BAAAA! Whoa. Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- Microsoft Firewalls (ISA) > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor > (Hammer of God) > Sent: Friday, August 31, 2007 9:16 AM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: ISA and SAN Certs > > Nice. If only it worked on outbound traffic too :-p > > t > > > -----Original Message----- > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison > > Sent: Friday, August 31, 2007 7:13 AM > > To: isapros@xxxxxxxxxxxxx > > Subject: [isapros] Re: ISA and SAN Certs > > > > I prefer to think of it as the "SNR improvement filter"... > > > > -----Original Message----- > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > bounce@xxxxxxxxxxxxx] > > On Behalf Of Thor (Hammer of God) > > Sent: Friday, August 31, 2007 7:11 AM > > To: isapros@xxxxxxxxxxxxx > > Subject: [isapros] Re: ISA and SAN Certs > > > > Yes, you can. But only after you turn off the "Jim only > sees what he > > wants" application level filter :-p > > > > t > > > > > -----Original Message----- > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison > > > Sent: Friday, August 31, 2007 7:01 AM > > > To: isapros@xxxxxxxxxxxxx > > > Subject: [isapros] Re: ISA and SAN Certs > > > > > > Can so; neener-neener-boo-boo; thpthpthpthp > > > > > > -----Original Message----- > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > > bounce@xxxxxxxxxxxxx] > > > On Behalf Of Thor (Hammer of God) > > > Sent: Friday, August 31, 2007 6:44 AM > > > To: isapros@xxxxxxxxxxxxx > > > Subject: [isapros] Re: ISA and SAN Certs > > > > > > That's why he can't communicate ;) > > > > > > t > > > > > > > -----Original Message----- > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder > > > > Sent: Thursday, August 30, 2007 8:36 PM > > > > To: isapros@xxxxxxxxxxxxx > > > > Subject: [isapros] Re: ISA and SAN Certs > > > > > > > > But that doesn't answer the question. > > > > > > > > -----Original Message----- > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > > > bounce@xxxxxxxxxxxxx] > > > > On Behalf Of Jim Harrison > > > > Sent: Thursday, August 30, 2007 10:13 PM > > > > To: isapros@xxxxxxxxxxxxx > > > > Subject: [isapros] Re: ISA and SAN Certs > > > > > > > > ISA Web Listeners don't care about SAN certificates. > > > > There is no specific support nor lack thereof. > > > > > > > > The web listener response is limited to an SSL Server Hello > > message, > > > > which includes the certificate associated with that IP listener. > > The > > > > certificate is received by the client and it processes the > > > certificate > > > > without any assistance from ISA whatever. > > > > > > > > > > > > -----Original Message----- > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > > > bounce@xxxxxxxxxxxxx] > > > > On Behalf Of Thomas W Shinder > > > > Sent: Thursday, August 30, 2007 7:12 PM > > > > To: isapros@xxxxxxxxxxxxx > > > > Subject: [isapros] Re: ISA and SAN Certs > > > > > > > > Hmmm. OK. So to use active terminology: > > > > > > > > "ISA Web Listeners support SANs and therefore we are able to > > publish > > > > multiple SSL sites with different FQDNs with a single IP address > > > using > > > > a > > > > single certificate since the Web listener will respond > not only to > > > the > > > > common name on the certificate, but will also respond to any of > the > > > > subject names" > > > > > > > > That is what you are saying in 2a. > > > > > > > > Tom > > > > > > > > -----Original Message----- > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > > > bounce@xxxxxxxxxxxxx] > > > > On Behalf Of Jim Harrison > > > > Sent: Thursday, August 30, 2007 8:34 PM > > > > To: isapros@xxxxxxxxxxxxx > > > > Subject: [isapros] Re: ISA and SAN Certs > > > > > > > > " implies that ISA doesn't support SANs on the Web listener " - > how > > > do > > > > you come to