I hope that taking the time to post on a 2-year-old stale forum post is worthwhile. If it saves some shmuck the 8 hours of hell I just went through, great.
Tom's tutorial is incorrect! The cert request procedure for localhost DOES NOT produce a PFX type cert. .CER, .P7B etc. are produced, but the cert is not visible / seen by ISA when attaching to the listener. You see it in the store all right, but you surely do not in the listener properties config.
I was finally able to create the localhost cert via another computer's IIS, and generating a cert req. The IIS was independent, and was stand alone. The key element is to get a PFX cert, with exportable key.
LOCALHOST Certificate listener computer store PFX not P7B not CER ISA FBA
plysaker: Thanks for posting this - I've been pulling my hair out too. All was working for ages, but after a disk failure on the firewall, I restored from backup, and everything worked fine except the mobile phones now no longer authenticated properly, even though they did before. So ActiveSync was, and still is, screwed. Turns out the "localhost" certificate has become "detached" from the listener. However, when trying to reattach it, it doesn't show up in the list of certificates, despite it appearing fine in the local machine's certificate store, via the MMC's certificate console.
I'll try your suggestion, and post back my experience.
The ISA2004 firewall's been doing a fine job for what we need it for, so I don't see the point of moving to ISA2006 for the sake of it, so would prefer to fix this one problem.
Seems odd that it would recognize it before, but not now after a backup restoration. Anyways, seems like the way to go is to create another LocalHost certificate, but I'm not sure about this:
Both the external and localhost listener certificates were originally created using a CA installed on my SBS2003 server. The CA services have since been de-installed, and when I go now to reinstall them, the installation wizard tells me that the server "mailserver" (my SBS server's name and the name I used when first installing the CA service to create the initial certificates) has an existing private key, and "do I want to overwrite it with a new one?". If I say yes to this, does it make the existing external certificate invalid and unusable? If so, this would cause me to have to update all the phones that use ActiveSync (that's broken now anyway), and the external web clients with new certificates, so that's not the preferred path.
ISA2004 is on a separate Win2000sp4 Advanced Server box (joined to the domain), and Exchange is on a SBS2003sp2 box.
So how do you suggest I proceed to create a new localhost certificate?
BTW, I do have a copy of ISA2006 sitting here, so there is the option of upgrading if you advise it strongly enough. Is the process of an in-place upgrade a smooth one? i.e. will it keep all my existing rules, or will I have to set it all up again?
I have just implemented it (Exchange 2003 + ISA 2004), and now when I browse to my OWA site from the internet, I get a user/pwd prompt before the Authentication Form is displayed (looks like a Basic Auth prompt). Therefore I have to type in username and password twice... reading the article and this related mail thread did not give any indication this is expected, so there must be something different in my ISA / Exchange config. Any ideas? I already removed "Integrated Authentication" from the related Exchange folders (I wonder if I know them all)
Also, I had not used OMA before, and right now I've just tried it with my IE browser, it prompts me for username/password, but it won't accept my credentials... after 3 or so failed attempts, I get a not authorized "HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration. Internet Information Services (IIS)". I am still checking things out... Any suggestions?
Never mind about the first question (having to enter user/pwd twice, first in an IE prompt box and secondly inside the actual form), I figured it out... The organization does not want every single user to have access to OWA, so instead of configuring it on a per-user basis inside AD, I created a security group with the people who should have access to OWA and used it with the original Mail Publishing rule that I had. Now that there are three, the first rule (external to localhost) should have "All Users", since it is the one using a listener with Basic Authentication.
Should have paid more attention before posting.
(About the OMA error message, I had enabled "Require SSL" on the OMA IIS folder, and found out it cannot be set that way.)