I am having a bit of trouble getting a Linux/Apache SSL web server published behind our ISA firewall when I use a Web Publishing rule. I can get it to work using a Server Publishing rule, but that does not allow me to have ISA server authenticate with a user name at the ISA incoming web requests listener. I have read many of the excellent articles and posts here, and they all seem to say that to use the Incoming requests listener, you have to export the certificate from the SSL web server and import it into the ISA server. I have found lots of instructions on how to do this when the server is running IIS, but none on how to do it if the server is running Apache, or if it will even work with Linux. Has anybody tried this before? Also, the certificate that we are using on the Linux box is a self-generated one. Does that make a difference? Right now, when users connect to the server from the outside, they get the little "Security Alert" dialog saying the certificate is not from a trusted site etc., and they have to click "yes" before they can get in. What we want is to have ISA prompt for a password so they are authenticated before they reach the internal web server. Any advice would be greatly appreciated.
You will need to export the Web site certificate from the Linux box. I don't even know if that's possible, or if Linux supports that. They must, but you probably have to figure out the mind-bending commands to make it happen.
You should also consider bridging SSL as SSL, as you might run into problems depending on whether the sites embed a protocol in their responses (similar to the OWA issue).
If you bridge SSL as SSL, you'll need to put the CA that issued the Linux site's certificate in the Trusted Root Servers list in the machine store of the ISA Server.
Tom: Thanks for the reply. I was able to figure out how to export the certificate from the Linux box. Under Red Hat 9 and Apache 2.0, the certificate is stored in /etc/httpd/conf/ssl.crt/server.crt. It is just a text file that you can copy to a folder on the ISA server, and then you can run the standard import routine. I ran the import with no issues, and it shows up in the Personal/Certificates store on the ISA server. I also did the certificate properties thing, where MS says you should choose "Enable only the following purposes" and then check all the purposes. Now I have a whole new problem. When I go to set ISA server to use the cert on the Incoming Requests Listener, I am now getting the dreaded "There are no certificates configured on this server" message. I have rebooted the ISA server, but it still says it is not installed. Do you have any idea why ISA cannot see the cert? It is a self-generated cert - do you think that may make a difference?
Just thought I would post a quick note here to let anybody else who may be reading this thread know that I was able to fix my problem by generating a new certificate on a Windows 2000 server, then exporting the certificate from that server and importing it into the ISA server. The certificate generated on the Linux box could not be used because it doesn't have the key that created it associated with it (it is a separate file). When you run the export certificate utility under Windows 2000, it does more than just export the certificate - it also exports the corresponding key to go with it. You can import all the certificates you want into ISA server, but they won't be able to be "seen" by the Incoming Requests Listener unless they were exported on a Windows 2000 machine first. The properly imported keys even look different, as they have a little "key" icon at the bottom and it says "You have a private key that corresponds to this certificate." If you don't have that icon at the bottom, it won't work for ISA web publishing rules.
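Added example, not from any poster in this thread: the reason the Windows export works and the copied server.crt does not is the container format, not the operating system. A PEM .crt is the certificate only; the Windows "export with private key" wizard writes a PKCS#12 (.pfx) file that carries the certificate and its private key together, and that is what the Incoming Web Requests listener needs. The same bundle can be built on the Linux box with openssl from the Apache certificate and key files. The script below generates a throwaway self-signed pair in a temp directory so it runs offline (the /etc/httpd/conf/ssl.crt and ssl.key paths in the comments, the hostname www.example.com and the password are assumptions); point CRT and KEY at the real mod_ssl files to produce the bundle to copy to ISA. It also writes the certificate in DER form, which is the file to drop into the ISA machine's Trusted Root store if SSL-to-SSL bridging is used with a self-signed certificate, since the certificate is then its own issuer.

```shell
#!/bin/sh
# Build a PKCS#12 bundle (cert + private key) from Apache mod_ssl files so a
# Windows certificate import keeps the private key. Example code, not from
# the thread; file paths below are assumptions.
set -e

WORK=${WORK:-$(mktemp -d)}
# Red Hat 9 mod_ssl defaults (assumed): cert in ssl.crt/, key in ssl.key/.
# CRT=/etc/httpd/conf/ssl.crt/server.crt  KEY=/etc/httpd/conf/ssl.key/server.key
CRT="$WORK/server.crt"
KEY="$WORK/server.key"
PFX="$WORK/server.pfx"
CER="$WORK/server-root.cer"
PFX_PASS=${PFX_PASS:-changeit}   # assumed export password; ISA prompts for it on import
HOST=${HOST:-www.example.com}    # assumed published hostname

# Constructed stand-in for the Linux box's self-signed cert and key.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$KEY" -out "$CRT" -subj "/CN=$HOST" 2>/dev/null
}

# Does a PEM file contain a private key block? The plain .crt never does,
# which is exactly why importing it alone gives a cert with no "key" icon.
file_has_private_key() {
    grep -q 'PRIVATE KEY' "$1"
}

# Pack cert + key into one PKCS#12 container, the format the Windows
# "export with private key" wizard produces.
make_pfx() {
    openssl pkcs12 -export -in "$CRT" -inkey "$KEY" -out "$PFX" \
        -name "$HOST" -passout "pass:$PFX_PASS"
}

# Check the bundle really carries a private key (-nocerts prints only keys).
pfx_has_private_key() {
    openssl pkcs12 -in "$PFX" -nocerts -nodes -passin "pass:$PFX_PASS" 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Check the bundled key matches the certificate by comparing RSA moduli; a
# mismatch is the other common reason a listener refuses a certificate.
pfx_key_matches_cert() {
    cert_mod=$(openssl x509 -in "$CRT" -noout -modulus)
    key_mod=$(openssl pkcs12 -in "$PFX" -nocerts -nodes -passin "pass:$PFX_PASS" 2>/dev/null \
        | openssl rsa -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# DER copy of the (self-signed, hence self-issuing) certificate for the ISA
# machine's Trusted Root store when bridging SSL to SSL.
make_root_cer() {
    openssl x509 -in "$CRT" -outform DER -out "$CER"
}

make_self_signed
make_pfx
make_root_cer

if file_has_private_key "$CRT"; then
    echo "unexpected: $CRT contains a private key" >&2
    exit 1
fi
if pfx_has_private_key && pfx_key_matches_cert; then
    echo "OK: $PFX carries the private key matching $CRT; copy it to ISA and import it"
    echo "OK: $CER is the root cert to trust on ISA for SSL-to-SSL bridging"
else
    echo "FAIL: $PFX is missing the key or the key does not match the cert" >&2
    exit 1
fi
```

On the ISA side the .pfx is imported into the machine's Personal store with the same wizard the thread describes; after import the certificate should show the "You have a private key that corresponds to this certificate" line, which is the property the listener actually checks.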