I have your ISA 2004 book and it's been a big help. Thanks.
I am implementing ISA 2004 Enterprise on 2 servers using ISA NLB in an array. I also have 2 Exchange front-end servers in a Windows NLB array.
We are publishing 2 websites: 1 for OWA.company.com and a separate one for RPC.company.com (RPC over HTTPS).
Each ISA web publishing rule uses a different virtual IP. Each IIS website uses a different virtual IP.
We have a split-DNS configured and we're using SSL bridging too.
We have SSL certificates working from our internal CA but security wants them to be VeriSign and they want to do a wildcard certificate for *.company.com.
If I understood your article correctly, we could not use the wildcard certificate on all 4 servers? I would need to use the wildcard for the ISA rules, and a separate one for the front-ends? I thought we needed to export from IIS in order for ISA to publish the website?
Okay, and just for bonus points... can you think of any way we could (quickly) ensure that only particular systems (not users) could access the RPC site?
From: Colorado, U.S.
We have a similar issue as the previous post. We are attempting to implement ISA 2004 for our front edge firewall. We are currently using wildcard certs for all of our websites, but they are on different IPs. My question is: if we have DNS configured correctly, and the wildcard cert installed on the ISA Server, shouldn't we be able to continue to use separate external IPs for the websites?
We are using ISA 2000 on a DMZ to publish OWA and Outlook RPC over HTTPS. For this we installed an internal CA and let it issue the certificate. We imported the CA certificate on the ISA and Outlook client computers and all works well.
Now the customer has bought a wildcard certificate. We installed this certificate on the ISA and OWA still works. Outlook RPC over HTTPS however has stopped working. We uninstalled the CA certificate on the Outlook client computer thinking it might be conflicting but this didn't help.
I know EAS doesn't work with some Windows CE versions, so maybe the same with Outlook RPC? After using the normal exchange.company.com certificate (which we use for both OWA and Outlook RPC) it works again. So it must be something with that wildcard certificate.
Anyone got a working Outlook RPC over HTTPS with a Wildcard cert on ISA2000?
Is it possible to add an additional IP address to the external interface in order to publish more than one SSL site? I have tested this on ISA2000 before but because of some other inconsistencies in the ISA box itself I was unable to determine if successful.
The problem I face as I move to ISA2004 on a new server is not enough external interfaces (rack server will only hold 2 additional NICs), concerns about wildcard security and economics (Verisign only offers 1 year per FQDN and warns heavily about no 128 encryption as well as all sites use the same key), and I just don't know how many more SSL sites I'll need to publish.
Any information about issues/concerns with wildcard security and multiple IP addresses per physical NIC is appreciated.
I've read your article http://isaserver.org/tutorials/2004wildcardcert.html, and I'm confused as to why I need separate server certificates for web hosts that exist in the same domain as the wildcard certificate which has been installed on the ISA server. Surely all servers will have the wildcard, and the ISA will forward the requests to the FQDN of the web servers based on SSL host headers supported in Windows 2003 SP1?
The article mentions the * wildcard cert on the ISA and a separate cert for the web server; I would have thought all hosts could have the * wildcard. Also, is there any issue on ISA 2004 with SSL host headers?
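The recurring question in this thread is which host names a *.company.com certificate actually covers. The following is an added example (not from the article or from any poster) that applies the standard wildcard rules clients use (RFC 2818 / RFC 6125: the * must be the whole left-most label and matches exactly one label) to the host names mentioned above plus a few constructed edge cases.

```python
"""Check which host names a wildcard certificate name covers.

Rules applied (the ones browsers and Windows SChannel clients use):
  * the wildcard must be the entire left-most label ("*.company.com", not "ow*.company.com");
  * it matches exactly one label, so "company.com" and "a.b.company.com" are NOT covered;
  * comparison is case-insensitive and ignores a trailing dot.
"""


def matches_wildcard(cert_name: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `cert_name`."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname  # ordinary (non-wildcard) certificate: exact match only

    cert_labels = cert_name.split(".")
    # Reject partial wildcards ("ow*"), wildcards in later labels, and names with
    # too few labels ("*.com" would cover every .com host and is never accepted).
    if cert_labels[0] != "*" or len(cert_labels) < 3 or any("*" in lbl for lbl in cert_labels[1:]):
        return False

    host_labels = hostname.split(".")
    # The wildcard stands in for exactly one label, so label counts must be equal
    # and every label after the first must match.
    if len(host_labels) != len(cert_labels) or host_labels[0] == "":
        return False
    return host_labels[1:] == cert_labels[1:]


def coverage(cert_name: str, hostnames: list[str]) -> dict[str, bool]:
    """Map each host name to whether the certificate name covers it."""
    return {h: matches_wildcard(cert_name, h) for h in hostnames}


if __name__ == "__main__":
    # Host names from the thread plus constructed edge cases (not real systems).
    hosts = ["owa.company.com", "rpc.company.com", "company.com",
             "mail.sub.company.com", "internal1.company.com"]
    for host, ok in coverage("*.company.com", hosts).items():
        print(f"{host:25s} {'covered' if ok else 'NOT covered'}")
```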
From: Sydney, Australia
From recollection (i.e. not gonna go back and read it now) the article talks about setting up your own (privately created) certificates for the INTERNAL network, i.e. so there's a constant 'end to end' SSL between the end client to ISA and from ISA to the internal host.
"Issue on ISA 2004 with SSL host headers?" Not that I'm aware of, but you'd be best posting in the ISA 2004 sub-forums for that one, or doing a quick search of http://support.microsoft.com
Good Day! I have a problem: I have MS ISA 2004 Standard Edition with all installed updates, I have 2 web servers internal and two physical NICs, local and global. I have created an SSL listener with a wildcard certificate which I received from the corporate CA and published two rules, both of them using one listener, but when I try to apply the changes I receive the following error: "The configuration changes were saved to store, but at least one service failed to load these changes. The event log may include additional information on possible reasons for failure." Please help me resolve my problem.
< Message edited by isashnik -- 13.Jan.2010 12:01:28 AM >
I haven't solved my problem. I have read this article but I'm publishing two or more SSL sites, not Exchange. What I have done:
1) Installed ISA 2004 Standard Edition, installed all updates (SP3)
2) On ISA 2004 I have 2 NIC cards with: 192.168.0.1 - local; 212.111.X.X - internet
3) I requested a wildcard certificate (*.mydomain.com) from the company CA and imported it on the ISA Server
4) I created web listener#1 with this wildcard certificate
5) I have 2 SSL internal web servers, internal1.mydomain.com and internal2.mydomain.com
5) I chose secure web publishing and published internal1.mydomain.com with listener#1
6) Then I chose secure web publishing and published internal2.mydomain.com with listener#1
7) Then I checked the trusted root certificate store and found my corporate CA certificate
8) I edited the hosts file and created appropriate records like: 192.168.0.2 internal1.mydomain.com, 192.168.0.3 internal2.mydomain.com
BUT it doesn't work. My external web users can't connect to the web servers. When they use telnet to check the connection they are able to connect to port 443, but they can't see anything in their browsers.