2010 CAS w/ ISA Certificate Questions
Hi Everyone,
I am going to be implementing a CAS this weekend and had a few questions regarding certificates and ISA.
This will be the first Exchange 2010 server introduced into our environment. We are currently running 2003 with multiple mailbox, front-end, and bridgehead servers. We are also running an ISA 2006 server to handle two-factor authentication to webmail.
We are currently running an externally-signed wildcard certificate on our ISA server and an internally-signed (ADCS Enterprise CA) wildcard certificate for webmail. Would this strategy still work okay? I have read a number of posts where "SAN" or "UC" certs were recommended over wildcard certs due to having different internal and external domains (webmail.company.local versus webmail.company.com), but in my situation the ISA server will be acting as a "go-between": the only cert the user will see logging in to webmail will be the externally-signed wildcard cert, and ISA will create its own connection back to the CAS with the internally-signed wildcard cert.
Does that make sense? I'm just trying to save time and complexity (well, complexity beyond already having an ISA server thrown into the mix). Also, for what it's worth, I will be adding additional CASs later on to create an array (load-balanced by something like a NetScaler), if that makes a difference.
Thanks in advance!
January 17th, 2012 5:24pm
Take a look at this overly long article on ISA 2006 and Exchange 2010:
http://blogs.technet.com/b/exchange/archive/2009/12/17/isa-2006-sp1-configuration-with-exchange-2010.aspx
http://technet.microsoft.com/en-us/library/bb331961.aspx
http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/
Wildcard certs are supported; you just have to watch out for the mobile devices you use to connect remotely via the ISA 2006 server.
JAUCG
January 17th, 2012 9:23pm
Any updates on this?
JAUCG
January 20th, 2012 5:34pm
Hi JAUCG,
Thank you for the links. We're actually putting in the first CAS of the pilot project tonight. :) I'll reply again later on or sometime tomorrow.
January 21st, 2012 8:22pm
We ended up running into an issue with our DR site, which is where we were testing the ISA configuration before making the changes to the corporate server: the Internet connection died. :(
We're hopefully going to try again this week. I'll let you know how she does.
Thanks again.
January 23rd, 2012 11:17am
Sure, no problem. Just keep us in the loop if we can provide any assistance.
JAUCG
January 23rd, 2012 10:27pm
Hi JAUCG,
No, not yet. We were noticing that our ISA server is giving a ton of denial errors to ActiveSync users (statuses 64, 10022, 1460, 1236, 1790, 10053, 10054) that my boss wanted to remediate before introducing another layer of complexity.
January 30th, 2012 9:53am
Try to import the public certificate manually into Trusted Root Certification Authorities for one of the test users, then try to access OWA in the DR site. Also check if it works internally; if not, repeat the same for the internal CA certificate published in Trusted Root.
Check that the certificate services are assigned properly for the Exchange servers and that the binding is set properly in Inetmgr.
Exchange Queries
February 25th, 2012 10:07pm
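The two checks suggested above (which names the CAS certificate covers and which services it is assigned to), as an added example that is not code from the thread or from Microsoft. It runs in the Exchange 2010 Management Shell; the two host names are placeholders taken from the question and are assumptions, as is the use of `Get-ExchangeCertificate -Server` against each CAS.

```powershell
# Added example, not code from the thread. Run in the Exchange 2010 Management
# Shell. Host names are placeholders from the question; adjust for your site.
$internalName = "webmail.company.local"   # name ISA bridges to on the CAS (assumed)
$externalName = "webmail.company.com"     # name users see on ISA (assumed)

# True when $Name is covered by one of the certificate's domain entries.
# A wildcard entry (*.company.local) matches exactly one label, so
# webmail.company.local matches but mail.dr.company.local does not.
function Test-NameCoveredByCert {
    param([string]$Name, [string[]]$CertDomains)
    $n = $Name.ToLower()
    foreach ($d in $CertDomains) {
        $d = $d.ToLower()
        if ($d -eq $n) { return $true }
        if ($d.StartsWith("*.") -and $n.EndsWith($d.Substring(1))) {
            $prefix = $n.Substring(0, $n.Length - $d.Length + 1)
            if ($prefix.Length -gt 0 -and $prefix -notmatch '\.') { return $true }
        }
    }
    return $false
}

# For every CAS, report the certificate bound to IIS (the one ISA is presented
# with on its back-end connection), whether it covers each name, and its expiry.
foreach ($cas in Get-ClientAccessServer) {
    $iisCerts = Get-ExchangeCertificate -Server $cas.Name |
        Where-Object { "$($_.Services)" -match "IIS" }
    if (-not $iisCerts) {
        Write-Warning "$($cas.Name): no certificate has the IIS service enabled"
        continue
    }
    foreach ($cert in $iisCerts) {
        $domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
        New-Object PSObject -Property @{
            Server         = $cas.Name
            Thumbprint     = $cert.Thumbprint
            Expires        = $cert.NotAfter
            CoversInternal = Test-NameCoveredByCert $internalName $domains
            CoversExternal = Test-NameCoveredByCert $externalName $domains
            Domains        = ($domains -join ",")
        }
    }
}
```

For the bridged design in the question, CoversInternal must be true on every CAS; CoversExternal only matters for the certificate on ISA itself.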
Hi Paul
Have you applied the latest service pack for Exchange 2010 (currently SP2 Rollup 1)? There was a thread here last week where that fixed the OWA red-x problem.
Cheers, Steve
February 26th, 2012 4:51am
Thanks, Steve.
One of the other members of my team looked at it (gave it another "set of eyes") and completely re-configured the ISA rules, and it was working after that (for OWA, anyway), so I think we're okay there. Since RU1 is out, and since we haven't gone anywhere near "live" yet, I may just go ahead and update all of the servers I have set up so far.
I ended up looking up the Exchange Blog and read this link regarding the newest RU and an issue it created for CAS-to-CAS proxying (http://blogs.technet.com/b/exchange/archive/2012/02/17/exchange-2010-sp2-ru1-and-cas-to-cas-proxy-incompatibility.aspx).
Now, since 2010 doesn't "proxy" to 2003 Front-End (it does complete redirection), I figure this won't affect OWA, but will this have an effect on ActiveSync? I know that ActiveSync uses RPC-proxy for 2003 mailboxes, and while CAS-proxy is different, I just want to make sure.
Lastly, when I go ahead and apply this update, what all "prep" work needs to be done before installing an Exchange patch these days? Having moved to a new organization, I haven't done one in almost a year now.
I remember that it was "good practice" to disable the "Check for publisher's certificate revocation" in IE (or via reg-hack); is that still the case? I know to run "StartDagServerMaintenance.ps1" if your MB servers are in a DAG and to disable any "Exchange-aware" applications (AV, backup, etc.), but is there anything else? Should one stop the Exchange services?
Thanks again, everyone!
February 28th, 2012 4:52pm