How to set up a unihomed ISA 2006 in DMZ to publish OWA 2007 (Exchange 2007)?
OK, to start off, I've found and read a lot of articles about publishing OWA 2007 using ISA 2006. So, what's my problem? I have several problems, mostly because they don't match what I've got before my eyes (on my screen):

1. For instance, I've found this: http://www.msexchange.org/tutorials/Publishing-Exchange-2007-OWA-ISA-Server-2006.html At the step under Figure 7, I just don't know where and how he's got all those certificates already available for his ISA server!? I mean, I've set up an Enterprise CA and requested a cert on a member PC, but how am I supposed to install this cert into ISA? It's not written at all in that article!

2. I've also found another article: http://technet.microsoft.com/en-us/library/bb794751.aspx However, in this article, everything related to IIS is for IIS6. My problem is I'm using Windows Server 2008 and the IIS Manager interface is totally different! And it's not (always) possible to find the equivalent of what's written in this article! For instance, it's written that I should delete the self-signed certificate in the Default Web Site. But I just don't see how....

In other articles, some authors seem to suppose that the ISA server is actually a part of the domain, i.e. the ISA server is a domain member server! Which is, sorry to say, very stupid...

So, my question is, is there any article to teach us to set up a (unihomed) ISA 2006, which is in the DMZ, to publish OWA 2007 (Exchange 2007) from a Windows Server 2008? I'd appreciate it if someone could help me.

PS: There's something I forgot to say: please assume that my ISA 2006 DOES NOT use a public CA certificate, i.e. please give the procedure to request a private CA certificate. That's something which is missing in that MS article... Thanks.
May 24th, 2009 10:34pm

I think I've found some partial answers to my own questions.... I've found an article teaching us to use LDAP authentication from ISA 2006 to Active Directory. That means the ISA 2006 server does not need to be a domain member server, which seems to make sense if it's to be put in the DMZ. However, that article was for Exchange 2003 (and probably for AD 2003). I've followed it to set everything up. But when I tried a web browser from an Internet PC, something is broken. Something like "some certificate is not trusted..."! I had no idea if it's talking about the certificate between ISA and the web browser, or ISA and Exchange!? And I don't see any way to check this... It's late now and I need to sleep...
May 25th, 2009 2:16am

You probably won't be able to install certificates on all computers and devices that users will use to access Exchange. For example, some users may try to access Outlook Web Access from a kiosk or from a friend's computer. Since you are using a private Trusted Root Certification Authority (Windows CA), it would be expected behavior that the web browser receives a not-trusted warning on an Internet PC, since you didn't install the root certificate into the Trusted Root certificate store on that PC.

Check info:

1. Please provide the detailed error info when attempting to access OWA on the Internet.
2. Can OWA still be accessed after receiving the warning messages?
3. Have you installed the root certificate on that Internet PC?
4. Please try to access OWA internally on a client PC:
   a. On a client PC, open the hosts file, and point ISA's FQDN to the IP address of the Exchange CAS server.
   b. If OWA can be accessed successfully after pointing ISA's name to the CAS server, we can confirm the issue isn't caused by the Exchange part.

Resources: About the certificates you saw in the picture, they need to be imported into the ISA server, as shown here. To request a private CA certificate, we can use a cmdlet without using the IIS GUI. Please refer to the answer of Xiu Zhang in this thread.
May 25th, 2009 9:55am

Thanks for the reply. I had actually solved this problem weeks ago already. But "for the record", here are the answers/solutions:

This "some certificate is not trusted.." problem is actually: Error Code: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted. (-2146893019) The problem exists between ISA and the Exchange (CAS) server. This matter (or its solution) wasn't clearly written in MS articles or similar places. I had to gather ideas from several articles and had to make up my own procedure to overcome the difficulties.

First, somewhere I've learnt that we have to import the private-public key-pair certificate of the Exchange server into the ISA server. However, one important difficulty is that my Exchange server has IIS7 Manager, so even though I've found many articles teaching me how to export a certificate's private-public key-pair from IIS6 Manager on the Exchange server, I can't find the equivalent way to do so in IIS7! But I finally found out that this isn't necessary: no need to import the private key into the ISA server; the public key is enough. So my solution to this part is simple: just run Internet Explorer to open anything from the Exchange server's website (in https, of course). The certificate (containing the public key) is then reachable and can be exported (saved) to a file. Then I copied this certificate file to the ISA server and imported it into the Trusted Root Certification Authorities store of the computer account.

Other than this, there's another possible pitfall: the default self-signed certificate of the Exchange server is not issued to the FQDN of the Exchange server. Clearly explained: suppose the Exchange server computer name is EXCH and it resides in a domain called mydomain.com. The Exchange server computer's FQDN is of course exch.mydomain.com. But the default self-signed certificate is issued to EXCH, not EXCH.mydomain.com!!

So, in order to avoid potential problems, better specify the firewall policy to use EXCH (i.e. the computer name instead of the FQDN) as "Internal site name", or else in some situations you might get this error message: Error Code: 500 Internal Server Error. The pipe is being closed. (232)

And then finally, just like with any other Microsoft product, when something is not working as expected, it's always a good idea to reboot the WHOLE computer. This never hurts.

-----

About that article on isaserver.org that you suggested on exporting the private key certificate, I had found it as well actually. But it didn't help much because I can't follow it in IIS7 Manager (as I stated earlier). But also as I stated, it's not necessary. That article taught us to do so, perhaps because his ISA server is publishing OWA using the same name as his Exchange server. But even in this situation, it's still possible to do it otherwise: create a new certificate to reflect the published FQDN on a 3rd computer other than the Exchange server, export the key-pair certificate and import it into ISA.

As to Xiu Zhang's article: since my problem had been solved long ago, I just took a brief look at her article. Nevertheless, that doesn't seem to be my problem because I did not have the problem of "requesting any certificate". Anyway...
June 17th, 2009 5:34pm
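The two diagnostic steps the thread converges on (is the certificate chain between ISA and the CAS trusted, and does the name in the CAS certificate match the rule's "Internal site name") can be checked in one go from the ISA server before touching the publishing rule. The script below is an added example, not code from the thread or from Microsoft; it assumes the internal site name `EXCH` and the output path `C:\Temp\exch-cas.cer` as placeholders, and that the machine running it can reach the CAS on port 443.

```powershell
# Added example (not from the thread). Run on the ISA server (or any box that can reach
# the CAS). It performs the HTTPS handshake against the CAS using the same name the
# publishing rule uses as "Internal site name", then reports: who issued the certificate,
# whether this machine trusts the chain (an untrusted chain is what produces the
# -2146893019 error), and whether the name used is actually in the certificate
# (the EXCH vs exch.mydomain.com pitfall). It also saves the public certificate (no
# private key) as DER for import into the Trusted Root store of the computer account.
# Placeholders: EXCH (internal site name) and C:\Temp\exch-cas.cer (output file).
param(
    [string]$InternalSiteName = "EXCH",
    [string]$OutFile = "C:\Temp\exch-cas.cer"
)

function Get-RemoteCertificate {
    param([string]$HostName)
    # Accept any certificate for this probe only, so the handshake completes and we can read it.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    $req = [System.Net.HttpWebRequest]::Create("https://$HostName/owa/")
    $req.Method = "HEAD"
    try { $req.GetResponse().Close() }
    catch [System.Net.WebException] { <# 401/403 from OWA is fine; only the TLS handshake matters #> }
    if (-not $req.ServicePoint.Certificate) { return $null }
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $req.ServicePoint.Certificate
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain against this machine's stores, the way ISA's HTTPS bridging would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Cert)
    $status = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    New-Object PSObject -Property @{ Trusted = $trusted; Status = $status }
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject CN plus every entry of the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) {
        # Format() yields e.g. "DNS Name=exch.mydomain.com, DNS Name=EXCH"
        $names += @(($san.Format($false) -split ",\s*") | ForEach-Object { ($_ -split "=")[-1].Trim() })
    }
    $names | Select-Object -Unique
}

$cert = Get-RemoteCertificate -HostName $InternalSiteName
if (-not $cert) { throw "No certificate received from $InternalSiteName (connection failed?)" }

"Subject : " + $cert.Subject
"Issuer  : " + $cert.Issuer
"Expires : " + $cert.NotAfter

$chainResult = Test-CertificateChain -Cert $cert
"Chain trusted on this machine : " + $chainResult.Trusted
$chainResult.Status | ForEach-Object { "  $_" }   # e.g. "UntrustedRoot: ..." means import is still needed

$names = Get-CertificateDnsNames -Cert $cert
"Names in certificate          : " + ($names -join ", ")
if ($names | Where-Object { $_ -ieq $InternalSiteName }) {
    "Name check : OK, '$InternalSiteName' is in the certificate"
} else {
    "Name check : MISMATCH, use one of the names above as the rule's 'Internal site name'"
}

# DER export of the public certificate only (no private key needed on ISA).
[System.IO.File]::WriteAllBytes($OutFile,
    $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
"Saved public certificate to $OutFile"
if ($cert.Subject -eq $cert.Issuer) {
    "Self-signed: import this file into Trusted Root with:  certutil -addstore -f Root `"$OutFile`""
} else {
    "CA-issued: import the issuing CA's certificate (not this one) into the Trusted Root store instead"
}
```

The name check matters because ISA validates the CAS certificate against whatever is typed in "Internal site name", so a certificate issued to `EXCH` passes only when the rule uses `EXCH`, which is exactly the "pipe is being closed" case above. The last branch reflects the difference between the self-signed default certificate (which is its own root, so the server certificate itself goes into Trusted Root) and a certificate issued by the Enterprise CA (where the CA certificate is what establishes trust).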

