ocs 2007 Reverse proxy certificate woes.
Hello,
I was wondering if i can get some insight with OCS certificate issues with the SAN and subject name for ISA 2006 Sp1 reverse proxying of the addres book.
I have setup up environment. and the edge server. All 3rd party certificates are isntalled on the edge and remote logon works great. My only issue is i cannot for the life of me, get my ISA 2006 SP1 web listener configured for reverse proxying for external users.
my cert is issued by an internal ca. I am using Split DNS on our network.
The cert has the following -
Subject name -> ocsserver1.company.ca (internal domain)
SAN --> ocsserver.company.ca (internal domain)
ocsserver.company.com (for address book publishing) and external domain.
sip.company.com (for external and internal)
now when i setup the listener - no authentication ssl. and publish the site.
as follows -
internal site - ocsserver.company.ca
external site - ocsserver.company.com
I get an error for the listener - The selected web listener is not configured with a certificate matching the public name defined in the wizard.
I have read a few blogs where it states -
"ISA 2006 server checks the first SAN listed in the certificate against
the Internal Site Name specified in the web publishing rule. If there is
no match the connection will fail. Even if the main Subject name of the
certificate is correct ISA only checks the first SAN".
Can someone who has split dns in their environment and has successfuly published their address book pls provide some insight into what i have missed.
I was wondering if i can get some insight with OCS certificate issues with the SAN and subject name for ISA 2006 Sp1 reverse proxying of the addres book.
I have setup up environment. and the edge server. All 3rd party certificates are isntalled on the edge and remote logon works great. My only issue is i cannot for the life of me, get my ISA 2006 SP1 web listener configured for reverse proxying for external users.
my cert is issued by an internal ca. I am using Split DNS on our network.
The cert has the following -
Subject name -> ocsserver1.company.ca (internal domain)
SAN --> ocsserver.company.ca (internal domain)
ocsserver.company.com (for address book publishing) and external domain.
sip.company.com (for external and internal)
now when i setup the listener - no authentication ssl. and publish the site.
as follows -
internal site - ocsserver.company.ca
external site - ocsserver.company.com
I get an error for the listener - The selected web listener is not configured with a certificate matching the public name defined in the wizard.
I have read a few blogs where it states -
"ISA 2006 server checks the first SAN listed in the certificate against
the Internal Site Name specified in the web publishing rule. If there is
no match the connection will fail. Even if the main Subject name of the
certificate is correct ISA only checks the first SAN".
Can someone who has split dns in their environment and has successfuly published their address book pls provide some insight into what i have missed.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Before purchasing a public cert you can test by creating an internal cert with the ocsserver.company.com subject name and assigning it on the ISA rule. Then import your internal Root CA Certificate on an external client and disable CRL checking on the external client.
Disable CRL checking on client side:
HKEY_LOCAL_MACHINE\SOFTWAR
EnableCRLChecking = 0 (if does not exist, please create a DWORD value.) Close/Exit Communicator to take effect.
You also need to import the Root CA certificate on your ISA server.
The To Tab on your rule should have the ocserver.company.ca as the published site which is your internal server that have the Web Components role. The cert assigned in IIS on that server can be internal and should have ocserver.company.ca as the subject name which is probably also your pool fqdn in a Standard Edition installation so can be the same cert as used for OCS Home server.