OWA 2007 on Server 2008 publishing through ISA 2006
To start with AAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH. Ok now that that is out of the way here is my scenario:
New install of Exchange 2007 SP1 on a Server 2008 box, with the hub, mail, and client roles installed on it.
ISA 2006 with all updates installed on a Server 2003 SP2 box.
I am having a heck of a time getting OWA to publish correctly. I think my biggest issue is that our DNs are different externally and internally. External is ABCD.com and internal is alphabetacharliedelta.org. I'm creating the certificate like so:
New-ExchangeCertificate -GenerateRequest -SubjectName "DC=alphabetacharliedelta, DC=org, O=alphabetacharliedelta, CN=mail.ABCD.com" -DomainName mail.ABCD.com, smtp.ABCD.com, autodiscover.ABCD.com, ABCD.com, exc2007.alphabetacharliedelta.org, lrcrems -FriendlyName "mail" -PrivateKeyExportable $true -Path c:\mailcert7.req
Yes, that's attempt #7... after I started keeping track.
I make the cert with an internal CA and assign it to the Exchange 2007 box with no issues. I export the cert and private key onto the ISA 2006 box and everything seems fine, and there is no yellow ! on the cert.
I try to connect from external and receive a 500 error - The target principal name is incorrect. On ISA I see:
Log type: Web Proxy (Reverse)
Status: 0x80090322
Rule: OWA 2007
Source: External (75.xxx.xxx.xxx)
Destination: (10.0.0.xxx:443)
Request: GET http://mail.ABCD.com/owa
Filter information: Req ID: 175cb5d6; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=yes, valid=yes, updated=no, logged off=no, client type=public, user activity=yes
Protocol: https
User: alphabetacharliedelta\johndoe
Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; Tablet PC 2.0; .NET CLR 1.1.4322; InfoPath.2; MS-RTC LM 8)
object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 15
MIME type:
Now I can see that the GET request is HTTP?????? (but the names are right!!) Can anyone enlighten me as to what I am doing wrong, please?
May 2nd, 2008 9:10pm
http://www.microsoft.com/technet/isa/2006/deployment/exchange.mspx
Do you have multiple names (SAN) on the internal cert?
ISA has an issue with this:
http://blogs.technet.com/isablog/archive/2007/08/29/certificates-with-multiple-san-entries-may-break-isa-server-web-publishing.aspx
May 4th, 2008 2:08pm
No multiple names except autodiscover.abcd.com.
As far as I can tell from the numerous deployment pages, everything is correct. The only thing that I can see is that ISA 2006 refuses to redirect to https; instead it is trying to resolve to http no matter what certificate I put in.
This is the last cert I tried:
New-ExchangeCertificate -GenerateRequest -SubjectName "DC=com,dc=ABCD,O=Alpa Beta Charlie Delta,CN=mail.abcd.com" -DomainName mail.abcd.com, exch2007,exch2007.alphabetacharliedelta.org, autodiscover.abcd.com -PrivateKeyExportable $true -Path c:\mailcert10.req
May 5th, 2008 5:33pm
ISA is connecting to IIS with the name on the To tab of the publishing rule. This name must be the CN on the cert and it must also be the first subject alternate name listed, as described in the link provided in my last post.
In your case it's mail.abcd.com.
May 7th, 2008 9:11pm
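The rule stated in the last reply (the To tab name must be the certificate's CN and also its first subject alternative name) can be checked before the certificate is imported on ISA. The script below is an added example, not code from the thread: the function names `Test-PublishingCertName` and `New-SampleCert` are hypothetical, the two certificates are constructed in memory using the thread's host names, and it assumes PowerShell with .NET Framework 4.7.2 or later (or PowerShell 7) and an English-locale rendering of the SAN extension.

```powershell
# Added example (not from the thread). Function names are hypothetical.
function Test-PublishingCertName {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $ToTabName   # name entered on the publishing rule's To tab
    )
    # Pull the CN out of the subject, wherever it sits among the DC=/O= components
    $cn = $null
    if ($Certificate.Subject -match '(?:^|,\s*)CN=([^,]+)') { $cn = $Matches[1].Trim() }
    # Subject Alternative Name extension (OID 2.5.29.17), DNS entries in certificate order
    $ext  = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($ext) {
        # Format() renders "DNS Name=host" (Windows) or "DNS:host" (OpenSSL-backed .NET)
        $sans = @([regex]::Matches($ext.Format($false), 'DNS(?: Name=|:)([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value })
    }
    [pscustomobject]@{
        SubjectCN     = $cn
        FirstSAN      = if ($sans.Count) { $sans[0] } else { $null }
        CNMatches     = $cn -ieq $ToTabName
        FirstSANMatch = ($sans.Count -gt 0) -and ($sans[0] -ieq $ToTabName)
        SANs          = $sans -join ', '
    }
}

# Builds a throwaway self-signed certificate in memory (constructed sample data only)
function New-SampleCert([string] $Cn, [string[]] $DnsNames) {
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=$Cn", $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $san = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
    $DnsNames | ForEach-Object { $san.AddDnsName($_) }
    $req.CertificateExtensions.Add($san.Build())
    $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
}

# Same CN, different SAN order: internal name first vs. published name first
$internalFirst  = New-SampleCert 'mail.abcd.com' 'exch2007.alphabetacharliedelta.org','mail.abcd.com','autodiscover.abcd.com'
$publishedFirst = New-SampleCert 'mail.abcd.com' 'mail.abcd.com','exch2007.alphabetacharliedelta.org','autodiscover.abcd.com'
$internalFirst, $publishedFirst |
    ForEach-Object { Test-PublishingCertName $_ 'mail.abcd.com' } |
    Format-Table SubjectCN, FirstSAN, CNMatches, FirstSANMatch
```

To check a real certificate, pass an `X509Certificate2` loaded from the exported certificate file instead of the constructed samples.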