"An HTTP 500 was returned to ISA because the certificate on the published server doesn't match the name in the publishing rule."

All of a sudden my users stopped getting email on their Droids, saying cannot connect to server, and some invalid certificate error.  I have been all over the place on this and now have frustrated users.  Not a fan of ISA 2004, so my knowledge is limited.

Any help would be greatly appreciated.

michellechabotSr. IT Security EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Bruno PACIIT ConsultantCommented:

In your ISA server there is a publishing rule so that external users can reach an internal server (in your case I suppose it an OWA/ActiveSync Exchange server).
In this rule you have configured the way ISA reaches the internal server: you have typed the DNS name or the IP address of the internal server, you have configured the protocol to use between ISA and the internal server (obviously here you have configured HTTPS between ISA and internal server, else you would not have this type of error), etc...

HTTPS requires the reached server to have a SSL certificate (in your case the OWA Exchange server must have a certificate).
A SSL certificate is issued for a name. This name must match the name you use to reach the server (let's say your internal Exchange server is named myowaserver.mydomain.local, then the certificate on Exchange should been issued for the name myowaserver.mydomain.local).

ISA must reach the internal server using a name that is mentionned in the certificate. As an example, if your certificate is issued for the name myowaserver.mydomain.local and ISA publishing rule is configured to use an IP address to reach the internal server there is no match between the IP and the name in the certificate, and then ISA server receives a security alert when it tries to reach the published server and refuses the connection. You must configure the publishing rule to reach the internal server using a DNS name that is present in the internal server certificate.

Have a good day.
michellechabotSr. IT Security EngineerAuthor Commented:
Thank you! I changed the "to" to match... Now I get a plain HTTP 500 response was retuned from ISA
michellechabotSr. IT Security EngineerAuthor Commented:
I checked all authentication and it seems fine. What is happening I think, is we use mail.original-domain.com which directs to currendomain.com. The SBS 2003 server is server.currentdomain.local
When the cert used has that name in it I get an SSL certificat verification error. When I use mail.original-domain.com I get HTTP 500 error.

Hope that makes sense...
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Keith AlabasterEnterprise ArchitectCommented:
No offence - but many people are not fans of products they have not been trained on. The error is specific - and the rule required to allow the traffic needs to be equally so.
Neither SBS or ISA will make changes to these rules 'on the fly' so somebody must have been making config changes - deliberately or accidentally.

The public certificate will be in two places - first it will be installed on the SBS Server default IIS instance (put in place using the SBS install a certificate wizard) and second it must be associated to the listener used by the publishing rule in the ISA gui. The ISA rule will use the public name in both cases - it will NOT use the internal certificate nor the internal name. Try that and you will get the straight 500 error.

For the initial error message you have posted, traffic was passing correctly but was simply being blocked for the sole reason it states - someone has possibly re-run the CEIC wizard on the SBS console which reinstates much of the out-of-the-box correct settings that the server relies upon. However, there are other wizards that also need to be re-run which includes the certificate wizard.

michellechabotSr. IT Security EngineerAuthor Commented:

Thanks. I was being sarcastic when I said I'm not a fan... it's just an older version and well, as time goes I tend to forget the old stuff.... lol

The firm is in the middle of a merger.... so we have several "cooks in the kitchen" so to speak. I will re-run the SBS install cert wizard and see what happens... thanks for your help!!
On SBS, in the properties of the SBS OMA Web Publishing rule, you should be able to leave the TO field as "publishing.yourdomain.local", and then just change the properties of the SBS Web Listener so that it uses your publicly trusted certificate.  Of course, this assumes that you haven't changed the certificate used for your default website away from "publishing.yourdomain.local", which you shouldn't need to do.  Also, in the properties of the rule you should have the Public Name the same as your certificate.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Sorry, I should have thought things through more before I hit submit.  I should amend my statement above.  While the above will work, depending on how your DNS is configured, it may be preferable to change the certificate associated with your default website, and hence the TO field for your Web publishing rules to match.

I'll give an example.  If you have a split DNS setup, where externally "mail.domain.com" resolves to your public IP, but internally it resolves to the private IP of your SBS, then if your setup is as I described in my previous post, when an external user goes to "mail.domain.com", they will get to correct web site and the certificate will match.  However, when an internal user goes to "mail.domain.com", they will get to the correct web site, but there will be a certificate mismatch.

So it depends on how your users are accessing your system which determines how far you have to go so that everything appears correct.
michellechabotSr. IT Security EngineerAuthor Commented:

Thank you. I understand your post, what i do need to know is if i can use a self signed trusted certificate?
michellechabotSr. IT Security EngineerAuthor Commented:

when we access the server from outside we use: mail.old-domain.com/exchange (or microsoft-active-sync) for the mobiles.  Internally, the server is. server01.newdomain.local

just so you have the info :)
michellechabotSr. IT Security EngineerAuthor Commented:
when i run the remote access analyzer i get the following :
 Host name mail.sinoway-mcenery.com doesn't match any name found on the server certificate CN=publishing.Sinoway.local.
You can use a self-signed certificate.  I have successfully used them with iPhones and iPads.  I don't have a DROID to test with, but my understanding is that if you choose the setting "Accept all certificates" it works fine.

Have you been using a self-signed cert up till now or a public one?  Did the cert expire?  Did you change domain names?  Just wondering what caused things to stop working.

