Wildcard Certificates / RPC over HTTP / FBA & Citrix SSL Relay

Wildcard Certificates / RPC over HTTP / FBA & Citri... - 7.Jan.2005 2:48:00 PM   
joggelichopf

 

Posts: 3
Joined: 7.Jan.2005
From: Zurich
Status: offline
Hi
I'm running an Ex2k3 with OWA and RPC over HTTP and FBA successfully behind one single IP (ISA2004). That works fine.
Now I tried to apply the article http://www.isaserver.org/tutorials/2004wildcardcert.html to be able to use more than one SSL-enabled server behind the ISA. As soon as I switched from the owa.mydomain.com to the *.mydomain.com certificate on the listener, RPC over HTTP refused to work. Tom, do you know about this issue?

Further, a second thing I'd like to accomplish is Citrix. The SSL Relay requires an SSL connection to a Citrix server behind the firewall. I could not configure that successfully if the SSL connection was passing through a web listener (SSL-SSL bridged). Using an access rule that allows HTTPS, application publishing works fine. Any idea whether the web listener manipulates the data?

The final goal would be to get everything working together as follows:

ISA Listener
Citrix < - > https://ts.mydomain.com
Exchange < - > https://owa.mydomain.com
Other SSL < - > https://secure.mydomain.com

Has anyone (also partly) solved issues within this setup?

Cheers
--raffi

[ January 07, 2005, 03:58 PM: Message edited by: Raffael Grob ]
Post #: 1
RE: Wildcard Certificates / RPC over HTTP / FBA & C... - 8.Jan.2005 11:58:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Raffi,

I've never tried the wildcard cert with anything but Web site access. It might be that some applications do not accept the wildcard. I would have to test the scenarios to determine what is supported and what is not.

HTH,
Tom

(in reply to joggelichopf)
Post #: 2
RE: Wildcard Certificates / RPC over HTTP / FBA & C... - 10.Jan.2005 4:02:00 PM   
Jason Jones

 

Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:
Originally posted by tshinder:
Hi Raffi,

I've never tried the wildcard cert with anything but Web site access. It might be that some applications do not accept the wildcard. I would have to test the scenarios to determine what is supported and what is not.

HTH,
Tom

I have used wildcards with RPC over HTTP... I found the following gotcha - you just need to make sure that the setting in Outlook called "principal name for proxy server" is defined as "*.domain.com" and not "server.domain.com". This principal name has to match the common name on the wildcard cert for it to work.

As for Citrix, you shouldn't really be using the SSL relay, but should be using Secure Gateway instead. From memory CSG is designed to be the first SSL component that the client connects to... the Citrix guides recommend that an SSL load balancer shouldn't be placed in front of CSG. So I guess this is the same for ISA.

At the end of the day, CSG is acting as its own HTTPS reverse proxy for the HTTPS and ICA protocols. I haven't heard of many vulnerabilities and it seems to do its security job very well...

If you don't go for CSG then the best security is probably to just use server publishing for the SSL relay.

Cheers

JJ

[ January 10, 2005, 04:08 PM: Message edited by: Jason Jones ]

(in reply to joggelichopf)
Post #: 3
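The two name-matching rules behind Jason's gotcha, as an added example that is not from the thread: a browser matches a published site name against a wildcard certificate name by letting `*` stand for one DNS label, while Outlook's "principal name for proxy server" setting is modelled here as a literal comparison against the certificate's common name (an assumption of this example based on the post above), which is why it must be set to `*.mydomain.com` rather than `owa.mydomain.com`. The host names are the ones from the original post.

```python
# Added example, not code from ISAserver.org or the thread's authors.
# Contrasts the two ways a client name check can treat a wildcard certificate.


def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Browser-style match: '*' covers exactly one leftmost DNS label.

    '*.mydomain.com' covers owa.mydomain.com and ts.mydomain.com but not
    the bare mydomain.com, a.owa.mydomain.com, or anything under '*.com'.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]                      # ".mydomain.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]         # the part '*' must stand for
    # One non-empty label only, and refuse overly broad names such as "*.com".
    return bool(leftmost) and "." not in leftmost and suffix.count(".") >= 2


def principal_name_matches(cert_cn: str, principal_name: str) -> bool:
    """Literal match, as assumed for Outlook's RPC over HTTP principal name:
    the configured value must equal the certificate CN character for character."""
    return cert_cn.lower() == principal_name.lower()


def check_listener(cert_cn: str, sites: list[str], principal_name: str):
    """Report which published site names the listener certificate covers for
    browsers, and whether RPC over HTTP clients configured with
    principal_name will accept the same certificate."""
    site_results = {host: wildcard_matches(cert_cn, host) for host in sites}
    return site_results, principal_name_matches(cert_cn, principal_name)


if __name__ == "__main__":
    sites = ["ts.mydomain.com", "owa.mydomain.com", "secure.mydomain.com"]
    # The failing setup: wildcard cert on the listener, Outlook still set to owa.
    print(check_listener("*.mydomain.com", sites, "owa.mydomain.com"))
    # The working setup: Outlook's principal name changed to the wildcard CN.
    print(check_listener("*.mydomain.com", sites, "*.mydomain.com"))
```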
RE: Wildcard Certificates / RPC over HTTP / FBA & C... - 11.Jan.2005 12:35:00 AM   
joggelichopf

 

Posts: 3
Joined: 7.Jan.2005
From: Zurich
Status: offline
Hi Jason
Thanks a lot for your input. Using a * as hostname of 'principal name for proxy server' resolved my major issue. Now I can use RPC over HTTP beside multiple differently named https sites on one listener.

The second issue's first goal is to use the same listener as used above to publish the Citrix SSL relay. Using a second public IP address resolves the issue in the sense that I simply create a second access rule for SSL on that second interface. That works, but is a bit ... let's say, not as I like it.

Thought I could publish an access rule below the web listener. Then I make the listener ignore a specified hostname and leave the SSL publishing job to the one below the web listener. However, this 'ignoring a specified hostname' seems not to be configurable.

Maybe no solution -> fine. A cool Hack -> better :-)

--raffi

(in reply to joggelichopf)
Post #: 4
RE: Wildcard Certificates / RPC over HTTP / FBA & C... - 11.Jan.2005 12:49:00 AM   
Jason Jones

 

Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
I think the best solution is to create a 2nd listener as you have done and publish using a 2nd IP. Then use a different FQDN and bind the wildcard cert.

Nothing wrong with multiple listeners as long as you have enough public IP's.

When you say access rule, do you mean server publishing rule? Ideally, you should be using server publishing to publish the SSL relay HTTPS server.

I think that is the best way, but I will have a think about other options...maybe tom or one of the other guys will have a solution.

JJ

P.S. I noticed you ignored my CSG advice [Razz]

[ January 11, 2005, 12:52 AM: Message edited by: Jason Jones ]

(in reply to joggelichopf)
Post #: 5
RE: Wildcard Certificates / RPC over HTTP / FBA & C... - 11.Jan.2005 9:08:00 AM   
joggelichopf

 

Posts: 3
Joined: 7.Jan.2005
From: Zurich
Status: offline
Hi Jason
I'm behind a cable connection. The provider supplies me with 4 public dynamic IP addresses. All of them are from different subnets and therefore I can't use more than one of them on my ISA. I tried to configure two NICs going to the internet. Both caught an IP address individually. That's good! But both caught different gateways and that's no good! :-( - A solution that allows this kind of setup would be great. However, ISA is a professional server solution and only private setups run into trouble as I do. If I were installing this setup for a customer, I would want him to acquire two IPs.

The CSG advice is not gone with the wind ... I definitely want to install it and try it. I did not answer on this, because from an ISA point of view it makes no difference to the SSL Relay setup. Both solutions require an 'unstripped' SSL server publishing rule (you're right! - not an access rule).

Best regards and thanks!
--raffi

PS: Here's my current setup to use more than one IP:
LOCAL <-> ISA <- PUB.ip <- INTERNET
LOCAL <-> ISA <-nat-> LINUX-FW <- PUB.ip <- I-NET

It's a solution that only makes sense in a virtualized environment, where a little Linux FW is no overhead and needs no additional HW effort.

(in reply to joggelichopf)
Post #: 6