RE: Discussion of using a Wildcard Certificate in ISA2004 article

RE: Discussion of using a Wildcard Certificate in ISA20... - 7.Jan.2006 3:36:46 AM   
JLC

 

Posts: 1
Joined: 7.Jan.2006
Status: offline
Tom,

I have your ISA 2004 book and it's been a big help. Thanks.


I am implementing ISA 2004 Enterprise on 2 servers using ISA NLB in an array. I also have 2 Exchange front-end servers in a Windows NLB array.

We are publishing 2 websites: 1 for OWA.company.com and a separate one for RPC.company.com (RPC over HTTPS).

Each ISA web publishing rule uses a different virtual IP.
Each IIS website uses a different virtual IP.

We have a split-DNS configured and we're using SSL bridging too.

We have SSL certificates working from our internal CA but security wants them to be VeriSign and they want to do a wildcard certificate for *.company.com.

If I understood your article correctly, we could not use the wildcard certificate on all 4 servers? I would need to use the wildcard for the ISA rules, and a separate one for the front-ends? I thought we needed to export from IIS in order for ISA to publish the website?

Okay, and just for bonus points... can you think of any way we could (quickly) ensure that only particular systems (not users) could access the RPC site?

Thanks so much!

(in reply to tshinder)
Post #: 41
RE: Discussion of using a Wildcard Certificate in ISA20... - 26.Jan.2006 4:09:42 PM   
Pheylan

 

Posts: 12
Joined: 5.May2004
From: Colorado, U.S.
Status: offline
Hi all,

We have a similar issue to the previous post. We are attempting to implement ISA 2004 for our front edge firewall. We are currently using wildcard certs for all of our websites, but they are on different IPs. My question is: if we have DNS configured correctly, and the wildcard cert installed on the ISA Server, shouldn't we be able to continue to use separate external IPs for the websites?

TIA,
Kelly

(in reply to JLC)
Post #: 42
RE: Discussion of using a Wildcard Certificate in ISA20... - 10.Apr.2006 11:17:54 AM   
Jeroen_317

 

Posts: 75
Joined: 18.Dec.2002
From: Belgium
Status: offline
Hi,

we are using ISA 2000 on a DMZ to publish OWA and Outlook RPC over HTTPS. For this we installed an internal CA and let it issue the certificate. We imported the CA certificate on the ISA and Outlook client computers and all works well.

Now the customer has bought a wildcard certificate. We installed this certificate on the ISA and OWA still works. Outlook RPC over HTTPS however has stopped working. We uninstalled the CA certificate on the Outlook client computer thinking it might be conflicting but this didn't help.

I know EAS doesn't work with some Windows CE versions..so maybe the same with Outlook RPC? After using the normal exchange.company.com certificate (which we use for both OWA and Outlook RPC) it works again. So it must be something with that wildcard certificate.

Anyone got a working Outlook RPC over HTTPS with a Wildcard cert on ISA2000?

Kind regards,
Jeroen.


(in reply to Pheylan)
Post #: 43
RE: Discussion of using a Wildcard Certificate in ISA20... - 25.Jul.2006 6:55:21 PM   
randy_ray

 

Posts: 59
Joined: 7.Sep.2002
From: Houston, TX
Status: offline
Is it possible to add an additional IP address to the external interface in order to publish more than one SSL site?  I have tested this on ISA2000 before but because of some other inconsistencies in the ISA box itself I was unable to determine if successful.

The problem I face as I move to ISA2004 on a new server is not enough external interfaces (rack server will only hold 2 additional NICs), concerns about wildcard security and economics (Verisign only offers 1 year per FQDN and warns heavily about no 128 encryption as well as all sites use the same key), and I just don't know how many more SSL sites I'll need to publish.

Any information about issues/concerns with wildcard security and multiple IP addresses per physical NIC is appreciated.

Randy

(in reply to tshinder)
Post #: 44
RE: Discussion of using a Wildcard Certificate in ISA20... - 2.Oct.2007 5:00:03 PM   
g_ij_s

 

Posts: 1
Joined: 2.Oct.2007
Status: offline
EDIT

< Message edited by g_ij_s -- 28.Mar.2010 3:44:33 AM >

(in reply to tshinder)
Post #: 45
RE: Discussion of using a Wildcard Certificate in ISA20... - 8.Nov.2007 4:40:44 AM   
andyproctor

 

Posts: 4
Joined: 8.Nov.2007
Status: offline
I've read your article http://isaserver.org/tutorials/2004wildcardcert.html and I'm confused as to why I need separate server certificates for web hosts that exist in the same domain as the wildcard certificate which has been installed on the ISA server. Surely all servers will have the wildcard and the ISA will forward the requests to the FQDN of the web servers based on SSL host headers supported in Windows 2003 SP1?

(in reply to tshinder)
Post #: 46
RE: Discussion of using a Wildcard Certificate in ISA20... - 8.Nov.2007 5:51:12 PM   
AHIT

 

Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
Do you mean separate certificates on the ISA server itself? Or on the individual internal web servers?

_____________________________

http://www.ahit.com.au/isa
(Previous nick: Tolk)

(in reply to andyproctor)
Post #: 47
RE: Discussion of using a Wildcard Certificate in ISA20... - 8.Nov.2007 6:37:09 PM   
andyproctor

 

Posts: 4
Joined: 8.Nov.2007
Status: offline
The article mentions the * wildcard cert on the ISA and a separate cert for the web server. I would have thought all hosts could have the * wildcard. Also, is there any issue on ISA 2004 with SSL host headers?

(in reply to AHIT)
Post #: 48
RE: Discussion of using a Wildcard Certificate in ISA20... - 11.Nov.2007 6:18:25 PM   
AHIT

 

Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
From recollection (i.e. not gunna go back and read it now), the article talks about setting up your own (privately created) certificates for the INTERNAL network, i.e. so there's a constant 'end to end' SSL between the end client to ISA and from ISA to the internal host.

"issue on isa 2004 with ssl host headers? ", not that I'm aware of.. but you'd be best posting in the ISA2004 sub-forums for that one, or doing a quick search of http://support.microsoft.com

_____________________________

http://www.ahit.com.au/isa
(Previous nick: Tolk)

(in reply to andyproctor)
Post #: 49
RE: Discussion of using a Wildcard Certificate in ISA20... - 14.Dec.2009 5:51:31 AM   
isashnik

 

Posts: 9
Joined: 27.Dec.2008
Status: offline
Good Day!
I have a problem:
I have MS ISA 2004 Standard Edition with all updates installed. I have 2 web servers on the internal network and two physical NICs, local and global.
I have created an SSL listener with a wildcard certificate which I received from the corporate CA and published two rules, both of them using one listener, but when I try to apply the changes I receive the following error:
"The configuration changes were saved to store, but at least one service failed to load these changes. The event log may include additional information on possible reasons for failure."
Please help me resolve my problem.
 

< Message edited by isashnik -- 13.Jan.2010 12:01:28 AM >

(in reply to AHIT)
Post #: 50
RE: Discussion of using a Wildcard Certificate in ISA20... - 13.Jan.2010 12:21:36 AM   
isashnik

 

Posts: 9
Joined: 27.Dec.2008
Status: offline
I haven't solved my problem.
I have read this article but I'm publishing two or more SSL sites, not Exchange. What I have done:
1) Installed 2004 Standard Edition, installed all updates (SP3)
2) On ISA 2004 I have 2 NIC cards with: 192.168.0.1 - local; 212.111.X.X - internet
3) I requested a wildcard certificate (*.mydomain.com) from the company CA and imported it on the ISA Server
4) I created web listener#1 with this wildcard certificate
5) I have 2 SSL internal web servers:
internal1.mydomain.com and internal2.mydomain.com
6) I chose secure web publishing and published internal1.mydomain.com with listener#1
7) Then I chose secure web publishing and published internal2.mydomain.com with listener#1
8) Then I checked the trusted root certificate store and found my corporate CA certificate
9) I edited the hosts file and created appropriate records like:
192.168.0.2    internal1.mydomain.com
192.168.0.3    internal2.mydomain.com

BUT it doesn't work. My external web users couldn't connect to the web servers. When they use telnet to check the connection they are able to do it (they connect to port 443), but they can't see anything in browsers.

Please Help ME. 

_____________________________

from USSR
MCSE, ISA SERVER 2004 (70-350)

(in reply to JLC)
Post #: 51
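
A name check for the two TLS legs of a bridged publishing rule like the one described in the post above, as an added example that is not part of the thread and not ISA Server code. The helpers `name_matches`, `check_leg` and `check_bridged_rule` are hypothetical, the certificate name lists are constructed sample data (`web2.corp.local` is a made-up name), and the wildcard rule applied is the usual TLS-client one: `*` only as the whole left-most label, standing for exactly one label.

```python
# Name checks for both TLS legs of an SSL-bridged publishing rule.
# Certificate name lists below are constructed sample data.

def name_matches(cert_name, host):
    """Compare one certificate DNS name with a host name.
    "*" is honoured only as the whole left-most label and stands for
    exactly one label: *.mydomain.com covers internal1.mydomain.com
    but not mydomain.com or a.b.mydomain.com.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels) or "" in host_labels:
        return False
    if cert_labels[0] == "*":
        # Refuse over-broad wildcards such as "*.com".
        return len(cert_labels) >= 3 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def check_leg(leg, host, cert_names):
    """Report which certificate names, if any, cover the host."""
    matched = [n for n in cert_names if name_matches(n, host)]
    return {"leg": leg, "host": host, "ok": bool(matched), "matched": matched}


def check_bridged_rule(public_name, listener_cert, internal_name, server_cert):
    """Check client -> firewall and firewall -> web server."""
    return [
        check_leg("client->firewall", public_name, listener_cert),
        check_leg("firewall->server", internal_name, server_cert),
    ]


# Constructed inputs; host names are the ones used in the post above.
WILDCARD = ["*.mydomain.com"]
SAMPLE_RESULTS = {
    # Wildcard on the listener, matching per-host certificate behind it.
    "internal1": check_bridged_rule("internal1.mydomain.com", WILDCARD,
                                    "internal1.mydomain.com",
                                    ["internal1.mydomain.com"]),
    # Web server certificate issued for a different (made-up) name.
    "internal2": check_bridged_rule("internal2.mydomain.com", WILDCARD,
                                    "internal2.mydomain.com",
                                    ["web2.corp.local"]),
}

if __name__ == "__main__":
    for rule, legs in SAMPLE_RESULTS.items():
        print(rule, [(l["leg"], "OK" if l["ok"] else "MISMATCH") for l in legs])
```

A mismatch on the second leg is invisible to a plain port 443 connect test, which only shows that the listener accepts TCP connections.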
