RE: Discussion of using a Wildcard Certificate in ISA2004 article
RE: Discussion of using a Wildcard Certificate in ISA20... - 7.Jan.2006 3:36:46 AM
JLC
Posts: 1
Joined: 7.Jan.2006
Status: offline
Tom, I have your ISA 2004 book and it's been a big help. Thanks. I am implementing ISA 2004 Enterprise on 2 servers using ISA NLB in an array. I also have 2 Exchange front-end servers in a Windows NLB array. We are publishing 2 websites: 1 for OWA.company.com and a separate one for RPC.company.com (RPC over HTTPS). Each ISA web publishing rule uses a different virtual IP. Each IIS website uses a different virtual IP. We have a split-DNS configured and we're using SSL bridging too. We have SSL certificates working from our internal CA but security wants them to be VeriSign and they want to do a wildcard certificate for *.company.com. If I understood your article correctly, we could not use the wildcard certificate on all 4 servers? I would need to use the wildcard for the ISA rules, and a separate one for the front-ends? I thought we needed to export from IIS in order for ISA to publish the website? Okay, and just for bonus points... can you think of any way we could (quickly) ensure that only particular systems (not users) could access the RPC site? Thanks so much!
RE: Discussion of using a Wildcard Certificate in ISA20... - 26.Jan.2006 4:09:42 PM
Pheylan
Posts: 12
Joined: 5.May.2004
From: Colorado, U.S.
Status: offline
Hi all, We have a similar issue as the previous post. We are attempting to implement ISA 2004 for our front edge firewall. We are currently using wildcard certs for all of our websites, but they are on different IPs. What my question is, is if we have DNS configured correctly, and the wildcard cert installed on the ISA Server, shouldn't we be able to continue to use separate external IPs for the websites? TIA, Kelly
RE: Discussion of using a Wildcard Certificate in ISA20... - 10.Apr.2006 11:17:54 AM
Jeroen_317
Posts: 73
Joined: 18.Dec.2002
From: Belgium
Status: offline
Hi, we are using ISA 2000 on a DMZ to publish OWA and Outlook RPC over HTTPS. For this we installed an internal CA and let it issue the certificate. We imported the CA certificate on the ISA and Outlook client computers and all works well. Now the customer has bought a wildcard certificate. We installed this certificate on the ISA and OWA still works. Outlook RPC over HTTPS however has stopped working. We uninstalled the CA certificate on the Outlook client computer thinking it might be conflicting but this didn't help. I know EAS doesn't work with some Windows CE versions... so maybe the same with Outlook RPC? After using the normal exchange.company.com certificate (which we use for both OWA and Outlook RPC) it works again. So it must be something with that wildcard certificate. Anyone got a working Outlook RPC over HTTPS with a Wildcard cert on ISA2000? Kind regards, Jeroen.
RE: Discussion of using a Wildcard Certificate in ISA20... - 25.Jul.2006 6:55:21 PM
randy_ray
Posts: 59
Joined: 7.Sep.2002
From: Houston, TX
Status: offline
Is it possible to add an additional IP address to the external interface in order to publish more than one SSL site? I have tested this on ISA2000 before but because of some other inconsistencies in the ISA box itself I was unable to determine if successful. The problem I face as I move to ISA2004 on a new server is not enough external interfaces (rack server will only hold 2 additional NICs), concerns about wildcard security and economics (Verisign only offers 1 year per FQDN and warns heavily about no 128 encryption as well as all sites use the same key), and I just don't know how many more SSL sites I'll need to publish. Any information about issues/concerns with wildcard security and multiple IP addresses per physical NIC is appreciated. Randy
RE: Discussion of using a Wildcard Certificate in ISA20... - 2.Oct.2007 5:00:03 PM
g_ij_s
Posts: 1
Joined: 2.Oct.2007
Status: offline
The topics and articles here are great. I rarely have problems with it and almost works out of the box every time :) Thanks for that. Except this time :( I tried the article and all my clients can connect perfectly with the webservers. However, the ISA server won't let anyone connect from the external interface. The certificates are all fine and the trusted root certificate is automatically added. It should be fine but ISA still denies every connection. I know it's a certificate problem because my own certificate works just fine, but it's of course not a wildcard certificate. Can you tell me what the problem is or do you have some tips? (Excuse me for my bad English, I'm Dutch)
RE: Discussion of using a Wildcard Certificate in ISA20... - 8.Nov.2007 4:40:44 AM
andyproctor
Posts: 4
Joined: 8.Nov.2007
Status: offline
I've read your article http://isaserver.org/tutorials/2004wildcardcert.html and I'm confused as to why I need separate server certificates for web hosts that exist in the same domain as the wildcard certificate which has been installed on the ISA server. Surely all servers will have the wildcard and the ISA will forward the requests to the FQDN of the web servers based on SSL host headers supported in Windows 2003 SP1?
RE: Discussion of using a Wildcard Certificate in ISA20... - 8.Nov.2007 5:51:12 PM
AHIT
Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
Do you mean separate certificates on the ISA server itself? Or on the individual internal web-servers?
_____________________________
http://www.ahit.com.au/isa (Previous nick: Tolk)
RE: Discussion of using a Wildcard Certificate in ISA20... - 8.Nov.2007 6:37:09 PM
andyproctor
Posts: 4
Joined: 8.Nov.2007
Status: offline
The article mentions the *wildcard cert on the ISA and separate cert for the web server. I would have thought all hosts could have the * wildcard. Also, is there any issue on ISA 2004 with SSL host headers?
RE: Discussion of using a Wildcard Certificate in ISA20... - 11.Nov.2007 6:18:25 PM
AHIT
Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
From recollection (ie: not gunna go back and read it now) the article talks about setting up own (privately created) certificates for the INTERNAL network - ie: so there's a constant 'end to end' SSL between the end client to ISA and from ISA to the internal host. "issue on isa 2004 with ssl host headers?", not that I'm aware of.. but you'd be best posting in the ISA2004 sub-forums for that one, or doing a quick search of http://support.microsoft.com
_____________________________
http://www.ahit.com.au/isa (Previous nick: Tolk)
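
The two SSL legs discussed in this thread (client to ISA, then ISA to the internal server), as an added example that is not part of any post or of the article: it checks that the wildcard on the ISA listener covers each public name and that each internal server's certificate matches the name ISA connects to. The rule names and hostnames are constructed, and refusing a wildcard on the internal leg is an assumption taken from how the posts above read the article.

```python
def name_matches(cert_name, host, allow_wildcard=True):
    """Compare a certificate name with a hostname, label by label.

    A wildcard is honoured only as the entire left-most label and stands for
    exactly one label: *.company.com covers owa.company.com, but not
    company.com and not a.b.company.com.
    """
    cert = cert_name.lower().rstrip(".").split(".")
    name = host.lower().rstrip(".").split(".")
    if cert[0] != "*":
        return cert == name
    if not allow_wildcard or len(cert) < 3:   # also refuses "*.com"
        return False
    return len(name) == len(cert) and name[0] != "" and name[1:] == cert[1:]


def check_bridging(rules, listener_cert, backend_wildcards=False):
    """Return (rule, leg) for every leg whose certificate name does not fit.

    backend_wildcards=False models the assumption that the internal server
    needs a certificate issued for its own name (hypothetical switch).
    """
    problems = []
    for rule in rules:
        # Leg 1: the client validates the listener certificate against the public name.
        if not name_matches(listener_cert, rule["public_name"]):
            problems.append((rule["name"], "client->ISA"))
        # Leg 2: ISA validates the internal certificate against the name it connects to.
        if not name_matches(rule["backend_cert"], rule["to_name"],
                            allow_wildcard=backend_wildcards):
            problems.append((rule["name"], "ISA->server"))
    return problems


# Constructed publishing rules, loosely following the names used in the thread.
RULES = [
    {"name": "OWA", "public_name": "owa.company.com",
     "to_name": "owa.company.com", "backend_cert": "owa.company.com"},
    {"name": "RPC", "public_name": "rpc.company.com",
     "to_name": "rpc.company.com", "backend_cert": "*.company.com"},
    {"name": "Mail-EU", "public_name": "mail.eu.company.com",
     "to_name": "mail01.company.local", "backend_cert": "mail01.company.local"},
]

if __name__ == "__main__":
    for rule_name, leg in check_bridging(RULES, "*.company.com"):
        print(f"{rule_name}: certificate name mismatch on leg {leg}")
```
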