Saturday 2 August 2008

SBS 2K3 Premium - Configuring an SSL Wildcard Cert

Finding information on getting a third party SSL certificate installed on SBS Premium is a struggle.

In our case, we are looking to get away from the SBS self-issued certificate as much as possible. The amount of support related issues around that setup can be eliminated with the addition of a rather inexpensive investment in a third party certificate.

The process for setting up for the certificate is rather straight forward. The Official SBS Blog has a post on the initial part: How to Install a Public 3rd Party SSL Certificate on IIS on SBS 2003.

We create a dummy Web site in IIS, issued the certificate request from there, obtained the certificate from DigiCert, import it into the Intermediate Certification Authorities, and finally imported the certificate via the dummy site's certificate wizard. All of these steps are clearly outlined in the above blog post.

The blog author indicates that a further blog post is forthcoming on installing that certificate into ISA but none appear to be found.

The Configure Email and Internet Connection Wizard (CEICW) does have the ability to import a third party certificate, but it wants a *.cer file that does not seem to work from the many times we tried to get things configured that way.

So, that left us in a quandry: How do we get that certificate tied into ISA.

Having a little understanding as to how the CEICW configures both IIS and ISA together is a really important step to discovering how we need to get that certificate working.

With ISA installed on SBS, the configuration used to keep an end to end SSL tunnel between the user and IIS is called an SSL Bridge (MS TechNet Article).

When the browser requests https://rww.mydomain.com/remote and an SSL tunnel is established, ISA actually decrypts the tunnel to inspect the packets. ISA then re-encrypts the packets by establishing a subsequent SSL tunnel into the local IIS server.

When we look at the SBS ISA and IIS SSL setup from the user's perspective we see:

In this bridging setup, the key to realizing how we need to install the third party certificate can be discovered.

It is the Internet facing site that needs that certificate along with OWA, OMA, and direct SharePoint access.

The process is very simple:
  1. On the SBS server open the ISA manager.
  2. Click on the Firewall Policy item.
  3. Double click on any SBS xxx Publishing Rule that uses the SBS Web Listener.
  4. Click the Listner tab.
  5. Click the Properties button beside "SBS Web Listener".
  6. Click the Preferences tab.
  7. Under SSL: Click the Select button.
  8. The new third party certificate should be one of the available ones, click on it.
  9. OK.
  10. Apply & OK.
  11. Double click on the SBS Windows SharePoint Services Web Publishing Rule.
  12. Listener tab.
  13. Properties button.
  14. Preferences tab.
  15. Select button
  16. Choose the correct certificate as above.
  17. OK.
  18. Apply & OK.
  19. Apply in ISA Manager.
From an external client, connect to the Remote Web Workplace and view the certificate. It should reflect the newly installed third party certificate. Connect directly to the SharePoint Companyweb site: https://rww.mydomain.com:444/ and verify the certificate there.

An important note regarding SSL wildcard certificates: For Outlook 2003/2007 clients using Outlook Anywhere (RPC/HTTPS), the msstd:rww.mydomain.com setting in Outlook needs to be changed to: msstd:*mydomain.com in order to avoid this:


Microsoft Office Outlook

There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site rww.mydomain.com.

Outlook is unable to connect to the proxy server. (Error Code 0)
Some helpful links:
Now that we have discovered the process order and configuration steps, we are migrating all of our clients over to third party certificates.

Managing our client's SSL certification needs is one small service addition we have made to our managed services portfolio.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

No comments: