Certificate for Reverse Proxy Server

• Question

• 

  

  0

  Sign in to vote

  Hello,

   

  We are in process of configuring certificate for the reverse proxy server ISA 2006 to setup SSL bridging using two separate certificates.

   

  Please find below some details.

   

  Front-End Server:

  Front-end server is member of the domain testing.local.

  The subject name and the subject alternative name on the certificate being used for the front-end and IIS server are as follow:

  Subject Name:

  Pool1.testing.local

  Subject Alternative Name (SAN):

  sip.testing.local
  OCS2007.testing.local
  Pool1.testing.local 

   

  ISA 2006 (Reverse Proxy Server):

  ISA Server is member of a workgroup WORKGROUP. For the time being, the ISA Server is part of the same LAN in order to avoid IP routing and port issues. The External users will use abs.testing.local name to connect to the IIS website which is running on the internal OCS Front-end server.  

   

  As per my understanding I need to follow the following steps to configure the certificate for the Reverse Proxy server so that ISA will behave correctly: Please correct me if I am going to the wrong direction.

   

  1.       I need to issue a certificate to the ISA server with the subject name of abs.testing.local. 

  2.       I also need to export the root CA certificate from my internal CA and import it into the Trusted Root Certification Authorities store on the ISA computer. 

   

  I have read from a blog that "ISA 2006 will ignore the Subject Name value if the SAN is populated, so the recommendation is to set the first SAN value equal to the Subject Name and then ISA will appear to behave correctly."

   

  Question A: As I mentioned above my internal certificate which is issued to front-end has SAN values. The first SAN value is equal to sip.testing.local. Do you think ISA will behave correctly with the above mentioned configuration?

  Question B: Do we need to copy the certificate that was originally configured and assigned to the IIS Web Site on the OCS front-end to the ISA server? Why we require a server certificate on ISA Reverse Proxy Server that has a SN of the OCS 2007 Pool FQDN (pool1.testing.local)?

   

  Thanks,

   

  Muhammad

   

   

  ============================

   

  1. I configured the reverse proxy server with settings mentioned above.
  2. I get the following error message I when I try to access https://abs.testing.local/abs/ext from a ISA machine itself.

  ====================
  The page cannot be displayed 
  Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

  --------------------------------------------------------------------------------

  Try the following:

  Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
  Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
  Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.

  --------------------------------------------------------------------------------

  Technical Information (for support personnel)

  Error Code: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted. (-2146893019)
  ==============================

  3. I get the following warning messages when validating Web Components on OCS Front End Server:

  =======================
  Office Communications Server 2007 Deployment Log
   
   
  Time Logged: Thursday, February 14, 2008 4:20:13 PM Expand All
  Collapse All 
   

  Action  Action Information  Execution Result 

  Execute Action       Warning
  [0x43FC200C] Not all checks were successful 

  Initialize   Machine FQDN: OCS2007.testing.local
  WMI Repository Path: \\.\root\cimv2
  Host Name: OCS2007.testing.local
  Product Version: Microsoft Office Communications Server 2007 3.0.6362.0
  Installed components:
  DATAMCUWEB
  ACPMCU
  GROUPEXPANSION
  IMMCU
  DATAMCU
  AUDIOVIDEOMCU
  ARCHIVINGAGENT
  ADMINTOOL
  EE

  Service Status:

  RTCDATAMCU: Running
  RTCSRV: Running
  RTCACPMCU: Running
  RTCIMMCU: Running
  RTCAVMCU: Running

  Backend: sql
     Success
   

  Diagnose WebComponents   Check Configuration: True
  Check Connectivity: True
     Warning
  [0x43FC200C] Not all checks were successful 

  Check Configuration       Success
   

  WMI Class MSFT_SIPGroupExpansionSetting   WMI Class Path: \\OCS2007\root\cimv2:MSFT_SIPGroupExpansionSetting
  WMI Instance Path: \\OCS2007\root\cimv2:MSFT_SIPGroupExpansionSetting.Backend="sql",InstanceID="{302B6696-523F-4BD4-9673-05AEE289C392}"
  Backend (String): sql
  EnableDLOperation (Boolean): True
  ExternalDLExpansionWebURL (String): https://abs.testing.local/GroupExpansion/Ext/service.asmx
  InstanceID (String): {302B6696-523F-4BD4-9673-05AEE289C392}
  InternalDLExpansionWebURL (String): https://pool1.testing.local/GroupExpansion/Int/service.asmx
  MaxGroupSize (UInt32): 100
     Success
   

  WMI Class MSFT_SIPAddressBookSetting   WMI Class Path: \\OCS2007\root\cimv2:MSFT_SIPAddressBookSetting
  WMI Instance Path: \\OCS2007\root\cimv2:MSFT_SIPAddressBookSetting.Backend="sql",InstanceID="{D265A402-BD08-4BCB-BEB3-CC7AFBD47C08}"
  Backend (String): sql
  DaysToKeep (UInt32): 30
  ExternalURL (String): https://abs.testing.local/Abs/Ext/Handler
  IgnoreGenericRules (Boolean): False
  InstanceID (String): {D265A402-BD08-4BCB-BEB3-CC7AFBD47C08}
  InternalURL (String): https://pool1.testing.local/Abs/Int/Handler
  MaxDeltaFileSizePercentage (UInt32): 1250
  OutputLocation (String): \\sql\abs
  PartitionOutputByOU (Boolean): False
  RunTime (UInt32): 130
  SynchronizeNow (Boolean): False
  SynchronizePollingIntervalSecs (UInt32): 300
  UseNormalizationRules (Boolean): True
     Success
   

