Solved

UCC SSL certificate?

Posted on 2010-01-12
Last Modified: 2012-05-08
I have a few websites which I need to publish through a single IP and need to be each established with an independent host name (www.example.com, www.anotherexample.com).  These requirements are from a combination of my hosting provider and the CMS we would like to use. This will be published through an ISA 2006 SP1 system.

I've been researching UCC certificates for this setup. It appears ideal if it will work. Can a UCC certificate be used strictly for IIS? If so, how?
0
Comment
Question by:timbrigham
11 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 26294567
You mean a SAN Certificate?

ISA2006 with SP1 should be able to handle it.

1. You start with installing the Certificate on the Web Server(s) first.
2. Then export the Certificate from the Web Server as a PFX file with the Private Key using the Certificates MMC.
3. Save the file on the web server Desktop (or wherever you want to store it).
4. Then copy the PFX file (by whatever means) to the ISA and import it into the ISA's Certificate Store using the Certificates MMC.
5. Create a New Web Listener and add the Certificate to it.
6. Create a separate Web Server Publishing Rule for each Site.
7. Use the same Listener for each Publishing Rule.
8. Use Hosts Headers as the means to distinguish one Site from another.

0
 
LVL 29

Expert Comment

by:pwindell
ID: 26294593
These requirements are from a combination of my hosting provider and the CMS we would like to use.

Q.  What does that mean? Hosting Provider?  You only Publish Sites that are on your LAN behind your ISA.  You do not Publish sites that are physically outside your LAN.
0
 
LVL 15

Expert Comment

by:Tray896
ID: 26294615
I'll admit that I am not very familiar with UCC certificates, but I was under the impression that they were only for Exchange installations?  I don't think you can use them for just a standard IIS website.
0
 
LVL 15

Expert Comment

by:Tray896
ID: 26294648
Yeah this link and others I've found seem to agree with the fact that UCC certs are only for Exchange and Communications server.  http://support.microsoft.com/default.aspx/kb/929395


For just a standard IIS website, you would either need to buy individual certs or use wildcard certs.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 26294664
Same here. I'm not familiar with UCC.  I feel a bit "acronymed to death".  I wish people would spell out the names instead of assuming I will always know what every acronym out there means.  I never heard of UCC specifically.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 26294705
ISA should work with SAN Certs too.  Wildcard Certs only work with a common namespace (*.mydomain.com).  Assuming I don't have my acronyms fouled up, the SAN Cert allows completely different FQDNs.

0
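Added example (not part of the thread and not any poster's code): a short Python check of the wildcard-versus-SAN distinction described in the comment above, using the two host names from the question. The wildcard rule here is the common convention that `*` stands for exactly one left-most label; the function names and the sample certificate name lists are constructed for illustration.

```python
# Added example: which published host names does a certificate cover?
# All inputs are constructed; the two site names come from the question.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")

def name_matches(pattern, host):
    """True if one certificate dNSName entry covers host.

    A '*' is accepted only as the whole left-most label and stands for
    exactly one label, so '*.example.com' covers 'www.example.com' but
    not 'example.com' or 'a.b.example.com'.
    """
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial wildcards such as 'w*.example.com' are rejected outright.
    return "*" not in pattern and p == h

def uncovered(san_entries, published_hosts):
    """Return the published hosts that no SAN entry covers."""
    return [h for h in published_hosts
            if not any(name_matches(s, h) for s in san_entries)]

# Constructed inputs: host names published behind the one listener.
SITES = ["www.example.com", "www.anotherexample.com"]
WILDCARD_CERT = ["*.example.com"]
SAN_CERT = ["www.example.com", "www.anotherexample.com"]

if __name__ == "__main__":
    print("wildcard cert misses:", uncovered(WILDCARD_CERT, SITES))
    print("SAN cert misses:", uncovered(SAN_CERT, SITES))
```

Running the same check against the name list of a certificate before it is bound to a listener shows which published sites would produce a name-mismatch warning.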
 
LVL 13

Accepted Solution

by:
Springy555 earned 1332 total points
ID: 26294744
I think you're going to have problems doing this.

You say there are multiple websites using the same IP address?  Do all these websites need to be SSL secured?  The problem is going to be that you will need a separate IP address for each SSL website regardless of the SSL cert installed.  

Or if you wanted to use just the one IP address, you need to offload the SSL onto a load balancer, or a separate service (such as the IIS ARR proxy) before passing the traffic unencrypted back to the webservers.
This is because the SSL traffic is encrypted, so IIS won't be able to read the header to see which website the traffic is destined for.

Otherwise, the process for generating a UCC cert is to request the usual CSR that you would do in IIS using the first DNS name, and pass this onto whoever is providing you with the certificate.  They will then ask for the additional DNS names which you can supply to them.  Then the cert gets installed as usual.
0
 
LVL 1

Author Comment

by:timbrigham
ID: 26297086
The websites all need to be SSL secured, unfortunately. There are administrative features specific to each which need to be secured. If I have to I can probably purchase additional IP addresses and set up separate listeners for each site but that will be a pain to maintain.

I've been reading these posts and trying to correlate to what I've been reading. I just found a few new links. They describe how to set up IIS for UCC / SAN certificates and use a single IP.
http://www.digicert.com/ssl-support/configure-iis-host-headers.htm
http://www.digicert.com/ssl-support/ssl-host-headers-iis-7.htm
Do these appear valid to you gentlemen?

Based on what is printed above, I should be able to set up a straight through HTTPS connection through the ISA and into IIS using the same process as for publishing a single site. Do any of you experts see a problem with doing so? I would think a certificate is just a certificate to ISA, but I really don't know.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 668 total points
ID: 26297205
The websites all need to be SSL secured, unfortunately. There are administrative features specific to each which need to be secured. If I have to I can probably purchase additional IP addresses and set up separate listeners for each site but that will be a pain to maintain.

You can have multiple IP#s and multiple Certificates on a Single Listener.  You no longer need multiple Listeners like you did with ISA2004.

Based on what is printed above, I should be able to set up a straight through HTTPS connection through the ISA and into IIS using the same process as for publishing a single site. Do any of you experts see a problem with doing so? I would think a certificate is just a certificate to ISA, but I really don't know.

Yes,..you can do a Server Publishing Rule (aka Non-Web Server Publishing Rule) and ISA can just pass the traffic back to IIS "unmolested" and let IIS "figure out" what to do with it.  But you lose all the additional abilities that the Web Proxying Service brings to the table that you get when you use a normal Web Publishing Rule.

With Web Publishing the Cert is installed on the ISA in addition to being installed on the web server,...so a Cert isn't just a Cert.  With Server Publishing (non-web server publishing) the Cert just does not even exist as far as ISA is concerned,...ISA is just doing a simple Reverse NAT with IIS and the Web Server doing all the work beyond that.  
0
 
LVL 13

Assisted Solution

by:Springy555
Springy555 earned 1332 total points
ID: 26297305
Yes, the details in those links look fine.
0
 
LVL 1

Author Comment

by:timbrigham
ID: 26297676
Thanks gentlemen. I will assign points shortly.

pwindell, thanks for the heads up about the multiple IP and certificate setup. That will make things easier if I go that route. I still might need to do so if things don't work out.

Based on the discussion here and a few links I've found it appears that everything will work with the UCC / SAN certs.

This link indicates that ISA 2006 SP 1 will handle the SAN certs for any published web servers.
http://www.isaserver.org/tutorials/ISA-Server-2006-Service-Pack1-New-features-enhancements.html

The link posted previously gives what I need to set up my IIS 7 servers.
http://www.digicert.com/ssl-support/ssl-host-headers-iis-7.htm


0
