Reverse Proxy, Split DNS Certificate Woes

  • Question

  •  

    Hello,

    I was wondering if I can get some insight into OCS certificate issues with the SAN and subject name for ISA 2006 SP1 reverse proxying of the address book.
    I have set up the environment and the edge server. All 3rd-party certificates are installed on the edge and remote logon works great. My only issue is I cannot, for the life of me, get my ISA 2006 SP1 web listener configured for reverse proxying for external users.

    My cert is issued by an internal CA. I am using split DNS on our network.

    The cert has the following:
    Subject name -> ocsserver1.company.ca (internal domain)
    SAN -> ocsserver.company.ca (internal domain)
           ocsserver.company.com (for address book publishing, external domain)
           sip.company.com (for external and internal)

    Now when I set up the listener (no authentication, SSL) and publish the site as follows:
    internal site - ocsserver.company.ca
    external site - ocsserver.company.com

    I get an error for the listener: "The selected web listener is not configured with a certificate matching the public name defined in the wizard."

    I have read a few blogs where it states:
    "ISA 2006 server checks the first SAN listed in the certificate against
    the Internal Site Name specified in the web publishing rule.  If there is
    no match the connection will fail.  Even if the main Subject name of the
    certificate is correct ISA only checks the first SAN".

    Can someone who has split DNS in their environment and has successfully published their address book please provide some insight into what I have missed.
    Wednesday, September 17, 2008 11:21 PM
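The thread turns on which names on a certificate are compared with the listener's public name and with the rule's internal site name, and on the quoted claim that only the first SAN entry was consulted. The following Python is an added example, not code from this thread or from ISA, that models the standard name-matching rules (RFC 6125: SAN dNSName entries are authoritative when present, the subject CN is a fallback only, and a wildcard covers a single leftmost label). The certificate contents are constructed from the names Giri posted, and the `first_san_only` switch is a hypothetical toggle that reproduces the narrower "first SAN only" behaviour the question quotes so the two policies can be contrasted; it is not a statement of how ISA implemented its check.

```python
# Added example: RFC 6125-style matching of a host name against the names on an
# X.509 server certificate, with a hypothetical "first SAN only" mode mirroring
# the pre-SP1 behaviour quoted in the question. Not ISA's own logic.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CertNames:
    """Identity names carried by a server certificate."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)  # SAN dNSName entries, in order


def _name_match(pattern: str, host: str) -> bool:
    """Case-insensitive match of one certificate name pattern against a host name.

    A wildcard is honoured only as the entire leftmost label ("*.company.com")
    and only covers a single label, as RFC 6125 section 6.4.3 recommends.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".company.com"
        head, sep, tail = host.partition(".")
        return sep != "" and head != "" and "." + tail == suffix
    return False


def names_matching(cert: CertNames, host: str, first_san_only: bool = False) -> List[str]:
    """Return the certificate names that cover `host`.

    If the certificate carries SAN dNSName entries they are authoritative and
    the subject CN is ignored; the CN is consulted only when there is no SAN.
    `first_san_only=True` compares only the first SAN entry (hypothetical mode).
    """
    if cert.san_dns:
        candidates = cert.san_dns[:1] if first_san_only else cert.san_dns
    else:
        candidates = [cert.subject_cn]
    return [name for name in candidates if _name_match(name, host)]


def covers(cert: CertNames, host: str, first_san_only: bool = False) -> bool:
    return bool(names_matching(cert, host, first_san_only))


def check_rule(listener_cert: CertNames, fe_cert: CertNames,
               public_name: str, internal_name: str,
               first_san_only: bool = False) -> Dict[str, bool]:
    """Two separate checks a reverse-proxy publishing rule implies:
    the listener's certificate must cover the public name clients connect to,
    and the back-end (FE) certificate must cover the internal site name the
    proxy forwards to."""
    return {
        "listener_matches_public_name": covers(listener_cert, public_name, first_san_only),
        "fe_cert_matches_internal_name": covers(fe_cert, internal_name, first_san_only),
    }


# Constructed from the names in the question: the FE server's own certificate.
FE_CERT = CertNames(
    subject_cn="ocsserver1.company.ca",
    san_dns=["ocsserver.company.ca", "ocsserver.company.com", "sip.company.com"],
)

# The kind of certificate the accepted answer recommends for the listener:
# subject CN equal to the public name, no SAN required (constructed).
LISTENER_CERT = CertNames(subject_cn="ocsserver.company.com")

if __name__ == "__main__":
    for label, cert in (("FE cert on listener", FE_CERT), ("dedicated cert", LISTENER_CERT)):
        for mode in (False, True):
            result = check_rule(cert, FE_CERT, "ocsserver.company.com",
                                "ocsserver.company.ca", first_san_only=mode)
            print(f"{label:20} first_san_only={str(mode):5} -> {result}")
```

Running it shows why reusing the FE certificate on the listener is fragile: under full SAN matching it does cover ocsserver.company.com (it is the second SAN entry), but under the first-SAN-only policy only ocsserver.company.ca is compared and the public name fails, while a dedicated listener certificate whose CN is the public name passes under either policy. The CN ocsserver1.company.ca never matches anything once SAN entries are present, which is the RFC 6125 rule, not an ISA quirk.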

Answers

  • The text you have quoted regarding ISA only checking the first SAN entry has been fixed in SP1.

     

    I have the Subject Name of the certificate set to the same FQDN as the Public Name as defined in the publishing rule. It appears you have used your internal Front-End server's FQDN as the certificate's SN.

    Thursday, September 18, 2008 12:08 AM
    Moderator
  • Giri,

     

    I would not use the same certificate that you used on the FE server on the ISA Web Listener. I would obtain a new certificate for the ISA Web Listener with the external FQDN of the internal web farm as the SN. There is no SANs required for the certificate on the ISA Web Listener. Do not change the cert on the FE IIS site, it is correct, assuming the internal FQDN of the internal web farm is either ocsserver.company.ca or ocsserver1.company.ca.

     

    Split DNS should have no effect on your configuration here. Point your ISA DNS to the internal domain DNS server.

     

    Another caveat is that you cannot create a certificate request from within ISA for the Web Listener. You will have to request and obtain the certificate through another means and then import it into the certificate store on the ISA server.

     

    Once you get all that working, you may run into another issue with authentication. See this blog entry to add a new SPN to the RTCComponentService for the external web farm FQDN.

     

    http://blogs.technet.com/jitreddy/archive/2008/08/07/unable-to-download-address-book-from-office-communicator-2007-prompting-for-credentials.aspx

     

    Regards,

     

    Jamie Schwinn

    www.systmsny.net

    Thursday, September 18, 2008 6:25 PM

All replies

  •  

    Jeff,

     

    I have applied SP1 to ISA 2006. Yes, I have used the Front-End server FQDN. I used the SAN cert created during the setup of OCS FE. This same cert was also applied to IIS.

     

    I then exported this Cert from IIS with the key into ISA to use for the web listener.

     

    How would I correct this? Can I request a cert from IIS for the Default Website with just the FQDN of the external site, then export it to ISA to use as the listener?

    Will the FE still work if I assign this cert to it?

     

    Thank you in advance. 

     

    Giri

    Thursday, September 18, 2008 3:21 AM
  •  

    Jamie,

     

    Thank you. I have my address book syncing fine externally. Everything is just perfect; Live Meeting works great.

     

    Thank you for guiding me to the right solution.

     

    G.

     

    Friday, September 19, 2008 8:36 PM