TMG Server Web listener not accepting OWA Cert

Hi All,

On the Forefront TMG server, I am trying to add a cert on the web listener for OWA, but I am not able to add it. When I try to add the cert (GoDaddy cert), it says the cert is not trustable.
I exported this cert from the Exchange server under IIS and imported it to Personal and Trusted Root Certification Authority.
What do I have to do?

Thanks.
Leo Asked:

Toni Uranjek (Consultant/Trainer) Commented:
Did you import the certificate into the computer store?
Start, Run, type mmc, add snap-in Certificates and select for Computer account.
Leo (Author) Commented:
I did that....
Jeff Glover (Sr. Systems Administrator) Commented:
Import the Intermediate Certificates into the TMG Intermediate Certificates store. You should have got them with your GoDaddy Certificate. If you cannot find them, you can go back on GoDaddy and re-download the zip file with your Certificate. The G2-GD_iis_intermediates.p7b is what you import to the store.
Leo (Author) Commented:
Where is TMG Intermediate Certificate Store?
Jeff Glover (Sr. Systems Administrator) Commented:
Should have said the TMG server's Certificate Store. Go to Start>Run and type MMC. Add the Certificates Snap-in. Choose for the computer account of the computer you are on (it is a wizard as you add the Snap-in). Once the MMC is up, expand Certificates and you will see the Intermediate Certificate Authorities. Expand it and select the Certificates folder inside. Import the Intermediate certificates there.
Leo (Author) Commented:
That's done, now what's the next step? And how can I get the key icon on the certificate? I have attached a screenshot... TMG only wants to accept certs which have the key icon....
CertKey.jpg
Jeff Glover (Sr. Systems Administrator) Commented:
When you exported the Certificate from your Exchange server, did you export the Private Key with it?
Leo (Author) Commented:
Yes I did....I can delete it and do it again.....
I am getting this error when selecting a cert on TMG.
See Attached.
WebList.jpg
Jeff Glover (Sr. Systems Administrator) Commented:
Do you have more than one TMG server? Are all the Forefront TMG Services (5) started on the TMG server? If you have more than one server in the array, they all have to have the services started.
Jeff Glover (Sr. Systems Administrator) Commented:
If the services are started and it is the only server, I would kill the OWA listener and recreate from scratch.
Leo (Author) Commented:
This is the only server. What do you mean by kill the OWA listener, do you mean delete the rule?
And what are the instructions to recreate from scratch?
Jeff Glover (Sr. Systems Administrator) Commented:
Yes, delete the rule. How to create a new rule is a little involved, but IsaServer.org has some good articles detailing how to do it. TMG 2010 does not strictly support Exchange 2013, but this article gives the steps to make it work.

http://www.isaserver.org/articles-tutorials/configuration-general/publishing-exchange-2013-outlook-
web-app-forefront-threat-management-gateway-tmg-2010.html
Jeff Glover (Sr. Systems Administrator) Commented:
The link was too long for the comment box. You need to copy both lines to get there.
Leo (Author) Commented:
OK, we are using Exchange 2007, and that link didn't open for me :-(
Jeff Glover (Sr. Systems Administrator) Commented:
Leo (Author) Commented:
Thanks, but still on the cert icon, I can't see the key icon, and unless that appears, I won't be able to add it into the web listener :-(
Jeff Glover (Sr. Systems Administrator) Commented:
Then it means you did not export the private key with the certificate or the key did not export correctly. Go to your Exchange server and instead of using Exchange to export the Certificate, use the Certificate snap-in in the MMC. Make sure to export the private key with the certificate (it is a selection in the wizard). Import the certificate into the TMG and see what happens. From what you are describing, you exported the certificate without the private key. That is pretty much the only way you would not see the key icon.
Leo (Author) Commented:
OK, I did manage to export the key with the icon, but the error attachment, which I attached earlier, i.e. WebList.jpg, is still coming.
Jeff Glover (Sr. Systems Administrator) Commented:
Running out of ideas here. Is this an existing TMG that worked before and you are replacing the certificate? Did you import the certificate into the Computer's Personal store and not into your own? Do you see any issues under Monitoring (in the TMG console) > Alerts, Services or Configuration?
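
The conditions raised in the answers above (certificate in the computer account's Personal store, private key present, intermediates available so the chain builds) can be checked in one pass. This is an added example, not part of the original thread; the function names `Test-ListenerCertificate` and `Get-MisplacedRootEntry` are hypothetical, and it assumes it is run from an elevated PowerShell prompt on the TMG server.

```powershell
# Added example. Function names are hypothetical; run elevated on the TMG server.
# Uses only the Cert: provider and .NET X509 classes, so it works on PowerShell 2.0.
$x509 = 'System.Security.Cryptography.X509Certificates'

function Test-ListenerCertificate {
    # Default path is the computer account's Personal store, not the user's.
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # $true = machine context: certificates that exist only in the
        # logged-on user's stores are not used to build the chain.
        $chain = New-Object "$x509.X509Chain" -ArgumentList $true
        # Skip revocation so the result reflects chain building only.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $builds = $chain.Build($cert)

        $path   = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        $status = @($chain.ChainStatus   | ForEach-Object { $_.Status.ToString() })

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey    # False = no key icon in the MMC
            ChainBuilds   = $builds                # False = untrusted or incomplete chain
            ChainLength   = $path.Count            # 1 usually means no issuer was found
            ChainPath     = ($path -join ' <- ')
            ChainStatus   = ($status -join ', ')
        }
    }
}

function Get-MisplacedRootEntry {
    # Trusted Root should hold self-signed CA certificates only. A server
    # certificate imported there (as described in the question) shows up here.
    Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
        Where-Object { $_.Subject -ne $_.Issuer } |
        Select-Object Subject, Issuer, Thumbprint
}

Test-ListenerCertificate | Format-List
Get-MisplacedRootEntry   | Format-List
```

A listener certificate that reports `HasPrivateKey = False` needs to be re-exported with its private key, and any entry returned by `Get-MisplacedRootEntry` is a candidate for removal from Trusted Root.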
Leo (Author) Commented:
No Solution was found, closing off the question
Microsoft Forefront ISA Server