
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1214
  • Last Modified:

OWA 2010 vs ISA 2006 vs RSA AM 6.1 vs SSL

Hi Experts

I'm hoping that someone has done this and can help out!

Our scenario is:

1. Exchange 2010 OWA on Windows 2008 R2 64-bit with RSA Auth Manager 6.1 as a replica
2. ISA 2006 Std on Windows 2003
3. NAT between OWA and ISA

The other Exchange 2010 servers are on the same subnet as the OWA, and the RSA master.
The RSA master is fine and works with RADIUS from firewall.
OWA works, with certificate errors, but allows us in, on forms-based auth.
We have a new SSL certificate, created for our OWA/Exchange use, with an intermediate, all in a PFX file which imports into the ISA server MMC as well as the OWA server MMC.

If we try to import the PFX into the EMC we get "certificate is invalid for exchange server usage".
The ISA 2006 listener also does not like the certificate, saying "private key not installed".
If I install RSA AM onto the OWA box as a replica, it finds the replica package but then errors later. The installation then finishes, but I can see it is not 100%. We have copied the sdconf.rec file as required, and if we recreate the replica package and apply it, we get "SHFileOperation copy failed".

Setting up an ISA publishing rule, with the correct settings, gives us the RSA "106 - server too busy" error.
We had a successful RSA SecurID setup with ISA 2004 and OWA 2003.

If we browse to the internal ISA NIC, we get through the NAT and can connect to OWA, with SSL errors.
If we browse to the external ISA NIC, we get nothing!

ISA is working, and we were able to publish a basic HTTP page on the OWA box. The minute SSL is selected, it no longer works!

Does anyone have a list of steps to follow to get the SSL to behave, as well as to get the ISA to publish the RSA correctly? Do you have to follow the "Exchange certificate request" wizard?
Or am I pushing my luck trying to get this all working together ?

Thanks in advance
2 Solutions
Not sure if this will help, but I don't use ISA so I cannot give you any real-world experience on it.

DoveSupport (Author) commented:
Thanks, steinmto. That is part of what I am doing with the SSL. I've requested a cert in addition to the wildcard we have.

I believe I can use a wildcard on the ISA, but need a specific cert for OWA.
DoveSupport (Author) commented:
OK, now I have SSL working and the ISA can publish a basic OWA page properly.

I am now using a 32-bit RSA replica, which is giving me nightmares. The version 6.1 master works perfectly, and the replica is able to run replication cycles to the primary; however, the test utility still reckons the replica server is unavailable and an auth test does not work...

Anyone with RSA experience ?
Why not just drop the RSA AM and use RADIUS pre-authentication on the ISA 2006? Just add a RADIUS server to ISA.

Create a web listener on the ISA, using RADIUS authentication as the authentication. Make sure the public name of the Listener matches the installed certificate.

I have experience with other RADIUS OTP solutions, and we published OWA using OTP from ActivIdentity and using Kerberos Constrained Delegation with ISA 2006. No plugins were used... This works out of the box with ISA 2006.
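Added example, not from this thread and not ISA's, Exchange's or RSA's own code: the RADIUS exchange that a listener doing RADIUS pre-authentication performs against the RADIUS server, with both sides run in-process. It shows how User-Password is hidden with the shared secret (RFC 2865 section 5.2), how the server signs its Access-Accept/Reject with the Response Authenticator, and how the client checks that signature, so a shared secret that differs between the proxy and the RADIUS server surfaces as an unverifiable reply rather than a successful logon. The user database, shared secret and NAS identifier are constructed values.

```python
"""RFC 2865 RADIUS Access-Request / Access-Accept exchange, both sides in-process.

Added illustration of what a RADIUS pre-authentication listener sends and how it
checks the answer. Not ISA's or RSA's code; the shared secret, user database and
NAS identifier used below are constructed values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; a wrong shared secret yields garbage, not an error."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")

def _encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes header) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def _decode_attrs(data: bytes):
    attrs, pos = [], 0
    while pos < len(data):
        t, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs

def build_access_request(ident, username, password, secret, nas_id):
    """Client side (what the reverse proxy's listener sends)."""
    req_auth = os.urandom(16)  # Request Authenticator: fresh random per request
    attrs = _encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth)),
        (ATTR_NAS_IDENTIFIER, nas_id),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_respond(packet, secret, users):
    """Server side: unhide the password, check it, sign the reply with the secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = dict(_decode_attrs(packet[20:length]))
    user = attrs.get(ATTR_USER_NAME, b"")
    pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = user in users and hmac.compare_digest(users[user], pw)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + b"" + secret).digest()

def verify_response(request, response, secret):
    """Client side: only a server holding the same secret can produce this value."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def authenticate(username, password, secret, users, server_secret=None):
    """One full exchange; server_secret != secret models a mis-configured shared secret."""
    req = build_access_request(7, username, password, secret, b"owa-listener")
    resp = server_respond(req, secret if server_secret is None else server_secret, users)
    if not verify_response(req, resp, secret):
        return "unverified"  # treat as failure: reply not proven to come from our server
    return "accept" if resp[0] == ACCESS_ACCEPT else "reject"
```

Two practical points follow from this. A real RADIUS server selects the shared secret by the source IP address of the request, so with a NAT between the proxy and the RADIUS server the address the server sees is the one that must be registered as the client; an unknown source is silently dropped, which looks like a timeout on the proxy. And the User-Password hiding above is MD5-based obfuscation, not strong encryption, so the proxy-to-RADIUS leg belongs on a trusted network segment.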
DoveSupport (Author) commented:
OK, problems solved eventually. SSL certificates were aligned and RSA was reset to a 32-bit box.
New RSA agent-hosts were created and extra sdconf files were created for both sides of a NAT translation.
Thanks for the advice guys.
