Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Want to remove ISA server and need to understand some certificate info...

Posted on 2010-08-23
12
Medium Priority
?
316 Views
Last Modified: 2012-05-10
We currently run ISA 2006 standard edition on a Windows server 2003 standard 32bit. Exchange 2007 server running on Server 2008 standard. The ISA is going to be removed as we are changing our firewall appliance. There are 3 rules in the ISA server that I'm a little worried about.
Because ISA does the internal/public certificate publishing stuff for OWA/ActiveSync and Outlook AnyWhere, where would that certificate information need to be placed before ISA goes bye bye. If anyone knows of any articles out there that would help me it would be greatly appreciated.

Thanks
BW
0
Comment
Question by:bwinkworth
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
  • 2
12 Comments
 
LVL 32

Expert Comment

by:endital1097
ID: 33500498
if you are no longer going to have a reverse proxy (ISA) in place, then the certificates must reside on the Exchange CAS server (firewall directs all traffic to exchange)
0
 

Author Comment

by:bwinkworth
ID: 33500595
Thanks endital1097.
 Because I didn't set up this configuration, is it possible that the consultants may have already setup the certificates on the Exchange CAS? How can I check for these certificates? Something tells me they may already be there as they setup the ISA after for other reasons.

Thanks,
BW
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33500656
from the management shell run
get-exchangecertificate | fl

look for the certificate where services contains IIS
look at the certificatedomains for that certificate and verify that the name used is listed
0
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

 

Author Comment

by:bwinkworth
ID: 33500891
Ok did that. AccessRules came up with a some info below:
CertificateDomanins: <our fqdn here>
HasPrivateKey: True
IsSelfSigned: False
Issuer: <our domain controller>
NotAfter: <date>
NotBefore: <date>
PublicKeySize: 1024
RootCAType: Enterprise
SerialNumber: <long alphanumeric number here>
Services: IMAP, POP, IIS, SMTP
Status: Valid
Thumbprint: <big honkin number here>

That mean yes? :))
If I do look into the IIS there is the owa, Microsoft-Server-ActiveSync etc. Properties of each of these have 'Required SSL' checked and 'Require 128-bit SSL' checked and the Client certificates option of 'Ignore' selected.
So it seems maybe all I have to do is redirect the new appliance to Exchange. Everything seems ok.

Thanks
BW
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33500993
that is a certificate from your internal ca
look at the certificate on the web listener in isa, it should be from a 3rd party
you'll need to view the certificate and verify the names on it
0
 

Author Comment

by:bwinkworth
ID: 33502063
The certificate on the web listener is from a 3rd party. Do I then need to install this certificate on the Exchange server since ISA is going away?

Thanks
BW
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33502138
yes, you will need to install that on the exchange server
look at this article to ensure your certificate will work
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-Service-OOF-and-OAB.html

you need to be aware of how users access exchange both internally and externally and what names should be present on the certificate
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33505456
If you Published with ISA the normal proper way the Cert would already be on the Exchange,...it would have had to be due to the fact that the ISA uses it when communicating between itself the the OWA Site (SSL Bridging).  In the normal Publishing process the Cert is put on the Exchange/OWA IIS to begin with and then exported from there as a PFX file with the Private Key,...the PFX file is then copied to the ISA machine and then imported into the Cert Store,...so therfore, it should already be on the Exchange in the Machine's Certificate Store..
0
 

Author Comment

by:bwinkworth
ID: 33510740
Thanks pwindell. So you're saying all I really have to do is direct the traffice from the firewall to Exchange as endital1097 said once ISA is gone and it should work?

Thanks,
BW
0
 
LVL 32

Accepted Solution

by:
endital1097 earned 1000 total points
ID: 33510772
NO
your comments have shown that the ISA server has a different certificate than the exchange server
if you just flip the switch your users may start getting certificate warnings and outlook anywhere may break

you need to export the certificate from the ISA server, import it onto the exchange server, and assign the services

http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx
0
 

Author Closing Comment

by:bwinkworth
ID: 33510918
Gotcha.
Thanks a million endital1097. Appreciate your help

BW
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33510967
It makes a difference if it was the same cert or not.   In a more normal situation they would be the same Cert.  I could not tell by your posts if that was true or not.  But if it is a different Cert than you have to do as enditall1097 indicates.  Sorry, I don't want to create any confusion.
 
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Are you an Exchange administrator employed with an organization? And, have you encountered a corrupt Exchange database due to which you are not able to open its EDB file. This article will explain all the steps to repair corrupt Exchange database.
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question