lyonrouge
#70666 28-Oct-2010 13:55

I want to publish RD Gateway, Exchange and SharePoint, all of which require SSL. How do I map incoming traffic correctly? I suspect I need an IIS server between ISA and the rest?


lyonrouge
#396936 28-Oct-2010 17:23

I think the solution is to define an all-SSL-traffic rule first for traffic to the Remote Desktop Gateway, then publish SharePoint and Exchange as additional rules with URL path redirects; therefore OWA and SharePoint traffic should (assuming mobile devices use \OWA paths) be picked up and directed to the appropriate server, while all others will terminate at the RD Gateway.



Regs
#397069 28-Oct-2010 22:33

Your easiest option is to terminate the SSL on the ISA server and then run over plain HTTP tunnels to the internal servers. If you do SSL end to end, you can run into a bunch of problems, as SSL isn't meant to be intercepted, decrypted and then re-encrypted before reaching its final destination.

You will also want to run either separate virtual directories for each app, a wildcard SSL certificate on a single public IP, or three separate public IP addresses each with their own SSL cert. SSL is a bit more tricky than HTTP when you are publishing.

Your best site for ISA articles is http://www.isaserver.org/
Publishing articles here: http://www.isaserver.org/articles_tutorials/publishing/
You might find this one useful: http://www.isaserver.org/tutorials/ISA-Firewall-Publishing-OWA-RPC-HTTP-Single-IP-Address-Part1.html
lyonrouge
#397180 29-Oct-2010 09:31

Excellent, thanks. I have been trying to use the MS white paper on OWA/SharePoint publishing as my basis, but that is for Server 2003, and RD Gateway did not exist then.
lyonrouge
#398141 31-Oct-2010 17:46

Hmmm, can I not use self-signed certificates when publishing via an ISA 2006 server? If not, can I do so with Forefront?

Regs
#398476 1-Nov-2010 12:17

You can use self-signed certs, as long as everyone trusts them. I find that, for only $50 or so for a publicly issued SSL cert from www.certificatesforexchange.com, you might as well save the hassle of client configuration and just buy a legit one.

I'd still recommend terminating the SSL at the ISA server and running over HTTP internally; it will save you a few grey hairs :)

BTW: Forefront is very much like ISA 2006 for publishing, but will only run on a 64-bit platform.
lyonrouge
#398510 1-Nov-2010 13:12

SSL termination at ISA is what I'm planning to do, but in the interim I need to pass my existing traffic to the existing OWA server. My suspicion is that I have attempted to import a client-side certificate (if this is even a real term), so I'm going to try to re-export it.

My new domain will indeed have a publicly issued certificate, but I need to get this working as an interim while I'm undergoing transition (which will be for a few months, as I have quite a few things I'm trying to implement, including physical infrastructure changes).
lyonrouge
#398515 1-Nov-2010 13:21

OK, there is definitely a difference between the certificate SBS supplies for client use as opposed to an exported certificate. ISA accepted the exported certificate/key as valid, so that's a start; I'll not attempt to apply the firewall change until later.

Interim solution looks like this.
Regs
#399100 2-Nov-2010 13:50

Always make sure you export the private key if you are exporting a certificate using the MMC. If the web server does not have the private key, it cannot decode the data streams that have been encoded using the public key.
Regs
#399102 2-Nov-2010 13:51

And looking at your diagram, if the "firewall" is not ISA, then you're probably going to have problems splitting a single external IP down two separate paths for HTTPS/SSL traffic.
lyonrouge
#399123 2-Nov-2010 14:19

Oh no, I wanted to avoid installing everything on one host. The front-side firewall is a basic ADSL router; the back-side firewall is ISA. So far it appears to be working for the redirect, but the client is not getting back what it was seeking; I'll look at it some more when I get home. I can move the existing host onto the internal segment if you think that would help?

Regs
#399400 2-Nov-2010 23:43

Your problem is going to be in splitting off requests coming in to tcp/443 (SSL/HTTPS) to two different locations. Unless you have an advanced firewall, such as ISA, handling all the initial requests, you have no way to do it.

There is nothing wrong with using ISA as your only firewall; it's actually quite secure.

In your position, I would either ditch the ADSL modem and grab a PCI ADSL card to stick directly in the ISA server, or use half-bridge mode or such to get the external IP directly on to the ISA server.
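The two points above (the rule ordering proposed earlier in the thread, with specific OWA and SharePoint rules before a catch-all RD Gateway rule, and Regs's point that tcp/443 can only be split once something has terminated the SSL and can read the request) as an added example; this is constructed illustration code, not anything from the thread or from ISA itself, and the rule names and internal backend hostnames are assumptions.

```python
"""Host/path routing after SSL termination, the way an ISA-style web listener
does it: one public IP, one tcp/443 listener, several internal backends."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PublishingRule:
    name: str
    backend: str                                              # internal server
    hosts: List[str] = field(default_factory=list)            # empty = any host
    path_prefixes: List[str] = field(default_factory=list)    # empty = any path

    def matches(self, host: str, path: str) -> bool:
        host_ok = not self.hosts or host.lower() in [h.lower() for h in self.hosts]
        path_ok = not self.path_prefixes or any(
            path.lower().startswith(p.lower()) for p in self.path_prefixes)
        return host_ok and path_ok

# Ordered as the thread suggests: the specific OWA/ActiveSync and SharePoint
# rules first, then a catch-all that sends everything else to the RD Gateway.
# Backend names are assumptions for the demo.
RULES = [
    PublishingRule("OWA / ActiveSync", "exchange.internal.example",
                   path_prefixes=["/owa", "/Microsoft-Server-ActiveSync", "/rpc"]),
    PublishingRule("SharePoint", "sharepoint.internal.example",
                   hosts=["portal.example.com"]),
    PublishingRule("RD Gateway (catch-all)", "rdgw.internal.example"),
]

def parse_request(raw: str) -> Tuple[Optional[str], str]:
    """Pull (host, path) out of a decrypted HTTP request head. Minimal parser
    for the demo: request line plus headers, no body handling."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    path = parts[1] if len(parts) > 1 else "/"
    host = None
    for line in lines[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == "host":
            host = value.strip().split(":")[0]  # drop any :port suffix
            break
    return host, path

def route(host: Optional[str], path: str, rules=RULES) -> Optional[str]:
    """Return the backend for a decrypted request, or None if no rule matches.
    Only possible after SSL termination: before that, the firewall sees only
    the destination IP and port 443, so it cannot tell OWA from RD Gateway."""
    for rule in rules:
        if rule.matches(host or "", path):
            return rule.backend
    return None
```

Reversing the list puts the catch-all first, and every request then lands on the RD Gateway, which is the ordering mistake the earlier post is guarding against.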
lyonrouge
#399450 3-Nov-2010 07:49

I'm passing the 443 traffic directly to ISA and it appears to be reading the header correctly and redirecting the OWA traffic back to the DMZ and passing the remaining traffic to the (internal) RD Gateway, so that aspect seems to work, but there is one last piece missing. I went out on the booze last night so didn't work on it; I'll do some work on it tonight.