[isalist] Re: ISA Server 2006 Intra-Array Communication

  • From: Steve Moffat <steve@xxxxxxxxxx>
  • To: ISA Mailing List <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 24 Oct 2008 14:28:01 -0300

voodoo....

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Friday, October 24, 2008 2:07 PM
To: ISA Mailing List
Subject: [isalist] Re: ISA Server 2006 Intra-Array Communication

No, no.

For the cert that I was attempting to assign to the listener, no reason was 
given.  ISA just said it was invalid.  We were guessing that the reason for 
flagging it as invalid was because it didn't have a private key.

The "no private key" error was on the machine certs installed by our Enterprise 
CA (and not listed as a potential cert for assignment).  The "strange behavior" 
was that sometimes ISA would say no private key and at other times say they are 
just fine.  Not sure what changed between yesterday and today but today ISA is 
consistently showing those as all good - today.

On Fri, Oct 24, 2008 at 12:36 PM, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

http://www.ISAserver.org
-------------------------------------------------------

??
that shouldn't give you a "no private key" error..?

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
Sent: Friday, October 24, 2008 8:31 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Server 2006 Intra-Array Communication

Something else to add to the list of possible causes.

Turns out an expired intermediary certificate (thanks VeriSign :P) existed in 
the Intermediate Certification Authorities Computer Store.  The new one was 
being dropped into the Personal Computer Store.  By deleting the expired 
certificate and moving the new one to the Intermediate Certification 
Authorities Computer Store, the issue was resolved.


On Thu, Oct 23, 2008 at 10:19 PM, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:


       This can also happen when you dbl-click on the cert, import it to your 
personal store, realize your mistake and copy it to the machine store.
       When you do this, the private key stays in your personal store.


       -----Original Message-----
       From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young

       Sent: Thursday, October 23, 2008 9:10 AM
       To: isalist@xxxxxxxxxxxxx

       Subject: [isalist] Re: ISA Server 2006 Intra-Array Communication

       Actually, I did. :(


       On Thu, Oct 23, 2008 at 12:02 PM, Steve Moffat <steve@xxxxxxxxxx> wrote:


              You haven't exported the private key along with the cert.



              S



              From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
              Sent: Thursday, October 23, 2008 12:39 PM
              To: ISA Mailing List
              Subject: [isalist] Re: ISA Server 2006 Intra-Array Communication



              So... this is what I see (see attachment) after I import the SSL 
cert received from VeriSign on both servers and attempt to assign it to a 
listener.  It's driving me nuts. :(



              Thoughts?

              On Thu, Oct 23, 2008 at 10:54 AM, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:


              This is set in the "Communication" tab of each server properties.
              You tell ISA what IP address to use and the interface is selected 
on that basis.
              Er..
              Why do you want them to communicate with each other via the 
external interface?
              There can be no web proxy listener operating there and so no 
intra-array communications can take place.
              Do the certs exist on all array members?  They must if you want 
to assign them to a VIP.


              -----Original Message-----
              From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
              Sent: Thursday, October 23, 2008 7:18 AM
              To: isalist@xxxxxxxxxxxxx
              Subject: [isalist] ISA Server 2006 Intra-Array Communication

              All,

              I seem to recall reading something that talked about a Registry 
entry that can be used to tell ISA Server which interface to use for 
intra-array communication.  This is not the same as the 
UnicastInterHostCommSupport Registry value.

              Right now, I'm in the process of standing up a pair of ISA 
Servers in an array but am waiting for the network engineers to properly 
configure the switch port to which the external interface on one of the servers is 
connected.  Until that time, the two servers can't communicate with each other 
over the external interfaces.  I'm running into some strange behavior (machine 
certs sometimes show as installed correctly, not installed correctly, or can't 
be found) when attempting to assign a certificate (different from the machine 
cert) to a listener that runs on top of an NLB VIP on the external interfaces 
and I'd like to rule out network connectivity between the two as a potential 
cause.

              Does anyone know of which I write or did I somehow muddle and 
morph something I read into something that doesn't exist?
              --
              Cordially yours,
              Jerry G. Young II
              Microsoft Certified Systems Engineer

              ------------------------------------------------------
              List Archives: //www.freelists.org/archives/isalist/
              ISA Server Newsletter: 
http://www.isaserver.org/pages/newsletter.asp
              ISA Server Articles and Tutorials: 
http://www.isaserver.org/articles_tutorials/
              ISA Server Blogs: http://blogs.isaserver.org/
              ------------------------------------------------------
              Visit TechGenix.com for more information about our other sites:
              http://www.techgenix.com

              ------------------------------------------------------
              To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
              Report abuse to listadmin@xxxxxxxxxxxxx




              --
              Cordially yours,
              Jerry G. Young II
              Microsoft Certified Systems Engineer




       --
       Cordially yours,
       Jerry G. Young II
       Microsoft Certified Systems Engineer







--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer



--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
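
The certificate-store conditions raised in this thread (a certificate in the machine store without its private key, and an expired intermediate in the Intermediate Certification Authorities store while its replacement sits in Personal) can be checked with a read-only script. This is an added example, not part of the original messages; it assumes PowerShell is available on the array member and uses only the built-in Cert: provider and .NET X509 classes.

```powershell
# Added example: read-only audit of the local machine certificate stores.
# Run from an elevated PowerShell prompt on each array member.
$now = Get-Date
$bcType = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
$personal = @(Get-ChildItem Cert:\LocalMachine\My)

# 1. Certificates in the machine Personal store with no private key there
#    (for example, imported into a user store first and then copied across).
$noKey = @($personal | Where-Object { -not $_.HasPrivateKey })

# 2. CA certificates (Basic Constraints CA = true) sitting in Personal
#    instead of the Intermediate Certification Authorities store.
$caInPersonal = @($personal | Where-Object {
    $_.Extensions | Where-Object { $_ -is $bcType -and $_.CertificateAuthority }
})

# 3. Expired certificates left in the Intermediate CA store.
$expiredIntermediate = @(Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.NotAfter -lt $now })

function Show-Finding([string]$Title, $Certs) {
    Write-Output "== $Title =="
    if (-not $Certs -or $Certs.Count -eq 0) { Write-Output '  (none)'; return }
    foreach ($c in $Certs) {
        Write-Output ('  {0}  expires {1:yyyy-MM-dd}  {2}' -f `
            $c.Thumbprint, $c.NotAfter, $c.Subject)
    }
}

Show-Finding 'Personal store: no private key' $noKey
Show-Finding 'Personal store: CA certificate (belongs in Intermediate CA store)' $caInPersonal
Show-Finding 'Intermediate CA store: expired' $expiredIntermediate

# 4. Chain status for each Personal-store certificate that has a private key.
#    Machine context is used; revocation checking is off so it runs offline.
Write-Output '== Chain status =='
foreach ($c in ($personal | Where-Object { $_.HasPrivateKey })) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if ($chain.Build($c)) { $status = 'valid' }
    else { $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }
    Write-Output ('  {0}: {1}' -f $c.Subject, $status)
}
```

Run it on every array member and compare the output, since a listener certificate has to be present with its private key on each of them.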
