Hi all - ISA 2006 std in a 3-leg scenario...I can see that there has been a fair bit of discussion about this but not quite sure if I understand it fully, I want to publish Active Sync, OWA, TS Gateway and a few secure directories on the webserver which sits in the DMZ the other boxes TS, E2K7 etc reside internally + I am using a wildcard certificate.
Some people have said to add a virtual IP so how do you do this so I can use multiple instances of port 443 pointing to an dmz/internal IP - would welcome any pointers :)
I have to say I'm not sure why you would want multiple IP addresses in this scenario, but to cover that topic first: You can add as many IP addresses as you like to your NIC by going to Network Connections, and selecting the properties of the card that you want multiple bindings for. Then go to TCP/IP properties, and select Advanced. On the IP Settings tab, you can add further addresses.
So, that is how you would do it. The next question is why would you want to do it?
HTTPS effectively only supports one certificate per IP address. This gives the client authentication of the server. The client requests an HTTPS connection for server.domain and is returned a certificate which it can use to match to server.domain, so that it can be sure that it has come to the correct server.
However, you have a wildcard certificate, so the client requests server.domain and gets a certificate back for *.domain. This is acceptable and will not raise a warning to the client. That means that you could have HTTPS connections for owa.domain, activesync.domain and any others within the .domain domain covered by this certificate. You can then publish the different servers based on this FQDN information.
This means that you can publish all these sites on the same IP address. You do not need multiple addresses.
Hi RuiFiske - many thanks for the reply...you are correct - I was under the assumption that if I had multiple servers and I wanted to pass https I would need more than one IP - I was very wrong (live and learn they say) - you are exactly right, I purchased a wildcard certificate and it all works a treat although using a wildcard may pose some security concerns.
JJ - I had that exact problem with a WM5 device and a wildcard!
Pleased to help.
Jason is correct, of course. Not all environments support wildcard certificates. ISA Server 2004 itself did not support them when it first came out. If you're going to be using a wildcard certificate, then you need to ensure that it will be fully supported by all clients.