In our case, we are looking to get away from the SBS self-issued certificate as much as possible. The support-related issues that setup generates can be eliminated with a rather inexpensive investment in a third-party certificate.
The process for setting up the certificate is rather straightforward. The Official SBS Blog has a post on the initial part: How to Install a Public 3rd Party SSL Certificate on IIS on SBS 2003.
We created a dummy Web site in IIS, issued the certificate request from there, obtained the certificate from DigiCert, imported it into the Intermediate Certification Authorities store, and finally imported the certificate via the dummy site's certificate wizard. All of these steps are clearly outlined in the above blog post.
The blog author indicates that a further post on installing that certificate into ISA is forthcoming, but none appears to have been published.
The Configure Email and Internet Connection Wizard (CEICW) can import a third-party certificate, but it wants a *.cer file, and that route did not work in the many attempts we made to configure things that way.
So that left us in a quandary: how do we get that certificate tied into ISA?
Understanding a little of how the CEICW configures IIS and ISA together is an important step toward discovering how to get that certificate working.
With ISA installed on SBS, the configuration used to keep an end-to-end SSL tunnel between the user and IIS is called an SSL Bridge (MS TechNet article).
When the browser requests https://rww.mydomain.com/remote and an SSL tunnel is established, ISA terminates that tunnel and decrypts the traffic to inspect it. ISA then re-encrypts the traffic by establishing a second SSL tunnel to the local IIS server.
When we look at the SBS ISA and IIS SSL setup from the user's perspective we see:
- https://rww.mydomain.com/ ---> ISA ---> https://publishing.mysbsdomain.local/
- SBS self-issued certificate for https://rww.mydomain.com/: this certificate faces the Internet only.
- SBS-issued certificate for https://publishing.mysbsdomain.local/: this certificate is used only on the local LAN.
It is the Internet-facing site that needs the third-party certificate, along with OWA, OMA, and direct SharePoint access.
The process is very simple:
- On the SBS server open the ISA manager.
- Click on the Firewall Policy item.
- Double click on any SBS xxx Publishing Rule that uses the SBS Web Listener.
- Click the Listener tab.
- Click the Properties button beside "SBS Web Listener".
- Click the Preferences tab.
- Under SSL: Click the Select button.
- The new third party certificate should be one of the available ones, click on it.
- OK.
- Apply & OK.
- Double click on the SBS Windows SharePoint Services Web Publishing Rule.
- Listener tab.
- Properties button.
- Preferences tab.
- Select button.
- Choose the correct certificate as above.
- OK.
- Apply & OK.
- Apply in ISA Manager.
An important note regarding SSL wildcard certificates: for Outlook 2003/2007 clients using Outlook Anywhere (RPC over HTTPS), the msstd:rww.mydomain.com principal name setting in Outlook needs to be changed to msstd:*mydomain.com in order to avoid this error:
Microsoft Office Outlook
There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site rww.mydomain.com.
Outlook is unable to connect to the proxy server. (Error Code 0)
Some helpful links:
- MS KB 923575: Error message when Outlook 2007 tries to connect to a server by using an RPC connection or an HTTPS connection: "There is a problem with the proxy server's security certificate"
- MS KB 831051: How to use the RPC Ping utility to troubleshoot connectivity issues with the Exchange over the Internet feature in Outlook 2007 and in Outlook 2003
- TechNet Forums: Outlook RPC/HTTPS setup with a wildcard
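Once the listener change has been applied, the check worth running from outside the network is whether the SBS Web Listener now presents the third-party certificate and whether the name on it actually covers rww.mydomain.com, including the wildcard case behind the Outlook Anywhere note above. The script below is an added example, not code from this post or from Microsoft: it pulls the listener's certificate and reports name match, wildcard use and issuer. The hostnames and the "DigiCert" issuer string are taken from the post as placeholders, and the two sample certificate dicts are constructed for offline use.

```python
import socket
import ssl

# Public name from the post and the issuer expected after the swap (assumptions; substitute your own).
PUBLIC_HOST, EXPECTED_ISSUER = "rww.mydomain.com", "DigiCert"

# Constructed sample certificates, in the shape ssl's getpeercert() returns.
SAMPLE_WILDCARD = {
    "subject": ((("commonName", "*.mydomain.com"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"), ("DNS", "mydomain.com")),
    "issuer": ((("organizationName", "DigiCert Inc"),),),
}
SAMPLE_SELF_ISSUED = {
    "subject": ((("commonName", "rww.mydomain.com"),),),
    "issuer": ((("commonName", "SBS self-issued CA"),),),
}

def cert_names(cert):
    """Collect the subject CN and every DNS SAN from a getpeercert() dict."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names

def name_matches(pattern, host):
    """Match one certificate name against a host. A leading '*.' covers exactly one
    label, which is why Outlook Anywhere's msstd principal name changes for wildcards."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def check_cert(cert, host, issuer_hint):
    """Report whether the cert covers the host and whether it came from the third party."""
    names = cert_names(cert)
    issuer = " ".join(v for rdn in cert.get("issuer", ()) for _, v in rdn)
    return {"name_ok": any(name_matches(n, host) for n in names),
            "third_party": issuer_hint.lower() in issuer.lower(),
            "wildcard": any(n.startswith("*.") for n in names)}

def fetch_listener_cert(host, port=443):
    """Live check against the ISA Web Listener. Verification stays on: an SSLCertVerificationError
    means the chain is not trusted (still the SBS self-issued cert, or the intermediate is missing)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    print(check_cert(fetch_listener_cert(PUBLIC_HOST), PUBLIC_HOST, EXPECTED_ISSUER))
```

Run it from a machine outside the LAN so the connection goes through the ISA listener rather than straight to the publishing.mysbsdomain.local site.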
Managing our clients' SSL certificate needs is one small service addition we have made to our managed services portfolio.
Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.