I just read your "Publishing multiple web sites using a wildcard certificate" which is very good. I didn't understand why you needed a hosts entry. Why not just use an alias in the DNS server?
Anyhow, my problem is with the listener. I assume you cannot have more than one listener per port on a single external IP address. Also, OWA forms is a mutually exclusive type of authentication. Therefore, is it possible to publish a secure web site AND OWA with forms on the same site with only one external IP address?
I tested this and you're correct that a single listener can listen on the same port and IP address. So if you select forms-based auth, all published sites on that listener will generate the logon form. However, the logon form will allow you to access the second site after you log on. And if the second site does not require authentication, you won't even see the form.
Thanks for your help Tom, Now, let me (as you say) "drill down" on this a little. I don't intend to do this, but to illustrate the concept:
I have a wildcard certificate, *.Tom.net. I create a listener called Listen443 that listens on 443 and has Outlook Forms checked as the authentication type. On my Exchange server I publish OWA and a web site that I want secure HTTPS access to. My web site is wwwssl.tom.net, and I use both mail.tom.net and owa.tom.net to get to Outlook. I have published the web site and the Outlook site in two publishing rules, each with the correct public names for their respective sites. If a user attempts to access Outlook using either public name (mail or owa) he will get the form, and because of the public name he will be authenticated by the cert and forwarded to OWA for Exchange. If the user tries to access wwwssl.tom.net he will get the form, but when he authenticates he will be connected to the wwwssl web site.
Now, I also have a web site, www.tom.net, that I want to give everyone public access to. I assume I have to define another listener, because even if I select port 80 on ListenSSL the only authentication allowed is Outlook Forms. So I define another listener, Listen80, which would listen on port 80 and use integrated authentication. This listener would be used in a third publishing rule to allow access to the public web site.
Now, is all this correct? And could you clarify "And if the second site does not require authentication, you won't even see the form."? Because if you try to use ListenSSL for everything including Port 80, what type of authentication would be implied for plain old HTTP requests when only Outlook Forms was selected in the listener?
Correct. But in addition there is a secure web site, wwwssl.tom.net, that is also published through Listen443. Will he authenticate with the OWA form but actually go to the web site?
Also, I would still like you to clarify your earlier statement "And if the second site does not require authentication, you won't even see the form."? It looks to me like you are saying you could use one listener for everything. But if you try to use Listen443 for everything including Port 80, what type of authentication would be implied for plain old HTTP requests when only Outlook Forms was selected in the listener?
Thanks Tom. OK, that of course fits in with the hypothetical case I outlined. I was confused because in your original reply back on the 18th you didn't mention using two listeners. I jumped to the conclusion you were doing all this with one listener, and I couldn't understand what authentication would apply to port 80. Actually, using two listeners makes it a little more organized and less complicated.
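A simplified model of the two-listener setup discussed in this thread, added here as an example and not taken from the thread or from ISA Server itself. It assumes the hypothetical names from the thread (Listen443, Listen80, *.tom.net, the three public names) and checks the wildcard certificate against each public name using the usual left-most-label rule (RFC 6125 style), so a name the certificate does not cover is flagged before routing.

```python
from dataclasses import dataclass
from typing import Optional

def wildcard_matches(pattern: str, host: str) -> bool:
    """Hostname match with a single '*' covering only the left-most label.
    '*.tom.net' covers mail.tom.net but not tom.net or a.b.tom.net."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    # wildcard must be the whole left-most label and leave two real labels
    if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
        return False
    return len(p) == len(h) and p[1:] == h[1:]

@dataclass(frozen=True)
class Listener:
    name: str
    port: int
    auth: str                   # "forms", "integrated" or "none"
    cert: Optional[str] = None  # certificate subject, e.g. "*.tom.net"

@dataclass(frozen=True)
class Rule:
    name: str
    listener: Listener
    public_names: tuple
    requires_auth: bool

# Hypothetical setup from the thread (constructed): one listener per port.
LISTEN443 = Listener("Listen443", 443, "forms", cert="*.tom.net")
LISTEN80 = Listener("Listen80", 80, "integrated")
RULES = (
    Rule("OWA", LISTEN443, ("mail.tom.net", "owa.tom.net"), True),
    Rule("wwwssl", LISTEN443, ("wwwssl.tom.net",), True),
    Rule("www", LISTEN80, ("www.tom.net",), False),
)

def route(host: str, port: int, rules=RULES) -> dict:
    """Pick the rule by port (listener) and public name; decide if a form is shown."""
    for rule in rules:
        if rule.listener.port != port or host.lower() not in rule.public_names:
            continue
        lst = rule.listener
        if lst.cert and not wildcard_matches(lst.cert, host):
            return {"rule": rule.name, "listener": lst.name, "prompt": "cert-mismatch"}
        if not rule.requires_auth:
            prompt = "none"    # anonymous rule: no form even on a forms listener
        elif lst.auth == "forms":
            prompt = "form"    # every authenticated rule on Listen443 gets the form
        else:
            prompt = lst.auth
        return {"rule": rule.name, "listener": lst.name, "prompt": prompt}
    return {"rule": None, "listener": None, "prompt": "no-matching-rule"}
```

Changing the www rule to `requires_auth=True` shows the other half of the thread: the prompt then becomes whatever the port-80 listener's authentication type is, never the OWA form.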