RE: [isalist] Re: SSL Bridging FunActually, you already have my favorite choice in place; the internal domain name is based on the public domain name. This allows you to register only one name and still have two different cakes to eat.. http://isaserver.org/pages/articles.asp?art=64 should get you started on the split DNS question. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/authors/harrison/ Read the books! ----- Original Message ----- From: Tony Lou To: [ISAserver.org Discussion List] Sent: Monday, July 15, 2002 5:24 PM Subject: [isalist] Re: SSL Bridging Fun http://www.ISAserver.org Hi Jim, Thanks for your response. In answer to your question, sort of. Our external domain name is "fpa.asn.au", Our internal is "nt.fpa.asn.au". Also, I do have an entry in the hosts file on the ISA server pointing to the internal address of the web server. A ping from the command prompt on the ISA server confirms that it resolves to the internal address. Thinking about it last night, I've come to realise that it may in fact be working for the outside world, but not for us internally because all of our clients point to the ISA server for DNS, (which then forwards external bound to our ISP's DNS servers). Therefore an internal client will see the "loop" error, whereas the outside presumably wouldn't? This is what I'll be testing in the next hour. Would appreciate a pointer to information on "split DNS structures". Particularly as we'll be moving to active directory and Exchange 2000 soon which, as I understand it, will require the use of our external domain name internally as well. Cheers, and Thanks, Tony Lou -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Monday, 15 July 2002 11:00 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: SSL Bridging Fun http://www.ISAserver.org ISA is resolving the web server name to its own external IP address (thus the proxy chain loop msg). As stated in the article, you'll need to help ISA resolve the name to the proper internal IP using either a hosts file entry or a 'spoof' DNS entry. This is another argument for a split DNS structure. You aren't using the same internal domain name as you use externally, are you? Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/authors/harrison/ Read the books! ----- Original Message ----- From: Tony Lou To: [ISAserver.org Discussion List] Sent: Sunday, July 14, 2002 11:52 PM Subject: [isalist] SSL Bridging Fun http://www.ISAserver.org Hi all, Having an issue with SSL bridging which is driving me spare. Would appreciate some assistance from any who have come out winners in this area. We have a Web server (W2K, IIS) running on our internal network. Published through ISA on standard ports (ie, HTTP - 80, SSL - 443) A Verisign Certificate installed on both IIS and ISA. I have worked through this document; (http://www.isaserver.org/pages/articles.asp?art=157) to the letter. The problem seems to relate to this line in the document; 9.15 "On the Rule Action window select "Redirect the request to this internal Web server" 9.16 "Make sure you enter the name of the internal web site being published (not the IP address or internal server name). This is the same as the certificate. NOTE: Make sure the ISA server can resolve this name to the internal Web servers IP address.The external DNS servers will resolve the published Web site name to the external IP address of the ISA server but the ISA server needs to resolve the name to the internal published Web server. You may have to create a HOST file locally on the ISA server to resolve the name to the internal Web server IP address" If I enter the "Web Site name" I get this error generated by the ISA Server; "The server has detected a proxy chain loop. This condition might indicate a configuration problem in proxy server". If I don't, and instead enter the internal IP address, all works fine except that SSL doesn't bridge and I get this error instead; "500 Internal Server Error - The target principal name is incorrect. (-2146893022) Internet Security and Acceleration Server" Would deeply appreciate any assistance. Thanks in Advance, Tony Lou This message contains privileged and confidential information. If you are not the intended recipient you must not disseminate, copy or take any action in reliance on it, and we request that you notify the FPA immediately. Any views expressed in this message are those of the individual sender, except where they are specifically stated to be the views of the FPA. For information about how the FPA deals with personal information see the FPA Statement of Privacy Policy on www.fpa.asn.au This e-mail message has been scanned for Viruses and Content and cleared by MailMarshal - For more information please visit www.marshalsoftware.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')