Hello, I have set up an ISA 2006 Server in a DMZ, with 2 NICs, one external connected to the DMZ, which is NAT'd to and from the ISA server, the other to the internal LAN. I have made the ISA server part of the Windows 2003 domain. I have spent the past couple of days getting the OWA password change to work; this was quite a task as the front end Exchange Server is 2003 and the backend is Exchange 2000. I have finally got all this working perfectly now, using SSL from the client to the backend. My question here is that I would like to use the Change password management feature. It is my understanding, so please correct me if I am wrong, that I need to generate an SSL certificate on one of the domain controllers to do LDAPS (using port 636), correct? In order to get this working, are there any other steps that I need to configure?
Also, is there any way to configure more than 1 DC for this in the event it is removed or down? Do I have to generate a cert for each DC?
Thank you in advance for any advice you can provide.
< Message edited by mplevesque -- 29.Oct.2006 8:48:35 PM >
Thanks for the reply Tom. It seems as though (as I was monitoring the traffic) LDAPS calls were being made to the DC and being denied when ISA server attempts to change the password, as I get an error message from ISA. I get the message of:
"An error occurred while trying to change the password. Please contact technical support for your organization"
So that is why I am thinking I just need to load an SSL certificate on the Domain Controller to enable authentication using LDAPS.
Thanks for the reply. I finally installed a 3rd party Certificate in the root domain and it works! Now that it works, do I need to have a certificate on my child domains as well to provide the same password management functionality? It seems that when I attempt to do this with a child domain, it fails with a similar message as the root domain before installing a certificate.
Also, on another note, when you mentioned you installed the CA on your DCs, is that all you do, just install the service? Nothing else to provide the secure LDAP?
You will need SSL certs on every LDAPS server you specify in ISA. If you want password management against the child domain then you will need SSL certs on these too to allow LDAPS connections.
You may be better off looking at Microsoft Certificate Services to issue these certificates as opposed to using third-party ones. However, PKI is not really something you should just "chuck in" as it should be designed properly.
Thanks for the reply. I am actually NOT specifying any LDAP servers, as I am using Active Directory selection instead, but I assume it is using the same process of needing SSL for the child domains. As I logged a monitoring session, you can see where it attempts to authenticate to the child domain.
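One way to confirm the requirement discussed in this thread, that every DC the ISA server may contact (root and child domain alike) answers on 636 with a certificate that chains to the CA ISA trusts and carries that DC's name, is a small script run from the ISA host. This is an added example, not code from the thread or from ISA; the DC names and the CA bundle file name are placeholders.

```python
"""Added example: check each DC's LDAPS (636) certificate from the ISA server's point of view."""
import socket
import ssl
import time

LDAPS_PORT = 636
# Constructed placeholders: a root-domain DC, a child-domain DC, and the CA bundle ISA trusts.
DOMAIN_CONTROLLERS = ["dc1.corp.example", "dc1.child.corp.example"]
CA_FILE = "enterprise-root-ca.pem"


def names_in_cert(cert: dict) -> set:
    """DNS names a getpeercert()-style dict is valid for: SAN entries plus the subject CN."""
    names = {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    for rdn in cert.get("subject", ()):
        names.update(v.lower() for k, v in rdn if k == "commonName")
    return names


def cert_matches_host(cert: dict, fqdn: str) -> bool:
    """True if fqdn is covered by the cert, exactly or by a single-label wildcard."""
    fqdn = fqdn.lower()
    for name in names_in_cert(cert):
        if name == fqdn:
            return True
        if name.startswith("*.") and fqdn.count(".") == name.count(".") and fqdn.endswith(name[1:]):
            return True
    return False


def days_until_expiry(cert: dict, now_ts: float) -> int:
    """Whole days left before notAfter (negative once expired), using ssl's own date parser."""
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) // 86400)


def check_ldaps(fqdn: str, ca_file: str = CA_FILE, timeout: float = 5.0) -> tuple:
    """Handshake with the DC on 636 and return (ok, diagnostic). Chain trust and expiry are
    enforced by the context; the name check is done here so a mismatch is reported distinctly."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED against our CA bundle
    ctx.check_hostname = False                        # we report name problems ourselves
    try:
        with socket.create_connection((fqdn, LDAPS_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
    except (OSError, ssl.SSLError) as exc:
        return False, f"{fqdn}: no usable LDAPS listener ({exc})"
    if not cert_matches_host(cert, fqdn):
        return False, f"{fqdn}: certificate names {sorted(names_in_cert(cert))} do not cover this DC"
    days = days_until_expiry(cert, time.time())
    return True, f"{fqdn}: OK, certificate valid for {days} more days"


if __name__ == "__main__":
    for dc in DOMAIN_CONTROLLERS:
        print(check_ldaps(dc)[1])
```

A DC that fails the first branch is the one ISA will be denied by when it tries the password change, which matches the symptom described earlier in the thread.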