Welcome to ISAserver.org

Web Listener can't bind certificate to Virtual IP

Web Listener can't bind certificate to Virtual IP - 22.Nov.2007 10:36:11 PM   
TR

 

Posts: 8
Joined: 11.Nov.2007
Status: offline
Hi there,

We are running two ISA Server 2006 Enterprise Edition servers set up in an array where ISA Integrated NLB is activated for the External and Internal Network.

Now we are trying to publish OWA using a Public SSL Cert for External and a Private SSL Cert for Internal users.

We've been following the steps described in Thomas Shinder's article "Publishing Exchange 2007 OWA, Exchange ActiveSync and RPC/HTTP using the 2006 ISA Firewall".

As we are using Split DNS, the internal FQDN for OWA points to the Virtual IP Address of the Internal ISA Interface.

However, when it comes to creating the Web Listener we can't bind the Private SSL Certificate to the Virtual IP of the Internal interface.

In the Web Listener Configuration -> "Select Certificate" it lists 2 identical certificates issued by the internal CA.

Selecting the first certificate it says "correctly installed on ISA-Server-1" but the certificate can't be found on ISA-Server-2.

Selecting the second certificate it says "correctly installed on ISA-Server-2" but the certificate can't be found on ISA-Server-1.

As a result we can't bind a valid certificate to the Virtual IP of the Internal Network.
Using the 2 primary IP Addresses of the ISA Server rather than the Virtual IP works and we can bind the certificate installed to the corresponding ISA Server.

However, we need to bind the certificate to the Virtual IP used in NLB rather than to the Server individually.
 
Any clues on that?
 
Thanks,
TR
Post #: 1
RE: Web Listener can't bind certificate to Virtual IP - 23.Nov.2007 3:34:15 AM   
jazzer

 

Posts: 24
Joined: 15.Feb.2004
From: Switzerland
Status: offline
Hi,
1. you must install the internal and external cert to all ISA Nodes.
2. careful with the CN name in the UCC SAN Cert.
3. make two listeners and 3 roles for internal and 3 for external (copy and change the listener)

regards
jazzer

(in reply to TR)
Post #: 2
RE: Web Listener can't bind certificate to Virtual IP - 23.Nov.2007 11:12:26 PM   
TR

 

Posts: 8
Joined: 11.Nov.2007
Status: offline
Hi jazzer,

> 1. you must install the internal and external cert to all ISA Nodes.
Yes, I've done that using the internal CA for the private cert (http://server/certsrv)

> 2. careful with the CN name in the UCC SAN Cert.
Okay, I've got the correct entry/order here...

> 3. make two listeners and 3 roles for internal and 3 for external (copy and change the listener)
I've created a listener for the Internal Interface which is used in the OWA publishing rule.

However, this works fine if I bind the private certificate to the primary IP Address of the ISA Server but I still can't bind it to the ISA NLB Virtual IP.

The Virtual IP is actually the one I would like to use as you would set up DNS to point to owa.domain.com (= Virtual IP of Internal NLB) rather than creating 2 records in DNS pointing to the ISA Server directly.

What would I need 3 rules for?

Thanks,
TR

(in reply to jazzer)
Post #: 3
