Reverse Proxy Certs

  • Question

  • Hi,

    I have my OCS infrastructure set up and working except for one thing: the reverse proxy. I am currently getting a certificate error in the browser. I just have some questions about the certs for the reverse proxy:


    My internal and external DNS name spaces are split, i.e.:

    internal OCS standard:           ocs01.internal.local

    external reverse proxy address:  meetings.external.com

    I have added the internal.local to the trusted root auth on the ISA server.


    1. Because of the split DNS, do I need a SAN certificate on my external side of the ISA server with the names meetings.external.com and ocs01.internal.local?


    2. Also, I read of somebody buying just one SAN certificate and adding all his server/domain names to it, and the one certificate did all his Edge server roles. However, he said that ISA server could only read the first and second listing on the SAN cert. Is this true?

    Saturday, April 12, 2008 8:28 PM

All replies

  • I replied in another thread you asked similar questions, but...

    1 - No. You can use a single name, standard SSL cert on the web listener. It only needs the external name.

    2 - You can use 1 SAN cert for all your Edge services, yes. You still need another one for your web components which aren't published through the Edge server. And yes, ISA will not read SAN entries with one exception - It will only try to match the SN to the first SAN and if it doesn't match, ISA will throw an error. It ignores every SAN after the first one.
    Monday, April 14, 2008 5:15 PM
  • You can use a certificate with SANs on your listener without any problem.

    The problem is when publishing an internal server with multiple SANs: then you must make sure that you enter the name of the first SAN in the publishing rule.

    So SANs work just fine on ISA, keeping in mind that you connect to the internal web server with the correct SAN entry.

    Monday, April 14, 2008 9:43 PM
  • Hmm. That's interesting. I was under the impression you couldn't use a SAN for the listener, but I guess it would make sense you could. I'll have to try that one out.

    Monday, April 14, 2008 10:37 PM
  • I have configured ISA Server many times with SAN Certificates.

    That is just the strength of ISA Server: you can have multiple SSL websites on one IP address. That is awesome!

    Tuesday, April 15, 2008 9:42 AM
  • Hi Guys,

    I am getting the following error in my browser when I test the reverse proxy setup externally using...

    Technical Information (for support personnel)

    • Error Code: 500 Internal Server Error. The target principal name is incorrect. (-2146893022)

    My config is:

    ISA Server:

    OCS Server: = ocs01.internal.local

    • There is an internal cert on the OCS server with SN of ocs01.internal.local
    • There is a public cert on the ISA server with SN of meetings.external.com
    • The internal.local cert path is installed in the trusted root authority on the ISA server
    Friday, April 18, 2008 3:07 PM
  • Hi guys,

    All is good, I got it working. Thanks for your comments. The steps I did to get it working are:

    Steps I did to configure my reverse proxy.

    1. Set up the Reverse Proxy server as is stated in the Edge Server documentation. A public cert was purchased for the reverse proxy rule with a SN that matched the external URL on the OCS server. (Note: in my case I have our ISA server on our LAN doing reverse proxy with just one NIC, and our corporate firewall is NATing the external public IP address for our external URL to my ISA server.)

    2. I recreated a cert for OCS standard (a cert was there before that was created in the original setup, but it had some SAN entries and these are not needed) with just the SN name of ocs.internal.local, and when I created it I marked it as exportable.

    3. Restarted OCS services.

    4. I exported the OCS certificate from the IIS MMC on the OCS server.

    5. I imported the previously exported OCS cert into the trusted root cert authority and into personal certs on the Reverse Proxy server.

    All works now  :-)

    Friday, April 18, 2008 4:59 PM
  • Just to note that with my steps above I managed to break the client access to the OCS server. The clients were getting an invalid certificate error.

    I realised then that I did need a SAN cert on my OCS server as we are using split DNS. To resolve this problem I again attached the SAN cert to the OCS server and the users were able to connect fine again. I then attached a normal cert to IIS on the OCS server (it's the IIS cert that the reverse proxy looks at) with an SN of the same FQDN as the SN on the SAN cert on the OCS server.

    Monday, April 21, 2008 4:21 PM
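The name checks this thread keeps coming back to (a single-name cert versus SAN entries, and the "first SAN only" behaviour the replies attribute to ISA), as an added Python model that is not part of the thread and not ISA's code; the sample certificate names and the first-SAN rule are constructed from the posts and are not verified against the product.

```python
"""Model of the certificate name checks discussed in this thread (added example)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertNames:
    """Names a server cert carries: the Subject CN and any SAN DNS entries (in cert order)."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)


def _match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match; '*' covers exactly one leftmost label (RFC 6125 style)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def standard_validator_accepts(cert: CertNames, hostname: str) -> bool:
    """Browser/OS-style check: any SAN DNS entry may match; the CN only counts when no SAN is present."""
    if cert.san_dns:
        return any(_match(n, hostname) for n in cert.san_dns)
    return _match(cert.subject_cn, hostname)


def first_san_only_accepts(cert: CertNames, hostname: str) -> bool:
    """The ISA behaviour described in the replies (assumption taken from the thread, not verified):
    with SAN entries present, only the first one is compared against the published name."""
    if cert.san_dns:
        return _match(cert.san_dns[0], hostname)
    return _match(cert.subject_cn, hostname)


def diagnose(cert: CertNames, hostname: str) -> dict:
    """Report how each check treats the name the publishing rule uses for the internal server."""
    return {"hostname": hostname,
            "standard": standard_validator_accepts(cert, hostname),
            "first_san_only": first_san_only_accepts(cert, hostname)}


# Constructed sample certs: the poster's original OCS cert with SAN entries, and the plain replacement
OCS_SAN_CERT = CertNames("ocs01.internal.local", ["sip.internal.local", "ocs01.internal.local"])
OCS_PLAIN_CERT = CertNames("ocs01.internal.local")

if __name__ == "__main__":
    for cert in (OCS_SAN_CERT, OCS_PLAIN_CERT):
        print(diagnose(cert, "ocs01.internal.local"))
```

The SAN cert passes a standard validator for ocs01.internal.local but fails the first-SAN-only check, which is the mismatch the poster worked around by giving IIS a plain cert whose SN matches the published name.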