this contusion? > > > > > > > > I state very clearly: > > > > <quote> > > > > There are two things that I wish to make very clear about this > > > problem; > > > > it: > > > > 1. can only appear in two ISA Server bridging scenarios (as > > > described > > > > in this ISABLOG entry); > > > > a. HTTP Asymmetric > > > > b. HTTPS Symmetric > > > > 2. does not affect > > > > a. Certificates that are associated with ISA Server Web > > > > Listeners. > > > > b. User connections to ISA Server Web listeners > > > > </quote> > > > > > > > > how is that vague in any way? > > > > > > > > > > > > Jim > > > > > > > > -----Original Message----- > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > > > bounce@xxxxxxxxxxxxx] > > > > On Behalf Of Thomas W Shinder > > > > Sent: Thursday, August 30, 2007 4:32 PM > > > > To: isapros@xxxxxxxxxxxxx > > > > Subject: [isapros] Re: ISA and SAN Certs > > > > > > > > I'd think that Jim might need to update his SAN article. The > > article > > > > implies that ISA doesn't support SANs on the Web > listener, however > > I > > > > have a guy who has the autodiscover FQDN as a second SAN on the > > > > certificate bound to his Web listener and he's shown me strong > > > evidence > > > > that it actually works, even though it shouldn't. > > > > > > > > I wish the Exchange or ISA UE teams could get it together to > > explain > > > > how > > > > to get autodiscovery working correctly and more > importantly, show > > us > > > > how > > > > it works with and without DNS SRV records. It looks > like once you > > > have > > > > DNS SRV records, its a no brainer. > > > > > > > > Tom > > > > > > > > Thomas W Shinder, M.D. > > > > Site: www.isaserver.org <http://www.isaserver.org/> > > > > Blog: http://blogs.isaserver.org/shinder/ > > > > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- > > > > Microsoft Firewalls (ISA) > > > > > > > > > > > > > > > > > > > > ________________________________ > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W > Shinder > > > > Sent: Wednesday, August 29, 2007 2:38 PM > > > > To: isapros@xxxxxxxxxxxxx > > > > Subject: [isapros] Re: ISA and SAN Certs > > > > > > > > > > > > Never mind :) > > > > > > > > I found it: > > > > > > > > http://support.microsoft.com/kb/940881 > > > > > > > > Thomas W Shinder, M.D. > > > > Site: www.isaserver.org <http://www.isaserver.org/> > > > > Blog: http://blogs.isaserver.org/shinder/ > > > > Book: http://tinyurl.com/3xqb7 > <http://tinyurl.com/3xqb7> > > > > MVP -- Microsoft Firewalls (ISA) > > > > > > > > > > > > > > > > > > > > ________________________________ > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W > Shinder > > > > Sent: Wednesday, August 29, 2007 2:35 PM > > > > To: isapros@xxxxxxxxxxxxx > > > > Subject: [isapros] Re: ISA and SAN Certs > > > > > > > > > > > > OK, that's an interesting sentence in a > KB OL update > > > > article. But there's no mention of this anywhere else on the > ms.com > > > > site. > > > > > > > > In addition, how do we configure the > SRV records? > > > > > > > > Service? > > > > Protocol? > > > > Priority? > > > > Weight? > > > > Port number? > > > > Host offering this service? > > > > > > > > > > > > > > > > I try to read minds best as I can, but > I'm flailing on > > > > this one :)) > > > > > > > > > > > > > > > > > > > > > > > > Thomas W Shinder, M.D. > > > > Site: www.isaserver.org > > > > Blog: http://blogs.isaserver.org/shinder/ > > > > Book: http://tinyurl.com/3xqb7 > > > > MVP -- Microsoft Firewalls (ISA) > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] > On Behalf Of Jim > > > > Harrison > > > > > Sent: Wednesday, August 29, 2007 2:27 PM > > > > > To: isapros@xxxxxxxxxxxxx > > > > > Subject: [isapros] Re: ISA and SAN Certs > > > > > > > > > > DatzDeWun! O'curse it works in real > life; I tested > > > > it. > > > > > > > > > > http://support.microsoft.com/kb/939184 > > > > > OL 2K7 seeks a "autodiscovery" SRV > record first, and > > > > only if > > > > > that fails, > > > > > it'll seek the A record. This is > based on the same > > > > domain suffix as > > > > > specified in the mail domain. > > > > > If your OL client is behind a CERN > proxy (and it knows > > > > it), it can't > > > > > specify that the proxy should look up > a SRV record for > > > > > autodiscover.sfx. > > > > > The proxy assumes that any CERN > request will be for a > > > > "host" > > > > > and makes a > > > > > DNS query for an A record. > > > > > > > > > > OL 2K7 uses the SRV record to > discover the host > > > > > > > > > > -----Original Message----- > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] > > > > > On Behalf Of Thomas W Shinder > > > > > Sent: Wednesday, August 29, 2007 12:15 PM > > > > > To: isapros@xxxxxxxxxxxxx > > > > > Subject: [isapros] Re: ISA and SAN Certs > > > > > > > > > > BAM!!!! > > > > > > > > > > I think I get it. On the TO tab for the > > > > autodiscover.msfirewall.org, I > > > > > can still use owa.msfirewall.org > since it resolves to > > > > the same IP > > > > > address as > autodiscover.msfirewall.org on the internal > > > > network -- and > > > > > the path is going to /autodiscover, > so that's cool. > > > > It's all making > > > > > sense on paper -- now to see if it > works in real life > > > > :) > > > > > > > > > > BTW -- why do I need a SRV record for OL > > > > autodiscovery? I haven't seen > > > > > any documentation on that requirement > on the Exchange > > > > side. > > > > > > > > > > Thanks! > > > > > Tom > > > > > > > > > > Thomas W Shinder, M.D. > > > > > Site: www.isaserver.org > > > > > Blog: http://blogs.isaserver.org/shinder/ > > > > > Book: http://tinyurl.com/3xqb7 > > > > > MVP -- Microsoft Firewalls (ISA) > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of > > > > Jim Harrison > > > > > > Sent: Wednesday, August 29, 2007 2:09 PM > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: ISA and SAN Certs > > > > > > > > > > > > Yes; I'd forgotten about the OL > client's "SAN > > > > problem". > > > > > > It amazed me how much noise the > Exch folks make > > > > about the same > > > > > > limitation for ISA.. ..but I digress. > > > > > > > > > > > > "Web Publishing Rule that is publishing the > > > > > > > autodiscover.msfirewall.org/autodiscover path must > > > > be > > > > > > configured on the > > > > > > TO tab to use > autodiscover.msfirewall.org " - how do > > > > you > > > > > cone to that > > > > > > contusion? > > > > > > Why do you think you need to use > "autodiscover" in > > > > the ISA rule > > > > > > published hostname? Use whatever > works for ISA and > > > > let the > > > > > > client be as > > > > > > stupid as you want. > > > > > > > > > > > > -----Original Message----- > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] > > > > > > On Behalf Of Thomas W Shinder > > > > > > Sent: Wednesday, August 29, 2007 12:05 PM > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > Subject: [isapros] Re: ISA and SAN Certs > > > > > > > > > > > > Hi Jim, > > > > > > > > > > > > CIL... > > > > > > > > > > > > Thomas W Shinder, M.D. > > > > > > Site: www.isaserver.org > > > > > > Blog: http://blogs.isaserver.org/shinder/ > > > > > > Book: http://tinyurl.com/3xqb7 > > > > > > MVP -- Microsoft Firewalls (ISA) > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of > > > > Jim Harrison > > > > > > > Sent: Wednesday, August 29, 2007 1:49 PM > > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > > Subject: [isapros] Re: ISA and SAN Certs > > > > > > > > > > > > > > All good points, but really > orthogonal to the > > > > question of how ISA > > > > > > > handles SAN certs. Actually, I > wrote that because > > > > some folks were > > > > > > > whining about how ISA