Certificate for Reverse Proxy Server

    Question

    Hello,

    We are in the process of configuring a certificate for the reverse proxy server (ISA 2006) to set up SSL bridging using two separate certificates.

    Please find below some details.

    Front-End Server:

    The front-end server is a member of the domain testing.local.

    The subject name and the subject alternative name on the certificate being used for the front-end and IIS server are as follows:

    Subject Name:

    Pool1.testing.local

    Subject Alternative Name (SAN):

    sip.testing.local
    OCS2007.testing.local
    Pool1.testing.local

    ISA 2006 (Reverse Proxy Server):

    The ISA Server is a member of the workgroup WORKGROUP. For the time being, the ISA Server is part of the same LAN in order to avoid IP routing and port issues. External users will use the name abs.testing.local to connect to the IIS website which is running on the internal OCS front-end server.

    As per my understanding, I need to follow these steps to configure the certificate for the reverse proxy server so that ISA behaves correctly. Please correct me if I am going in the wrong direction.

    1. I need to issue a certificate to the ISA server with the subject name abs.testing.local.

    2. I also need to export the root CA certificate from my internal CA and import it into the Trusted Root Certification Authorities store on the ISA computer.

    I have read in a blog that "ISA 2006 will ignore the Subject Name value if the SAN is populated, so the recommendation is to set the first SAN value equal to the Subject Name and then ISA will appear to behave correctly."

    Question A: As I mentioned above, my internal certificate which is issued to the front-end has SAN values. The first SAN value is sip.testing.local. Do you think ISA will behave correctly with the above-mentioned configuration?

    Question B: Do we need to copy the certificate that was originally configured and assigned to the IIS website on the OCS front-end to the ISA server? Why do we require a server certificate on the ISA reverse proxy server that has a SN of the OCS 2007 pool FQDN (pool1.testing.local)?

    Thanks,

    Muhammad

     

     

    ============================

    1. I configured the reverse proxy server with the settings mentioned above.
    2. I get the following error message when I try to access https://abs.testing.local/abs/ext from the ISA machine itself.

    ====================
    The page cannot be displayed 
    Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

    --------------------------------------------------------------------------------

    Try the following:

    Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
    Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
    Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.

    --------------------------------------------------------------------------------

    Technical Information (for support personnel)

    Error Code: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted. (-2146893019)
    ==============================

    3. I get the following warning messages when validating Web Components on the OCS front-end server:

    =======================
    Office Communications Server 2007 Deployment Log

    Time Logged: Thursday, February 14, 2008 4:20:13 PM


    Action  Action Information  Execution Result 

    Execute Action       Warning
    [0x43FC200C] Not all checks were successful 

    Initialize   Machine FQDN: OCS2007.testing.local
    WMI Repository Path: \\.\root\cimv2
    Host Name: OCS2007.testing.local
    Product Version: Microsoft Office Communications Server 2007 3.0.6362.0
    Installed components:
    DATAMCUWEB
    ACPMCU
    GROUPEXPANSION
    IMMCU
    DATAMCU
    AUDIOVIDEOMCU
    ARCHIVINGAGENT
    ADMINTOOL
    EE

    Service Status:

    RTCDATAMCU: Running
    RTCSRV: Running
    RTCACPMCU: Running
    RTCIMMCU: Running
    RTCAVMCU: Running

    Backend: sql
       Success
     

    Diagnose WebComponents   Check Configuration: True
    Check Connectivity: True
       Warning
    [0x43FC200C] Not all checks were successful 

    Check Configuration       Success
     

    WMI Class MSFT_SIPGroupExpansionSetting   WMI Class Path: \\OCS2007\root\cimv2:MSFT_SIPGroupExpansionSetting
    WMI Instance Path: \\OCS2007\root\cimv2:MSFT_SIPGroupExpansionSetting.Backend="sql",InstanceID="{302B6696-523F-4BD4-9673-05AEE289C392}"
    Backend (String): sql
    EnableDLOperation (Boolean): True
    ExternalDLExpansionWebURL (String): https://abs.testing.local/GroupExpansion/Ext/service.asmx
    InstanceID (String): {302B6696-523F-4BD4-9673-05AEE289C392}
    InternalDLExpansionWebURL (String): https://pool1.testing.local/GroupExpansion/Int/service.asmx
    MaxGroupSize (UInt32): 100
       Success
     

    WMI Class MSFT_SIPAddressBookSetting   WMI Class Path: \\OCS2007\root\cimv2:MSFT_SIPAddressBookSetting
    WMI Instance Path: \\OCS2007\root\cimv2:MSFT_SIPAddressBookSetting.Backend="sql",InstanceID="{D265A402-BD08-4BCB-BEB3-CC7AFBD47C08}"
    Backend (String): sql
    DaysToKeep (UInt32): 30
    ExternalURL (String): https://abs.testing.local/Abs/Ext/Handler
    IgnoreGenericRules (Boolean): False
    InstanceID (String): {D265A402-BD08-4BCB-BEB3-CC7AFBD47C08}
    InternalURL (String): https://pool1.testing.local/Abs/Int/Handler
    MaxDeltaFileSizePercentage (UInt32): 1250
    OutputLocation (String): \\sql\abs
    PartitionOutputByOU (Boolean): False
    RunTime (UInt32): 130
    SynchronizeNow (Boolean): False
    SynchronizePollingIntervalSecs (UInt32): 300
    UseNormalizationRules (Boolean): True
       Success
     

    WMI Class MSFT_SIPDataMCUCapabilitySetting   WMI Class Path: \\OCS2007\root\cimv2:MSFT_SIPDataMCUCapabilitySetting
    WMI Instance Path: \\OCS2007\root\cimv2:MSFT_SIPDataMCUCapabilitySetting.Backend="sql",InstanceID="{086D006C-8672-4A73-A488-3F9346D4F98C}"
    Backend (String): sql
    ContentExpirationGracePeriod (UInt32): 14
    ContentStorageLimit (UInt32): 500
    ExternalClientContentDownloadURL (String): https://abs.testing.local/etc/place/null
    HandoutsStorageLimit (UInt32): 150
    InMeetingHelpURL (String): http://r.office.microsoft.com/r/rlidLiveMeeting
    InstanceID (String): {086D006C-8672-4A73-A488-3F9346D4F98C}
    InternalClientContentDownloadURL (String): https://pool1.testing.local/etc/place/null
    MeetingMetadataLocation (String): \\sql\Metadata
    MeetingPresentationContentLocation (String): \\sql\Presentations
       Success
     

    Check Connectivity       Warning
    [0x43FC200C] Not all checks were successful 

    Check GroupExpansion       Warning
    [0x43FC200C] Not all checks were successful 

    Check Http URL   URL: https://pool1.testing.local/GroupExpansion/Int/service.asmx
    Received a successful HTTP response: HTTP Response: 200 OK
    Content-Length:3267
    Cache-Control:private, max-age=0
    Content-Type:text/html; charset=utf-8
    Date:Thu, 14 Feb 2008 21:20:27 GMT
    Server:Microsoft-IIS/6.0
    X-AspNet-Version:2.0.50727
    X-Powered-By:ASP.NET

    Received a successful HTTP response: OK
       Success
     

    Check Http URL   URL: https://abs.testing.local/GroupExpansion/Ext/service.asmx
    Received a failure HTTP response.: HTTP Response: 403 Forbidden ( The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. )
    Connection:close
    Pragma:no-cache
    Content-Length:2024
    Cache-Control:no-cache
    Content-Type:text/html

    The page cannot be displayed
    Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.
    Technical Information (for support personnel)
    Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)


    Warning: Failed to connect to the external URL. This may be expected if external web farm FQDN isn't accessible from intranet.
       Warning
    [0x43FC200C] Not all checks were successful 

    Checking Address Book Server configuration       Success
     

    Check Http URL   URL: https://pool1.testing.local/Abs/Int/Handler/D-0a15-0a16.dabs
    Received a successful HTTP response: HTTP Response: 200 OK
    Content-Length:550
    Cache-Control:private
    Content-Type:application/dabs
    Date:Thu, 14 Feb 2008 21:20:28 GMT
    Server:Microsoft-IIS/6.0
    X-AspNet-Version:2.0.50727
    X-Powered-By:ASP.NET

    Received a successful HTTP response: OK
       Success
     

    Check Web Conferencing Server Virtual Directory Setting       Warning
    [0x43FC200C] Not all checks were successful 

    Check Http URL   URL: https://pool1.testing.local/etc/place/null/slidefiles/blank.png
    Received a successful HTTP response: HTTP Response: 200 OK
    Accept-Ranges:bytes
    Content-Length:567
    Content-Type:image/png
    Date:Thu, 14 Feb 2008 21:20:28 GMT
    ETag:"0a724b9d1c6c71:5f5"
    Last-Modified:Sun, 15 Jul 2007 11:17:26 GMT
    Server:Microsoft-IIS/6.0
    X-Powered-By:ASP.NET

    Received a successful HTTP response: OK
       Success
     

    Check Http URL   URL: https://abs.testing.local/etc/place/null/slidefiles/blank.png
    Received a failure HTTP response.: HTTP Response: 403 Forbidden ( The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. )
    Connection:close
    Pragma:no-cache
    Content-Length:2024
    Cache-Control:no-cache
    Content-Type:text/html

    The page cannot be displayed
    Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.
    Technical Information (for support personnel)
    Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)


    Warning: Failed to connect to the external URL. This may be expected if external web farm FQDN isn't accessible from intranet.
    =============================

    Any ideas?

     

    Thanks,

    Muhammad

    Thursday, February 14, 2008 6:15 PM
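An added example, not part of the original post and not ISA or OCS tooling: a PowerShell (2.0 or later) script that checks, from the ISA computer, the two things the setup above depends on. First, that the listener certificate in LocalMachine\My really carries abs.testing.local, testing the SAN entries rather than the Subject CN, because once a SAN extension is present the CN plays no part in name matching (RFC 2818, later RFC 6125); that is the general rule behind the blog advice quoted in the post. Second, that the web farm's certificate, as received over TLS from pool1.testing.local, matches that name and chains to a root in this machine's LocalMachine\Root store. A workgroup member does not receive the domain's root CA automatically, and an untrusted chain is exactly what -2146893019 (0x80090325, SEC_E_UNTRUSTED_ROOT, "The certificate chain was issued by an authority that is not trusted") reports. Hostnames are the ones from the post; the port (443) and the store locations are assumptions.

```powershell
# Added example (not from the original post). Run on the ISA 2006 computer.
# Names are the ones from the post; the port and certificate stores are assumptions.
param(
    [string]$PublishedName = 'abs.testing.local',   # name external users connect to (listener)
    [string]$BackendName   = 'pool1.testing.local', # name ISA uses for the bridged back-end hop
    [int]$BackendPort      = 443
)

function Get-SanDnsNames {
    param($Cert)
    # 2.5.29.17 is the Subject Alternative Name extension. Format($true) renders
    # one "DNS Name=<host>" line per dNSName entry on an English Windows build.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    foreach ($line in ($ext.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*DNS Name=(.+?)\s*$') { $Matches[1] }
    }
}

function Test-CertificateName {
    param($Cert, [string]$Name)
    # RFC 2818 / RFC 6125 rule: when a SAN extension is present only its entries
    # count; the Subject CN is consulted only for certificates with no SAN at all.
    $sans = @(Get-SanDnsNames $Cert)
    if ($sans.Count -gt 0) { return ($sans -contains $Name) }
    return ($Cert.GetNameInfo('SimpleName', $false) -eq $Name)
}

function Get-BackendCertificate {
    # Opens a TLS session to the back end and records what this machine's own
    # validation (name match + chain build against LocalMachine\Root) decides.
    param([string]$HostName, [int]$Port)
    $script:policyErrors = $null
    $script:chainStatus  = @()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:policyErrors = $sslPolicyErrors
        $script:chainStatus  = @($chain.ChainStatus | ForEach-Object { "$($_.Status)" })
        return $true   # accept only so the certificate can be inspected; never do this in production code
    }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $ssl.Close()
    } finally { $client.Close() }
    New-Object PSObject -Property @{
        Certificate = $cert; PolicyErrors = $script:policyErrors; ChainStatus = $script:chainStatus
    }
}

# 1. Listener certificate: must carry the published name and have a private key.
$listener = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and (Test-CertificateName $_ $PublishedName) } |
    Select-Object -First 1
if ($listener) {
    $sans = @(Get-SanDnsNames $listener)
    Write-Host ("Listener cert for {0}: {1} (thumbprint {2})" -f $PublishedName, $listener.Subject, $listener.Thumbprint)
    Write-Host ("  SAN: " + ($sans -join ', '))
    $cn = $listener.GetNameInfo('SimpleName', $false)
    if ($sans.Count -gt 0 -and $sans[0] -ne $cn) {
        Write-Warning ("first SAN entry '{0}' differs from subject CN '{1}' (the advice quoted in the post is to make them equal)" -f $sans[0], $cn)
    }
} else {
    Write-Warning "no certificate with a private key for $PublishedName in LocalMachine\My; the web listener has nothing to present"
}

# 2. Back-end certificate as this machine (a workgroup member, no AD-published roots) sees it.
$remote = Get-BackendCertificate -HostName $BackendName -Port $BackendPort
Write-Host ("Back-end cert from {0}: {1}" -f $BackendName, $remote.Certificate.Subject)
Write-Host ("  SAN: " + (@(Get-SanDnsNames $remote.Certificate) -join ', '))
if (-not (Test-CertificateName $remote.Certificate $BackendName)) {
    Write-Warning "$BackendName is not among the back-end certificate's SAN entries (or its CN when it has no SAN); the bridged hop will fail with a name mismatch"
}
if ($remote.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None) {
    Write-Host "  name and chain validate from this machine"
} else {
    Write-Warning ("back-end validation errors: {0} [{1}]" -f $remote.PolicyErrors, ($remote.ChainStatus -join ', '))
    if ($remote.ChainStatus -contains 'UntrustedRoot') {
        Write-Warning "issuing root CA is not in Cert:\LocalMachine\Root here; import it into the machine store, not the user store"
    }
}
```

The validation callback returns $true only so the script can look at the certificate and the chain status it was handed; ISA itself, like any client, rejects the connection on an untrusted chain, which is the 500 shown above. Running the script on the ISA box separates the two failure modes the post mixes together: a name that is absent from the SAN (RemoteCertificateNameMismatch) and a root CA that the workgroup machine has never been told to trust (RemoteCertificateChainErrors with UntrustedRoot). The root import must go into the computer store, not the store of the logged-on user, because the ISA services run as a different account.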