MIA -> SSL bridging and tunnelling (17.Apr.2008 10:34:02 AM)
Hi all,

We have a DMZ with an external-facing ISA (ISA 2000 / W2k3), a webserver (IIS6 / W2k3) and an internal ISA (ISA 2000 / W2k3). The webserver hosts a site that uses SSL, and a server publishing rule for SSL tunnelling was created as well as a web publishing rule. The server publishing rule maps any https request from the external ISA IP address to the webserver's internal IP address. We are using a VeriSign certificate registered against the web site address (www.domain.com).

We have since added another webserver for testing and created a web publishing rule. We now want the test site/server to use SSL; essentially it is a clone of our live webserver. We have created a self-signed SSL certificate using the name registered in DNS (test.domain.com). Both sites have a default.aspx page at the top level that redirects to an https URL.

I have done the following to enable this:

1) Exported the certificates from the two webservers into the external ISA.
2) Checked that the two web publishing rules have bridging set as http requests redirected as http and SSL redirected as SSL on default ports.
3) Edited the action in the two web publishing rules to forward to the DNS hostname (i.e. test.domain.com and www.domain.com) instead of the internal IP addresses.
4) Added these entries into the hosts file on the external ISA.
5) Disabled the server publishing rule.

This is as per http://www.microsoft.com/technet/archive/isa/2000/isafp1/sslbat.mspx?mfr=true

The problem we are having is that as soon as I disable the server publishing rule, I cannot resolve to the sites; a "host not found" / DNS error is displayed in the browser. Once I re-enable the rule, all is well. I've tried pinging the two entries from the ISA and they are resolving correctly, so it looks like the name resolution is working there (because of the hosts file entries), but not at the client level.

Where am I going wrong?

Many thanks
Rob
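A client-side check for a setup like the one described in the post above, added here as an example and not part of the original post or of any ISA documentation: it walks the path a browser takes to a published HTTPS site and reports the first stage that fails, separating name resolution on the client (where a hosts-file entry on the firewall cannot help) from the TCP connect to the listener and from the TLS handshake and certificate name match. The hostnames www.domain.com and test.domain.com come from the post; the listener address 203.0.113.10, the port and the fake resolver/handshake callables used for offline runs are assumptions.

```python
# Added example, not from the original post or from ISA Server: a client-side
# diagnostic for an HTTPS web publishing setup. It reports the first stage that
# fails: "dns" (client cannot resolve the published name, or resolves it to the
# wrong address), "tcp" (listener unreachable), "tls" (handshake or certificate
# rejected) or "ok". Hostnames, listener address and port are assumptions.
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Diagnosis:
    hostname: str
    stage: str            # "dns", "tcp", "tls" or "ok": first stage that failed
    detail: str
    address: Optional[str] = None


def default_resolver(hostname: str) -> str:
    """Resolve the way a browser on the client would: with the client's own resolver."""
    return socket.gethostbyname(hostname)


def default_handshake(hostname: str, address: str, port: int, timeout: float) -> dict:
    """Connect to the resolved address and complete a verified TLS handshake.

    server_hostname is the published name, so a certificate issued to a different
    name, or a self-signed one the client does not trust, is rejected here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def diagnose_https(hostname: str, port: int = 443,
                   expected_address: Optional[str] = None,
                   resolver: Callable[[str], str] = default_resolver,
                   handshake: Callable[[str, str, int, float], dict] = default_handshake,
                   timeout: float = 5.0) -> Diagnosis:
    """Walk the client's path to the published site and stop at the first failure."""
    # Stage 1: the client's DNS. The published name must resolve, on the client,
    # to the listener's public address; hosts-file entries on the firewall only
    # affect what the firewall itself resolves.
    try:
        address = resolver(hostname)
    except socket.gaierror as exc:
        return Diagnosis(hostname, "dns", f"client cannot resolve the name: {exc}")
    if expected_address and address != expected_address:
        return Diagnosis(hostname, "dns",
                         f"resolves to {address}, not the listener at {expected_address}",
                         address)
    # Stages 2 and 3: connect, then handshake. SSLCertVerificationError subclasses
    # SSLError, which subclasses OSError, so the most specific clause comes first.
    try:
        cert = handshake(hostname, address, port, timeout)
    except ssl.SSLCertVerificationError as exc:
        return Diagnosis(hostname, "tls",
                         f"reached {address} but the certificate was rejected: {exc}", address)
    except ssl.SSLError as exc:
        return Diagnosis(hostname, "tls",
                         f"reached {address} but the handshake failed: {exc}", address)
    except OSError as exc:
        return Diagnosis(hostname, "tcp",
                         f"resolved to {address} but could not connect: {exc}", address)
    # getpeercert() returns the subject as a tuple of RDNs, each a tuple of (key, value) pairs.
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    return Diagnosis(hostname, "ok",
                     f"verified certificate for {subject.get('commonName', '?')}", address)


if __name__ == "__main__":
    # Names from the post; the listener address is an assumption.
    for name in ("www.domain.com", "test.domain.com"):
        print(diagnose_https(name, expected_address="203.0.113.10"))
```

Run it from a client machine, not from the ISA itself, since the point is to see the client's own resolution and path. A "dns" result with no address means the public name does not resolve on the client at all; a "tls" result for the test site is expected while it uses a self-signed certificate the client has not been told to trust.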