handled SAN certs in > > > > general. In > > > > > > fact, I tried > > > > > > > not to delve into the variant forms of > > > > self-inflicted ISA > > > > > manglement > > > > > > > pain that were filling other blogs. > > > > > > > > > > > > > > Q1 - Why do you need a second > listener? Use your > > > > DNS to point > > > > > > > autodiscover to the same Exch > listener. The > > > > public name is a > > > > > > > rule; not > > > > > > > a listener arttribute. > > > > > > > > > > > > TOM: We need a second listener > because we can't have > > > > two > > > > > certificates > > > > > > with different common names > listening on the same > > > > listener using the > > > > > > same IP address. OK, in ISA 2006 I *can* use > > > > multiple > > > > > > certificates using > > > > > > the same listener, but each of the > certificates must > > > > be > > > > > assigned to a > > > > > > different IP address, so no big > deal there -- so I > > > > create two > > > > > > different > > > > > > Web Publishing Rules -- one for > owa.msfirewall.org > > > > and a second Web > > > > > > Publishing Rule for > autodiscover.msfirewall.org. So > > > > far so > > > > > > good and SANs > > > > > > aren't even an issue. > > > > > > > > > > > > > Q2 - why does the external OL > client give a rats > > > > bahootie > > > > > > > what's listed > > > > > > > in the cert used at the CAS? It > never sees it. > > > > > > > > > > > > TOM: That's true and I didn't mean > to imply that it > > > > did. The > > > > > > concern is > > > > > > that common name and the first SAN > on the Web site > > > > > > certificate bound to > > > > > > the Client Access Server site is > owa.msfirewall.org. > > > > The > > > > > second SAN is > > > > > > autodiscover.msfirewall.org > > > > > > > > > > > > > > > > > > > Q3 - why is the lack of the > autodiscover.suffix > > > > public > > > > > name make the > > > > > > > /autodiscover path "useless"? > "Incomplete" > > > > perhaps, but > > > > > > > hardly useless. > > > > > > > > > > > > TOM: Because the OWA publishing > rule is listening > > > > for > > > > > > owa.msfirewall.org, NOT > autodiscover.msfirewall.org. > > > > Since > > > > > > there are two > > > > > > certificates involved here, one > with the common name > > > > > > owa.msfirewall.org > > > > > > and a second with > autodiscover.msfirewall.org -- we > > > > have to use two > > > > > > different IP addresses, and > owa.msfirewall.org is > > > > NOT going > > > > > to resolve > > > > > > to the same IP address as > > > > autodiscover.msfirewall.org. Thus, > > > > > > adding the > > > > > > /autodiscover path to the > owa.msfirewall.org Web > > > > Publishing > > > > > Rule won't > > > > > > work and is extraneous. The > /autodiscover path only > > > > applies to the > > > > > > autodiscover.msfirewall.org Web > Publishing Rule. > > > > > > > > > > > > > > > > > > > > IOW, create your SRV and A records for > > > > autodiscover.suffix, add > > > > > > > "autodiscover.suffix" to the > public names (ISA > > > > 2006 only) and > > > > > > > make sure > > > > > > > the cert used in the ISA web > listener includes > > > > > > > "autodiscover.suffix" in > > > > > > > the SAN. > > > > > > > > > > > > Again, the issue isn't with the Web > listeners, I > > > > have no > > > > > problem with > > > > > > that. The issue is with the > connection between the > > > > ISA > > > > > > Firewall and the > > > > > > Client Access Server. The Web site > certificate bound > > > > to the Client > > > > > > Access Server has a common name and > a first SAN name > > > > of > > > > > > owa.msfirewall.org and a second SAN name of > > > > > > autodiscover.msfirewall.org. > > > > > > > > > > > > Given that, the Web Publishing Rule that is > > > > publishing the > > > > > > > autodiscover.msfirewall.org/autodiscover path must > > > > be > > > > > > configured on the > > > > > > TO tab to use autodiscover.msfirewall.org -- > > > > HOWEVER, and > > > > > this is THE > > > > > > QUESTION -- with the ISA Firewall > when establishing > > > > the SSL channel > > > > > > between itself and the Client > Access Server, be able > > > > to use > > > > > the SECOND > > > > > > SAN on the Client Access Server Web > site certificate > > > > to allow the > > > > > > connection? > > > > > > > > > > > > Make sense? > > > > > > > > > > > > > > > > > > > > > > > > > > Jim > > > > > > > > > > > > > > -----Original Message----- > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] > > > > > > > On Behalf Of Thomas W Shinder > > > > > > > Sent: Wednesday, August 29, 2007 11:33 AM > > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > > Subject: [isapros] Re: ISA and SAN Certs > > > > > > > > > > > > > > This is a good step in > understanding some of the > > > > issues, > > > > > > but I suspect > > > > > > > the major problems people are > running into relates > > > > to > > > > > publishing the > > > > > > > autodisocvery site. You'll notice > that when you > > > > run the Exchange > > > > > > > Publishing Wizard in ISA 2006 > that is includes an > > > > > > /autodiscover path, > > > > > > > which is completely useless, > since the client is > > > > looking for > > > > > > > > autodiscover.domain.com/autodiscover and not the > > > > Client > > > > > > Access Server > > > > > > > Public Name, which would be something like > > > > owa.domain.com. > > > > > > > > > > > > > > OK, easy problem to solve, right? > All we need to > > > > do is > > > > > > create a second > > > > > > > Web listener on a second IP > address and configure > > > > it to listen for > > > > > > > public name > autodiscover.company.com. HOWEVER, > > > > the Client Access > > > > > > > Server's common/subject name and > first SAN is > > > > owa.company.com. The > > > > > > > second SAN is autodiscover.company.com. > > > > > > > > > > > > > > So, if we put on the TO tab > > > > autodiscover.company.com, will > > > > > > ISA 2006 be > > > > > > > able to "consume" the second SAN > to support to the > > > > Outlook 2007 > > > > > > > autodiscovery service? > > > > > > > > > > > > > > Thanks! > > > > > > > Tom > > > > > > > > > > > > > > Thomas W Shinder, M.D. > > > > > > > Site: www.isaserver.org > > > > > > > Blog: http://blogs.isaserver.org/shinder/ > > > > > > > Book: http://tinyurl.com/3xqb7 > > > > > > > MVP -- Microsoft Firewalls (ISA) > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf > > > > Of Jim Harrison > > > > > > > > Sent: Wednesday, August 29, 2007 1:10 PM > > > > > > > > To: isapros@xxxxxxxxxxxxx > > > > > > > > Subject: [isapros] ISA and SAN Certs > > > > > > > > > > > > > > > > > > > > > > > > Another isablog for your > reading pleasure. > > > > > > > > > > > > > > > > > > > > > > > > > > > > http://blogs.technet.com/isablog/archive/2007/08/29/certificat > > > > > > > > es-with-mu > > > > > > > > > > > > ltiple-san-entries-may-break-isa-server-web-publishing.aspx > > > > > > > > > > > > > > > > All mail to and from this > domain is GFI-scanned. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > All mail to and from this domain > is GFI-scanned. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > All mail to and from this domain is > GFI-scanned. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > All mail to and from this domain is > GFI-scanned. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > All mail to and from this domain is GFI-scanned. > > > > > > > > > > > > > > > > > > > > > > > > > > > > All mail to and from this domain is GFI-scanned. > > > > > > > > > > > > > > > > > > > > > > > > > > > > All mail to and from this domain is GFI-scanned. > > > > > > > > > > > All mail to and from this domain is GFI-scanned. > > > > > >