Can so; neener-neener-boo-boo; thpthpthpthp -----Original Message----- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God) Sent: Friday, August 31, 2007 6:44 AM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: ISA and SAN Certs That's why he can't communicate ;) t > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder > Sent: Thursday, August 30, 2007 8:36 PM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: ISA and SAN Certs > > But that doesn't answer the question. > > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > bounce@xxxxxxxxxxxxx] > On Behalf Of Jim Harrison > Sent: Thursday, August 30, 2007 10:13 PM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: ISA and SAN Certs > > ISA Web Listeners don't care about SAN certificates. > There is no specific support nor lack thereof. > > The web listener response is limited to an SSL Server Hello message, > which includes the certificate associated with that IP listener. The > certificate is received by the client and it processes the certificate > without any assistance from ISA whatever. > > > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > bounce@xxxxxxxxxxxxx] > On Behalf Of Thomas W Shinder > Sent: Thursday, August 30, 2007 7:12 PM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: ISA and SAN Certs > > Hmmm. OK. So to use active terminology: > > "ISA Web Listeners support SANs and therefore we are able to publish > multiple SSL sites with different FQDNs with a single IP address using > a > single certificate since the Web listener will respond not only to the > common name on the certificate, but will also respond to any of the > subject names" > > That is what you are saying in 2a. > > Tom > > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > bounce@xxxxxxxxxxxxx] > On Behalf Of Jim Harrison > Sent: Thursday, August 30, 2007 8:34 PM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: ISA and SAN Certs > > " implies that ISA doesn't support SANs on the Web listener " - how do > you come to this contusion? > > I state very clearly: > <quote> > There are two things that I wish to make very clear about this problem; > it: > 1. can only appear in two ISA Server bridging scenarios (as described > in this ISABLOG entry); > a. HTTP Asymmetric > b. HTTPS Symmetric > 2. does not affect > a. Certificates that are associated with ISA Server Web > Listeners. > b. User connections to ISA Server Web listeners > </quote> > > how is that vague in any way? > > > Jim > > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > bounce@xxxxxxxxxxxxx] > On Behalf Of Thomas W Shinder > Sent: Thursday, August 30, 2007 4:32 PM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: ISA and SAN Certs > > I'd think that Jim might need to update his SAN article. The article > implies that ISA doesn't support SANs on the Web listener, however I > have a guy who has the autodiscover FQDN as a second SAN on the > certificate bound to his Web listener and he's shown me strong evidence > that it actually works, even though it shouldn't. > > I wish the Exchange or ISA UE teams could get it together to explain > how > to get autodiscovery working correctly and more importantly, show us > how > it works with and without DNS SRV records. It looks like once you have > DNS SRV records, its a no brainer. > > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org <http://www.isaserver.org/> > Blog: http://blogs.isaserver.org/shinder/ > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- > Microsoft Firewalls (ISA) > > > > > ________________________________ > > From: isapros-bounce@xxxxxxxxxxxxx > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder > Sent: Wednesday, August 29, 2007 2:38 PM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: ISA and SAN Certs > > > Never mind :) > > I found it: > > http://support.microsoft.com/kb/940881 > > Thomas W Shinder, M.D. > Site: www.isaserver.org <http://www.isaserver.org/> > Blog: http://blogs.isaserver.org/shinder/ > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> > MVP -- Microsoft Firewalls (ISA) > > > > > ________________________________ > > From: isapros-bounce@xxxxxxxxxxxxx > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder > Sent: Wednesday, August 29, 2007 2:35 PM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: ISA and SAN Certs > > > OK, that's an interesting sentence in a KB OL update > article. But there's no mention of this anywhere else on the ms.com > site. > > In addition, how do we configure the SRV records? > > Service? > Protocol? > Priority? > Weight? > Port number? > Host offering this service? > > > > I try to read minds best as I can, but I'm flailing on > this one :)) > > > > > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://blogs.isaserver.org/shinder/ > Book: http://tinyurl.com/3xqb7 > MVP -- Microsoft Firewalls (ISA) > > > > > -----Original Message----- > > From: isapros-bounce@xxxxxxxxxxxxx > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim > Harrison > > Sent: Wednesday, August 29, 2007 2:27 PM > > To: isapros@xxxxxxxxxxxxx > > Subject: [isapros] Re: ISA and SAN Certs > > > > DatzDeWun! O'curse it works in real life; I tested > it. > > > > http://support.microsoft.com/kb/939184 > > OL 2K7 seeks a "autodiscovery" SRV record first, and > only if > > that fails, > > it'll seek the A record. This is based on the same > domain suffix as > > specified in the mail domain. > > If your OL client is behind a CERN proxy (and it knows > it), it can't > > specify that the proxy should look up a SRV record for > > autodiscover.sfx. > > The proxy assumes that any CERN request will be for a > "host" > > and makes a > > DNS query for an A record. > > > > OL 2K7 uses the SRV record to discover the host > > > > -----Original Message----- > > From: isapros-bounce@xxxxxxxxxxxxx > > [mailto:isapros-bounce@xxxxxxxxxxxxx] > > On Behalf Of Thomas W Shinder > > Sent: Wednesday, August 29, 2007 12:15 PM > > To: isapros@xxxxxxxxxxxxx > > Subject: [isapros] Re: ISA and SAN Certs > > > > BAM!!!! > > > > I think I get it. On the TO tab for the > autodiscover.msfirewall.org, I > > can still use owa.msfirewall.org since it resolves to > the same IP > > address as autodiscover.msfirewall.org on the internal > network -- and > > the path is going to /autodiscover, so that's cool. > It's all making > > sense on paper -- now to see if it works in real life > :) > > > > BTW -- why do I need a SRV record for OL > autodiscovery? I haven't seen > > any documentation on that requirement on the Exchange > side. > > > > Thanks! > > Tom > > > > Thomas W Shinder, M.D. > > Site: www.isaserver.org > > Blog: http://blogs.isaserver.org/shinder/ > > Book: http://tinyurl.com/3xqb7 > > MVP -- Microsoft Firewalls (ISA) > > > > > > > > > -----Original Message----- > > > From: isapros-bounce@xxxxxxxxxxxxx > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of > Jim Harrison > > > Sent: Wednesday, August 29, 2007 2:09 PM > > > To: isapros@xxxxxxxxxxxxx > > > Subject: [isapros] Re: ISA and SAN Certs > > > > > > Yes; I'd forgotten about the OL client's "SAN > problem". > > > It amazed me how much noise the Exch folks make > about the same > > > limitation for ISA.. ..but I digress. > > > > > > "Web Publishing Rule that is publishing the > > > autodiscover.msfirewall.org/autodiscover path must > be > > > configured on the > > > TO tab to use autodiscover.msfirewall.org " - how do > you > > cone to that > > > contusion? > > > Why do you think you need to use "autodiscover" in > the ISA rule > > > published hostname? Use whatever works for ISA and > let the > > > client be as > > > stupid as you want. > > > > > > -----Original Message----- > > > From: isapros-bounce@xxxxxxxxxxxxx > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] > > > On Behalf Of Thomas W Shinder > > > Sent: Wednesday, August 29, 2007 12:05 PM > > > To: isapros@xxxxxxxxxxxxx > > > Subject: [isapros] Re: ISA and SAN Certs > > > > > > Hi Jim, > > > > > > CIL... > > > > > > Thomas W Shinder, M.D. > > > Site: www.isaserver.org > > > Blog: http://blogs.isaserver.org/shinder/ > > > Book: http://tinyurl.com/3xqb7 > > > MVP -- Microsoft Firewalls (ISA) > > > > > > > > > > > > > -----Original Message----- > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of > Jim Harrison > > > > Sent: Wednesday, August 29, 2007 1:49 PM > > > > To: isapros@xxxxxxxxxxxxx > > > > Subject: [isapros] Re: ISA and SAN Certs > > > > > > > > All good points, but really orthogonal to the > question of how ISA > > > > handles SAN certs. Actually, I wrote that because > some folks were > > > > whining about how ISA handled SAN certs in > general. In > > > fact, I tried > > > > not to delve into the variant forms of > self-inflicted ISA > > manglement > > > > pain that were filling other blogs. > > > > > > > > Q1 - Why do you need a second listener? Use your > DNS to point > > > > autodiscover to the same Exch listener. The > public name is a > > > > rule; not > > > > a listener arttribute. > > > > > > TOM: We need a second listener because we can't have > two > > certificates > > > with different common names listening on the same > listener using the > > > same IP address. OK, in ISA 2006 I *can* use > multiple > > > certificates using > > > the same listener, but each of the certificates must > be > > assigned to a > > > different IP address, so no big deal there -- so I > create two > > > different > > > Web Publishing Rules -- one for owa.msfirewall.org > and a second Web > > > Publishing Rule for autodiscover.msfirewall.org. So > far so > > > good and SANs > > > aren't even an issue. > > > > > > > Q2 - why does the external OL client give a rats > bahootie > > > > what's listed > > > > in the cert used at the CAS? It never sees it. > > > > > > TOM: That's true and I didn't mean to imply that it > did. The > > > concern is > > > that common name and