Welcome to ISAserver.org

ssl web publishing problem

ssl web publishing problem - 21.Jun.2004 4:27:00 PM   
andfirth

 

Posts: 83
Joined: 19.Feb.2004
From: Netherlands
Status: offline
Hi Thomas, following situation:

ISA 2004 RC1 on a Windows Server 2003 machine.
Exchange 2003 + IIS 6 on another machine.

I make publishing rules to publish my web, FTP and Exchange server. It works fine; I can make connections from another location. But I want to make SSL connections to my published servers. I read your article about SSL publishing and followed all the instructions. I made a certificate on the IIS server with the common name www.zoeyjoey.com (that is the public domain name external users can reach the website from in the browser). I exported the certificate and copied it to the ISA machine. On the ISA machine I imported the certificate. Now in the ISA management I choose the SSL web publishing wizard and choose bridging. On the web listener tab I select the certificate and enable SSL. On the To tab, for the published web server name, I choose my internal web server name (discus.home.lan). After that I completed it successfully. When I then go to the bridging tab I want both requests to be enabled, HTTP and SSL, and I can also select a certificate for the SSL web server, but that is not possible: I get the message that there is no certificate configured for this server. Where do I have to make that certificate, because I have already selected the certificate on the web listener? Must I install Certificate Services on the ISA? But then I also have to install IIS (I don't want extra services on the firewall). The second issue: when I type https in the browser to www.zoeyjoey.com it is not working. When I use my local name discus.home.lan I can make an SSL connection, but I get a warning that the name of the certificate is not the same as the website. When I fill in on the To tab, for the published server name, the same name I use in the certificate (www.zoeyjoey.com), I get a chaining loop error. I want to make from outside, from the browser, an SSL connection to https://www.zoeyjoey.com and not https://discus.home.lan. Is that possible? I hope you understand my problem after this long explanation. I hope it is clear to you.

PS: In ISA you have two possibilities to choose for publishing (web + SSL web). When you want SSL, is it necessary to publish both? Or do you choose one, because you can configure SSL in the web publishing wizard already?
Thanks, Andy

[ June 21, 2004, 08:56 PM: Message edited by: Andrew27863 ]
Post #: 1
RE: ssl web publishing problem - 22.Jun.2004 12:15:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andrew,

The Web site certificate that you bind to the Web listener must have the same name that the external users use to connect to the site.

So, if you want external users to use www.zoeyjoey.com, the common name on the Web site certificate must be "www.zoeyjoey.com".

HTH,
Tom

(in reply to andfirth)
Post #: 2
RE: ssl web publishing problem - 22.Jun.2004 12:44:00 AM   
andfirth

 

Posts: 83
Joined: 19.Feb.2004
From: Netherlands
Status: offline
OK Tom, I understand. But when I fill in www.zoeyjoey.com on the To tab of the web publishing rule to match the certificate CN, I get a proxy chain loop error. When I fill in my web server's local name discus.home.lan it works fine. I can only make SSL connections to https://discus.home.lan; then it uses the certificate, but I get a warning that the name is not matching the certificate name. That I understand, because I fill in discus.home.lan on the To tab and not www.zoeyjoey.com, because then I get the proxy chain loop error. I also want to know about my bridging tab question about making a certificate.
Is it not possible? Because I test the SSL connection from an internal client. Is it only working from external to do https://www.zoeyjoey.com?
Then I have to test it from my neighbour's connection.
Hope to hear from you soon.
Thanks, Andy

(in reply to andfirth)
Post #: 3
RE: ssl web publishing problem - 22.Jun.2004 2:10:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andrew,

What is the name on the certificate bound to the Web site?

Thanks!
Tom

(in reply to andfirth)
Post #: 4
RE: ssl web publishing problem - 22.Jun.2004 4:11:00 PM   
andfirth

 

Posts: 83
Joined: 19.Feb.2004
From: Netherlands
Status: offline
The CN name of the certificate is www.zoeyjoey.com.
Thanks, Andy

(in reply to andfirth)
Post #: 5
RE: ssl web publishing problem - 23.Jun.2004 12:58:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andrew,

What is the name on the "To" tab of your Web Publishing Rule for the OWA site?

What IP address do you see when you ping that name from the ISA firewall machine?

Thanks!
Tom

(in reply to andfirth)
Post #: 6
RE: ssl web publishing problem - 23.Jun.2004 8:26:00 AM   
Guest
I think the trick is the hosts file.

From outside DNS, www.zoeyjoey.com needs to resolve to the external NIC IP address.

However, from the ISA server itself, I suspect you need to add a local hosts file record to map www.zoeyjoey.com to point to your internally published web server.

Thus, as far as the SSL publishing rule is concerned:
Outside world calls on the ISA server for www.zoeyjoey.com.
Then the ISA server calls on www.zoeyjoey.com.

Thus the cert with CN=www.zoeyjoey.com is correct for both calls.

Does that make sense to you?

-Neil

(in reply to andfirth)
  Post #: 7
RE: ssl web publishing problem - 23.Jun.2004 4:21:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Neil,

Exactly what I'm trying to figure out. The name on the "To" tab needs to resolve to the IP address of the internal server, and the name on the "To" tab must be the same as that on the certificate bound to the Web site.

Thanks!
Tom

(in reply to andfirth)
Post #: 8
RE: ssl web publishing problem - 23.Jun.2004 6:51:00 PM   
NeilGo

 

Posts: 3
Joined: 23.Jun.2004
From: Santa Cruz, CA
Status: offline
Tom,

Buried in his message was this:

"That I understand, because I fill in discus.home.lan on the To tab and not www.zoeyjoey.com, because then I get the proxy chain loop error"

So I believe his "To" section has been discus.home.lan, because otherwise he gets a proxy chain loop error.

He would get the chain loop if his ISA server resolves www.zoeyjoey.com to the external port of the ISA server, right?

-Neil

(in reply to andfirth)
Post #: 9
RE: ssl web publishing problem - 24.Jun.2004 1:46:00 AM   
andfirth

 

Posts: 83
Joined: 19.Feb.2004
From: Netherlands
Status: offline
Exactly Tom, I get the chain loop when ISA tries to resolve www.zoeyjoey.com. When I type www.zoeyjoey.com in the browser, I get the chain loop error. When I fill in discus.home.lan on the To tab, which I can select from Active Directory, it resolves www.zoeyjoey.com, but then the name doesn't match the certificate CN name. Which IP address do I have to fill in in the hosts file: the IP address of the published machine (192.168.16.2) or the IP address of the external NIC of the ISA, 192.168.0.2, to resolve www.zoeyjoey.com?
Thanks for all the replies so far.
Andy

(in reply to andfirth)
Post #: 10
RE: ssl web publishing problem - 24.Jun.2004 3:28:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by NeilGo:
Tom,

Buried in his message was this:

"That I understand, because I fill in discus.home.lan on the To tab and not www.zoeyjoey.com, because then I get the proxy chain loop error"

So I believe his "To" section has been discus.home.lan, because otherwise he gets a proxy chain loop error.

He would get the chain loop if his ISA server resolves www.zoeyjoey.com to the external port of the ISA server, right?

-Neil

Hi Neil,

This is actually a nice exercise and shows the importance of name resolution for the redirect.

If on the "To" tab he has "www.zoeyjoey.com" and the firewall resolves the name to the external IP address of the ISA firewall, it tries to forward the redirect to the same interface that it received the request on, which generates the proxy loop error, because it ends up in an endless loop. Sort of makes sense, doesn't it?

That is why the split DNS, or a HOSTS file entry, is so important. If he has "www.zoeyjoey.com" on the "To" tab, then he can configure a split DNS, or enter a HOSTS file entry for "www.zoeyjoey.com" and map that entry to the IP address of the Web site on the Internal network.

However, to make it all work, it requires not only the correct name resolution, but also the correct name on the Web site certificate. If on the "To" tab is "www.zoeyjoey.com", then the Common Name on the Web site certificate bound to the Web site must be the same, which is "www.zoeyjoey.com". If the Common Name on the Web site's certificate is different, then you'll see an "Internal Server 500 error".

Thanks!
Tom

(in reply to andfirth)
Post #: 11
RE: ssl web publishing problem - 24.Jun.2004 3:32:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Andrew27863:
Exactly Tom, I get the chain loop when ISA tries to resolve www.zoeyjoey.com. When I type www.zoeyjoey.com in the browser, I get the chain loop error. When I fill in discus.home.lan on the To tab, which I can select from Active Directory, it resolves www.zoeyjoey.com, but then the name doesn't match the certificate CN name. Which IP address do I have to fill in in the hosts file: the IP address of the published machine (192.168.16.2) or the IP address of the external NIC of the ISA, 192.168.0.2, to resolve www.zoeyjoey.com?
Thanks for all the replies so far.
Andy

Hi Andrew,

Read the answer I gave Neil and see if that makes sense to you.

Thanks!
Tom

(in reply to andfirth)
Post #: 12
RE: ssl web publishing problem - 24.Jun.2004 9:49:00 AM   
andfirth

 

Posts: 83
Joined: 19.Feb.2004
From: Netherlands
Status: offline
OK Thomas, I'm going to find out; I'll let you know the result.
Thanks, Andy

[ June 24, 2004, 09:50 AM: Message edited by: Andrew27863 ]

(in reply to andfirth)
Post #: 13
RE: ssl web publishing problem - 24.Jun.2004 3:50:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andy,

Thanks!

Tom

(in reply to andfirth)
Post #: 14
RE: ssl web publishing problem - 25.Jun.2004 1:35:00 AM   
andfirth

 

Posts: 83
Joined: 19.Feb.2004
From: Netherlands
Status: offline
Hi Tom, it is still confusing to get it to work. I followed all the instructions step by step, reading your article about publishing secure OWA sites. The chain loop error is no more. But when I type http://www.zoeyjoey.com in the browser on an internal client or external client, I get a forbidden 403 error (ISA denies the specified URL). It works only when I use the local name https://discus.home.lan to make a secure connection, but then the certificate doesn't match (I understand). When I ping www.zoeyjoey.com from the ISA machine I get the IP address of the internal published website (192.168.16.2). I also tried the hosts file, but that doesn't give any result.
So now I removed all the secure firewall rules and also the Certificate Services. I set up web publishing for OWA, web and mail without SSL and certificates, and then everything works fine. I can use www.zoeyjoey.com from internal and external locations. It works because in the logs I can see that it uses all the publishing rules and makes connections; I'm happy so far.
But I'm still upset and confused why SSL publishing and certificates don't work the way I want.
The point is that SSL works in my situation only for my local web server (http://discus.home.lan), but not www.zoeyjoey.com.
Do you have any suggestions for me to get this working, because it can't be that complicated.
At the moment I have spent a lot of time to get this working, but for now I'm satisfied with the current setup that works fine.
So I let it rest for the time being, but I'm still very curious about any input from you or other members.
Thanks so far for the replies.

Andy

[ June 25, 2004, 01:37 AM: Message edited by: Andrew27863 ]

(in reply to andfirth)
Post #: 15
RE: ssl web publishing problem - 25.Jun.2004 2:19:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andy,

Here's the easy way to do it:

1. Create a certificate with the common name www.zoeyjoey.com and bind that certificate to the Web site.

2. Export that certificate from the Web site, and then import that certificate into the ISA firewall's machine certificate store.

3. Import the CA certificate for the CA that issued the Web site certificate into the ISA firewall's machine certificate store, into the "Trusted Root Certification Authorities" node.

4. Create the Web Publishing Rule. The Public name should be www.zoeyjoey.com and the Server name on the Internal network should also be www.zoeyjoey.com.

5. Configure a HOSTS file entry on the ISA firewall to map www.zoeyjoey.com to the IP address of the Web server on the Internal network.

6. Configure a Public DNS entry on your public DNS server that maps www.zoeyjoey.com to the external IP address on the ISA firewall.

7. Configure a private DNS entry on your Internal network DNS server that maps www.zoeyjoey.com to the Internal IP address of your Web server.

That's it!

HTH,
Tom

(in reply to andfirth)
Post #: 16
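The two conditions worked out in this thread (Tom's and Neil's explanation of the proxy chain loop in posts #7 and #11, and the step list in post #16) can be checked from the firewall side with a small script: does the "To" name resolve back to the firewall itself, does it match the name on the Web site certificate, and does the second leg of the bridge actually verify. This is an added example, not the poster's or Microsoft's code; the host names and addresses are the ones used in the thread and the CA file path is an assumption.

```python
import socket
import ssl

# Constructed from the thread: the public name, the firewall's own address
# and the CA file path are assumptions for illustration, not real values.
PUBLIC_NAME = "www.zoeyjoey.com"   # name external users type / listener cert CN
FIREWALL_IPS = {"192.168.0.2"}     # ISA firewall's own interface addresses
CA_FILE = "internal-ca.pem"        # assumed path to the issuing CA certificate

def diagnose(to_name, resolved_ip, firewall_ips, public_name, cert_names):
    """Classify a bridged SSL publishing rule the way the thread reasons.
    to_name      -- name on the rule's "To" tab (the host ISA connects to)
    resolved_ip  -- what that name resolves to *from the ISA firewall*
    firewall_ips -- the firewall's own addresses
    public_name  -- name external users use (and on the listener cert)
    cert_names   -- names on the certificate bound to the internal Web site
    """
    if resolved_ip in firewall_ips:
        # ISA would forward the request back to itself: "proxy chain loop"
        return "proxy-chain-loop"
    if to_name not in cert_names:
        # second leg of the bridge: ISA rejects a cert whose CN != "To" name
        return "cert-name-mismatch"
    if public_name not in cert_names:
        # first leg: the browser warns when the typed name != listener cert CN
        return "listener-name-mismatch"
    return "ok"

def resolve_from_here(name):
    """Resolve name with this host's HOSTS file and DNS, as ISA would."""
    return socket.gethostbyname(name)

def live_check(to_name, ca_file, port=443, timeout=5.0):
    """Make the firewall-side leg of the bridge: TLS to to_name, verifying
    the chain against ca_file and the certificate name against to_name."""
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((to_name, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=to_name) as tls:
                return "ok", tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as exc:
        return "cert-verify-failed", str(exc)   # wrong CN or untrusted CA
    except OSError as exc:
        return "connect-failed", str(exc)

if __name__ == "__main__":
    ip = resolve_from_here(PUBLIC_NAME)
    print(PUBLIC_NAME, "->", ip, diagnose(PUBLIC_NAME, ip, FIREWALL_IPS,
                                          PUBLIC_NAME, {PUBLIC_NAME}))
    print(live_check(PUBLIC_NAME, CA_FILE))
```

Run it on the ISA machine after adding the HOSTS or split-DNS entry; the first line should show the internal Web server address and "ok", and the live check fails with a verification error until the CA certificate from step 3 is trusted.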
RE: ssl web publishing problem - 25.Jun.2004 4:04:00 AM   
andfirth

 

Posts: 83
Joined: 19.Feb.2004
From: Netherlands
Status: offline


[ June 25, 2004, 05:44 PM: Message edited by: Andrew27863 ]

(in reply to andfirth)
Post #: 17
RE: ssl web publishing problem - 25.Jun.2004 5:45:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andy,

OK, I can see that you have registered that domain, so that's good. Just make sure you have also created that domain on your Internal DNS, so that you have a proper split DNS. On your Internal DNS, create a HOST (A) record for www.zoeyjoey.com that maps to the Web site's Internal address.

HTH,
Tom

(in reply to andfirth)
Post #: 18
RE: ssl web publishing problem - 26.Jun.2004 12:13:00 AM   
andfirth

 

Posts: 83
Joined: 19.Feb.2004
From: Netherlands
Status: offline
Hi Thomas,

How do I configure a host record for www.zoeyjoey.com in my internal DNS?
My internal FQDN is home.lan, so my host records get the name host.home.lan.
When I create a new host record I get www.zoeyjoey.com.home.lan; that's not what you mean, I suppose. I already have a zone named home.lan.
Another thing I figured out already, where I think it goes wrong with SSL bridging: from external, the first SSL connection is from external to ISA, and then ISA makes a second SSL connection to the OWA site. I think it goes wrong on the second connection, because ISA is resolving www.zoeyjoey.com to my internal IP address and not resolving my public WAN IP address. I have configured ISA's internal NIC to use the internal DNS on the OWA machine, which is forwarding the DNS query of the ISA to my public DNS servers. After that ISA resolves www.zoeyjoey.com with the publishing, which is pointing to my internal IP address of the OWA machine. Am I right that it goes this way? My main question is how I make a host record on the internal DNS.

Thanks, Andy

[ June 26, 2004, 12:16 AM: Message edited by: Andrew27863 ]

(in reply to andfirth)
Post #: 19
RE: ssl web publishing problem - 26.Jun.2004 11:16:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andy,

You need to create a new DNS zone on your internal DNS server with the name zoeyjoey.com, and then create the Host (A) record for the www host in that zone. You should already have a reverse lookup zone for your internal addresses, so you won't need to do that.

You DO want the ISA firewall to resolve the name www.zoeyjoey.com to the Internal address of the Web site. So, don't change anything that will do that.

Just make sure the name on the certificate bound to the Web site also has the common name "www.zoeyjoey.com" on it.

HTH,
Tom

(in reply to andfirth)
Post #: 20
