RE: SSL all the way. with OWA.

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 13 Jul 2005 08:50:20 -0500

OK, here's what I did to try and replicate this issue:

1. ISA firewall is domain member, running on Windows Server 2003 SP1,
ISA 2004 SP1 installed. Win2003 func level domain
2. tshinder and administrator are domain admins in the domain
3. Administrator requests a Web site certificate on the OWA server to an
online enterprise CA
4. Administrator exports the certificate bound to the OWA site to a
file, including the private key
5. tshinder copies the file to the ISA firewall
6. tshinder imports the certificate, with its private key, into the ISA
firewall's *machine* certificate store
7. tshinder exports the CA certificate from the Web site certificate,
and imports the CA certificate into the ISA firewall's Trusted Root
Certification Authorities *machine* certificate store
8. tshinder logs off the ISA firewall
9. Administrator logs onto the ISA firewall
10. Administrator creates a Web listener for SSL connections
11. Administrator clicks the Select button in the wizard, and selects
the certificate that *tshinder* imported into the ISA firewall's
*machine* certificate store
12. Administrator creates a Web Publishing Rule publishing the OWA site
13. Bozo connects to the OWA site from a Windows XP Service Pack 2
machine via the OWA Web Publishing Rule

Conclusion:
It doesn't matter who creates or installs the certificate.

HTH

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
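A store check to go with the steps above and with Jim's "listener == server certificate, rule == client certificate" rule further down the thread. This is an added example, not code from any of the posts or from ISA Server itself: it looks for the OWA certificate in the local computer Personal store (where the Web listener's Select button looks), flags a copy that exists only in the current user's Personal store (the "clearly shows up in the certificates MMC, but the ISA console says there is none" symptom), confirms the private key is present and the chain builds from the machine Trusted Root store, and lists the Firewall service Personal store that the bridging tab's client certificate must live in. The host name is a placeholder, the Cert: drive needs PowerShell on the ISA firewall, and "fwsrv" as the Microsoft Firewall service name is an assumption.

```powershell
# Added example (not from the thread or from ISA Server): trace a "no certificate
# installed on the server" message to the store the certificate sits in.
# Assumptions: PowerShell with the Cert: provider; certutil.exe on the path;
# "fwsrv" assumed to be the Microsoft Firewall service name; host name is a placeholder.
param(
    [string]$SubjectMatch = "owa.example.com"   # placeholder OWA host name (assumed)
)

function Get-MatchingCerts {
    param([string]$StorePath)
    # Returns every certificate in the store whose subject mentions the OWA host.
    Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like "*$SubjectMatch*" }
}

function Test-ListenerCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Conditions a Web listener server certificate has to satisfy, as a list of problems.
    $problems = @()
    if (-not $Cert.HasPrivateKey) {
        $problems += "no private key: re-export from the OWA server with the private key included"
    }
    # Verify() builds the chain with the default chain engine, which consults the
    # LocalMachine Root and CA stores the Firewall service also uses.
    if (-not $Cert.Verify()) {
        $problems += "chain does not build: import the issuing CA certificate into LocalMachine\Root"
    }
    if ($Cert.NotAfter -lt (Get-Date)) {
        $problems += "expired on $($Cert.NotAfter)"
    }
    return $problems
}

$machine = @(Get-MatchingCerts "Cert:\LocalMachine\My")   # what the listener's Select button reads
$user    = @(Get-MatchingCerts "Cert:\CurrentUser\My")    # what the MMC shows only to this admin

if ($machine.Count -eq 0) {
    Write-Host "No certificate for '$SubjectMatch' in LocalMachine\My: the Web listener will find nothing."
    if ($user.Count -gt 0) {
        Write-Host "It IS in CurrentUser\My for $env:USERNAME, which ISA never reads. Re-import it:"
        Write-Host '  certutil -f -p <pfx-password> -importPFX <owa>.pfx      (machine Personal store)'
        Write-Host '  certutil -addstore Root <issuing-ca>.cer               (machine Trusted Root store)'
    }
} else {
    foreach ($c in $machine) {
        $issues = @(Test-ListenerCert $c)
        if ($issues.Count -eq 0) {
            Write-Host "OK  LocalMachine\My $($c.Thumbprint) $($c.Subject) valid to $($c.NotAfter)"
        } else {
            Write-Host "BAD LocalMachine\My $($c.Thumbprint): $($issues -join '; ')"
        }
    }
}

# A user-store copy does no harm to ISA, but it is exactly what makes one admin see a
# certificate in the MMC that the console cannot find.
foreach ($c in $user) {
    Write-Host "NOTE CurrentUser\My also holds $($c.Thumbprint) for $env:USERNAME; ISA does not read this store."
}

# The bridging tab's client certificate lives in the Firewall *service* Personal store,
# which the Cert: drive does not expose; certutil can list it (service name assumed).
certutil -service -store fwsrv\My
```

Run it as each administrator who reports a different result: if the machine-store section prints the same thumbprint for both, the store is right and the problem lies elsewhere; if one admin sees only the CurrentUser NOTE line, that admin imported the certificate with the wrong MMC snap-in context.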


> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Wednesday, July 13, 2005 8:28 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: SSL all the way. with OWA.
> 
> http://www.ISAserver.org
> 
> Dan,
> 
> Exactly what steps were followed in each installation case?
> Are both of you operating on the server simultaneously?
> 
> I've done this dozens of times and have never encountered this problem
> *when the certificate is installed in the right location*.
> 
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> Sent: Wednesday, July 13, 2005 5:12 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: SSL all the way. with OWA.
> 
> http://www.ISAserver.org
> 
> Okay, I got a chance to test this out with my co-worker this morning.
> Since "I" installed the certificate the last time, if "he" goes into the
> web listener and clicks Select, it delays for about 30 seconds, then
> tells him that there is no certificate installed on the server.  If "I"
> go in and do the same thing, it brings up a box showing the installed
> certificate.
> 
> How would you like to test this?
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Monday, July 11, 2005 9:52 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: SSL all the way. with OWA.
> 
> http://www.ISAserver.org
> 
> Hi Dan,
> 
> This location holds a reference to the certificate handed to the
> upstream server for client authentication of the ISA itself.
> As stated in the UI selectbox in the "Bridging" tab:
> "Use a certificate to authenticate to the SSL Web server"
> 
> This is completely unrelated to the server certificate installed in the
> web listener.
> 
> Basically:
> Listener == server certificate
> Rule == client certificate
> 
> Also, if one admin can see it, but another can't, it's installed in the
> wrong store.
> - Server certificates must be installed in the "local computer" personal
> store.
> - Client certificates must be installed in the firewall service personal
> store.
> 
> NeverEverEverEver install the certificate in a "user" personal store if
> you want ISA to "see" them.
> 
> All this is covered in the ISA help, Tom's books, articles on
> www.microsoft.com/isaserver/guidance and www.isaserver.org.
> 
> Jim
> 
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> Sent: Monday, July 11, 2005 4:33 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: SSL all the way. with OWA.
> 
> http://www.ISAserver.org
> 
> Okay, I was testing it out this morning, to see if it was still doing
> it.  
> 
> I found that if I go into the current web listener, or create a new one,
> the certificate will show up.  If I go into the "Bridging" menu of a
> publishing rule, it tells me there are no certificates installed on the
> server.
> 
> I still have to test the multiple user aspect we experienced before,
> this is just with a single login.
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Thursday, July 07, 2005 9:02 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: SSL all the way. with OWA.
> 
> http://www.ISAserver.org
> 
> It's possible - or even one in ISA.
> Can you still repro the behavior?
> If so, would you be willing to run a test script for me?
> 
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> Sent: Thursday, July 07, 2005 2:29 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: SSL all the way. with OWA.
> 
> http://www.ISAserver.org
> 
> Yes, it does act like it is a situation where it is in the "user"
> personal store.  Actually, that does explain a lot of the problems.  
> 
> I just know for a fact (I had others verify my steps) that it was
> installed in the "local computer" store.  I've followed the instructions
> (both from isaserver.org and Microsoft's KB) step-by-step many times
> over, reading each and every step closely to make sure it was done
> "correctly".
> 
> Is it possible there is a bug in 2003 server?
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Thursday, July 07, 2005 9:51 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: SSL all the way. with OWA.
> 
> http://www.ISAserver.org
> 
> What you describe is what happens when you install the certificate in
> the "user" personal store; not the "local computer" personal store.
> 
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> Sent: Thursday, July 07, 2005 4:25 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: SSL all the way. with OWA.
> 
> http://www.ISAserver.org
> 
> I ran into this on ISA2004 many times, it appeared (at the time) to be
> partly a permissions problem.  
> 
> We have discussed it before in this forum, I described it as this: 
> 
> If one person installs a certificate, any other administrators will get
> that message that there are no certificates installed (from the ISA
> console), even though it clearly shows up in the certificates MMC.
> 
> If a second administrator installs the same certificate again, the first
> then gets that message (where he didn't before), and the second one can
> then see it from the ISA console.
> 
> I don't think it was ever resolved because I could get the certificate
> installed with the work-around.
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> All mail to and from this domain is GFI-scanned.
> 
> 

