Certificate for Reverse Proxy Server

Question
Hello,
We are in the process of configuring a certificate for the reverse proxy server (ISA 2006) to set up SSL bridging using two separate certificates.
Please find below some details.
Front-End Server:
The front-end server is a member of the domain testing.local.
The subject name and the subject alternative name on the certificate being used for the front-end and IIS server are as follows:
Subject Name:
Pool1.testing.local
Subject Alternative Name (SAN):
sip.testing.local
OCS2007.testing.local
Pool1.testing.local
ISA 2006 (Reverse Proxy Server):
The ISA Server is a member of the workgroup WORKGROUP. For the time being, the ISA Server is part of the same LAN in order to avoid IP routing and port issues. External users will use the name abs.testing.local to connect to the IIS website which is running on the internal OCS Front-end server.
As per my understanding, I need to follow the steps below to configure the certificate for the Reverse Proxy server so that ISA will behave correctly. Please correct me if I am going in the wrong direction.
1. I need to issue a certificate to the ISA server with the subject name of abs.testing.local.
2. I also need to export the root CA certificate from my internal CA and import it into the Trusted Root Certification Authorities store on the ISA computer.
I have read from a blog that "ISA 2006 will ignore the Subject Name value if the SAN is populated, so the recommendation is to set the first SAN value equal to the Subject Name and then ISA will appear to behave correctly."
Question A: As I mentioned above, my internal certificate, which is issued to the front-end, has SAN values. The first SAN value is equal to sip.testing.local. Do you think ISA will behave correctly with the above-mentioned configuration?
Question B: Do we need to copy the certificate that was originally configured and assigned to the IIS Web Site on the OCS front-end to the ISA server? Why do we require a server certificate on the ISA Reverse Proxy Server that has a SN of the OCS 2007 Pool FQDN (pool1.testing.local)?
Thanks,
Muhammad
============================
1. I configured the reverse proxy server with the settings mentioned above.
2. I get the following error message when I try to access https://abs.testing.local/abs/ext from the ISA machine itself.
====================
The page cannot be displayed
Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.
--------------------------------------------------------------------------------
Try the following:
Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.
--------------------------------------------------------------------------------
Technical Information (for support personnel)
Error Code: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted. (-2146893019)
==============================
3. I get the following warning messages when validating Web Components on the OCS Front End Server:
=======================
Office Communications Server 2007 Deployment Log
Time Logged: Thursday, February 14, 2008 4:20:13 PM
Action Action Information Execution Result
Execute Action Warning
[0x43FC200C] Not all checks were successful
Initialize Machine FQDN: OCS2007.testing.local
WMI Repository Path: \\.\root\cimv2
Host Name: OCS2007.testing.local
Product Version: Microsoft Office Communications Server 2007 3.0.6362.0
Installed components:
DATAMCUWEB
ACPMCU
GROUPEXPANSION
IMMCU
DATAMCU
AUDIOVIDEOMCU
ARCHIVINGAGENT
ADMINTOOL
EE
Service Status:
RTCDATAMCU: Running
RTCSRV: Running
RTCACPMCU: Running
RTCIMMCU: Running
RTCAVMCU: Running
Backend: sql
Success
Diagnose WebComponents Check Configuration: True
Check Connectivity: True
Warning
[0x43FC200C] Not all checks were successful
Check Configuration Success
WMI Class MSFT_SIPGroupExpansionSetting WMI Class Path: \\OCS2007\root\cimv2:MSFT_SIPGroupExpansionSetting
WMI Instance Path: \\OCS2007\root\cimv2:MSFT_SIPGroupExpansionSetting.Backend="sql",InstanceID="{302B6696-523F-4BD4-9673-05AEE289C392}"
Backend (String): sql
EnableDLOperation (Boolean): True
ExternalDLExpansionWebURL (String): https://abs.testing.local/GroupExpansion/Ext/service.asmx
InstanceID (String): {302B6696-523F-4BD4-9673-05AEE289C392}
InternalDLExpansionWebURL (String): https://pool1.testing.local/GroupExpansion/Int/service.asmx
MaxGroupSize (UInt32): 100
Success
WMI Class MSFT_SIPAddressBookSetting WMI Class Path: \\OCS2007\root\cimv2:MSFT_SIPAddressBookSetting
WMI Instance Path: \\OCS2007\root\cimv2:MSFT_SIPAddressBookSetting.Backend="sql",InstanceID="{D265A402-BD08-4BCB-BEB3-CC7AFBD47C08}"
Backend (String): sql
DaysToKeep (UInt32): 30
ExternalURL (String): https://abs.testing.local/Abs/Ext/Handler
IgnoreGenericRules (Boolean): False
InstanceID (String): {D265A402-BD08-4BCB-BEB3-CC7AFBD47C08}
InternalURL (String): https://pool1.testing.local/Abs/Int/Handler
MaxDeltaFileSizePercentage (UInt32): 1250
OutputLocation (String): \\sql\abs
PartitionOutputByOU (Boolean): False
RunTime (UInt32): 130
SynchronizeNow (Boolean): False
SynchronizePollingIntervalSecs (UInt32): 300
UseNormalizationRules (Boolean): True
Success
WMI Class MSFT_SIPDataMCUCapabilitySetting WMI Class Path: \\OCS2007\root\cimv2:MSFT_SIPDataMCUCapabilitySetting
WMI Instance Path: \\OCS2007\root\cimv2:MSFT_SIPDataMCUCapabilitySetting.Backend="sql",InstanceID="{086D006C-8672-4A73-A488-3F9346D4F98C}"
Backend (String): sql
ContentExpirationGracePeriod (UInt32): 14
ContentStorageLimit (UInt32): 500
ExternalClientContentDownloadURL (String): https://abs.testing.local/etc/place/null
HandoutsStorageLimit (UInt32): 150
InMeetingHelpURL (String): http://r.office.microsoft.com/r/rlidLiveMeeting
InstanceID (String): {086D006C-8672-4A73-A488-3F9346D4F98C}
InternalClientContentDownloadURL (String): https://pool1.testing.local/etc/place/null
MeetingMetadataLocation (String): \\sql\Metadata
MeetingPresentationContentLocation (String): \\sql\Presentations
Success
Check Connectivity Warning
[0x43FC200C] Not all checks were successful
Check GroupExpansion Warning
[0x43FC200C] Not all checks were successful
Check Http URL URL: https://pool1.testing.local/GroupExpansion/Int/service.asmx
Received a successful HTTP response: HTTP Response: 200 OK
Content-Length:3267
Cache-Control:private, max-age=0
Content-Type:text/html; charset=utf-8
Date:Thu, 14 Feb 2008 21:20:27 GMT
Server:Microsoft-IIS/6.0
X-AspNet-Version:2.0.50727
X-Powered-By:ASP.NET
Received a successful HTTP response: OK
Success
Check Http URL URL: https://abs.testing.local/GroupExpansion/Ext/service.asmx
Received a failure HTTP response.: HTTP Response: 403 Forbidden ( The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. )
Connection:close
Pragma:no-cache
Content-Length:2024
Cache-Control:no-cache
Content-Type:text/html
The page cannot be displayed
Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.
--------------------------------------------------------------------------------
Try the following:
Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.
--------------------------------------------------------------------------------
Technical Information (for support personnel)
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
Warning: Failed to connect to the external URL. This may be expected if external web farm FQDN isn't accessible from intranet.
Warning
[0x43FC200C] Not all checks were successful
Checking Address Book Server configuration Success
Check Http URL URL: https://pool1.testing.local/Abs/Int/Handler/D-0a15-0a16.dabs
Received a successful HTTP response: HTTP Response: 200 OK
Content-Length:550
Cache-Control:private
Content-Type:application/dabs
Date:Thu, 14 Feb 2008 21:20:28 GMT
Server:Microsoft-IIS/6.0
X-AspNet-Version:2.0.50727
X-Powered-By:ASP.NET
Received a successful HTTP response: OK
Success
Check Web Conferencing Server Virtual Directory Setting Warning
[0x43FC200C] Not all checks were successful
Check Http URL URL: https://pool1.testing.local/etc/place/null/slidefiles/blank.png
Received a successful HTTP response: HTTP Response: 200 OK
Accept-Ranges:bytes
Content-Length:567
Content-Type:image/png
Date:Thu, 14 Feb 2008 21:20:28 GMT
ETag:"0a724b9d1c6c71:5f5"
Last-Modified:Sun, 15 Jul 2007 11:17:26 GMT
Server:Microsoft-IIS/6.0
X-Powered-By:ASP.NET
Received a successful HTTP response: OK
Success
Check Http URL URL: https://abs.testing.local/etc/place/null/slidefiles/blank.png
Received a failure HTTP response.: HTTP Response: 403 Forbidden ( The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. )
Connection:close
Pragma:no-cache
Content-Length:2024
Cache-Control:no-cache
Content-Type:text/html
The page cannot be displayed
Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.
--------------------------------------------------------------------------------
Try the following:
Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.
--------------------------------------------------------------------------------
Technical Information (for support personnel)
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
Warning: Failed to connect to the external URL. This may be expected if external web farm FQDN isn't accessible from intranet.
=============================
Any ideas....
Thanks,
Muhammad
Thursday, February 14, 2008 6:15 PM
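As an added illustration (not part of Muhammad's post and not ISA Server code), the following Python models the two name-matching rules the post contrasts, standard SAN/CN matching versus the quoted "first SAN value only" ISA 2006 behaviour, for both hops of an SSL-bridging path, and decodes the -2146893019 code from the 500 error into its HRESULT form. The certificate contents are constructed to mirror the post; the issuer name and the function names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    """Minimal model of a server certificate (constructed, not parsed from a file)."""
    subject_cn: str
    sans: list = field(default_factory=list)   # dNSName SAN entries, in certificate order
    issuer: str = "testing-local-CA"           # hypothetical issuing CA name

def _name_matches(pattern, host):
    """Case-insensitive DNS name comparison; wildcard allowed in any single label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and all(a == "*" or a == b for a, b in zip(p, h))

def standard_match(cert, host):
    """RFC 2818/6125 style: when dNSName SANs exist they replace the CN entirely."""
    names = cert.sans if cert.sans else [cert.subject_cn]
    return any(_name_matches(n, host) for n in names)

def isa2006_match(cert, host):
    """The rule quoted in the post: with a SAN present, only the FIRST SAN value counts."""
    name = cert.sans[0] if cert.sans else cert.subject_cn
    return _name_matches(name, host)

def hresult_hex(signed):
    """Render a signed 32-bit error code as the usual 0x8009xxxx HRESULT form."""
    return "0x%08X" % (signed & 0xFFFFFFFF)

def check_bridging(listener_host, listener_cert, backend_host, backend_cert, proxy_trusted_roots):
    """Evaluate both hops: client -> proxy listener, and proxy -> published backend."""
    return {
        "listener_name_ok": standard_match(listener_cert, listener_host),
        "backend_name_std": standard_match(backend_cert, backend_host),
        "backend_name_isa": isa2006_match(backend_cert, backend_host),
        # Empty trusted-root set on the proxy reproduces the 'authority not trusted' case.
        "backend_chain_trusted": backend_cert.issuer in proxy_trusted_roots,
    }

# Constructed certificates mirroring the post: front-end cert with SAN order as listed,
# and a proxy listener cert issued to the external name only.
FRONT_END_CERT = Cert("Pool1.testing.local",
                      ["sip.testing.local", "OCS2007.testing.local", "Pool1.testing.local"])
ISA_CERT = Cert("abs.testing.local")

if __name__ == "__main__":
    print(hresult_hex(-2146893019))
    print(check_bridging("abs.testing.local", ISA_CERT,
                         "pool1.testing.local", FRONT_END_CERT, set()))
```

With the quoted ISA rule, the front-end certificate as listed does not match pool1.testing.local because sip.testing.local is its first SAN; reordering the SAN so the pool FQDN comes first, or adding the ISA machine's copy of the internal root CA, is what the two findings point at.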