
Welcome to ISAserver.org


ISA 2006 Password Management configuration

ISA 2006 Password Management configuration - 29.Oct.2006 8:46:24 PM   
mplevesque

 

Posts: 5
Joined: 29.Oct.2006
Status: offline
Hello, I have set up an ISA 2006 Server in a DMZ, with 2 NICs, one external connected to the DMZ of which is NAT'd to and from the ISA server, the other to the internal LAN. I have made the ISA server part of the Windows 2003 domain. I have spent the past couple of days getting the OWA password change to work; this was quite a task as the front end is Exchange Server 2003 and the backend is Exchange 2000. I have finally got all this working perfectly now, using SSL from the client to the backend. My question here is that I would like to use the Change password management feature; it is my understanding, so please correct me if I am wrong, that I need to generate an SSL certificate on one of the domain controllers to do LDAPS (using port 636), correct? In order to get this working, are there any other steps that I need to configure?

Also, is there any way to configure more than 1 DC for this in the event it is removed or down? Do I have to generate a cert for each DC?

Thank you in advance for any advice you can provide.

Mark

< Message edited by mplevesque -- 29.Oct.2006 8:48:35 PM >
Post #: 1
RE: ISA 2006 Password Management configuration - 30.Oct.2006 9:02:02 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mark,

If the ISA Firewall is a domain member, you don't need to configure LDAP servers for password change.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mplevesque)
Post #: 2
RE: ISA 2006 Password Management configuration - 30.Oct.2006 9:36:44 AM   
mplevesque

 

Posts: 5
Joined: 29.Oct.2006
Status: offline
Thanks for the reply, Tom. It seems as though (as I was monitoring the traffic) LDAPS calls were being made to the DC and being denied when ISA server attempts to change the password, as I get an error message from ISA. I get the message of:

"An error occurred while trying to change the password. Please contact technical support for your organization"

So that is why I am thinking I just need to load an SSL certificate on the Domain Controller to enable authentication using LDAPS.

Thanks

Mark

(in reply to tshinder)
Post #: 3
RE: ISA 2006 Password Management configuration - 2.Nov.2006 9:39:01 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mark,

Well, now that you mention it, maybe a machine certificate is required on the DC.

I always deploy enterprise CAs on DCs, so maybe that's why it's been working for me.

Give it a try and see what happens.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mplevesque)
Post #: 4
RE: ISA 2006 Password Management configuration - 15.Nov.2006 11:39:16 PM   
mplevesque

 

Posts: 5
Joined: 29.Oct.2006
Status: offline
Hi Tom,

Thanks for the reply. I finally installed a 3rd party Certificate in the root domain and it works! Now that it works, do I need to have a certificate on my child domains as well to provide the same password management functionality? It seems that when I attempt to do this with a child domain, it fails with a similar message as the root domain before installing a certificate.

Also, on another note, when you mentioned you installed the CA on your DCs, is that all you do, just install the service? Nothing else to provide the secure LDAP?

Thanks for the help.

Mark

(in reply to tshinder)
Post #: 5
RE: ISA 2006 Password Management configuration - 19.Nov.2006 2:50:18 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mark,

Certificates themselves have nothing to do with AD domains.

I install enterprise CAs on the DCs, which allows for autoenrollment and sending certificate requests to online CAs.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mplevesque)
Post #: 6
RE: ISA 2006 Password Management configuration - 21.Nov.2006 7:16:47 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
You will need SSL certs on every LDAPS server you specify in ISA. If you want password management against the child domain then you will need SSL certs on these too to allow LDAPS connections.

You may be better looking at Microsoft Certificate Services to issue these certificates as opposed to using third-party ones. However, PKI is not really something you should just "chuck in" as it should be designed properly.

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 7
RE: ISA 2006 Password Management configuration - 21.Nov.2006 8:54:04 AM   
mplevesque

 

Posts: 5
Joined: 29.Oct.2006
Status: offline
Thanks for the reply. I am actually NOT specifying any LDAP servers, as I am using Active Directory selection instead, but I assume it is using the same process of needing SSL for the child domains. As I logged a monitoring session, you can see where it attempts to authenticate to the child domain.

Thanks again for the reply.

Mark

(in reply to Jason Jones)
Post #: 8
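
An added example, not part of any post in this thread: a PowerShell check that each domain controller the firewall may contact, child domains included, accepts an LDAPS connection on port 636 and presents a certificate that validates. The host names are placeholders, and the script assumes it runs on a machine that trusts the same root CAs as the ISA firewall.

```powershell
# Placeholder host names (assumption): replace with the DCs the ISA firewall
# contacts for password change, including DCs in child domains.
$DomainControllers = 'dc1.corp.example', 'dc1.child.corp.example'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Test-LdapsCertificate {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 636)

    $result = [ordered]@{
        Server = $ComputerName; TlsOk = $false; Subject = $null
        NotAfter = $null; ServerAuthEku = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Default validation: the chain must build to a root trusted on THIS
        # machine and the certificate name must match $ComputerName.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($ComputerName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            $result.TlsOk    = $true
            $result.Subject  = $cert.Subject
            $result.NotAfter = $cert.NotAfter
            # False when the EKU extension is absent or lacks Server Authentication.
            $result.ServerAuthEku = [bool]($eku -and
                ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid }))
        } finally { $ssl.Dispose() }
    } catch {
        # Connection refused, untrusted chain, name mismatch, expired certificate, etc.
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

$DomainControllers |
    ForEach-Object { Test-LdapsCertificate -ComputerName $_ } |
    Format-Table -AutoSize
```

A row with `TlsOk` false and a populated `Error` column identifies a DC where an LDAPS bind would fail before any password change is attempted.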
