I only have the one IP address on my external card, but if my memory serves me correctly I had to configure the incoming listeners individually to get the certificate option to appear.
So what I would suggest is to configure your listeners individually. You would currently have to configure 3 (as you aren't currently using your 4th IP address), if you take note of what incoming authorization, if any, you are currently using.
Firstly create a listener using the IP address you use for the ISA server itself, and configure it for just incoming port 80, with any authentication, then do the same again for the IP address of the in-house web site, again port 80 and any authentication.
Then for the OWA site, configure another listener, using the IP address for OWA and using port 80 and enable SSL, port 443, then select basic authentication and the required certificate.
Hi all! I worked a lot to make my OWA work correctly using HTTPS, but it was several months ago. The main problem I had was with certificates, because if you pass through ISA to reach your published OWA site, your ISA server needs to ask for (and recognize) the certificate from your internal OWA server: the ISA server sends his (her ;-) ) cert. to the browser, then passes the SSL req. to the IIS hosting OWA, which sends the cert to ISA. If ISA does not recognize (for example for domain names) that certification authority, it denies the request. So you probably have to make the Cert. Auth. that created the OWA cert. trusted on the ISA server.
I have set my external IPs each with an individual configuration. The IP that requires the certificate has had it added. But due to a pop-up on setting I have also gone through the loop of setting only the OWA with a cert. But sadly this still does not work.
I think I am coming down on the side of the CA not being recognised or something like that, mainly because even if I set the SSL listeners on, when I do a netstat -na I do not see any (SSL) ports listed as open and listening.
How can I check if the cert. contains the right info and the CA can be found? Still new to CAs.
As said, I did this several months ago. I'll try to search in my docs and configs, but maybe it is not the same for you. I'll try to explain my config: I have two different domains (I mean not only Windows domains, but TCP/IP domains): internaldomain.it and externaldomain.it. When you pass all headers, the internal OWA server receives a request for externaldomain.it and not for internaldomain.it, so the Cert. installed on OWA's IIS must be for externaldomain.it. Then you must create a cert. and import it in the certification DB for the ISA server, but because it is issued by the internaldomain.it Certification Authority, this must be trusted (i.e. installed in a specific "folder" in the cert. DB) on that machine. I did this after correctly applying all the rules to publish a server (SSL to SSL, headers and so on). If your config is different, maybe you need some other modifications, but I hope this will explain some general rules.
The machines are on the same domain. To create the cert I used the IIS web site properties security tab; to install it I used the same tab and installed from there. The cert shows up all right; it does not appear to have anything wrong with it in IIS.
When I created the Cert I used the FQDN of the owa site.
OK. Be sure that the Cert. issued on the OWA machine has the name of the ISA server name. If your external people access your net as https://www.mydomain.com/exchange, probably your OWA machine looks like http://owaserver/exchange. If you try to connect (from your internal net) the second way above, you must receive a warning that tells you that the cert. does not correspond to the machine that sent the cert. If not, maybe you need to install on your OWA server a cert. that is for www.mydomain.com. This is because when you pass the headers from ISA to OWA, the headers contain www.mydomain.it, and the server must recognize this. Then you must install the same cert on both machines. This worked for me. Be sure that your IIS on OWA is configured to respond to that header properly.
That's one of the things that's most annoying about this: if I access the machine at https://internal_name/exchange then I get the request to accept the certificate, then I get the login prompt, and then once I have entered credentials I get in.
Ultimately I suppose this is why I have put a request for help on here, because it all appears to be OK and works if used in house. It just won't work from the outside world :-(
Is there any other way I can do this without SSL, but still keep it secure?
Hi! I know how frustrating it is following articles and seeing that after applying everything it still does not work. I read that article, but I followed other steps (I hate wizards), and have everything in two different domains. First, I didn't use an FQDN in the web publishing rule (my ISA is also DNS for our internet domain). If you still receive a host not found, try using the IP address of your internal IIS (OWA) server. Then, if you pass original headers, it may be that you specified headers explicitly in the default web site in your OWA's IIS. Lastly, if you have a sniffer, watch the packets between ISA and OWA... Good luck! Cele
You MUST do it *exactly* as explained in the article and the ISA/Exchange Kit if you don't understand how it works. I've tried to explain how things work in the kit and articles, but if you don't understand all the steps and why they are performed, don't get creative.
* Don't publish using IP addresses
* You should create the HOSTS file
* Certificate must have correct FQDN in CN field
* Don't run OWA on the firewall itself
* Make sure the listener is configured correctly
* etc
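
The certificate checks discussed in this thread (correct FQDN in the CN, issuing CA trusted by the machine, a HOSTS entry for the published name) can be verified on the ISA or OWA server with a short script. This is an added example, not part of the original thread; the `Test-PublishedCert` function name is hypothetical, and `www.mydomain.com` stands for whatever public FQDN your users actually type.

```powershell
# Added example: run on the ISA server and again on the OWA/IIS server.
# Assumption: $PublicFqdn is the name external users type (placeholder value).
param([string]$PublicFqdn = 'www.mydomain.com')

function Test-PublishedCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn
    )
    # Common name (CN) of the certificate subject.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $Cert.GetNameInfo($nameType, $false)

    # Build the chain against this machine's trusted roots.
    # Revocation checking is switched off so the test also works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    $now = Get-Date
    New-Object PSObject -Property @{
        CN            = $cn
        NameMatches   = ($cn -eq $Fqdn)          # -eq is case-insensitive
        HasPrivateKey = $Cert.HasPrivateKey       # needed to bind the cert to a listener
        InValidity    = ($now -ge $Cert.NotBefore -and $now -le $Cert.NotAfter)
        ChainTrusted  = $trusted                  # False => issuing CA not trusted here
        ChainStatus   = $status                   # e.g. UntrustedRoot, NotTimeValid
    }
}

# Check every certificate in the machine's personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-PublishedCert -Cert $_ -Fqdn $PublicFqdn } |
    Format-List CN, NameMatches, HasPrivateKey, InValidity, ChainTrusted, ChainStatus

# HOSTS file check: is the public name mapped locally (ignoring comment lines)?
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$entries = Get-Content $hostsPath | Where-Object {
    $_ -notmatch '^\s*#' -and $_ -match ([regex]::Escape($PublicFqdn))
}
if ($entries) { "HOSTS entry found: $entries" } else { "No HOSTS entry for $PublicFqdn" }
```

A `ChainTrusted` value of `False` with `UntrustedRoot` in `ChainStatus` means the issuing CA's certificate still has to be imported into that machine's Trusted Root Certification Authorities store.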