[isalist] Re: SSL no longer responds after upgrading from ISA 2004 ->2006

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 11 Jan 2010 09:51:23 -0800

Just in case you didn't get it, use the MMC to export it with the private key.  
:)

It will also require a password, which you might want to make complex just in 
case.  What they didn't tell you (actually, I think Jerry did) is to import it 
into your "COMPUTER" certificate store under "Personal."  When you run MMC, Add 
a plug in, and select Computer Account.  Then nav to the Personal certs folder, 
right click, and import.  You'll probably also want to export all chain 
information when you do the export function so any other necessary certs will 
come along with it (like with GoDaddy certs).    You will also have the 
opportunity to specify "mark as not exportable" when you export it from IIS.  
This will prevent you from ever exporting the private key again from the ISA 
box, but it will allow you to use it.  Hopefully this was not selected when you 
got it onto the IIS box.  If you don't see an option to export the private key, 
then that's the case, and it will not work.

Checking the cert export is the first thing for you to do, even before 
installing ISA.  If you see the little "key" icon on the cert, that means 
you've got an associated private key for that cert (once you install it on ISA).

t
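
The check described above (confirm the export carries the private key and chain before touching the ISA box), as an added PowerShell example that is not part of the original thread. It assumes a current Windows with the PKI module cmdlets rather than the Windows Server 2003 tooling used in the thread; `Test-PfxExport`, the sample hostname, file name and password are constructed for illustration.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+ with the PKI module.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Test-PfxExport {
    # Load a PFX in memory and report whether it carries a private key
    # and how many additional (chain) certificates came along with it.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certs.Import($Path, $plain, $flags)
    $withKey = @($certs | Where-Object { $_.HasPrivateKey })
    $keySubject = $null
    if ($withKey.Count -ge 1) { $keySubject = $withKey[0].Subject }
    $result = [pscustomobject]@{
        Path          = $Path
        HasPrivateKey = ($withKey.Count -ge 1)
        KeySubject    = $keySubject
        ChainCerts    = $certs.Count - $withKey.Count
    }
    foreach ($c in $certs) { $c.Reset() }   # release the temporary key handles
    $result
}

# Constructed sample: a throwaway self-signed certificate, exported with its key.
$pw   = ConvertTo-SecureString 'Constructed-Sample-Passw0rd!' -AsPlainText -Force
$cert = New-SelfSignedCertificate -DnsName 'www.example.test' -CertStoreLocation Cert:\CurrentUser\My
$pfx  = Join-Path $env:TEMP 'sample-export.pfx'
try {
    # BuildChain includes any intermediate and root certificates in the PFX.
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pw -ChainOption BuildChain | Out-Null
    $check = Test-PfxExport -Path $pfx -Password $pw
    $check
    if (-not $check.HasPrivateKey) { throw 'PFX has no private key; re-export before going further.' }
    # On the target server (elevated), import into the computer account's Personal store.
    # Without -Exportable the key is usable there but cannot be exported again:
    #   Import-PfxCertificate -FilePath $pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pw
    # Afterwards, HasPrivateKey on the store entry is what the "key" icon reflects:
    #   (Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $cert.Thumbprint).HasPrivateKey
} finally {
    # Clean up the sample PFX and the throwaway certificate with its key.
    Remove-Item -Path $pfx -ErrorAction SilentlyContinue
    Remove-Item -Path ("Cert:\CurrentUser\My\" + $cert.Thumbprint) -DeleteKey -ErrorAction SilentlyContinue
}
```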

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Monday, January 11, 2010 5:56 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SSL no longer responds after upgrading from ISA 2004 
->2006

Yes, don't export the cert using IIS, use the certificate snap in on MMC and 
choose to export the private key.

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steve Moffat
Sent: Monday, January 11, 2010 8:19 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SSL no longer responds after upgrading from ISA 2004 
->2006

Remember & export it "with" the private key. And then import it into the 
machine cert store using the MMC on the ISA box.

S

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Mike Anderson
Sent: Monday, January 11, 2010 9:17 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SSL no longer responds after upgrading from ISA 2004 
->2006

Hey guys - my babysitter options blew up for the entire weekend!!!

So I am doing EVERYTHING this morning.  I finished the server last night - 
QuadCore, 4 gigs RAM, 3.4 GHz - this should hopefully be a more powerful 
platform and tackle the requests for the day.  Mondays are the BUSIEST day for 
our website, so I need to hustle and get my butt into the NOC.  It's a bummer I 
can't put Win2k3 64-bit on there, but it's my understanding that ISA 2006 won't 
install on a 64-bit Operating System right?

I still have to install ISA 2006 and setup all the rules.  That isn't a big 
deal - it's just the Cert that I am worried about.

I am about to export it from the internal web server - so I hope there isn't 
any magic to it.  Remember, it failed last time I tried this - the Cert didn't 
show up in the list of installed Certs.  I am about to try this again and this 
is the critical part of my morning.

Wish me luck :)

Mike

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Greg Mulholland
Sent: Sunday, January 10, 2010 11:52 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SSL no longer responds after upgrading from ISA 2004 
->2006

One day you'll see the light and as a matter of natural progression do what you 
know is best.
*tongue-->cheek* let's not go there again :)

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Monday, 11 January 2010 4:14 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SSL no longer responds after upgrading from ISA 2004 
->2006

It's twu, it's twu! (three anti-social points for that quote)
I've been running virtualized ISA since ISA 2000.
Started with VMWare Server (that was Tom's fault), moved to Virtual Server, and 
now run Hyper-V almost exclusively.

Bear in mind that the MS Lifecycle Policy takes precedence. Neither ISA 2000 
nor ISA 2004 are in mainstream support.
http://blogs.technet.com/isablog/archive/2009/10/05/mainstream-support-ending-for-isa-server-2004-standard-edition-sp3.aspx
 discusses this.

Jim

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Sunday, January 10, 2010 6:22 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SSL no longer responds after upgrading from ISA 2004 
->2006

This is also a perfect scenario for virtual environments.  I'm all HyperV all 
the time, and personally, I'd never go back.  Your restore options are 
fantastic, and you can literally work out everything you need on your 
development VM environment and literally just copy it over to production.    
ISA is supported in a production HyperV environment, so you might want to look 
at that, assuming you've not already done too much work on this.

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Mike Anderson
Sent: Friday, January 08, 2010 10:53 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SSL no longer responds after upgrading from ISA 2004 
->2006

I would have to use one of my own boxes to do it, but at this point, I think it 
would be worth it.  I have enough spare parts to build 3 new servers, so it 
would actually be nice to have a spare machine all pre-built once this upgrade 
is all done...

In fact, I could build the server tonight and it would give me the chance to 
get the SSL stuff all ironed out.  That way, I can have a preconfigured server 
known to be working, before I even walk into the NOC tomorrow night.

That is a wonderful suggestion, and I think I will do just that...

Thanks again guys and ttys :)

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Friday, January 08, 2010 11:58 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SSL no longer responds after upgrading from ISA 2004 
->2006

Is there any chance you can do a rolling upgrade rather than in-place?
Doing so would help you avoid outages while you work through the inevitable 
problems...

Jim

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] on behalf of 
Mike Anderson [mike@xxxxxxxxxxxx]
Sent: Friday, January 08, 2010 7:56 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SSL no longer responds after upgrading from ISA 2004 
->2006
Hello there,

That is precisely the information I was looking for - so thank you for clearing 
that up :)

I am sure I will have more questions later this morning regarding this, so 
please stay tuned - I have to do the upgrade to 2006 tomorrow evening and I 
have no option for failure.  That SSL Cert is the life-blood to this company, 
and when https is not working, they literally are losing money every minute 
it's not working.  Pretty scary position for somebody like me to be in, 
considering this entire task falls on my shoulders exclusively.

Again, thank you ALL for all your incredible help - we are indeed lucky to have 
a resource like this list available.

Mike

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Friday, January 08, 2010 8:15 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SSL no longer responds after upgrading from ISA 2004 
->2006

Mike,
My apologies; I hit the send button too soon. (O.o)
In answer to your question about CSR generation, if you're going to be 
installing a certificate on the ISA Server and only plan on using it there, 
you're going to have to create the CSR via IIS on another server. Once you get 
the certificate back from your chosen certificate authority, you'll have to 
install it on the surrogate IIS box, export it with the private key, and then 
import it into ISA Server.
On Thu, Jan 7, 2010 at 9:36 PM, Mike Anderson <mike@xxxxxxxxxxxx> wrote:
Hello again,
A long ways back, we upgraded our ISA 2004 to ISA 2006 Enterprise and things 
seemed to go just fine until we tried getting the SSL stuff working.
In 2004, what we did previously was export our cert from our internal web 
server and installed it on our ISA Server. Then we simply published another web 
server (1 regular and 1 secure), so we had 1 listener for our regular Port 80 
and another listener for Port 443.
After upgrading to ISA 2006, no matter what I tried, I couldn't get the cert 
recognized to save my life. Just a FYI, we couldn't run the upgrade from 2004 
to 2006, because we were trying to upgrade from Standard to Enterprise. With 
that said, in order to install 2006, I had to first uninstall 2004 and install 
2006 fresh.
My question is: What is different about 2006 when it comes to certs? Must I 
generate the key and install the actual cert on the ISA Server itself? Since 
this is usually done from within IIS, can I generate a key within Windows 
Server 2003 itself since IIS won't be running on the ISA Server?
This is where I am very confused...
Any help would be greatly appreciated :)
Thanks,
Mike



--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
www.youngcss.com
________________________________

avast!/SMTP2000 Antivirus: Inbound message clean.

Virus Database (VPS): 1/7/2010
Tested on: 1/8/2010 08:16:09 -0500
avast! - copyright (c) 1988-2010 ALWIL Software.


