SSL working but unusably slow!






djc -> SSL working but unusably slow! (10.Jun.2002 1:46:00 PM)

I will be implementing SSL to secure OWA soon and set up a test on another system. This test system is NOT OWA but just a regular web page. I just wanted to test the SSL setup as I have not done it before. The test setup is SSL from outside client to ISA, then the request is redirected as HTTP to the internal server. It hangs for a few minutes before popping up the expected message about the certificate not coming from a trusted party (I used Windows CA), then when I hit 'OK' to continue it hangs another few minutes before finally loading the page! It does finally succeed though. Any ideas on what could be causing this?

Other info:
The test environment does not have public DNS. The publishing is done by IP. The site is accessed by IP. I named the certificate https://IP-Address.

What could be wrong?




tshinder -> RE: SSL working but unusably slow! (11.Jun.2002 6:50:00 AM)

Hi Djc,

Could be a name resolution issue. Make sure the DNS settings on the ISA Server are correct, and also try using a FQDN and *not* an IP address in a publishing rule.

HTH,
Tom




djc -> RE: SSL working but unusably slow! (11.Jun.2002 2:43:00 PM)

Unfortunately I don't have a public FQDN for this machine. It's just a test lab at home. I do stuff there before I try it in a production environment.

Since it did work and was just slow I will go ahead and set it up on my real server so I can use a FQDN in the web publishing rule. (I can always undo it if it's no good.)

Thanks Tom.




deyster -> RE: SSL working but unusably slow! (11.Jun.2002 3:14:00 PM)

What you need to do is install the root certificate from the Windows CA to your computer. This will speed up access to your website. I have an article somewhere on it. I will dig it up and post the information for you. We had to do this also for our websites that we publish.

Dan




deyster -> RE: SSL working but unusably slow! (11.Jun.2002 3:22:00 PM)

Ok, here is what you need to do:

Open up a blank MMC and add the certificates snap-in (do not add the certificate authority snap-in). Select computer account (click the next button) and then select local computer. Expand the tree for the certificates and open the trusted root certificates folder. Open the certificates folder and find the name of your root CA, right click and select all tasks -> export. Follow the wizard to export the root certificate. I did the default settings through the wizard. Now, copy the file you just created and install it locally on your computer or whichever one is trying to access the site. This should speed up the SSL process. If not, let me know. Also, I have a webpage that our users go to that allows them to install the root certificate before entering the sites that have SSL. If you want a copy of the code that allows you to install the root certificate off a webpage, let me know and I will post it here.

HTH,

Dan
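
The export-and-install procedure from the post above, scripted as an added example that is not part of the original thread. It assumes a Windows version with the PKI module cmdlets (`Export-Certificate`, `Import-Certificate`); the CA subject, file path and function names are hypothetical placeholders. It adds a thumbprint check before the import, because anything placed in the Trusted Root store becomes a trust anchor for that machine.

```powershell
# Added example. CA subject, file path and function names are placeholders.
# Assumes the PKI module cmdlets (Export-Certificate / Import-Certificate).

function Export-LabRootCa {
    param([string]$Subject, [string]$OutFile)
    # Run on a machine that already holds the root CA certificate (e.g. the CA server).
    $root = @(Get-ChildItem Cert:\LocalMachine\Root |
              Where-Object { $_.Subject -eq $Subject })
    if ($root.Count -ne 1) {
        throw "Expected exactly one root matching '$Subject', found $($root.Count)"
    }
    # -Type CERT writes only the public certificate; no private key is exported.
    Export-Certificate -Cert $root[0] -FilePath $OutFile -Type CERT | Out-Null
    return $root[0].Thumbprint   # pass this to the client admin out of band
}

function Import-VerifiedRootCa {
    param([string]$File, [string]$ExpectedThumbprint)
    # Run elevated on the client that shows the untrusted-certificate prompt.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $File
    $want = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $want) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint); refusing to trust it"
    }
    # A root is self-signed and marked as a CA; reject anything else for this store.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if ($cert.Subject -ne $cert.Issuer -or -not $bc -or -not $bc.CertificateAuthority) {
        throw "Certificate is not a self-signed CA certificate"
    }
    Import-Certificate -FilePath $File -CertStoreLocation Cert:\LocalMachine\Root
}

# Usage (placeholder values):
# $tp = Export-LabRootCa -Subject 'CN=Example Lab Root CA' -OutFile 'C:\Temp\lab-root-ca.cer'
# Import-VerifiedRootCa -File 'C:\Temp\lab-root-ca.cer' -ExpectedThumbprint $tp
```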




tshinder -> RE: SSL working but unusably slow! (11.Jun.2002 5:18:00 PM)

Hey guys,

Maybe Q295070 will help.

HTH,
Tom




djc -> RE: SSL working but unusably slow! (11.Jun.2002 5:42:00 PM)

deyster,

YOU JUST MADE MY DAY!

That did the trick. It's working nice and speedy in my test environment. I would like to see that code to enable users to download the certificate from a web page.

Now my test environment was a regular web site just to test the SSL. My production setup will be using SSL to publish OWA. Any pitfalls you know of? I have OWA published without SSL now and it works fine.

TOM: should I name my certificate http://FQDN/exchange ? And, do I need only that one certificate or will I need one for each published path?

Thank you both very much.




deyster -> RE: SSL working but unusably slow! (11.Jun.2002 5:44:00 PM)

DJC,

Glad to hear everything works now.

Dan

[ June 11, 2002, 05:45 PM: Message edited by: deyster ]




deyster -> RE: SSL working but unusably slow! (11.Jun.2002 5:54:00 PM)

DJC,

You only need the one root certificate from the root CA. Also, you need one certificate per website. However, if you make another root CA, you will need the root certificate from that installed on the PC that is trying to view a website that has a certificate issued from that CA. Make sense?

HTH,
Dan




tshinder -> RE: SSL working but unusably slow! (14.Jun.2002 7:02:00 AM)

Hi David,

The certificate must have for the name something like "www.domain.com" or "webmail.domain.com"

Whatever the FQDN is that the users use.

HTH,
Tom



