
Can't Login For Certificate...

Can't Login For Certificate... - 13.Dec.2007 4:20:37 PM
charlieit

 

Posts: 108
Joined: 19.Aug.2004
From: US
Status: offline
I have the following hypothetical setup:

LAN: 192.0.2.0-192.0.2.255/24
WAN: 10.20.0.1-10.20.0.2/16
Authenticated DMZ: 192.0.3.1-192.0.3.3/24
Anonymous DMZ: 172.16.0.1-172.16.0.2/16

The Front End Exchange Server is in the Authenticated DMZ with an address of 192.0.3.2.

The ISA Firewall's Authenticated DMZ address is 192.0.3.1.

The Exchange Server is on the LAN with an address of 192.0.2.12.

I can PING the Front End Exchange Server from the LAN and from ISA.

When I try to go to https://192.0.3.2/certsrv I am prompted for a username and password.  I enter the Domain Admin username and password and nothing happens.  When I look at the logs in ISA, there are no denied connections.

Any idea what could be happening here?

Thanks,

Charlie
Post #: 1
RE: Can't Login For Certificate... - 14.Dec.2007 12:43:13 PM
Rumple

 

Posts: 30
Joined: 5.Dec.2004
Status: offline
It appears as if you are running an enterprise certificate host on a server sitting in the DMZ. Why have you not put the Enterprise certificate server on a system on the internal network where it belongs (the Enterprise Cert server needs to be protected at all costs)?

The authentication should be going against Active Directory, and you probably should not be allowing the DMZ server to have that many ports open between the DMZ and the internal network (or you might as well take it out of the DMZ).

(in reply to charlieit)
Post #: 2
RE: Can't Login For Certificate... - 14.Dec.2007 2:08:33 PM
charlieit

 

Posts: 108
Joined: 19.Aug.2004
From: US
Status: offline
You are completely correct: I made a very big security mistake putting the CA on the FE in the Authenticated DMZ (ironically, I had just caught this a few minutes before the notification popped up that you responded to my question). I am changing that as we speak.

However, it sounds like you are thinking of "DMZ" in the OLD sense of the word. In the old days, DMZs were where you quarantined public servers from your internal network. Preferably you had no communications between the DMZs and your network.

However, many of us have web-based applications that communicate with database servers on the LAN which need to be secure. The best example of this is Exchange Front-End/Back-End servers. Fortunately, ISA 2004 and especially ISA 2006 handle this very nicely. We can now have "Authenticated DMZs" which only allow authenticated users to securely communicate with back-end systems. For the anonymous users, you can create a secure "Anonymous DMZ" which does not have access to your back-end network.

If you are interested, read the following ISA 2004 article which explains the whole concept:

http://www.isaserver.org/tutorials/Creating-Multiple-Security-Perimeters-Multihomed-ISA-Firewall-Part1.html

ISA 2006 has a few cool new features that expand on this concept as well.


(in reply to Rumple)
Post #: 3
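The multi-perimeter design discussed in this thread, as an added example that is not part of the original posts or of ISA Server itself: a small Python model that uses the poster's address ranges, encodes the Authenticated DMZ / Anonymous DMZ rules as an assumed rule table, and audits host roles for Rumple's point that the enterprise CA belongs on the internal network. The rule table, the role names and the host list are assumptions made for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Perimeters from the thread, written as CIDR prefixes (masks taken from the post).
PERIMETERS = {
    "LAN": ipaddress.ip_network("192.0.2.0/24"),
    "WAN": ipaddress.ip_network("10.20.0.0/16"),
    "AUTH_DMZ": ipaddress.ip_network("192.0.3.0/24"),
    "ANON_DMZ": ipaddress.ip_network("172.16.0.0/16"),
}

# Assumed access rules: (source perimeter, destination perimeter, requires
# an authenticated user). Anything not listed is denied, so the Anonymous
# DMZ never reaches the LAN no matter who the user is.
RULES: List[Tuple[str, str, bool]] = [
    ("LAN", "AUTH_DMZ", False),
    ("LAN", "ANON_DMZ", False),
    ("AUTH_DMZ", "LAN", True),   # front-end -> back-end only for authenticated users
    ("WAN", "AUTH_DMZ", True),   # published front-end, firewall pre-authenticates
    ("WAN", "ANON_DMZ", False),  # anonymous public services
]

# Roles that should only ever live on the internal network (assumed names).
INTERNAL_ONLY_ROLES = {"enterprise_ca", "exchange_backend"}

def perimeter_of(ip: str) -> Optional[str]:
    """Return the perimeter name containing ip, or None if it is unknown."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in PERIMETERS.items() if addr in net), None)

def allowed(src_ip: str, dst_ip: str, authenticated: bool) -> bool:
    """Evaluate a cross-perimeter connection against RULES (default deny)."""
    src, dst = perimeter_of(src_ip), perimeter_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True  # traffic inside one perimeter is not firewalled here
    for rule_src, rule_dst, needs_auth in RULES:
        if (rule_src, rule_dst) == (src, dst):
            return authenticated or not needs_auth
    return False

def misplaced_roles(hosts: Dict[str, List[str]]) -> List[Tuple[str, str, Optional[str]]]:
    """Flag internal-only roles that sit outside the LAN, e.g. a CA on the FE."""
    return [(ip, role, perimeter_of(ip)) for ip, roles in hosts.items()
            for role in roles
            if role in INTERNAL_ONLY_ROLES and perimeter_of(ip) != "LAN"]

# Constructed host inventory matching the original (mistaken) setup in post #1.
HOSTS = {"192.0.3.2": ["exchange_frontend", "enterprise_ca"],
         "192.0.2.12": ["exchange_backend"]}
```

Running misplaced_roles(HOSTS) returns the CA on 192.0.3.2 in AUTH_DMZ as the one finding, and allowed() shows that the Anonymous DMZ is denied to the LAN even for an authenticated user.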