the first SAN on the Web site > > > certificate bound to > > > the Client Access Server site is owa.msfirewall.org. > The > > second SAN is > > > autodiscover.msfirewall.org > > > > > > > > > > Q3 - why is the lack of the autodiscover.suffix > public > > name make the > > > > /autodiscover path "useless"? "Incomplete" > perhaps, but > > > > hardly useless. > > > > > > TOM: Because the OWA publishing rule is listening > for > > > owa.msfirewall.org, NOT autodiscover.msfirewall.org. > Since > > > there are two > > > certificates involved here, one with the common name > > > owa.msfirewall.org > > > and a second with autodiscover.msfirewall.org -- we > have to use two > > > different IP addresses, and owa.msfirewall.org is > NOT going > > to resolve > > > to the same IP address as > autodiscover.msfirewall.org. Thus, > > > adding the > > > /autodiscover path to the owa.msfirewall.org Web > Publishing > > Rule won't > > > work and is extraneous. The /autodiscover path only > applies to the > > > autodiscover.msfirewall.org Web Publishing Rule. > > > > > > > > > > > IOW, create your SRV and A records for > autodiscover.suffix, add > > > > "autodiscover.suffix" to the public names (ISA > 2006 only) and > > > > make sure > > > > the cert used in the ISA web listener includes > > > > "autodiscover.suffix" in > > > > the SAN. > > > > > > Again, the issue isn't with the Web listeners, I > have no > > problem with > > > that. The issue is with the connection between the > ISA > > > Firewall and the > > > Client Access Server. The Web site certificate bound > to the Client > > > Access Server has a common name and a first SAN name > of > > > owa.msfirewall.org and a second SAN name of > > > autodiscover.msfirewall.org. > > > > > > Given that, the Web Publishing Rule that is > publishing the > > > autodiscover.msfirewall.org/autodiscover path must > be > > > configured on the > > > TO tab to use autodiscover.msfirewall.org -- > HOWEVER, and > > this is THE > > > QUESTION -- with the ISA Firewall when establishing > the SSL channel > > > between itself and the Client Access Server, be able > to use > > the SECOND > > > SAN on the Client Access Server Web site certificate > to allow the > > > connection? > > > > > > Make sense? > > > > > > > > > > > > > > Jim > > > > > > > > -----Original Message----- > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] > > > > On Behalf Of Thomas W Shinder > > > > Sent: Wednesday, August 29, 2007 11:33 AM > > > > To: isapros@xxxxxxxxxxxxx > > > > Subject: [isapros] Re: ISA and SAN Certs > > > > > > > > This is a good step in understanding some of the > issues, > > > but I suspect > > > > the major problems people are running into relates > to > > publishing the > > > > autodisocvery site. You'll notice that when you > run the Exchange > > > > Publishing Wizard in ISA 2006 that is includes an > > > /autodiscover path, > > > > which is completely useless, since the client is > looking for > > > > autodiscover.domain.com/autodiscover and not the > Client > > > Access Server > > > > Public Name, which would be something like > owa.domain.com. > > > > > > > > OK, easy problem to solve, right? All we need to > do is > > > create a second > > > > Web listener on a second IP address and configure > it to listen for > > > > public name autodiscover.company.com. HOWEVER, > the Client Access > > > > Server's common/subject name and first SAN is > owa.company.com. The > > > > second SAN is autodiscover.company.com. > > > > > > > > So, if we put on the TO tab > autodiscover.company.com, will > > > ISA 2006 be > > > > able to "consume" the second SAN to support to the > Outlook 2007 > > > > autodiscovery service? > > > > > > > > Thanks! > > > > Tom > > > > > > > > Thomas W Shinder, M.D. > > > > Site: www.isaserver.org > > > > Blog: http://blogs.isaserver.org/shinder/ > > > > Book: http://tinyurl.com/3xqb7 > > > > MVP -- Microsoft Firewalls (ISA) > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf > Of Jim Harrison > > > > > Sent: Wednesday, August 29, 2007 1:10 PM > > > > > To: isapros@xxxxxxxxxxxxx > > > > > Subject: [isapros] ISA and SAN Certs > > > > > > > > > > > > > > > Another isablog for your reading pleasure. > > > > > > > > > > > > > > > > http://blogs.technet.com/isablog/archive/2007/08/29/certificat > > > > > es-with-mu > > > > > > ltiple-san-entries-may-break-isa-server-web-publishing.aspx > > > > > > > > > > All mail to and from this domain is GFI-scanned. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > All mail to and from this domain is GFI-scanned. > > > > > > > > > > > > > > > > > > > > > > > > > All mail to and from this domain is GFI-scanned. > > > > > > > > > > > > > > > > > > All mail to and from this domain is GFI-scanned. > > > > > > > > > > > All mail to and from this domain is GFI-scanned. > > > > > > > All mail to and from this domain is GFI-scanned. > > > > All mail to and from this domain is GFI-scanned.