Certificates Exchange 2007 SP1 with ISA 2006
I have an environment with 2 Client Access servers behind an ISA 2006 server. I'm trying to plan out the certificates and I found a good article that explains how to do this with a single CA server but not multiple ones. As I understand, what I need to do is:
Get one public certificate for the ISA 2006 server. This can be a normal certificate and only needs the one external name associated with it, i.e. mail.externaldomain.com. If we want to take advantage of the autodiscover service we'd need to get another certificate, i.e. autodiscover.externaldomain.com, as ISA 2006 does not work with certificates that use SANs (it can only use the first name on a SAN cert).
For the private side I can use an internally generated cert. Our internal domain name is not the same as our external (split DNS). We have two CA servers, so for this cert I'd need to generate a SAN cert with the following names:
autodiscover.internaldomain.local
ca01.internaldomain.local
ca02.internaldomain.local
internaldomain.local
mail.externaldomain.com (we actually do have our external domain setup internally as well but it is not the AD DNS just a zone added to our BIND DNS)
externaldomain.local ??
Is this correct? Also, I can just make this cert on one CA server and import it on both, correct? I also assume that ISA 2006 will have a section to tell it both CA servers to point to? Or do I need to make up a new DNS name for the two CA servers and do round-robin or something?
Thanks!
August 11th, 2008 10:25pm
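The procedure sketched in the question (one SAN certificate requested on one Client Access server, then shared with the second one), as an added Exchange Management Shell example for Exchange 2007 SP1. This is not code from the thread; the hostnames are the ones listed above, while the O/C values in the subject, the file paths and the PFX password are assumptions.

```powershell
# Added example, not from the forum thread. Run in the Exchange Management Shell
# (Exchange 2007 SP1). Hostnames come from the question; "O=Example, C=US", the
# C:\certs paths and the PFX password are assumptions for illustration.

# 1. On ca01: generate one request. The CN comes from -SubjectName; every name in
#    -DomainName lands in the subjectAltName extension. The key must be exportable
#    or the certificate can never be moved to ca02.
$names = "mail.externaldomain.com",
         "autodiscover.internaldomain.local",
         "ca01.internaldomain.local",
         "ca02.internaldomain.local",
         "internaldomain.local"

New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=mail.externaldomain.com, O=Example, C=US" `
    -DomainName $names `
    -PrivateKeyExportable $true `
    -Path C:\certs\cas-san.req

# 2. Submit C:\certs\cas-san.req to the internal CA (Web Server template) and save
#    the issued certificate as C:\certs\cas-san.cer. Completing the request pairs it
#    with the private key generated in step 1; the cmdlet returns the certificate.
$cert = Import-ExchangeCertificate -Path C:\certs\cas-san.cer

# 3. Bind it to IIS (OWA, Autodiscover, EWS, OAB, ActiveSync all ride on IIS).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 4. Export certificate + private key as a password-protected PFX for ca02.
#    The PFX is as sensitive as the key itself: copy it over an authenticated
#    channel and delete it from disk once ca02 has imported it.
$pfxPassword = Read-Host -AsSecureString "PFX password"
Export-ExchangeCertificate -Thumbprint $cert.Thumbprint `
    -BinaryEncoded:$true -Password $pfxPassword -Path C:\certs\cas-san.pfx

# 5. On ca02: import the same PFX (same thumbprint, same key) and enable it for IIS.
#    Run these two lines in a shell on ca02, not on ca01.
$cert2 = Import-ExchangeCertificate -Path C:\certs\cas-san.pfx -Password $pfxPassword
Enable-ExchangeCertificate -Thumbprint $cert2.Thumbprint -Services IIS

# 6. Verify on each CAS: the same thumbprint, all five names, IIS listed, key present.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter, HasPrivateKey
```

Because both servers end up with one identical certificate, whichever name ISA 2006 is later pointed at (a per-server name or a shared round-robin/NLB name) only needs to be present in that certificate's subject alternative names.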
Hi,
Since there are two CAS servers, I recommend you do round-robin or NLB for these two CAS servers.
We need one certificate (server certificate) for the publicly accessed OWA website.
Then we need one client certificate. ISA Server passes the client certificate provided to a domain controller. (ISA Server must be a domain member.) The Active Directory directory service determines the match between certificates and accounts, and passes the information back to ISA Server for application of relevant firewall policy rules. Once a client has authenticated with ISA Server through use of the certificate, the user can provide the credentials needed by the Outlook Web Access server.
So for the client certificate, you can apply a Unified Communications Certificate, also known as a Subject Alternative Name Certificate. So I think you may have the two Subject Alternative Names below on a certificate.
autodiscover.internaldomain.local
internaldomain.local
Note: the certificate file should be a .pfx or .p7b file, not a .cer file.
More detailed information to share with you:
CAS Load Balancing Best Practices (Part 1: Internet-facing: NLB, Authentication, InternalUrls, ExternalURLs, Certificates):
http://blogs.msdn.com/brad_hughes/archive/2007/09/10/cas-load-balancing-certificates-autodiscover-and-webservices.aspx
Publish Exchange 2007 with ISA 2006
http://technet.microsoft.com/en-us/library/bb794751.aspx
Hope it helps.
Xiu
August 13th, 2008 10:40am
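A practitioner check to go with the round-robin/NLB advice above, added here and not part of the reply. Every hostname that Exchange hands to clients (the InternalUrl/ExternalUrl of each virtual directory and the Autodiscover URI), plus the name ISA's publishing rule connects to, must appear on the certificate enabled for IIS, or clients and ISA will see a name mismatch. The load-balanced name "mail.internaldomain.local" is an assumption; the cmdlets and properties are standard Exchange 2007.

```powershell
# Added check, not from the forum thread. Run in the Exchange Management Shell
# (Exchange 2007 SP1) on either CAS after the SAN certificate is enabled for IIS.
# "mail.internaldomain.local" is an assumed round-robin/NLB name for ca01 and ca02.

# Collect every hostname Exchange publishes to clients, plus any extra names
# (e.g. the name ISA is told to connect to on the publishing rule's To tab).
function Get-CasHostnames([string[]]$ExtraNames) {
    $urls = @()
    $urls += Get-OwaVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    $urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    $urls += Get-OabVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    $urls += Get-ActiveSyncVirtualDirectory  | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    $urls += Get-ClientAccessServer          | ForEach-Object { $_.AutoDiscoverServiceInternalUri }

    # Unset URLs come back as $null; the rest are System.Uri objects.
    $names = @($urls | Where-Object { $_ } | ForEach-Object { $_.Host.ToLower() })
    $names += @($ExtraNames | ForEach-Object { $_.ToLower() })
    $names | Sort-Object -Unique
}

# Compare the required names with the certificate's CN/SAN entries.
# Matching is exact: a SAN entry only covers the name it spells out.
function Test-CertificateNames([string]$Thumbprint, [string[]]$RequiredNames) {
    $cert   = Get-ExchangeCertificate -Thumbprint $Thumbprint
    $onCert = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    foreach ($name in $RequiredNames) {
        if ($onCert -contains $name) { "OK       $name" }
        else                         { "MISSING  $name  (add it to -DomainName and re-issue)" }
    }
}

# The certificate currently serving HTTPS is the one whose Services include IIS.
$iisCert  = Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match "IIS" }
$required = Get-CasHostnames -ExtraNames "mail.internaldomain.local"
Test-CertificateNames -Thumbprint $iisCert.Thumbprint -RequiredNames $required
```

Any line reported as MISSING means either the URL should be changed (Set-OwaVirtualDirectory, Set-WebServicesVirtualDirectory, Set-ClientAccessServer and so on) to a name the certificate already carries, or the certificate must be re-requested with that name added. The public certificate on the ISA listener is checked separately: it only has to match the external name clients type, mail.externaldomain.com.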
I thought the whole point of having ISA was to have it not be a part of the domain for security purposes? Do you have to use an Enterprise CA for the certificate that goes on the Client Access Server or can you use a stand-alone certificate server?
August 13th, 2008 5:21pm
Hi,
Yes, we need to put ISA in the DMZ or perimeter network.
Since the internal name and the public name are not the same, we need two certificates.
For the certificate used on the CAS, I think we can use a local certificate generated from a Certificate Authority.
For details on how to create a local certificate, you can refer to the article below:
An end-to-end solution for publishing Exchange Server 2003/2007 with ISA Server 2006.
http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/publishing-exchange-client-access-isa-2006-complete-solution-part1.html
Important Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
Hope it helps.
Xiu
August 14th, 2008 11:08am