Sounds like you have the "publishing.sinoway.local" certificate listed in the properties of the web listener.  Change it to your certificate for "mail.sinoway-mcenery.com.  If this isn't the case, let us know.
michellechabotSr. IT Security EngineerAuthor Commented:
I have NO idea what caused this.... wish I knew.
I think all along we have been using self-signed... I only took on the IT 3mos ago, and now the firm is dividing, so there are two IT departments...

so, i change the web listener to mail.sinoway-mcenery.com will i still get a name mismatch?
Here's what should match:

CN of certificate used by web listener <-> DNS name used by rule under the "Public Names" tab
CN of certificate used by IIS default web site <-> DNS name used by rule under the "To" tab
Keith AlabasterEnterprise ArchitectCommented:
The web listener MUST have mail.sinoway-mcenery.com  if that is the name on the certificate. If you think about it, it CANNOT be the internal certifcate/name as this could never be resolved from a public internet connection. The web listener entry is the name that the ISA will respond to - if they do not match, game over so this needs to be the public name.

If you think about how this is done in SBS you create the cert request in SBS with the public name. You get the cert and install the certificate through the wizard onto the SBS box - if ISA is installed it will use the same certificate therefore the web listener needs to have the same entry in the listener and the TO field of the publishing rule.
therefore the web listener needs to have the same entry in the listener and the TO field of the publishing rule

@keith_alabaster - I disagree here.  On a default install of SBS, after running the CEICW, the name you used for the certificate field will be what is used by the SBS Web Listener.  While the TO field is set to "publishing.domain.local" for the web publishing rules.  This name matches up with an "A" DNS record which points to the internal IP of the SBS server.  And a certificate with a CN of "publishing.domain.local" is installed on the default web site.
The way I've always understood it is this.  The web publishing rule forwards any requests that it matches to the name in the TO field.  If you have the external name here, it's just going to back out and around, unless you've created a DNS entry on your internal servers that matches this to your internal IP.  Something which I don't oppose by the way - I'm a fan of split DNS.
Keith AlabasterEnterprise ArchitectCommented:
No problem, you disagree. That's fine :)
michellechabotSr. IT Security EngineerAuthor Commented:
Ok, I get the name matching the certificate stuff...
do i create a dns record to point to mail.sinoway-mcenery.com?
if so, which type of record should it be?

there are a ton of certificates... probably all the separate times the wizard was run, can i delete these?
Keith AlabasterEnterprise ArchitectCommented:
Yes, you should have a DNS record (internal DNS) for that public name or alternatively you can add the internal IP address of the SBS box inside the publishing rule (on the TO field at the bottom of the page)
@ keith_alabaster - :)  Usually I take your posts as gold, but...

@ michellechabot - Just for a little background.  If you run the CEICW, and create a new web certificate, it will generate a new certificate with the name you specified, and put it under the machine certificate store under Personal certificates, and it will also regenerate the "publishing.domain.local" certificate and put it under the machine certificate store, both under Personal and Trusted Root Certification Authorities.  So if you ran the CEICW multiple times, each time creating a new certificate but with the same name, you will see multiple copies of that certificate (with different dates) under Personal, but you will only see one "publishing" cert.  You can delete all the extra copies of the cert with your public domain name.

Before describing the creation of the DNS record, can you tell me what certificate you currently have set for the Default web site in IIS, and whether it is expired?
michellechabotSr. IT Security EngineerAuthor Commented:
This is the view from the default website. it is using the publishing.sinoway.local    cert.
You can decide which way you'd like to proceed, but since it only takes a minute to change the properties of the rule to point to publishing.sinoway.local, I would try that first.

If it's still not working, then to follow keith_alasbaster's advice you would change the rule to point to "mail.sinoway-mcenery.com", change the certificate on the default site to match and do an iisreset, then create the DNS entry by creating a new forward lookup zone with the name "mail.sinoway-mcenery.com" and in that zone create a new A record with a blank name (so that it is same as parent) and point it to the internal IP of the SBS.
michellechabotSr. IT Security EngineerAuthor Commented:

both the default website & the publishing rule already have the publishing.sinoway.local

michellechabotSr. IT Security EngineerAuthor Commented:
This is what i get when i test it.....
And the web listener points uses the "mail.sinoway-mcenery.com" cert as well?

If so, then I'm at a loss to explain what I see on SBS by default, or my memory of previous installs where I've changed the cert.  But I'll just have to concede and say follow keith_alabaster's advice.

BTW, this is the first time I've ever seen a screenshot posted as an FLV.  :)
michellechabotSr. IT Security EngineerAuthor Commented:
:) i thought it was helpful...

Both point to publishing.sinoway.local
If you're saying that the web listener points to publishing.sinoway.local for its certificate, this needs to be changed.
michellechabotSr. IT Security EngineerAuthor Commented:
michellechabotSr. IT Security EngineerAuthor Commented:
Excellent.  Glad you got it working!  It also means I'm not going crazy or senile.  :)

BTW, it's not a bad idea if in the future you want to follow the steps I laid out in post ID: 37259471,, as the split DNS setup can be quite helpful in certain cases.  One that always jumps to the front of my mind is the use of Outlook over the Internet (also goes by various other names, including Outlook Anywhere) when you've got users coming and going.

Take care.
Keith AlabasterEnterprise ArchitectCommented:
<smiles> Glad you got it working - that's the main thing.

PS - I expect an invite to the future engagement party please :)

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.