  WMI Class MSFT_SIPDataMCUCapabilitySetting   WMI Class Path: \\OCS2007\root\cimv2:MSFT_SIPDataMCUCapabilitySetting
  WMI Instance Path: \\OCS2007\root\cimv2:MSFT_SIPDataMCUCapabilitySetting.Backend="sql",InstanceID="{086D006C-8672-4A73-A488-3F9346D4F98C}"
  Backend (String): sql
  ContentExpirationGracePeriod (UInt32): 14
  ContentStorageLimit (UInt32): 500
  ExternalClientContentDownloadURL (String): https://abs.testing.local/etc/place/null
  HandoutsStorageLimit (UInt32): 150
  InMeetingHelpURL (String): http://r.office.microsoft.com/r/rlidLiveMeeting
  InstanceID (String): {086D006C-8672-4A73-A488-3F9346D4F98C}
  InternalClientContentDownloadURL (String): https://pool1.testing.local/etc/place/null
  MeetingMetadataLocation (String): \\sql\Metadata
  MeetingPresentationContentLocation (String): \\sql\Presentations
     Success
   

  Check Connectivity       Warning
  [0x43FC200C] Not all checks were successful 

  Check GroupExpansion       Warning
  [0x43FC200C] Not all checks were successful 

  Check Http URL   URL: https://pool1.testing.local/GroupExpansion/Int/service.asmx
  Received a successful HTTP response: HTTP Response: 200 OK
  Content-Length:3267
  Cache-Controlrivate, max-age=0
  Content-Type:text/html; charset=utf-8
  Date:Thu, 14 Feb 2008 21:20:27 GMT
  Server:Microsoft-IIS/6.0
  X-AspNet-Version:2.0.50727
  X-Powered-By:ASP.NET

  Received a successful HTTP response: OK
     Success
   

  Check Http URL   URL: https://abs.testing.local/GroupExpansion/Ext/service.asmx
  Received a failure HTTP response.: HTTP Response: 403 Forbidden ( The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. )
  Connection:close
  Pragma:no-cache
  Content-Length:2024
  Cache-Control:no-cache
  Content-Type:text/html

   

   

   

   

  
   
   
   

  The page cannot be displayed
   

   
   style="FONT: 8pt/11pt verdana; COLOR: #000000">Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

   
   style="FONT: 8pt/11pt verdana; COLOR: #000000">

  --------------------------------------------------------------------------------

   

  Try the following:

   

   

  Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.

  Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.

  Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.

   

  
  --------------------------------------------------------------------------------

   

  Technical Information (for support personnel)

   

   

  Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

  
   

   

  Warning: Failed to connect to the external URL. This may be expected if external web farm FQDN isn't accessible from intranet.
     Warning
  [0x43FC200C] Not all checks were successful 

  Checking Address Book Server configuration       Success
   

  Check Http URL   URL: https://pool1.testing.local/Abs/Int/Handler/D-0a15-0a16.dabs
  Received a successful HTTP response: HTTP Response: 200 OK
  Content-Length:550
  Cache-Controlrivate
  Content-Type:application/dabs
  Date:Thu, 14 Feb 2008 21:20:28 GMT
  Server:Microsoft-IIS/6.0
  X-AspNet-Version:2.0.50727
  X-Powered-By:ASP.NET

  Received a successful HTTP response: OK
     Success
   

  Check Web Conferencing Server Virtual Directory Setting       Warning
  [0x43FC200C] Not all checks were successful 

  Check Http URL   URL: https://pool1.testing.local/etc/place/null/slidefiles/blank.png
  Received a successful HTTP response: HTTP Response: 200 OK
  Accept-Ranges:bytes
  Content-Length:567
  Content-Type:image/png
  Date:Thu, 14 Feb 2008 21:20:28 GMT
  ETag:"0a724b9d1c6c71:5f5"
  Last-Modifiedun, 15 Jul 2007 11:17:26 GMT
  Server:Microsoft-IIS/6.0
  X-Powered-By:ASP.NET

  Received a successful HTTP response: OK
     Success
   

  Check Http URL   URL: https://abs.testing.local/etc/place/null/slidefiles/blank.png
  Received a failure HTTP response.: HTTP Response: 403 Forbidden ( The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. )
  Connection:close
  Pragma:no-cache
  Content-Length:2024
  Cache-Control:no-cache
  Content-Type:text/html

   

   

   

   

  
   
   
   

  The page cannot be displayed
   

   
   style="FONT: 8pt/11pt verdana; COLOR: #000000">Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

   
   style="FONT: 8pt/11pt verdana; COLOR: #000000">

  --------------------------------------------------------------------------------

   

  Try the following:

   

   

  Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.

  Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.

  Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.

   

  
  --------------------------------------------------------------------------------

   

  Technical Information (for support personnel)

   

   

  Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

  
   

   

  Warning: Failed to connect to the external URL. This may be expected if external web farm FQDN isn't accessible from intranet.
  =============================
   
  Any ideas....

   

  Thanks,

  Muhammad

  Thursday, February 14, 2008 6:15 PM