RE: Discussion of using a Wildcard Certificate in ISA2004 article

RE: Discussion of using a Wildcard Certificate in ISA20... - 26.Apr.2004 3:25:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

Make sure you close and open the ISA Management console.

HTH,
Tom

(in reply to tshinder)
Post #: 21
RE: Discussion of using a Wildcard Certificate in ISA20... - 8.Jul.2004 3:08:00 AM   
jmlohren

 

Posts: 80
Joined: 7.Sep.2001
From: Spokane, WA USA
Status: offline
Ok. So maybe this is why I've been having my problems. Any suggestions are greatly appreciated.

I have a valid wildcard SSL certificate from DigiCert.
It's installed correctly on my ISA server.
So... am I to assume that if I install the wildcard certificate on my internal webservers that I will get the dreaded 500 error? I need to have specific certificates, i.e. webmail.domain.com or billing.domain.com, instead of my wildcard *.domain.com on my internal servers to get this to work correctly?

TIA!

Jason Lohrenz
IT Director
Pacific Medicaid Services

(in reply to tshinder)
Post #: 22
RE: Discussion of using a Wildcard Certificate in ISA20... - 8.Jul.2004 3:12:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jason,

That is correct! But you do not need to purchase separate certificates for that. You can create your own using the MS Certificate Server and give them the proper public names. Just make sure you install the CA certificate on the ISA 2004 firewall in the firewall's Machine certificate store in the Trusted Root Certification Authorities node.

HTH,
Tom

(in reply to tshinder)
Post #: 23
RE: Discussion of using a Wildcard Certificate in ISA20... - 8.Jul.2004 3:23:00 AM   
jmlohren

 

Posts: 80
Joined: 7.Sep.2001
From: Spokane, WA USA
Status: offline
Can I assume that this will work okay with ISA 2K as well? As that is what I have.

I just posted here as this article was the closest match to my search.

Thanks again.

Jason

(in reply to tshinder)
Post #: 24
RE: Discussion of using a Wildcard Certificate in ISA20... - 8.Jul.2004 5:54:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jason,

Yes, should work just the same with ISA 2000. Just make sure the name on the certificate bound to the Web site and the redirect on the Web publishing rule match.

HTH,
Tom

(in reply to tshinder)
Post #: 25
RE: Discussion of using a Wildcard Certificate in ISA20... - 7.Oct.2004 10:09:00 AM   
AButtigieg

 

Posts: 14
Joined: 19.Jul.2004
Status: offline
And what happens if I want to use OWA forms based authentication and not basic?

- Andrew

(in reply to tshinder)
Post #: 26
RE: Discussion of using a Wildcard Certificate in ISA20... - 27.Nov.2004 12:48:00 PM   
FrancWest

 

Posts: 70
Joined: 22.Jul.2004
Status: offline
Hello, does anyone know if there's a fix already when using ActiveSync on Win Mobile 2003 and wildcard certificates?

Franc.

(in reply to tshinder)
Post #: 27
RE: Discussion of using a Wildcard Certificate in ISA20... - 4.Dec.2004 2:18:00 AM   
radman57

 

Posts: 2
Joined: 4.Dec.2004
From: Gilbert, AZ
Status: offline
Hello! I'm new to this forum and have a question on this topic before I proceed with an attempt.
I am using (wait for it) SBS2003 (I have been warned there will be massive groaning and gnashing of teeth) and have the Premium edition installed (ISA 2000, hopefully moving to 2004 when the SP1 for SBS comes out).
I also am "hosting" several websites on the SBS server (examples: www.domain1.com, db.domain1.com, www.domain2.com, www.domain3.com, etc). Also have the standard OWA, Companyweb, Default, etc. as well.
Will this method (wildcard certs) work for this type of setup? Essentially 1/2 remote web workplace and half webserver hosting several websites with different names?

Any help is greatly appreciated!

(in reply to tshinder)
Post #: 28
RE: Discussion of using a Wildcard Certificate in ISA20... - 3.Feb.2005 5:19:00 PM   
RuiFiske

 

Posts: 96
Joined: 8.Dec.2004
From: London
Status: offline
I'm trying to set up an SSL chain using wildcard certificates, in order to have strong authentication.

Is it possible to get ISA server to accept wildcard certificates, rather than just use them?

It seems a bit strange that it will happily provide them, functioning as a server, but will not accept them (Principal Target name is incorrect) as a client. Anyone found any way round this?

(in reply to tshinder)
Post #: 29
RE: Discussion of using a Wildcard Certificate in ISA20... - 10.Mar.2005 10:22:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Why,

Just doesn't work that way. I think they chose this because of security issues.

HTH,
Tom

(in reply to tshinder)
Post #: 30
RE: Discussion of using a Wildcard Certificate in ISA20... - 10.Mar.2005 10:25:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Robert Dye:
Hello! I'm new to this forum and have a question on this topic before I proceed with an attempt.
I am using (wait for it) SBS2003 (I have been warned there will be massive groaning and gnashing of teeth) and have the Premium edition installed (ISA 2000, hopefully moving to 2004 when the SP1 for SBS comes out).
I also am "hosting" several websites on the SBS server (examples: www.domain1.com, db.domain1.com, www.domain2.com, www.domain3.com, etc). Also have the standard OWA, Companyweb, Default, etc. as well.
Will this method (wildcard certs) work for this type of setup? Essentially 1/2 remote web workplace and half webserver hosting several websites with different names?

Any help is greatly appreciated!

Hi Robert,

No groaning or gnashing, but there aren't many people knowledgeable about ISA who also can help with SBS. Any version of ISA on SBS is essentially a hacked up version made to work in an on-box config, but the product was designed as a network firewall, so you break too much of the firewall functionality to get it to work on SBS.

HTH,
Tom

(in reply to tshinder)
Post #: 31
RE: Discussion of using a Wildcard Certificate in ISA20... - 24.May.2005 9:54:00 AM
fordo

 

Posts: 41
Joined: 21.Apr.2005
Status: offline
Tom --
In this article under the Import the Wildcard Certificate section, step 13 instructs to put a checkmark in the "Mark this key as exportable..." checkbox.

However, on page 675 of your 2004 book, step 15 instructs "Do NOT mark the certificate as exportable".

When using a wildcard certificate, should the exportable be checked or unchecked?

Thanks.

(in reply to tshinder)
Post #: 32
RE: Discussion of using a Wildcard Certificate in ISA20... - 1.Jun.2005 4:04:00 PM   
fordo

 

Posts: 41
Joined: 21.Apr.2005
Status: offline
Can someone help me out here? Thanks!

In this article under the Import the Wildcard Certificate section, step 13 instructs to put a checkmark in the "Mark this key as exportable..." checkbox.

However, on page 675 of your 2004 book, step 15 instructs "Do NOT mark the certificate as exportable".

When using a wildcard certificate, should the exportable be checked or unchecked?

(in reply to tshinder)
Post #: 33
RE: Discussion of using a Wildcard Certificate in ISA20... - 17.Aug.2005 7:12:00 PM   
rneubauer

 

Posts: 9
Joined: 26.Oct.2003
Status: offline
I am a little confused... [Confused]

I have a wildcard cert from GoDaddy (Valicert). I want to use it for OWA, as well as a few other servers internally. I have already imported the cert to the ISA server, and now I need to change the cert on the OWA server to the FQDN that I am going to use. I understand that. But where do I generate that cert from? An Enterprise CA on my network? If so, do I need to import that cert to my ISA server?

Rick

(in reply to tshinder)
Post #: 34
RE: Discussion of using a Wildcard Certificate in ISA20... - 17.Aug.2005 7:13:00 PM   
rneubauer

 

Posts: 9
Joined: 26.Oct.2003
Status: offline
I am a little confused... [Confused]

I have a wildcard cert from GoDaddy (Valicert). I want to use it for OWA, as well as a few other servers internally. I have already imported the cert to the ISA server, and now I need to change the cert on the OWA server to the FQDN that I am going to use. I understand that. But where do I generate that cert from? An Enterprise CA on my network? If so, do I need to import that cert to my ISA server? How does it validate when trying to connect to it externally?

Rick

(in reply to tshinder)
Post #: 35
RE: Discussion of using a Wildcard Certificate in ISA20... - 18.Aug.2005 5:44:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Fordo:
Tom --
In this article under the Import the Wildcard Certificate section, step 13 instructs to put a checkmark in the "Mark this key as exportable..." checkbox.

However, on page 675 of your 2004 book, step 15 instructs "Do NOT mark the certificate as exportable".

When using a wildcard certificate, should the exportable be checked or unchecked?

Thanks.

Hi Fordo,

Doesn't matter from a functionality perspective, just a security perspective. The explanation is in the book.

Thanks!
Tom

(in reply to tshinder)
Post #: 36
RE: Discussion of using a Wildcard Certificate in ISA20... - 18.Aug.2005 5:46:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by rneubauer:
I am a little confused... [Confused]

I have a wildcard cert from GoDaddy (Valicert). I want to use it for OWA, as well as a few other servers internally. I have already imported the cert to the ISA server, and now I need to change the cert on the OWA server to the FQDN that I am going to use. I understand that. But where do I generate that cert from? An Enterprise CA on my network? If so, do I need to import that cert to my ISA server?

Rick

Hi Rick,

Yes, the wildcard cert is bound to the ISA firewall's Web listener. You can then create your own Web site certificate for the OWA site. Make sure the CA certificate for your CA is installed on the ISA firewall.

HTH,
Tom

(in reply to tshinder)
Post #: 37
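
The certificate requirements that come up in the replies above (a wildcard certificate on the ISA Web listener, an exact-name certificate on the published Web site that matches the rule's redirect name, and the issuing CA trusted by the ISA firewall) can be expressed as a small pre-flight check. This is an added example, not part of the thread or of any ISA tooling; the rule fields, CA names and sample rules are constructed, and the single-label wildcard rule is an assumption about standard client behaviour.

```python
# Added example: models the certificate checks discussed in this thread for an
# SSL-to-SSL bridged Web publishing rule. Field names and data are constructed.

def wildcard_covers(cert_name, host):
    """Listener side: '*' stands for exactly one left-most label (assumed
    standard browser behaviour; the thread does not spell this out)."""
    c, h = cert_name.lower().split("."), host.lower().split(".")
    if c[0] != "*":
        return c == h
    return len(c) == len(h) and c[1:] == h[1:]

def check_rule(rule, isa_trusted_roots):
    """Return the list of problems for one publishing rule (empty = OK)."""
    problems = []
    # Outside leg (browser -> ISA Web listener): a wildcard cert is fine.
    if not wildcard_covers(rule["listener_cert"], rule["public_name"]):
        problems.append("listener cert does not cover public name")
    # Inside leg (ISA -> Web site): ISA is the SSL client and needs an exact
    # match between the site cert name and the rule's redirect name.
    site = rule["site_cert"].lower()
    if site.startswith("*"):
        problems.append("wildcard site cert not accepted by ISA")
    elif site != rule["redirect_name"].lower():
        problems.append("site cert name differs from redirect name")
    # The issuing CA must be in the ISA machine store's Trusted Root node.
    if rule["site_cert_issuer"] not in isa_trusted_roots:
        problems.append("issuing CA not trusted by ISA")
    return problems

# Constructed sample data (hypothetical CA names and rules).
ISA_ROOTS = {"Commercial CA", "Internal Enterprise CA"}
RULES = [
    {"public_name": "webmail.domain.com", "listener_cert": "*.domain.com",
     "redirect_name": "webmail.domain.com", "site_cert": "webmail.domain.com",
     "site_cert_issuer": "Internal Enterprise CA"},
    {"public_name": "billing.domain.com", "listener_cert": "*.domain.com",
     "redirect_name": "billing.domain.com", "site_cert": "*.domain.com",
     "site_cert_issuer": "Commercial CA"},
    {"public_name": "int.user.mydomain.com", "listener_cert": "*.mydomain.com",
     "redirect_name": "int.user.mydomain.com", "site_cert": "int.user.mydomain.com",
     "site_cert_issuer": "Lab CA"},
]

def audit(rules=RULES, roots=ISA_ROOTS):
    return {r["public_name"]: check_rule(r, roots) for r in rules}

if __name__ == "__main__":
    for name, problems in audit().items():
        print(name, "->", problems or "OK")
```
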
RE: Discussion of using a Wildcard Certificate in ISA20... - 26.Aug.2005 5:49:00 AM   
paulmon

 

Posts: 4
Joined: 21.Aug.2003
From: UK - Manchester
Status: offline
I was wondering if someone could tell me if this would work using wildcard certificates. I have seen the MS article on how to use wildcard certificates, but the example it uses is not the best because in it the external domain name http://owa.internal.net/ is the same as the internal domain name. In my experience this is very rarely the case.

We are just in the process of establishing a hosting company that will host Exchange mailboxes and SharePoint data for our customers. Initially each customer will have a dedicated domain within the AD forest hosted.network (abctools.hosted.network).

What I would like to know is if it is possible to use a wildcard certificate for all domains within the hosted.network, bearing in mind that the URL the customer enters to get to their OWA will be https://mail.abctools.net/ or https://mail.xyzsolutions.com/

I have included a diagram to try and make things easier to understand.

Cheers
Paul


(in reply to tshinder)
Post #: 38
RE: Discussion of using a Wildcard Certificate in ISA20... - 28.Aug.2005 1:36:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Paul,

The example provided was not for a hosting environment, but for self-hosting, where using the same domain name internally and externally IS a best practice for transparency for remote access users. I *always* deploy a well designed split DNS infrastructure, since users love it and there are no adverse security issues.

However, a well-designed split DNS will work for a hosting environment too -- and I have deployed it as such. Works great and the users love it since they don't have to monkey around with application settings based on their current location.

HTH,
Tom

[ August 28, 2005, 01:37 PM: Message edited by: tshinder ]

(in reply to tshinder)
Post #: 39
RE: Discussion of using a Wildcard Certificate in ISA20... - 5.Oct.2005 11:53:00 AM   
jiml

 

Posts: 1
Joined: 5.Oct.2005
Status: offline
Tom,
Is it possible to publish virtual webs from a server utilizing host headers and a wildcard cert on the IIS and ISA box as well? I.e. wildcard cert on IIS and ISA is *.mydomain.com; the IIS server hosts two sites, user.mydomain.com and int.user.mydomain.com, via host headers; a web listener configured using *.mydomain.com; separate publishing rules, one referencing a published name for user.mydomain.com and the other referencing int.user.mydomain.com; Host file on the ISA box for the resolution of the internal URL's.

As a secondary question not directly related to the above scenario, can you create a publishing rule using a wildcard as part of the server name and public name in an SSL bridging scenario? I don't see how this would work, but the attempt is to be able to create a single rule to publish a number of different SSL sites so they would only have to have a single certificate for all the internal webs, using a host file on the ISA server to resolve the different URLs.

Jim

(in reply to tshinder)
Post #: 40
