Welcome to ISAserver.org
Wildcard certs
Wildcard certs - 27.Jan.2006 11:10:39 PM
mitchskrove
Posts: 4
Joined: 1.Dec.2004
Status: offline
I am working with a client to publish Outlook Web Access using a unihomed (single-NIC) ISA Server 2004 Web proxy. The client uses certificates configured with a wildcard in the common name, *.company.com. I have the cert with the wildcard on both the Exchange Server 2003 front end and also on the ISA server, bound to the listener.

This appears to be causing me problems: when I use the URL https://webmail.company.com in IE, I receive the following error:

Error Code: 500 Internal Server Error. The target principal name is incorrect. (-2146893022)

I believe we would be successful if the cert CN was webmail.company.com. Does anyone know how to configure ISA 2004 OWA publishing rules to work with wildcards in certs, or a configuration change to make this work?

Thanks in advance.
Mitch
RE: Wildcard certs - 28.Jan.2006 1:10:52 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Whatever you have configured in the 'To' tab of the ISA publishing rule must match the name that is in the certificate on the Front End server. Depending on your DNS setup, you might have to place an entry in ISA's HOSTS file to make sure ISA resolves that name to the Front End server. Did you by chance use an IP address on the 'To' tab? This would cause that error.
< Message edited by ClintD -- 28.Jan.2006 1:12:06 AM >
RE: Wildcard certs - 28.Jan.2006 2:17:30 AM
mitchskrove
Posts: 4
Joined: 1.Dec.2004
Status: offline
- The cert CN = *.company.com
- The cert is installed on both the ISA server and the E2K3 front end
- The TO tab in ISA is set to webmail.company.com
- The ISA server has an entry in the hosts file for webmail.company.com with the IP addr of the E2K3 FE server
- The client (IE) uses https://webmail.company.com/exchange

Bottom line: can you use the same cert with the wildcard on both the ISA server and the E2K3 FE server and make it work?

Thanks for your response. I hope the info above provides a bit more clarity.
Mitch
RE: Wildcard certs - 28.Jan.2006 2:33:52 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mitch,

you can find the answer in http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/tscerts.mspx:

quote:
I am using wildcard certificates and getting the error: 500 Internal Server Error – The target principal name is incorrect.
ISA Server only supports wildcard certificates on the ISA Server computer. When using HTTPS to HTTPS bridging, you cannot use wildcard certificates to authenticate the back-end Web server. Instead, on the internal Web server, create a new certificate that matches the name of the internal Web server, as specified on the To tab in the Web publishing rule. For more information about configuring this scenario, see Publishing Multiple Web Sites using a Wildcard Certificate in ISA Server 2004 (www.microsoft.com).

HTH,
Stefaan
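The two name checks described in this thread (ClintD's point that the 'To' tab name must be covered by the front-end certificate, and the TechNet answer that ISA 2004 honours a wildcard only on the listener hop), modelled as an added Python example that is not code from any poster or from ISA itself; the function names, the `backend_allows_wildcard` switch and the return strings are assumptions for illustration only.

```python
import ipaddress

def name_matches(cert_cn: str, host: str, allow_wildcard: bool) -> bool:
    """Return True if the certificate subject name cert_cn covers host.

    An IP literal never matches a DNS name in the certificate. A wildcard is
    honoured only when allow_wildcard is True, only as the entire leftmost
    label, and only for exactly one label: *.company.com covers
    webmail.company.com but not a.b.company.com and not company.com itself.
    """
    cn = cert_cn.lower().rstrip(".")
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False                  # an IP address on the "To" tab never matches a name
    except ValueError:
        pass
    if not cn.startswith("*."):
        return cn == host
    if not allow_wildcard:
        return False
    suffix = cn[1:]                   # ".company.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]      # the part the "*" must stand for
    return label != "" and "." not in label

# Constructed to mirror the error text quoted in the thread (assumption, not ISA's exact string).
TARGET_PRINCIPAL_ERROR = "500 Internal Server Error: The target principal name is incorrect."

def check_https_bridging(public_host: str, listener_cert_cn: str,
                         to_tab_name: str, backend_cert_cn: str,
                         backend_allows_wildcard: bool = False) -> str:
    """Model the two SSL hops of an HTTPS-to-HTTPS Web publishing rule.

    Hop 1: browser -> ISA listener; a wildcard cert is accepted here.
    Hop 2: ISA -> back-end server; the name on the rule's "To" tab must be
    covered by the back-end certificate, and ISA 2004 does not honour a
    wildcard on this hop, which backend_allows_wildcard=False reproduces.
    """
    if not name_matches(listener_cert_cn, public_host, allow_wildcard=True):
        return "client SSL error: listener certificate does not cover " + public_host
    if not name_matches(backend_cert_cn, to_tab_name, backend_allows_wildcard):
        return TARGET_PRINCIPAL_ERROR
    return "OK"
```

Calling `check_https_bridging("webmail.company.com", "*.company.com", "webmail.company.com", "*.company.com")` reproduces Mitch's error, while swapping the last argument for a webmail.company.com certificate on the front end returns "OK".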
RE: Wildcard certs - 17.Feb.2006 12:40:01 PM
adelprete
Posts: 42
Joined: 11.Jan.2004
From: Rome, Italy
Status: offline
Hi Tom,

from what I read here: http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/tscerts.mspx I would have to buy 3 certificates: 1 wildcard certificate and 2 standard SSL certificates (1 for OWA and one for the web server). Did I get this right? It would be more economical to buy just the 2 standard certificates and import them both in ISA, am I wrong? I thought that the advantage of using a wildcard certificate was the fact that with only one certificate I could use that one for each web server and for ISA listeners, but from what I read this is not possible, so I'm surely missing the advantage. Could you clear this up a little bit?

Last question: is it possible to bind the same wildcard certificate to different listeners on ISA2k4?

Thank you.
RE: Wildcard certs - 17.Feb.2006 2:22:07 PM
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Adelprete,

For the client connection to the ISA firewall, you can use a wildcard certificate. However, on the back end you cannot. Have you read my article series on using public and private certs together to save money?

Thanks!
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Wildcard certs - 17.Feb.2006 11:17:54 PM
Jason Jones
Posts: 2265
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:
ORIGINAL: tshinder
Hi Mitch, Wildcard certs aren't supported for the second SSL link in this version of the ISA firewall. HTH, Tom

Tom, you know if ISA 2k6 solves this? Didn't notice it in the guides...
JJ
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Wildcard certs - 18.Feb.2006 6:34:21 PM
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online
quote:
ORIGINAL: Jason Jones
quote:
ORIGINAL: tshinder
Hi Mitch, Wildcard certs aren't supported for the second SSL link in this version of the ISA firewall. HTH, Tom

Tom, you know if ISA 2k6 solves this? Didn't notice it in the guides... JJ

Hi Jason,

Yes! They've fixed this from what the devs have told me. However, I haven't tested it yet to see if it actually works :)

Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Wildcard certs - 7.Mar.2006 6:37:39 PM
adelprete
Posts: 42
Joined: 11.Jan.2004
From: Rome, Italy
Status: offline
Hi Tom,

I bought a wildcard certificate from Comodo and installed it on ISA; everything is OK except for a few things:

1. Using the commercial certificate only on ISA and internally generated certificates on the Exchange server, a problem comes up: we use RPC over HTTPS with Outlook, but when you configure Outlook you have to fill in the msstd:exchange.domain.com field. If you put in there the internal certificate common name (e.g. webmail.domain.com), while in the office (LAN) everything is OK, but if you are out of the office (Internet) Outlook doesn't connect, because the msstd: parameter refers to the internal certificate common name, and when you connect from the Internet the certificate bound on the ISA listener is the wildcard certificate (*.domain.com) and it doesn't match. I solved the problem by unchecking the "Mutually Authenticate the session when connecting with SSL" option, but it's not a solution that I like.

2. I tried to use the wildcard certificate also for the VPN server (we use ISA also as a secure VPN server with L2TP/IPSec and user certificates), but I couldn't find a way to tell ISA to use the new wildcard certificate, at least not in the VPN options of the ISA configuration tool. I knew that ISA used RRAS, so I discovered that I could change the certificate by changing the ISA Server Default Policy that ISA creates in RRAS, but I also discovered that when ISA restarts it overwrites any changes you make to that policy, so the solution was to create a new RRAS policy that is an exact duplicate of the one ISA generated, with just a change on the EAP certificate to be used, and put it in the first position with respect to the ISA policy. This is not a perfect solution because I have to keep the 2 policies in sync manually if I change VPN options through the ISA configuration tool, but it's the only one feasible because not all the options of the policy are available in the ISA configuration tool (timeouts, certificates, encryption level etc.).

Anyway this didn't solve my problem because, from what I could see, the XP VPN client doesn't seem to support wildcard certificates.

I could solve the Outlook problem if I could use the wildcard certificate also on the Exchange server other than ISA, but like you said ISA doesn't support wildcard certificates on the back-end connections. In this scenario, users would have to change the Outlook configuration depending on whether they're connecting from the Internet or the LAN; this is really a bad architecture in my opinion. What do you think?

I would also like to ask you if you can confirm that the XP VPN client does NOT support wildcard certificates, and if there's a way to tell ISA what certificate to use for the VPN server without touching the RRAS-generated default policy like I had to do. In the meanwhile I'm continuing to use a standard internally generated certificate because the VPN client refused to connect while I used the wildcard certificate.

Thanks for any suggestions you'll give me Tom. :)
...Alessandro
RE: Wildcard certs - 15.Mar.2006 3:03:22 PM
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Alessandro,

quote:
1. Using the commercial certificate only on ISA and internally generated certificates on the Exchange server, a problem comes up: we use RPC over HTTPS with Outlook, but when you configure Outlook you have to fill in the msstd:exchange.domain.com field. If you put in there the internal certificate common name (e.g. webmail.domain.com), while in the office (LAN) everything is OK, but if you are out of the office (Internet) Outlook doesn't connect, because the msstd: parameter refers to the internal certificate common name, and when you connect from the Internet the certificate bound on the ISA listener is the wildcard certificate (*.domain.com) and it doesn't match. I solved the problem by unchecking the "Mutually Authenticate the session when connecting with SSL" option, but it's not a solution that I like.

TOM: Interesting find, I wasn't aware of that. Makes sense though, since you're using a wildcard cert and not a Web server cert. It's an SSL issue, though. Not a client/server issue.

quote:
2. I tried to use the wildcard certificate also for the VPN server (we use ISA also as a secure VPN server with L2TP/IPSec and user certificates), but I couldn't find a way to tell ISA to use the new wildcard certificate, at least not in the VPN options of the ISA configuration tool. I knew that ISA used RRAS, so I discovered that I could change the certificate by changing the ISA Server Default Policy that ISA creates in RRAS, but I also discovered that when ISA restarts it overwrites any changes you make to that policy, so the solution was to create a new RRAS policy that is an exact duplicate of the one ISA generated, with just a change on the EAP certificate to be used, and put it in the first position with respect to the ISA policy. This is not a perfect solution because I have to keep the 2 policies in sync manually if I change VPN options through the ISA configuration tool, but it's the only one feasible because not all the options of the policy are available in the ISA configuration tool (timeouts, certificates, encryption level etc.). Anyway this didn't solve my problem because, from what I could see, the XP VPN client doesn't seem to support wildcard certificates.

TOM: One alternative is to use EAP with RADIUS authentication and RADIUS RAS policy.

HTH,
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8