OWA 2010 vs ISA 2006 vs RSA AM 6.1 vs SSL

Posted on 2011-05-10
Last Modified: 2012-08-13
Hi Experts

I'm hoping that someone has done this, and can help out?!

Our scenario is:

1. Exchange 2010 OWA on Windows 2008 R2 64-bit with RSA Auth Manager 6.1 as replica
2. ISA 2006 Std on Windows 2003
3. NAT between OWA and ISA

The other Exchange 2010 servers are on the same subnet as the OWA, and the RSA master.
The RSA master is fine and works with RADIUS from firewall.
OWA works, with certificate errors, but allows us in, on forms-based auth.
We have a new SSL certificate, created for our owa / exchange use, with an intermediate, all in a pfx file which imports into the ISA server mmc as well as the OWA server mmc.

If we try to import the pfx into EMC we get "certificate is invalid for exchange server usage".
The ISA 2006 listener also does not like the certificate, saying "private key not installed".
If I install RSA AM onto the OWA box, as a replica, it finds the replica package but then errors later. The installation then finishes but I can see it is not 100%. We have copied the sdconf.rec file as required, and if we recreate the replica package and apply it, we get "SHFileOperation copy failed"

Setting up an ISA publish rule, with correct settings, gives us the RSA "106 - server too busy" error.
We had a successful RSA SecureID with ISA 2004 and OWA 2003.

If we browse to the internal ISA NIC, we get through the NAT and can connect to OWA, with SSL errors.
If we browse to the external ISA NIC, we get nothing!

ISA is working, and we were able to publish a basic http page on the OWA box. The minute SSL is selected, it no worky!

Does anyone have a list of steps to follow, to get the SSL to behave, as well as the ISA to publish the RSA correctly? Do you have to follow the "Exchange certificate request" wizard?
Or am I pushing my luck trying to get this all working together ?

Thanks in advance
Question by:DoveSupport
    LVL 8

    Accepted Solution

    Not sure if this will help, but I don't use ISA so I cannot give you any real-world experience on it.
    LVL 1

    Author Comment

    Thanks, steinmto. That is part of what I am doing with the SSL. I've requested a cert in addition to the wildcard we have.

    I believe I can use a wildcard on the ISA, but need a specific cert for OWA.
    LVL 1

    Author Comment

    OK, now I have SSL working and the ISA can publish a basic OWA page properly.

    I am now using a 32-bit RSA replica which is giving me nightmares. The version 6.1 master works perfectly, and the replica is able to run replication cycles to the primary; however, the test utility still reckons the replica server is unavailable and an auth test does not work...

    Anyone with RSA experience?
    LVL 10

    Assisted Solution

    Why not just drop the RSA AM, and use RADIUS pre-authentication on the ISA 2006? Just add a RADIUS server to ISA.

    Create a web listener on the ISA, using RADIUS authentication as the authentication. Make sure the public name of the Listener matches the installed certificate.

    I have experience with other RADIUS OTP solutions, and we published OWA using OTP from ActivIdentity and using Kerberos Constrained Delegation with ISA 2006. There were no plugins used... This works out of the box using ISA 2006.
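    The two certificate symptoms in the question ("private key not installed" on the ISA listener, and EMC rejecting the cert for Exchange usage) and the advice above that the listener's public name must match the certificate can all be checked before touching the listener. The following is an added example, not code from this thread or from Microsoft/RSA; it assumes the pfx was imported into the Local Machine "Personal" store of the box being checked and that `$PublicName` is the listener's public name (placeholder value).

```powershell
# Added example: sanity-check certificates in Cert:\LocalMachine\My before binding one
# to an ISA 2006 web listener or to OWA. Not part of the original thread.
param(
    [string]$PublicName = 'owa.example.com'   # placeholder: the listener's public name
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU: Server Authentication
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Test-ListenerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Name)
    $problems = @()

    # "private key not installed": the pfx was imported without its key, or into the
    # CurrentUser store instead of LocalMachine, so the listener cannot terminate SSL.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key bound to this certificate' }

    # Exchange and ISA need the Server Authentication EKU on a listener certificate.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })) {
        $problems += 'missing Server Authentication EKU'
    }

    # The public name must match the Subject CN or one of the SAN entries
    # ('-like' lets a wildcard CN such as *.example.com match).
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($san) {
        $names += ($san.Format($true) -split "`r?`n" |
            ForEach-Object { ($_ -split '=')[-1].Trim() } | Where-Object { $_ })
    }
    if (-not ($names | Where-Object { $Name -like $_ })) {
        $problems += "name '$Name' not in certificate names: $($names -join ', ')"
    }

    if ($Cert.NotAfter -lt (Get-Date)) { $problems += 'certificate has expired' }

    New-Object PSObject -Property @{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        OK         = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ListenerCertificate -Cert $_ -Name $PublicName } |
    Format-List Subject, Thumbprint, OK, Problems
```

    Run it on the ISA box and on the OWA box with the same public name; a certificate that reports OK on one and "no private key" on the other points at a key-less import rather than at the listener rule.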
    LVL 1

    Author Closing Comment

    Ok, problems solved eventually. SSL certificates were aligned and RSA was reset to a 32-bit box.
    New RSA agent hosts were created and extra sdconf files were created for both sides of the NAT translation.
    Thanks for the advice, guys.
