Solved

UCC SSL certificate?

Posted on 2010-01-12
Last Modified: 2012-05-08
I have a few websites which I need to publish through a single IP and need to be each established with an independent host name (www.example.com, www.anotherexample.com).  These requirements are from a combination of my hosting provider and the CMS we would like to use. This will be published through an ISA 2006 SP1 system.

I've been researching UCC certificates for this setup. It appears ideal if it will work. Can a UCC certificate be used strictly for IIS? If so, how?
Question by:timbrigham
11 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 26294567
You mean a SAN Certificate?

ISA2006 with SP1 should be able to handle it.

1. You start with installing the Certificate on the Web Server(s) first.
2. Then export the Certificate from the Web Server as a PFX file with the Private Key using the Certificates MMC.  
3. Save the file on the web server Desktop (or wherever you want to store it).  
4. Then copy the PFX file (by whatever means) to the ISA and import it into the ISA's Certificate Store using the Certificates MMC.
5. Create a New Web Listener and add the Certificate to it.
6. Create a separate Web Server Publishing Rule for each Site.
7. Use the same Listener for each Publishing Rule.
8. Use Hosts Headers as the means to distinguish one Site from another.

0
 
LVL 29

Expert Comment

by:pwindell
ID: 26294593
> These requirements are from a combination of my hosting provider and the CMS we would like to use.

Q.  What does that mean? Hosting Provider?  You only Publish Sites that are on your LAN behind your ISA.  You do not Publish sites that are physically outside your LAN.
0
 
LVL 15

Expert Comment

by:Tray896
ID: 26294615
I'll admit that I am not very familiar with UCC certificates, but I was under the impression that they were only for Exchange installations?  I don't think you can use them for just a standard IIS website.
0
 
LVL 15

Expert Comment

by:Tray896
ID: 26294648
Yeah this link and others I've found seem to agree with the fact that UCC certs are only for Exchange and Communications server.  http://support.microsoft.com/default.aspx/kb/929395


For just a standard IIS website, you would either need to buy individual certs or use wildcard certs.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 26294664
Same here. I'm not familiar with UCC.  I feel a bit "acronymed to death".  I wish people would spell out the names instead of assuming I will always know what every acronym out there means.  I never heard of UCC specifically.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 26294705
ISA should work with SAN Certs too.  Wildcard Certs only work with a common namespace (*.mydomain.com).  Assuming I don't have my acronyms fouled up the SAN Cert allows completely different FQDNs.

0
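
The wildcard-versus-SAN difference described in the comment above, as an added example that is not part of the original thread: it checks which published host names a certificate's DNS names cover, using the usual rule that `*` stands for exactly one left-most label. The host `admin.example.com` and both name lists are constructed sample data.

```python
# Added example (not from the thread): which host names does a certificate cover?
# Rule applied: "*" is accepted only as the whole left-most label and matches
# exactly one label. Partial wildcards such as "w*.example.com" are not
# expanded here; they are compared as literal names.

def name_matches(cert_name: str, host: str) -> bool:
    """True if one certificate DNS name (plain or wildcard) covers host."""
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False              # a wildcard never spans several labels
    if c[0] == "*":
        # need at least two fixed labels, so "*.com" covers nothing
        return len(c) >= 3 and c[1:] == h[1:]
    return c == h

def uncovered(cert_names, hosts):
    """Hosts that would raise a name-mismatch warning with this certificate."""
    return [x for x in hosts if not any(name_matches(n, x) for n in cert_names)]

# Constructed sample data: sites to publish behind one listener.
PUBLISHED = ["www.example.com", "www.anotherexample.com", "admin.example.com"]
WILDCARD_CERT = ["*.example.com"]                      # one common namespace
SAN_CERT = ["www.example.com", "www.anotherexample.com",
            "admin.example.com"]                       # unrelated FQDNs listed

def report():
    return {
        "wildcard": uncovered(WILDCARD_CERT, PUBLISHED),
        "san": uncovered(SAN_CERT, PUBLISHED),
    }

if __name__ == "__main__":
    for kind, missing in report().items():
        print(f"{kind:9s} not covered: {missing or 'none'}")
```

Running the same check against the name list you intend to send to the certificate provider shows any site that would be left out before the certificate is issued.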
 
LVL 13

Accepted Solution

by:Springy555
Springy555 earned 1332 total points
ID: 26294744
I think you're going to have problems doing this.

You say there are multiple websites using the same IP address?  Do all these websites need to be SSL secured?  The problem is going to be that you will need a separate IP address for each SSL website regardless of the SSL cert installed.  

Or if you wanted to use just the one IP address, you need to offload the SSL onto a load balancer, or a separate service (such as the IIS ARR proxy) before passing the traffic unencrypted back to the webservers.
This is because the SSL traffic is encrypted, so IIS won't be able to read the header to see which website the traffic is destined for.

Otherwise, the process for generating a UCC cert is to request the usual CSR that you would do in IIS using the first DNS name, and pass this onto whoever is providing you with the certificate.  They will then ask for the additional DNS names which you can supply to them.  Then the cert gets installed as usual.
0
 
LVL 1

Author Comment

by:timbrigham
ID: 26297086
The websites all need to be SSL secured, unfortunately. There are administrative features specific to each which need to be secured. If I have to I can probably purchase additional IP addresses and set up separate listeners for each site but that will be a pain to maintain.

I've been reading these posts and trying to correlate to what I've been reading. I just found a few new links. They describe how to set up IIS for UCC / SAN certificates and use a single IP.
http://www.digicert.com/ssl-support/configure-iis-host-headers.htm
http://www.digicert.com/ssl-support/ssl-host-headers-iis-7.htm
Do these appear valid to you gentlemen?

Based on what is printed above, I should be able to set up a straight through HTTPS connection through the ISA and into IIS using the same process as for publishing a single site. Do any of you experts see a problem with doing so? I would think a certificate is just a certificate to ISA, but I really don't know.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 668 total points
ID: 26297205
> The websites all need to be SSL secured, unfortunately. There are administrative features specific to each which need to be secured. If I have to I can probably purchase additional IP addresses and set up separate listeners for each site but that will be a pain to maintain.

You can have multiple IP#s and multiple Certificates on a Single Listener.  You no longer need multiple Listeners like you did with ISA2004.

> Based on what is printed above, I should be able to set up a straight through HTTPS connection through the ISA and into IIS using the same process as for publishing a single site. Do any of you experts see a problem with doing so? I would think a certificate is just a certificate to ISA, but I really don't know.

Yes,..you can do a Server Publishing Rule (aka Non-Web Server Publishing Rule) and ISA can just pass the traffic back to IIS "unmolested" and let IIS "figure out" what to do with it.  But you lose all the additional abilities that the Web Proxying Service brings to the table that you get when you use a normal Web Publishing Rule.

With Web Publishing the Cert is installed on the ISA in addition to being installed on the web server,...so a Cert isn't just a Cert.  With Server Publishing (non-web server publishing) the Cert just does not even exist as far as ISA is concerned,...ISA is just doing a simple Reverse NAT with IIS and the Web Server doing all the work beyond that.  
0
 
LVL 13

Assisted Solution

by:Springy555
Springy555 earned 1332 total points
ID: 26297305
Yes, the details in those links look fine.
0
 
LVL 1

Author Comment

by:timbrigham
ID: 26297676
Thanks gentlemen. I will assign points shortly.

pwindell, thanks for the heads up about the multiple IP and certificate setup. That will make things easier if I go that route. I still might need to do so if things don't work out.

Based on the discussion here and a few links I've found it appears that everything will work with the UCC / SAN certs.

This link indicates that ISA 2006 SP 1 will handle the SAN certs for any published web servers.
http://www.isaserver.org/tutorials/ISA-Server-2006-Service-Pack1-New-features-enhancements.html

The link posted previously gives what I need to set up my IIS 7 servers.
http://www.digicert.com/ssl-support/ssl-host-headers-iis-7.htm


0
