RE: Secure Publishing beginner questions

  • From: Christian.Schramm@xxxxxxxxxxxxxx
  • To: isalist@xxxxxxxxxxxxx
  • Date: Tue, 20 May 2003 11:22:06 +0200

Hi Tom.
 
It was the IIS 4 certificate. However, it is not possible to import the .key
file which was exported from IIS 4 directly in the W2K certificates mmc
snap-in. If you do so, ISA server will not recognize this as an installed
certificate...
 
In order to get IIS 4 certificates to work on W2K and the ISA server you
have to import it into a web site with the Internet Services Manager (as
described in http://support.microsoft.com/default.aspx?scid=kb;EN-US;324167).
After the import the certificate shows up in the personal certificates store
and - more important - the ISA server recognizes it as an installed certificate.
 
Unfortunately, I already fell over above kb article yesterday, but since I
have disabled IIS on my isa server I thought it would not function this way
;-)
 
Well, as we say in Germany "Trying is better than studying"...
 
Greets and thanks for your support..
 
Christian
 
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, May 20, 2003 02:26
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Secure Publishing beginner questions


http://www.ISAserver.org


Hi Christian,
 
I think the issue is IIS 4. There is a procedure for exporting IIS 4 certs
and importing them to the ISA Server, but I don't recall the specifics and
I've done actually done it myself. Check the KB for the details and let us
know what you find out!
 
Thanks!
Tom

Thomas W Shinder 
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Christian.Schramm@xxxxxxxxxxxxxx
[mailto:Christian.Schramm@xxxxxxxxxxxxxx] 
Sent: Monday, May 19, 2003 10:46 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Secure Publishing beginner questions




OK Tom,
 
I agree this article was wrong. I do not want to use client certificates.
 
But anyway, my problem is not solved! 
 
I want to secure publish a web site using web publishing rules. If I
understand things correctly, there is no way to just TUNNEL the incoming ssl
request to the internal web server. With web publishing it's only possible to
BRIDGE the ssl request either as HTTP or SSL (establishing a new ssl
connection to internal web server)... Correct?
 
However, to terminate the incoming ssl request at the ISA server it needs a
SERVER certificate. I imported an X.509 certificate (exported from the
internal web server running iis 4.0) to the local machine in the folder
"personal"... After restarting the services and even rebooting the machine
it is not possible for me to set up an incoming web request listener to use
this imported certificate. I just get the error "there are no certificates
configured on this server"... I already read your "Questions of the week"
issue
(http://www.isaserver.org/tutorials/Tom_Shinders_ISA_Server_Questions_of_the_Week__August_5_2002.html)
which covers this problem. But even changing the certificate properties to
"Enable only the following purpose (Server authentication)" did not solve my
problem...
 
I followed each step exactly as mentioned in your first book. Maybe you have
another idea?
 
Greets.
 
Christian
 
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Monday, May 19, 2003 17:12
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Secure Publishing beginner questions




Hi Christian,
 
Be very clear that this article explains what's required when the Web site
on the internal network requests client certificate AUTHENTICATION. Make
sense? It's NOT required to create an SSL link for SSL to SSL bridging.
 
HTH,
Tom
 
Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 

-----Original Message-----
From: Christian.Schramm@xxxxxxxxxxxxxx
[mailto:Christian.Schramm@xxxxxxxxxxxxxx] 
Sent: Monday, May 19, 2003 10:04 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Secure Publishing beginner questions




First, I found an answer to my first question (it is only possible with
server publishing)...
 
To the second point: in the meantime I found an article
(http://support.microsoft.com/support/kb/articles/Q281/1/06.ASP) explaining
that the certificate should be imported under service account (and selecting
"Microsoft Web Proxy Service")... Anyway, same error occurs even after
restarting the server ;-((

Does nobody have a comment on this one??
 
 
Greets
Christian
 

-----Original Message-----
From: Christian.Schramm@xxxxxxxxxxxxxx
[mailto:Christian.Schramm@xxxxxxxxxxxxxx]
Sent: Monday, May 19, 2003 14:42
To: [ISAserver.org Discussion List]
Subject: [isalist] Secure Publishing beginner questions





Hi all... 

1. Is it possible to pipe ssl requests through isa to the internal web
server without installing a certificate on isa itself? Only possible with
server publishing?

2. I have problems installing a certificate exported from iis 4.0 on the isa
server computer. The certificates-mmc shows up the certificate in
"Personal\Certificates". The certificate was installed using "Local machine".
I also reconfigured the certificate properties to "Only Enable the following
purposes (Server authentication)"... However, when I want to set the
incoming web request listener to use a certificate it says "there are no
certificates configured on this server"... I restarted ISA management and
the whole computer but no change... Anyone has some other tips??

Greets, 

Christian
