isa server 2006, exchange 2000
isa server 2006, exchange 2000 - 20.Jul.2007 6:24:33 AM   
arthur071169

 

Posts: 11
Joined: 20.Jul.2007
Status: offline
Hi all, I hope someone can assist. (Several questions.)
Q1. I have a Windows 2000 member server with Exchange 2000 running happily on it.

I have a 2-NIC ISA 2006 server (Windows 2003 member server).
I have no public DNS web address, but a public IP address registered.

I want to do the following things (read below). What do I need as far as certificates are concerned: 1 or 2, and if 1, where?

I have currently got Exchange HTTP traffic hitting the public IP NIC, and a rule with Windows AD authentication (domain, name, password) set up. After authentication, the user can read their Exchange mail via OWA.

I want to change this to have a secure SSL connection from the outside world to the ISA, and after authentication to have a similar connection as above to my existing setup.

So,
HAVE: Internet > public NIC (port 80) > authenticate > private NIC > Exchange server.
WANT: Internet > public NIC (SECURE) > authenticate > private NIC > Exchange server.
Certificate requirements: do I need one between the Exchange server and the ISA, and another between the ISA and the internet?

Q2. Also (!) we have other servers (private IPs on a private LAN, running different flavours of Apache, with NO domain authentication for access to the web-based applications running on them).
On the ISA, I have a listener for all traffic (port 80) that redirects to the Exchange server (Q1, as above), and another listener on port 8080 redirecting all other traffic to one of the Apache servers (only trialling one at this time, other/s to follow).

For Q2: do I need a public DNS record (domain name), and to utilise header analysis, in order to have one listener accepting multiple requests for different physical servers?

In short, I would like the user to type a single URL with a subdirectory ("http://www.xxx.yyy/server1", "http://www.xxx.yyy/server2") and have the 8080 listener redirect to the relevant server.

Currently this is not secure-connection based (so I think I could use header analysis?), but what about when/if I am asked to add SSL for these non-domain-authenticated external users?

Any help on the various probs appreciated.

PS: it currently all works, just not the way I need it to!! As described above (Exchange port 80, HTTP traffic working fine) etc.

Arthur.
Post #: 1
RE: isa server 2006, exchange 2000 - 20.Jul.2007 11:46:33 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Arthur,

A good place to start is by reviewing some of the Exchange publishing articles on this site. There are a lot of them covering various scenarios -- let us know if you have any questions about them and how you can use that information to put together a secure solution.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to arthur071169)
Post #: 2
RE: isa server 2006, exchange 2000 - 24.Jul.2007 9:36:22 AM   
arthur071169

 

Posts: 11
Joined: 20.Jul.2007
Status: offline
Well, I have since registered a domain against the IP address.
I now need (I guess) to request a trial certificate from Thawte, based on the registered domain?
... so I get the cert, I install it on the ISA server (and in any remote access user's browser, as this is a trial cert)..
Once I set up a 445 listener, do I then break bridging, or route traffic to port 80 on the Exchange server?

I do not need secure traffic 'in house', only to the ISA (I think this is what I need anyway).

Regards,
Arthur.

(in reply to tshinder)
Post #: 3
RE: isa server 2006, exchange 2000 - 24.Jul.2007 10:45:32 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
You can use a commercial certificate on the external interface of the ISA Firewall and a private cert on the OWA site itself. There's an article on this site on how to do that.

HTH,
Tom

(in reply to arthur071169)
Post #: 4
RE: isa server 2006, exchange 2000 - 24.Jul.2007 11:06:58 AM   
arthur071169

 

Posts: 11
Joined: 20.Jul.2007
Status: offline
That sounds sensible, but what if we have no private cert? This is our current situation.

In short, I have been lumbered with trying to get a non-public-facing Exchange server (no front-end/back-end scenario) available to the entire internet (i.e. no dedicated VPN), via a secure connection.

However, I have
a) little time to learn how to administer in-house generated certificates (hence I would use a Thawte-purchased one; also I have no spare kit to install IIS/Certificate Services etc. on), and
b) no knowledge of how to use such a cert on the ISA without having to modify the existing domain Exchange setup..

:(

I love lack of financial investment/training/time when it is deemed urgent by 'them upstairs'.

Regards,
Arthur

(in reply to tshinder)
Post #: 5
RE: isa server 2006, exchange 2000 - 25.Jul.2007 2:38:51 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Arthur,

Essentially, it works like this:

Put the Thawte certificate on the ISA Firewall and bind that to the Web Listener used for the Web Publishing Rule.

Use MS Certificate Services on any Windows Server (ideally a domain controller, and install it as an enterprise CA).

If you use an enterprise CA, you can use the request-a-certificate wizard on the OWA Web site. When it asks you for the common name, you can use the actual FQDN of the OWA server if you like. When you use the enterprise CA, the CA certificate will be automatically installed on the Exchange server and the Web site certificate will be automatically installed on the Web site.

On the ISA Firewall, make sure you forward the connection using the common name on the certificate, and then use the Browse button on that page in the Web Publishing Wizard to find the computer, or just type in the IP address of the published OWA Server.

That's all there is to it! It should then work fine.

HTH,
Tom

(in reply to arthur071169)
Post #: 6
RE: isa server 2006, exchange 2000 - 30.Jul.2007 6:08:54 AM   
arthur071169

 

Posts: 11
Joined: 20.Jul.2007
Status: offline
Hi there,
Well, I have done everything as requested but to no avail. (Sort of.)
I have successfully created a CA on a domain controller.
I have requested a certificate from the Exchange server, and installed it.
If (from anywhere within our LAN) I type https://xxx.yyy.zzz/exchange (which is the in-house IP address of the Exchange server) I get the 'certificate' warning pages, and I get the certificate installed!
Then the secure web site is displayed and is fully functional!
JOY!

I have imported the same certificate on the ISA and it is appearing as a valid cert, and I have assigned it to the listener.

When, however, I (externally) type in https://www.mydomainname.com/exchange I just get a timeout.
I used the 'use SSL' option when running the Exchange 2000 wizard.

What should I be checking to make sure that SSL traffic is
A) being accepted, and
B) forwarded?

Getting there slowly..
(PS: I decided to use an in-house cert as I was having probs with the Thawte freebie, and wanted to 'discount' it from the equation.
It seems that is not what was causing the errors... hmmm...)

Regards,
Arthur

(in reply to tshinder)
Post #: 7
RE: isa server 2006, exchange 2000 - 1.Aug.2007 2:08:17 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Arthur,

Make sure your public DNS is resolving the name on the Web site certificate bound to the Web listener to the address that the listener is listening on.

HTH,
Tom

(in reply to arthur071169)
Post #: 8
RE: isa server 2006, exchange 2000 - 2.Aug.2007 6:34:10 AM   
arthur071169

 

Posts: 11
Joined: 20.Jul.2007
Status: offline
After reinstalling the CA on the DC (a previous BOFH managed to get the credentials wrong, therefore it would NEVER have worked correctly),
I now have the following.. (please bear with me!)

Our internal domain = york.vst-vossloh.com

DC/CA = netsrv1.york.vst-vossloh.com
Exchange = exchange.york.vst-vossloh.com
ISA = pc174-isa.york.vst-vossloh.com (2 NICs and on domain).

I have a certificate on netsrv1 (DC/CA) that says..
Issued from 'netsrv1', to 'netsrv1' (issuer CN = netsrv1, DC = york, DC = vst-vossloh, DC = com)

I requested a server cert for Exchange from the CA.
This is issued to 'exchange', from 'netsrv1' (issuer as above).

I have on the ISA requested a certificate (public name = our public registered URL, i.e. 'www.york-office.co.uk').
The SSL listener is looking at this certificate (registered correctly in the computer certificate store).

Now, I have exported the certificate on the Exchange server and imported it into the ISA, but when I try to use SSL bridging (and require a certificate) I cannot choose any... Am I importing the certificate that was exported from Exchange in the wrong manner, or should I do something else? I have enabled SSL (443) connectivity on the Exchange virtual directory, and aside from a certificate warning (I will worry about that bit later!) I can use in-house "https://exchange/exchange" with no major probs.

I am awaiting our ISP to do some DNS tasks, so I cannot actually test 'https://www.york-office.co.uk/exchange' to see if the ISA is responding yet, but I am resolving probs as I go along (and slowly picking up more understanding of how this all pieces together...). The incorrectly installed CA was not a good starting point; glad I fixed that!

Arthur.

(in reply to tshinder)
Post #: 9
RE: isa server 2006, exchange 2000 - 6.Aug.2007 9:29:56 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Let's simplify this.

What's the subject name on the Web site certificate bound to the Web listener on the ISA Firewall?

What is the subject name on the certificate bound to the OWA Web site?

Thanks!
Tom

(in reply to arthur071169)
Post #: 10
RE: isa server 2006, exchange 2000 - 6.Aug.2007 9:39:28 AM   
arthur071169

 

Posts: 11
Joined: 20.Jul.2007
Status: offline
I am not in front of the kit at the mo, but I do recall the OWA side..
(PS: we have had a corporate name change from Vossloh to Funkwerk, but the domain never changed!)

Subject   Exchange, Local Systems, Fun...

CN = exchange
OU = Local Systems
O = Funkwerk IT York
L = York
S = England
C = GB

(in reply to tshinder)
Post #: 11
RE: isa server 2006, exchange 2000 - 6.Aug.2007 11:16:38 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Why is the CN a single label name?

Tom

(in reply to arthur071169)
Post #: 12
RE: isa server 2006, exchange 2000 - 6.Aug.2007 11:21:39 AM   
arthur071169

 

Posts: 11
Joined: 20.Jul.2007
Status: offline
Er...
because I have done something wrong?

This is exactly as the subject is shown (I am 100% certain as I have a screenshot here with me).

I admit this is not working as I hoped it would, but after reinstalling the CA on the DC following the instructions I had, I was 'fairly' happy I had not done it wrong.
It would seem from your tone that I have in fact made a blunder.

I have not created a top-level CA (enterprise) as I do not have enterprise permissions..
I am the 3rd option down on the setup screen (whatever that is).
We are owned by a German company, and whilst I have full admin privileges here in the UK, I do not have them further up the forest.

(in reply to tshinder)
Post #: 13
RE: isa server 2006, exchange 2000 - 6.Aug.2007 11:25:23 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
When you make the request for the Web site certificate via the Web enrollment site, when it asks for the Name, use a FQDN that's the same as the FQDN that external users will use to access the site.

Are you using a commercial Web site certificate on the ISA Firewall?

Tom

(in reply to arthur071169)
Post #: 14
RE: isa server 2006, exchange 2000 - 7.Aug.2007 5:39:44 AM   
arthur071169

 

Posts: 11
Joined: 20.Jul.2007
Status: offline
In light of what you said, I removed and reinstalled the CA.
Previously when installing the CA, it asks for a CA name (below the name panel, the rest of the in-house domain has always been populated, so I presumed I did not need to add that to the name). I have now added the FQDN as the CA name.

I now have a certificate on the CA issued to netsrv1.york.vst-vossloh.com issued from netsrv1.york.vst-vossloh.com.
The cert is intended for the following purposes
All issuance policies.
All application policies.

I hope that is NOW finally correct.


I then went to the IIS part of Exchange on the Exchange server (I will worry about external access later; I need to make sure I get the in-house part correct) and requested a new certificate (generate now, submit later).
I put in the name (FQDN) of exchange.york.vst-vossloh.com.
The txt file was generated.
I then went to the URL of the CA (whilst using a web browser on Exchange), and submitted the request.
On the CA I issued the cert, and I went back to the Exchange server and downloaded the certificate chain file.

Again on the Exchange server I went to IIS (directory security/server certificate) and installed the certificate.

(IE 7) When I try https://exchange/exchange (or https://128.18.0.200/exchange) I get an error (I guess because I am not typing in the FQDN of the Exchange server..) -
the error is 'the name on the security certificate is invalid or does not match the name of the site.' The other two parts are green 'ticked'.
(Firefox) I get a complaint about the certificate initially until I trust it and install it. I can then connect to https://128.18.0.200/exchange.


I do have a DNS entry for exchange.york.vst-vossloh.com 'HOST (A)', so I am a bit confused why this does not work in a URL... I did try it, but to no avail.

The cert seems OK though, and the subject (this time) is exchange.york.vst-vossloh.com.

I can then browse and view my email.

The details for 'web site identity verified' are:..

The web site 128.18.0.200 supports authentication for the page you are viewing. The identity of this web site has been verified by CN=netsrv1.york.vst-vossloh.com, DC=york,DC=vst-vossloh,DC=com, a certificate authority you trust for this purpose.

The ssl server certificate is
issued to
common name (CN) exchange.york.vst.vossloh.com
Organisation (O) Funkwerk IT York
Organisation Unit (OU) Local Systems
serial number xx:xx:xx:xx:xx:xx... etc (not X's!)

Issued by
Common name (CN) netsrv1.york.vst-vossloh.com
Organisation (O) <not part of certificate>
Organisation Unit (OU) <not part of certificate>


With regard to the ISA, I would be requesting both the external and internal certs from our CA... (I would hope this would make SSL bridging easier, when I finally get that far!)
Thanks for your patience, I know what it is like guiding the blind...

< Message edited by arthur071169 -- 7.Aug.2007 5:46:52 AM >

(in reply to tshinder)
Post #: 15
RE: isa server 2006, exchange 2000 - 7.Aug.2007 12:41:07 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Maybe it's time to get back to basics.

Read this article:

http://www.isaserver.org/articles/2004owapub.html

And then read the articles on how to obtain certificates and export and import certificates. If there are any principles there that don't make sense, let me know.

Tom

(in reply to arthur071169)
Post #: 16
RE: isa server 2006, exchange 2000 - 8.Aug.2007 7:08:33 AM   
arthur071169

 

Posts: 11
Joined: 20.Jul.2007
Status: offline
Hi, and thanks again for the reply.

The article is quite interesting, but makes the assumption that the Exchange server FQDN is also the URL that people will be typing into their browser:

HTTPS://owa.msfirewall.org > ISA > owa.msfirewall.org

I have the following scenario.

HTTPS://www.york-office.co.uk > ISA > exchange.york.vst-vossloh.com

Arthur.

More reading I think.

(in reply to tshinder)
Post #: 17
RE: isa server 2006, exchange 2000 - 8.Aug.2007 7:44:46 AM   
arthur071169

 

Posts: 11
Joined: 20.Jul.2007
Status: offline
I started reading the guide 'Publishing Exchange 2003 Outlook Web Access with ISA 2000'.

Unfortunately I am trying to publish OWA 2000 with ISA Server 2006.

The certificate installation part is fine (!) but the instructions for actually binding the certificate to a selected listener onwards are drastically different from the environment I have here.

I reckon I would be best following your guides to the letter, but I cannot locate a set that allows for ISA 2006...

:(

(in reply to arthur071169)
Post #: 18
RE: isa server 2006, exchange 2000 - 8.Aug.2007 11:06:23 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: arthur071169

Hi, and thanks again for the reply.

The article is quite interesting, but makes the assumption that the Exchange server FQDN is also the URL that people will be typing into their browser:

HTTPS://owa.msfirewall.org > ISA > owa.msfirewall.org

I have the following scenario.

HTTPS://www.york-office.co.uk > ISA > exchange.york.vst-vossloh.com

Arthur.

More reading I think.


Read the articles again. You'll see that the actual name of the published server doesn't matter; what matters is the common name on the certificates. The actual machine names don't matter at all.

That's why you can use the same name internally and externally.

The procedures are essentially the same in ISA 2004 and ISA 2006.

HTH,
Tom

(in reply to arthur071169)
Post #: 19
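The whole thread turns on one rule stated in Tom's procedure (Post #6) and his last reply: on each TLS hop of an SSL-bridged publish, the name the client connects to must be on the certificate it is shown. The check below is an added example, not code from the thread or from ISA Server; the hostnames and subjects are constructed from the thread, and `check_publishing` and `Cert` are names chosen here. It flags the single-label CN ("exchange") and the IP-address forwarding that produced the browser errors in the thread.

```python
"""Name checks for the two TLS hops of an SSL-bridged OWA publish:
Internet -> ISA Web listener -> published OWA site.
Added example, not the thread's or ISA Server's own code. Matching uses
the usual TLS hostname rule: exact match, or one leftmost wildcard label."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Cert:
    """Minimal model of a web-site certificate: subject CN plus SAN names."""
    cn: str
    sans: list = field(default_factory=list)

def name_matches(pattern: str, host: str) -> bool:
    """True if one certificate name (CN or dNSName SAN) covers host."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".york.vst-vossloh.com"
        # the wildcard stands for exactly one label, so no dot may remain
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host

def cert_covers(cert: Cert, host: str) -> bool:
    """Browsers ignore the CN once a SAN list is present, so do the same."""
    return any(name_matches(n, host) for n in (cert.sans or [cert.cn]))

def is_ip(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def check_publishing(public_fqdn, listener_cert, forward_to, site_cert):
    """Return the list of name problems across both hops (empty means OK)."""
    problems = []
    # Hop 1: the name users type must be on the cert bound to the listener.
    if not cert_covers(listener_cert, public_fqdn):
        problems.append(f"listener cert '{listener_cert.cn}' does not cover "
                        f"public name '{public_fqdn}'")
    # Hop 2: the name ISA forwards to must be on the OWA site's own cert.
    if "." not in site_cert.cn and not site_cert.sans:
        problems.append(f"OWA site cert CN '{site_cert.cn}' is a single-label "
                        f"name; request it with the server's FQDN")
    if is_ip(forward_to):
        problems.append(f"forwarding to IP {forward_to}: certificate names are "
                        f"DNS names, so the bridged hop will see a mismatch")
    elif not cert_covers(site_cert, forward_to):
        problems.append(f"OWA site cert '{site_cert.cn}' does not cover "
                        f"forward-to name '{forward_to}'")
    return problems

if __name__ == "__main__":
    # The thread's first attempt (CN = 'exchange') beside the corrected one.
    listener = Cert("www.york-office.co.uk")
    for site in (Cert("exchange"), Cert("exchange.york.vst-vossloh.com")):
        print(site.cn, "->", check_publishing("www.york-office.co.uk", listener,
                                              "exchange.york.vst-vossloh.com",
                                              site) or "OK")
```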