 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Brigetta, from http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/faq-publish.mspx:

quote:
Q. Publishing fails when I publish a secure Web server and present a wildcard certificate. For example, when I publish myserver.adomain.com and present a wildcard certificate *.adomain.com, publishing fails. Why?
A. This is by design. ISA Server can use a wildcard certificate on a listener, but will not accept a wildcard certificate from a published website.

HTH, Stefaan
RE: Wildcard Certificate - 25.May2006 5:57:47 PM
brigettabrannon
Posts: 13
Joined: 6.Mar.2006
Thanks for the follow-up. It does make sense, but... This means that I publish the wildcard cert on the HTTPS listener, but what happens for the websites? Do they NOT need a cert? The cert is just "taken care of" with the listener? Thanks again. Brigetta
RE: Wildcard Certificate - 25.May2006 7:52:55 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Brigetta, that means that you can bind a wildcard certificate *.domain.tld to the ISA HTTPS listener. If the clients accessing that listener do support a wildcard certificate, then it should work. As far as I know, all popular browsers do support such a certificate. Take note that there can be clients who don't support that. There are at least two Microsoft clients I work with that do *not* support a wildcard certificate:
- the RPC/HTTP component in Windows XP SP2 used by Outlook 2003.
- ISA server itself as a web client of a web server.

It should be obvious that the latter is always the case in an HTTPS - HTTPS bridging scenario. This happens to be the most common secure web publishing scenario because it doesn't break the trust relation the user expects by using an HTTPS resource. In other words, if you are publishing a secure website through HTTPS - HTTPS bridging, the web server itself can *not* have a wildcard certificate bound to it. It must be a regular certificate such as www.domain.tld. HTH, Stefaan
RE: Wildcard Certificate - 31.May2006 11:07:35 PM
brigettabrannon
Posts: 13
Joined: 6.Mar.2006
Stefaan, sorry to be a pain, but here's another question in this realm: Is it true that in order to use more than one SSL site going through ISA, I MUST have a wildcard certificate? We had a contractor give us this information, but we're a bit confused now. Also, by putting a wildcard on the HTTPS listener, do my websites NOT need a separate certificate? Many thanks! Brigetta
RE: Wildcard Certificate - 3.Jun.2006 5:23:18 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Brigetta, ISA server supports only *one* certificate per SSL listener (aka IP + port pair). The reason for this limitation is quite simple: when the client sends the "CLIENT HELLO", the server is expected to send back a server certificate. However, the "CLIENT HELLO" does not contain any indication of the name of the server that the client is interested in. This indication appears only in the Host header of the HTTP request, sent only *after* the SSL handshake has already been established. Therefore the server has no choice but to return a single server certificate per listener, which is the only thing it "knows" before receiving the HTTP request.

So, if you have only one SSL listener (aka IP + port pair) and you want to publish multiple HTTPS websites, then you have no choice but to use a wildcard certificate. However, if you can configure multiple SSL listeners because you have multiple IP addresses bound to the ISA external interface, then a wildcard certificate is not required and you can use a normal certificate per SSL listener.

Now, regardless of what is used on the SSL listener on ISA, the websites you want to publish must have a normal certificate because the ISA server as client does not support a wildcard certificate. HTH, Stefaan
RE: Wildcard Certificate - 7.Jun.2006 11:43:10 PM
tpgbrennan
Posts: 5
Joined: 9.Feb.2006
Hi Brigetta, if you have a single IP address for the ISA server, get a wildcard cert for the ISA server: *.domain.com. Use a standard cert on the backend web servers: web.domain.com, outlook.domain.com, web2.domain.com, etc. As long as the client is looking for a site that ends in domain.com it should work fine. You only need the one wildcard cert on the ISA server, but each individual web site you publish also needs its own standard cert.
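The constraints Stefaan and tpgbrennan describe (one certificate per listener IP+port pair, a wildcard covering the public names, a regular certificate on every bridged back end) as an added planning check; this is example code written for this page, not ISA Server's own logic, and the listener IPs, host names and the constructed sample plan are assumptions. The wildcard rule implemented here is the usual browser one: the `*` must be the whole leftmost label and covers exactly one label, so "ends in domain.com" is slightly too generous.

```python
from dataclasses import dataclass

def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Browser-style name check: a wildcard is only accepted as the whole
    leftmost label and covers exactly one label, so *.domain.tld matches
    www.domain.tld but neither domain.tld nor a.b.domain.tld."""
    cert_name, hostname = cert_name.lower().rstrip("."), hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    cl, hl = cert_name.split("."), hostname.split(".")
    if len(cl) < 3 or "*" in cl[1:]:
        return False  # refuse "*.tld" and wildcards in non-leading labels
    return len(hl) == len(cl) and hl[1:] == cl[1:]

@dataclass(frozen=True)
class Site:
    public_name: str    # name the browser connects to on the ISA listener
    listener_ip: str    # ISA external IP of the SSL listener (constructed)
    listener_port: int
    listener_cert: str  # the one certificate bound to that IP+port pair
    backend_name: str   # name ISA itself connects to (HTTPS-HTTPS bridging)
    backend_cert: str   # certificate on the internal web server

def check_publishing(sites):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, cert_per_listener = [], {}
    for s in sites:
        key = (s.listener_ip, s.listener_port)
        bound = cert_per_listener.setdefault(key, s.listener_cert)
        if bound != s.listener_cert:
            problems.append(f"{s.public_name}: listener {key} already has {bound}, "
                            f"cannot also bind {s.listener_cert} (one cert per IP+port)")
        if not hostname_matches(s.listener_cert, s.public_name):
            problems.append(f"{s.public_name}: not covered by listener cert {s.listener_cert}")
        if s.backend_cert.startswith("*."):
            problems.append(f"{s.public_name}: backend cert {s.backend_cert} is a wildcard; "
                            "ISA acting as web client does not accept it")
        elif s.backend_cert.lower() != s.backend_name.lower():
            problems.append(f"{s.public_name}: backend cert {s.backend_cert} "
                            f"does not match backend name {s.backend_name}")
    return problems

# Constructed sample plan: one external IP, wildcard on the listener, regular
# certificates on the back ends, plus two deliberate mistakes at the end.
SAMPLE_PLAN = [
    Site("web.domain.com", "203.0.113.10", 443, "*.domain.com", "web.domain.com", "web.domain.com"),
    Site("outlook.domain.com", "203.0.113.10", 443, "*.domain.com", "outlook.domain.com", "outlook.domain.com"),
    Site("mail.outlook.domain.com", "203.0.113.10", 443, "*.domain.com", "mail.domain.com", "mail.domain.com"),
    Site("web2.domain.com", "203.0.113.10", 443, "*.domain.com", "web2.domain.com", "*.domain.com"),
]

if __name__ == "__main__":
    for problem in check_publishing(SAMPLE_PLAN):
        print(problem)
```

Later TLS stacks send the requested host name in the Server Name Indication extension of the ClientHello, which lifts the one-certificate-per-IP+port limit where both sides support it; the check above models the 2006-era behaviour the thread describes.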
RE: Wildcard Certificate - 12.Jun.2006 6:18:35 PM
brigettabrannon
Posts: 13
Joined: 6.Mar.2006
Thanks for all of your help folks. This has been a source of contention in our approach, but you've enlightened me! Brigetta
RE: Wildcard Certificate - 23.Jun.2006 1:44:28 PM
ringram
Posts: 5
Joined: 26.Jan.2002
From: London, UK
Sorry, answered my own post 5min later. Ignore.
< Message edited by ringram -- 23.Jun.2006 2:32:24 PM >