Microsoft ISA Server 2006 – Certificate troubleshooting (Part 2)

[05 December 2009]

If you would like to read the first part in this article series please go to Implementing and Troubleshooting Certificate Deployment in ISA Server 2006.

Let us get to it

Let us start with a short explanation of the types of certificates used in secure publishing scenarios, and then look at what functionality SAN (Subject Alternate Name) certificates provide and what distinguishes them from classic certificates and wildcard certificates.

Certificate Types

There are three types of certificates which are often used:

  • Normal certificates
  • Wildcard certificates
  • Subject Alternate Name certificates (SAN)

Normal certificates

A normal certificate is the 'classic' certificate. It is issued for exactly one FQDN (Fully Qualified Domain Name), that is, one DNS hostname such as owa.it-training-grote.de.

Wildcard certificates

A wildcard certificate is often used when a company needs to publish several hostnames under the same domain name. Instead of using one normal certificate per hostname, a single wildcard certificate can be used. For example, if you buy a wildcard certificate for *.it-training-grote.de, you can use it to publish web servers named owa.it-training-grote.de and www.it-training-grote.de.

SAN certificates

SAN (Subject Alternate Name) certificates are also often called multi-domain certificates or Unified Communications (UC) certificates. With a SAN certificate it is possible to publish multiple FQDNs under the same or a different Top Level Domain (TLD).

For example:

  • owa.it-training-grote.de
  • www.it-training-grote.de
  • Server01
  • Server01.exchange.internal
  • Autodiscover.exchange.internal
  • Autodiscover.it-training-grote.de

SAN certificates are widely used in Exchange Server publishing scenarios, with or without ISA Server 2006.

ISA Server 2006 Service Pack 1 certificate enhancements

ISA Server 2006 Service Pack 1 supports the use of SAN certificates. Before Service Pack 1, ISA Server checked only the first name in the certificate and ignored the additional names in the certificate's SAN field.
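As an added example that is not part of the article, the following PowerShell script makes the difference between the two checks visible. It collects the Subject CN and every DNS entry of the Subject Alternative Name extension of a certificate from the Local Computer personal store, and then reports for each published hostname whether a pre-SP1 ISA Server (first name only) or an SP1 ISA Server (all names) would accept the certificate. Wildcard names are matched for exactly one label, as browsers do. The thumbprint is a placeholder, the hostnames are the article's examples, and reading the SAN extension through Format() assumes an English-language Windows (it looks for "DNS Name=" labels).

```powershell
# Added example, not from the article. Run on the ISA Server as an administrator.
# Returns every DNS name a certificate covers: the Subject CN first, then each
# "DNS Name=" entry of the Subject Alternative Name extension (OID 2.5.29.17).
function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $names = New-Object System.Collections.Generic.List[string]
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names.Add($cn.ToLowerInvariant()) }

    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) renders one entry per line, e.g. "DNS Name=owa.it-training-grote.de".
        # The label text is localized; this parses the English form (assumption).
        foreach ($line in $san.Format($true) -split "`r?`n") {
            if ($line -match '^\s*DNS Name=(.+?)\s*$') {
                $n = $Matches[1].ToLowerInvariant()
                if (-not $names.Contains($n)) { $names.Add($n) }
            }
        }
    }
    return ,$names.ToArray()
}

# True when $Hostname is covered by $Pattern. A wildcard name (*.example.com)
# covers exactly one label: sub.example.com matches, a.sub.example.com does not.
function Test-HostnameMatch {
    param([string]$Hostname, [string]$Pattern)
    $h = $Hostname.ToLowerInvariant()
    $p = $Pattern.ToLowerInvariant()
    if ($p -eq $h) { return $true }
    if ($p.StartsWith('*.')) {
        $suffix = $p.Substring(1)                       # ".example.com"
        if (-not $h.EndsWith($suffix)) { return $false }
        $left = $h.Substring(0, $h.Length - $suffix.Length)
        return ($left.Length -gt 0 -and -not $left.Contains('.'))
    }
    return $false
}

# For each published hostname, reports whether a pre-SP1 ISA Server (first name
# only) and an SP1 ISA Server (CN plus all SAN entries) would accept the certificate.
function Test-PublishedNames {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$PublishedNames
    )
    $names = Get-CertificateDnsNames -Certificate $Certificate
    foreach ($published in $PublishedNames) {
        $preSp1 = ($names.Count -gt 0) -and (Test-HostnameMatch -Hostname $published -Pattern $names[0])
        $sp1 = $false
        foreach ($n in $names) {
            if (Test-HostnameMatch -Hostname $published -Pattern $n) { $sp1 = $true }
        }
        New-Object PSObject -Property @{
            Hostname  = $published
            PreSP1    = $preSp1
            SP1       = $sp1
            CertNames = ($names -join ', ')
        }
    }
}

# Usage: pick the publishing certificate from the Local Computer personal store,
# the store ISA Server reads. The thumbprint below is a placeholder.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq 'REPLACE-WITH-THUMBPRINT' }
if (-not $cert) { throw 'Certificate not found in Cert:\LocalMachine\My' }
Test-PublishedNames -Certificate $cert -PublishedNames @('owa.it-training-grote.de', 'autodiscover.it-training-grote.de') |
    Format-Table Hostname, PreSP1, SP1, CertNames -AutoSize
```

A row with PreSP1 false and SP1 true is the classic symptom: the name is only in the SAN field, so a server still on the RTM release rejects a certificate that SP1 accepts.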

Using self signed certificates

One way to obtain certificates for ISA Server publishing is the SELFSSL.EXE tool from the IIS 6 Resource Kit. With the SELFSSL tool, administrators can create certificates with any Common Name (CN) they want.

Figure 1: SELFSSL from the IIS 6 Resource Kit

Because a self-signed certificate is not issued by a trusted Root Certificate Authority, you must manually place the self-signed certificate in the Trusted Root CA store on the ISA Server itself.

Figure 2: Add certificate Snap-In

Next, select the Local Computer account as the certificate store to see all locally installed certificates, which ISA Server uses for publishing and web chaining scenarios.

Figure 3: Display certificates in certificate store

Trusted Root CA certificates

ISA Server ensures that each certificate used can be verified against the issuing Certificate Authority: it checks the certificate chain from the certificate up to the Root CA. The list of trusted Root Certificate Authorities can be found in the Local Computer certificate store on the ISA Server 2006 machine.

Figure 4: Trusted Root CA certificates

Certificates used in Web chaining scenarios

One of the less used features in ISA Server 2006 is the use of certificates in web chaining scenarios. Web chaining forwards web traffic from one ISA Server to another web proxy, such as a second ISA Server. To use a certificate in a web chaining scenario, the certificate must meet the following prerequisites:

  • It must be a client authentication certificate
  • Its issuing Root Certificate Authority must be trusted
  • Its private key must be installed in the Local Computer certificate store
  • It must be installed in the personal certificate store of the Firewall service account

Figure 5: Select certificates in web chaining scenarios
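The checks in the last two sections (chain up to a trusted Root CA, private key present, Client Authentication usage for web chaining) can be scripted. The following PowerShell function is an added example and not part of the article or of ISA Server: it runs the same chain build Windows performs for every certificate in the Local Computer personal store and lists what is missing. A self-signed SELFSSL certificate that has not yet been copied to the Trusted Root store shows up with chain status UntrustedRoot. The Client Authentication EKU OID (1.3.6.1.5.5.7.3.2) is the standard value; the script does not look into the Firewall service account's own store, which must still be checked by hand.

```powershell
# Added example, not from the article. Run on the ISA Server as an administrator.
# Checks one certificate for the prerequisites described above and returns a
# summary object; pass -ForWebChaining to also require the Client Authentication EKU.
function Test-IsaCertificatePrerequisites {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [switch]$ForWebChaining
    )

    # Build the chain against the Local Computer stores, as ISA Server does.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is skipped here so the result isolates trust-chain problems
    # (e.g. UntrustedRoot) from CRL reachability; use Online to include it.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Certificate)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'NoError' }

    # Enhanced Key Usage: 1.3.6.1.5.5.7.3.2 is Client Authentication.
    $clientAuth = $false
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        foreach ($oid in $eku.EnhancedKeyUsages) {
            if ($oid.Value -eq '1.3.6.1.5.5.7.3.2') { $clientAuth = $true }
        }
    }

    $problems = @()
    if (-not $chainOk) { $problems += "chain: $status" }
    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key in store' }
    if ($ForWebChaining -and -not $clientAuth) { $problems += 'missing Client Authentication EKU' }
    if ($Certificate.NotAfter -lt (Get-Date)) { $problems += 'expired' }

    New-Object PSObject -Property @{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        ChainOK       = $chainOk
        ChainStatus   = $status
        HasPrivateKey = $Certificate.HasPrivateKey
        ClientAuthEKU = $clientAuth
        Problems      = ($problems -join '; ')
    }
}

# Usage: test every certificate in the Local Computer personal store, the store
# ISA Server reads for publishing and web chaining rules.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-IsaCertificatePrerequisites -Certificate $_ -ForWebChaining } |
    Format-Table Subject, ChainOK, ChainStatus, HasPrivateKey, ClientAuthEKU, Problems -AutoSize
```

An empty Problems column for the certificate referenced by a publishing or web chaining rule means the store side is in order; a non-empty one names the item to fix before looking at the rule itself.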

Exchange Remote Connectivity Analyzer

The Microsoft Exchange Remote Connectivity Analyzer is a helpful tool to test different types of Exchange Server publishing, with and without ISA Server, without needing the client software such as Microsoft Outlook. The Exchange Remote Connectivity Analyzer is also very helpful for verifying the correct deployment of certificates on the Exchange Client Access Server (CAS) and/or on the ISA Server.

Figure 6: Exchange Remote Connectivity Analyzer checks

ISA Server 2006 Best Practice Analyzer

One helpful troubleshooting utility for certificate issues with ISA Server 2006 is the well-known ISA Server 2006 Best Practice Analyzer (ISABPA), which analyzes the ISA Server installation against a database of Microsoft best practices to find possible misconfigurations or other problems. For certificate troubleshooting purposes, ISABPA reads the ISA Server configuration, determines whether certificates are used in publishing or web chaining rules, and checks whether the corresponding certificates can be found in the Local Computer certificate store.

Figure 7: ISA Server Best Practices Analyzer

To give you some information about how ISABPA displays certificate related issues, I deleted all certificates from the local computer store.

Conclusion

In this article, I tried to give you some more information about ISA Server 2006 certificate deployment and troubleshooting. We also covered some new features of ISA Server 2006 Service Pack 1, which extend ISA Server 2006 so that SAN certificates can be used in web server publishing scenarios.

Related links

If you would like to read the first part in this article series please go to Implementing and Troubleshooting Certificate Deployment in ISA Server 2006.

Author: Mark Grote

Marc Grote is a MCSA/MCSE Messaging & Security and Microsoft Certified Trainer. He is working as a freelance IT Trainer and Consultant in the north of Germany and as a part-time employee of Invenate GmbH in Hanover (Germany). He is working there as a consultant for Microsoft Server infrastructure. You will find more information about Invenate at http://www.invenate.de. He is specialized in ISA Server, Exchange, Security on Windows 2000 and Windows Server 2003 designs, migrations and implementations and Citrix Metaframe / Cisco implementations. His efforts have earned him recognition as a Microsoft MVP for ISA Server. You can visit his homepage at http://www.it-training-grote.de.

This article has been republished with permission from: www.isaserver.org
Source: http://www.isaserver.org/...rver-2006-Certificate-troubleshooting-Part2.html
