Reverse Proxy Certificate/Setup question

  • Question

  • Hi,

    I have OCS working in our environment with the following configuration: 

    Access Edge Server
    Standard Front End Server (Running all services: web conf, AV, etc.)

    Everything is working fine except I now need to set up the reverse proxy.  My front end server has a 3rd party cert installed (for a specific reason) and with a SN matching the FQDN. 

    I'd rather not use the existing 3rd party front end cert for the reverse proxy as then I'd have to create an external A record with my internal server name, correct?  So my thought is to get another cert, i.e. abs.domain.com, create an external A record called abs.domain.com pointing to my proxy server. 

    Question is, would I then have to use the abs.domain.com cert on my front end server replacing my existing cert?  Or would the new cert just import on the proxy and my FE remain untouched?

    That's where I'm confused.  My question may not make much sense so please forgive me...
    Tuesday, July 29, 2008 11:06 PM

All replies

  • Based on what you described you will need a second certificate with a subject name matching the external FQDN of your external ABS URL (abs.domain.com in your example).  I don't know which proxy server you have but if it's like ISA you would place the public certificate on the proxy server and the proxy server would broker communication to the Standard Edition server.

    Wednesday, July 30, 2008 12:14 AM
    Moderator
  • Correct, I'd be using ISA 2006 SP1.  That being the case, do I need to specify anything for the SAN?
    Wednesday, July 30, 2008 1:23 AM
  • If you haven't already, take a look at Jeff's blog.  Towards the bottom of the article he outlines the ISA config.  http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=19

     

    If you are requesting a certificate from a public CA specifically for publishing the web components externally then you would just put the FQDN as the subject name of the certificate.  If you are combining that certificate with another role then you need to have one or more SANs on the certificate, which should work properly with ISA 2006 SP1 now that they've updated the SAN support.

     

    Wednesday, July 30, 2008 2:11 PM
    Moderator
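
The two certificate checks discussed in this thread, as an added example that is not part of the original posts: the proxy's listener certificate has to cover the external FQDN, while the front end keeps its own certificate for the proxy-to-server leg. It assumes RFC 2818 name matching (SAN dNSName entries take precedence over the subject CN), which is an assumption about the validating client and not a statement of ISA's exact behaviour; `ocsfe.corp.example` and `sip.domain.com` are hypothetical names, and the certificate dicts are constructed in the layout returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example: name checks for the two TLS legs of a bridging reverse proxy.
# Cert dicts use the layout returned by ssl.SSLSocket.getpeercert().

def cert_dns_names(cert):
    """Names a client matches against: SAN dNSName entries if any, else subject CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # RFC 2818: once a DNS SAN is present the CN is not consulted
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a left-most '*' label standing in for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covers(cert, host):
    return any(name_matches(n, host) for n in cert_dns_names(cert))

def check_bridging(listener_cert, external_fqdn, backend_cert, backend_fqdn):
    """Return a list of problems; an empty list means both legs validate by name."""
    problems = []
    if not covers(listener_cert, external_fqdn):
        problems.append(f"listener cert does not cover {external_fqdn}")
    if not covers(backend_cert, backend_fqdn):
        problems.append(f"backend cert does not cover {backend_fqdn}")
    return problems

# Constructed sample data. abs.domain.com is from the thread; the rest is hypothetical.
PROXY_CERT = {"subject": ((("commonName", "abs.domain.com"),),)}
FE_CERT = {"subject": ((("commonName", "ocsfe.corp.example"),),)}
# Combined-role cert whose SAN list omits the web FQDN: the matching CN does not help.
COMBINED_BAD = {"subject": ((("commonName", "abs.domain.com"),),),
                "subjectAltName": (("DNS", "sip.domain.com"),)}

if __name__ == "__main__":
    print(check_bridging(PROXY_CERT, "abs.domain.com", FE_CERT, "ocsfe.corp.example"))
    print(check_bridging(COMBINED_BAD, "abs.domain.com", FE_CERT, "ocsfe.corp.example"))
    print(check_bridging(FE_CERT, "abs.domain.com", FE_CERT, "ocsfe.corp.example"))
```

The second call reports a listener problem because a certificate shared with another role must list the web components FQDN among its SANs; the third shows why the front end's own certificate cannot serve the external name.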