TSWeb Gateway Certificate invalid (Full Version)






FirewallBlues -> TSWeb Gateway Certificate invalid (5.Jun.2008 11:49:08 AM)

I've got the firewall blues! Here's my scenario:
 
  • ISA2006 with self-signed wildcard SSL cert on one listener with SSO enabled
  • 1 publishing rule for OWA using SSL cert 'webmail.domain.com' (works fine)
  • 1 publishing rule for TSweb using SSL cert 'tsweb.domain.com' (problem)

 
Single-Sign on works fine. I can log in to both sites with no problem.
 
Once logged into TSweb from the Internet, clients try to use Remote Desktop, but get the following error:
 
This computer can't connect to the remote computer because the certificate authority that generated the Terminal Services Gateway server's certificate is not valid. Contact your network administrator for assistance. 
 
Internally, TSweb / RDP works fine. This error only occurs from the Internet.

I'd really like to get this working with if this is possible. Any help would be appreciated.




tshinder -> RE: TSWeb Gateway Certificate invalid (12.Jun.2008 10:33:05 AM)

Is the CA certificate that issued the certificate to the ISA Firewall's TSweb listener installed on the client machines?

Tom




FirewallBlues -> RE: TSWeb Gateway Certificate invalid (12.Jun.2008 1:56:36 PM)

Yes, the certs are trusted by the client PC. I'm using HTTPS to HTTPS bridging with a wildcard cert (*.mydomain.com) on the listener.

Initially, I tried using one cert (tsweb.mydomain.com) installed on both the ISA server and the TSweb server in the publishing rule.

I was able to login to tsweb, but couldn't use remote desktop because there was a "Terminal Services Gateway server's certificate is not valid" error (probably because the cert I used was using the public FQDN: tsweb.mydomain.com, not the server's internal FQDN: tsserver.mydomain.local)

Next, I decided to issue a new cert on the tsweb server: tsserver.mydomain.local and exported it to the ISA server and imported it into the personal certificates store. So now, I have a public wildcard cert on the listener, a tsweb.mydomain.com cert in the publishing rule, AND an internal cert between the ISA server and the TS server.

After logging in through ISA the TSWEb site is no longer available. I get "500 Internal Server error. The certificate chain was issued by an authority that is not trusted." 

Is this error from the client, ISA, or TS server? All three have all of the certificates imported into the trusted authorities store and local personal stores where applicable. 

This SSL stuff is confusing! Should I go back to using one certificate or am I one step closer to making this work?




FirewallBlues -> RE: TSWeb Gateway Certificate invalid (12.Jun.2008 2:51:50 PM)

....continued...

Ok, I fixed the certificate chain error by installing the tsweb server's cert in the trusted CAs store on the ISA server. So, now I can log into TSweb again.

When attempting to use Remote Desktop from TSweb, I get two login prompts. After the second login the following error occurs:

"The Terminal Services Gateway server address requested and the certificate subject name do not match."




tshinder -> RE: TSWeb Gateway Certificate invalid (12.Jun.2008 9:07:15 PM)

I suggest using the same certificate from end to end.

tsg.domain.com on the ISA firewall's cert common name

tsg.domain.com on the TSG cert common name

On the TO tab of the publishing rule, use tsg.domain.com as the name of the server

Make sure that name resolves to the IP address used by the TSG machine.

HTH,
Tom




FirewallBlues -> RE: TSWeb Gateway Certificate invalid (16.Jun.2008 10:25:32 AM)

I am now using the same certificate from end to end... with the exception of a wildcard certificate.
I can log into TSweb, the certificate is trusted by the client computer, but when I try to use Remote Desktop, I get the same error I had before:
"The computer can't connect to the remote computer because the Terminal Services Gateway server address requested and the certificate subject name do not match."

Is this error because I'm using a wildcard certificate?

The ISA server resolves the tsg.domain.com domain to the internal IP address of the Gateway server.

The TSweb rule is configured as follows:
To: tsg.domain.com
Computer Name or IP address (blank)
Requests appear to come from ISA server

Public name: tsg.domain.com

There must be a way to get this to work with a wildcard cert!




tshinder -> RE: TSWeb Gateway Certificate invalid (16.Jun.2008 10:28:39 AM)

You bring up a good question. Not all services or clients accept wildcard certs. Maybe this is a problem with the TSG 6+ client?

Tom
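The two errors in this thread ("certificate subject name do not match" and the wildcard question above) come down to how a client compares the name it requested against the names in the certificate it received, on each TLS hop of an HTTPS-to-HTTPS bridge. The following is an added illustration, not code from the thread or from ISA/TS Gateway: it implements the usual wildcard rules (a `*` only as the whole leftmost label, covering exactly one label) and models the two hops of a bridged publishing rule, using constructed sample certificate names taken from the thread (`*.mydomain.com`, `tsweb.mydomain.com`, `tsserver.mydomain.local`, `tsg.domain.com`). The `CertNames` class and the functions are assumptions of this example, not a real API.

```python
"""Certificate name matching across a bridged (ISA listener -> TS Gateway) path.

Added illustration; not code from the thread. All certificate names are
constructed samples modelled on the thread. Wildcard handling follows the
common RFC 6125 reading: '*' must be the entire leftmost label, matches
exactly one non-empty label, and needs at least two fixed labels after it.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CertNames:
    """Names a client compares against the requested host: the subject CN
    plus any dNSName entries from subjectAltName (SAN). Hypothetical type."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Accept only a whole-label leftmost wildcard with at least two fixed
    # labels, so '*.com', 'tsg*.domain.com' and 'a.*.com' are all rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # The wildcard stands in for exactly one non-empty label: it covers
    # tsweb.mydomain.com but neither mydomain.com nor a.b.mydomain.com.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: CertNames, hostname: str) -> bool:
    """SAN dNSName entries take precedence; the CN is consulted only when the
    certificate carries no SAN entries, which is how modern clients behave."""
    candidates = cert.san_dns if cert.san_dns else [cert.common_name]
    return any(name_matches(name, hostname) for name in candidates)


def check_bridged_path(listener_cert: CertNames, backend_cert: CertNames,
                       public_name: str, to_name: str) -> Dict[str, bool]:
    """Model the two TLS hops of HTTPS-to-HTTPS bridging.

    Hop 1: the client connects to public_name and validates the listener cert.
    Hop 2: the firewall connects to the rule's 'To' name and validates the
    backend cert. Both must match, which is why the advice above is to use
    the same name (tsg.domain.com) on both certificates and on the 'To' tab.
    """
    return {
        "client_to_listener": cert_matches_host(listener_cert, public_name),
        "listener_to_backend": cert_matches_host(backend_cert, to_name),
    }


if __name__ == "__main__":
    # Constructed sample certificates modelled on the thread.
    wildcard = CertNames("*.mydomain.com")
    # Early attempt: wildcard cert on both hops, but the backend is addressed
    # by its internal FQDN, which the public wildcard cannot cover.
    print(check_bridged_path(wildcard, wildcard,
                             "tsweb.mydomain.com", "tsserver.mydomain.local"))
    # Suggested fix: one name end to end.
    tsg = CertNames("tsg.domain.com")
    print(check_bridged_path(tsg, tsg, "tsg.domain.com", "tsg.domain.com"))
```

Whether a given client honours wildcards at all is a separate question from whether the names line up; this code only shows the matching rules, so a `True` here does not guarantee that the RDP/TSG client of the day accepts a wildcard certificate.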




FirewallBlues -> RE: TSWeb Gateway Certificate invalid (16.Jun.2008 2:19:19 PM)

I'd really like to get this to work with a wild card certificate.

For testing purposes, I am trying to use RD (Remote Desktop) without the wild card cert. I don't get any errors, but now when I try to use RD, I get endlessly repeated login prompts:

These credentials will be used to connect to the following computers:
1. tsg.domain.com
2. myPC.domain.local

No matter how many times I enter my credentials (domain\username and password), the login prompt pops up again every time.

I know my credentials are good and I know RD works through the ISA server, because I can RD to the TSG server directly. I can't allow users to logon to the TSG server. I need to get RD working through TSweb somehow.

This is really frustrating!




tshinder -> RE: TSWeb Gateway Certificate invalid (17.Jun.2008 7:23:56 AM)

Hi FB,

Just a thought. Are you requiring authentication at the ISA Firewall for the TSG clients? If so, that won't work.

HTH,
Tom




FirewallBlues -> RE: TSWeb Gateway Certificate invalid (17.Jun.2008 12:53:24 PM)

I am using SSO on the ISA listener with Forms based authentication. Once authenticated, users can hit the OWA server or TSWeb server. When attempting to use the Remote Desktop from TSWeb, users are prompted with a Windows login box.

On the TSG server, I have Use HTTPS-HTTP bridging turned on. Should I turn it off?

Should I turn off SSO on the ISA server?




tshinder -> RE: TSWeb Gateway Certificate invalid (18.Jun.2008 12:05:56 PM)

You should be using SSL to SSL bridging, as I don't think the TSG will support SSL offload.

Also, make sure that the Web Publishing Rule that the RDP/SSL client is using does not require authentication at the ISA Firewall.

Also, that rule should be created using the Exchange Rule Wizard, using the RPC/HTTP option.

HTH,
Tom




FirewallBlues -> RE: TSWeb Gateway Certificate invalid (19.Jun.2008 6:13:28 PM)

Thank you for all your help Tom,

I added the Exchange publishing rule for the TSweb gateway RPC site and am passing authentication on to the gateway server. (I am no longer logging into ISA to get to the TSweb site).

I still had the same problem where I am repeatedly asked for credentials when trying to use Remote Desktop from TSweb.

On the RPC site, I had require SSL with Basic authentication.

I enabled Windows authentication also, and was finally able to connect!

It's too bad that credentials can't be passed by ISA (or can they?) using ISA forms authentication / SSO.

Microsoft's documentation seems to be insufficient. Do you have a step-by-step article on this topic? If not, I will post the configuration next week if I can figure it out. Perhaps, I could turn Forms Auth / SSO back on to allow users to login to both TSweb and OWA, then add another rule to redirect 3389 traffic to another IP address / Listener which will pass the authentication directly to the Gateway server.






tshinder -> RE: TSWeb Gateway Certificate invalid (23.Jun.2008 8:37:36 AM)

Hi FB,

Check out next month's TechNet magazine. Yuri Diogenes and I did an article on how to do this correctly :)

Thanks!
Tom



