ISA best practice report - secure channel to the domain controller cannot be verified

Posted on 2009-12-22
Last Modified: 2012-08-13
Hi all,

I just ran the ISA best practice report tool and it came back with a few errors; just wondering if anyone can help me out with them.

As in the title: "secure channel to the domain controller cannot be verified". I looked in the system policy (see below)
and it all looks up and allowed.

The version is ISA 2004 and it is installed on an SBS server.

The "no connectivity" error doesn't matter; that one is about a connection to an external company.

Question by:awilderbeast
    LVL 29

    Expert Comment

    I suspect the BPA you ran does not work correctly on SBS.  SBS lives in its own little world. What is true in the real world is not true in the SBS world, and what is true in the SBS world is not true in the rest of the world.

    If the ISA was not communicating with Active Directory services, it would become obvious without having to have the BPA tell you about it.

    But your Certificate error is definitely a problem.

    LVL 1

    Author Comment

    I daren't play around with the certificates anymore after it took me so long to get OWA and ActiveSync working.
    LVL 29

    Expert Comment

    The "Certificate not matching the Public Name" is a serious cert problem; it is not going to "go away".   So however you have it working, it isn't working correctly.  If the cert does not match the Public Name then it is as if the cert does not exist.

    You can do what you want with it; it rests on you.  But I feel responsible to make sure you are properly warned.

    LVL 1

    Author Comment

    How would I go about assessing the problem before I make any changes?

    Can you guide me through and help me sort it?

    LVL 29

    Accepted Solution

    It is a simple thing.  Think of these terms: common name, public name, FQDN, host headers. Well, guess what, they all mean the same thing with just a little different focus.  So if your OWA site is recognized from the Internet as:

    Then the Certificate has to be specifically purchased for exactly ""
    And then the names above are like this:

    common name =
    public name =
    FQDN =
    Hosts Header =

    So in the Publishing Rule for OWA, any time any of these names are asked for, answer it with "", no matter what.   Never ever use an IP# at all in the Rule anywhere.  The Listener might have an External IP# only if there is more than one external IP on the SBS box, but if there is only one IP# then it only needs to be specified as External.

    Now the other half of the picture is your DNS.  It has to be correctly done, no compromises!
    People out in Internet Land don't use your DNS; they are irrelevant.   But your users and the ISA use your DNS (and only your DNS); they are completely and totally relevant. Every single host on the LAN needs to use your AD/DNS and never anything else.  Even the SBS box only uses itself, and it does that only on the internal-facing NIC; the external-facing NIC must have the DNS left blank.  In the config of the DNS service you can add an external DNS IP# as a Forwarder, and make sure the SBS is allowed to make outbound DNS queries.

    You have to create a Split DNS setup so that, as far as your users and your ISA are concerned, the name "" will always resolve to the private internal IP# that the OWA site runs at.   So the Publishing Rule for ISA will send the incoming OWA traffic to the private IP# of the OWA by correctly resolving "".

    Your LAN users are even more simple: they go directly to the OWA site at the private IP#.  Since this is SBS with Exchange, IIS, OWA and ISA on the same box, this may require an Access Rule for HTTP/HTTPS that runs between Internal to Localhost, or it could be Internal to <OWA IP#>.

    One last thing: I am not an SBS guy.  It would be a smart thing to run what I am saying past someone more experienced with SBS in case what I said needs tweaking a little bit.
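The accepted solution above rests on two things the poster can verify before touching anything: that the certificate presented on the OWA listener actually carries the public name (the "Certificate not matching the Public Name" finding), and that the internal AD/DNS view resolves that same public name to a private LAN address while the Internet view does not (the split DNS). The script below is an added example, not code from the original thread or from Microsoft; the certificate, hostnames and addresses in it are constructed sample data (example.com, a 192.168.x LAN address, a TEST-NET-3 address standing in for the public one), and the certificate dict uses the shape that Python's `ssl.SSLSocket.getpeercert()` returns so real data can be dropped in.

```python
# Added example (not from the original thread): offline checks for the two
# conditions the accepted answer depends on. All names and addresses below
# are constructed sample data, not values from the post.
import ipaddress
from typing import Dict, List, Sequence

# RFC 1918 ranges: what the answer calls the "private internal IP#".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip falls in an RFC 1918 range (IPv4 only in this example)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def name_matches(cert_name: str, hostname: str) -> bool:
    """Match one certificate name against a hostname, case-insensitively.
    A wildcard is honoured only as the entire leftmost label (the RFC 6125
    rule browsers apply): '*.example.com' matches 'mail.example.com' but
    neither 'example.com' nor 'a.b.example.com'."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_names(cert: Dict) -> List[str]:
    """Collect the subject CN and every DNS subjectAltName from a certificate
    in the dict shape ssl.SSLSocket.getpeercert() returns."""
    names = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    names += [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names


def cert_matches_public_name(cert: Dict, public_name: str) -> bool:
    """The condition the BPA reports as 'certificate not matching the public name'."""
    return any(name_matches(n, public_name) for n in cert_names(cert))


def split_dns_findings(public_name: str, internal: Sequence[str], external: Sequence[str]) -> List[str]:
    """Compare the two DNS views of the public name. The internal (AD/DNS) view
    must answer with a private address so ISA and LAN clients reach the OWA
    site directly; the external view must not leak private addresses.
    Returns a list of problems, empty when the split is correct."""
    problems = []
    if not internal:
        problems.append(f"internal DNS has no record for {public_name}")
    for ip in internal:
        if not is_rfc1918(ip):
            problems.append(f"internal DNS answers {public_name} with public address {ip}: split DNS not in place")
    for ip in external:
        if is_rfc1918(ip):
            problems.append(f"external DNS leaks private address {ip} for {public_name}")
    return problems


def check_owa_publishing(cert: Dict, public_name: str, internal: Sequence[str], external: Sequence[str]) -> List[str]:
    """Run both checks; an empty list means the cert and the DNS views agree on the public name."""
    problems = []
    if not cert_matches_public_name(cert, public_name):
        problems.append(f"certificate names {cert_names(cert)} do not cover public name {public_name}")
    problems += split_dns_findings(public_name, internal, external)
    return problems


# Constructed sample: a cert issued for the public name plus an autodiscover SAN,
# an internal DNS view answering with a LAN address, and an external view
# answering with a documentation-range (TEST-NET-3) address as the "public" IP.
SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),), (("commonName", "mail.example.com"),)),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "autodiscover.example.com")),
}
PUBLIC_NAME = "mail.example.com"
INTERNAL_VIEW = ["192.168.16.2"]
EXTERNAL_VIEW = ["203.0.113.10"]

if __name__ == "__main__":
    for label, name, internal in (
        ("correct setup", PUBLIC_NAME, INTERNAL_VIEW),
        ("cert/public name mismatch", "owa.example.com", INTERNAL_VIEW),
        ("no split DNS", PUBLIC_NAME, EXTERNAL_VIEW),
    ):
        print(label, "->", check_owa_publishing(SAMPLE_CERT, name, internal, EXTERNAL_VIEW) or "ok")
```

To run this against a real SBS box, replace `SAMPLE_CERT` with the dict from `getpeercert()` on a connection that verified the chain (with `verify_mode = CERT_NONE` Python returns an empty dict, so a self-signed SBS certificate has to be trusted on the checking machine first), and fill the two views from `socket.gethostbyname_ex(public_name)` once on a LAN client using AD/DNS and once from a host outside the network. The script only checks names and address ranges; expiry and chain trust are separate findings.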
