ISA 2006 Service Pack 1 Fixes Multiple SAN Problem
I haven't done too many articles on Exchange 2007 on this site for a number of reasons, but mostly because of the Exchange Team's lack of documentation on what key configuration settings do, and how they work with an Internet connected Exchange Server. In addition, many critical configuration options are still missing from the Exchange Management console, making it something less than a pleasure to work with the product.
However, I have done one article on how to publish Exchange 2007 Web services. When doing that article, I discovered there was a problem with how the ISA firewall deals with subject alternative names that the Exchange server's Web site certificate included. It turned out that the ISA firewall could only use the subject/common name or the first SAN name and the common/subject name had to be the same as the first SAN, so essentially, the ISA firewall could not take advantage of the SANs on the Exchange Web site certificate.
This caused some problems regarding publishing the autodiscover service on the Exchange Server. While this is only an issue for Exchange 2007 with Outlook 2007 clients, the problem was big enough to prevent people who are using ISA firewalls from upgrading to Exchange 2007.
The good news is that ISA 2006 SP1 will introduce full support for SANs, so that when the Exchange Server presents a certificate with multiple SANs to the ISA firewall, the ISA firewall will be able to use "consume" those SANs entries. This should help simplify creating Web Publishing Rules, although since it never worked before, I haven't tested out the details to see how this will make things easier for the ISA firewall admin.
BTW -- this fix has nothing to do with SAN certificates that might be used on a Web Listener. You can use SAN certificates on ISA firewall Web Listeners, no problem with that. The problem isn't with the ISA firewall, the problem is with the clients. When the ISA firewall presents the Web site certificate to the clients, the clients must be able to check the SANs and see if there's a match with the request made by the client. Unfortunately, I'm not aware of any browsers that will "consume" SAN entries.
Does Outlook 2007 use them? I believe so, since the Exchange team implies that you should use an autodiscover SAN entry on your Exchange Web site certificate. In that case, you should be able to create a certificate that has the name used to connect to OWA and ActiveSync and a SAN for autodiscover, and use that same certificate for OWA/ActiveSync and Autodiscover publishing rules. It's worth a try and I'll test it out when I get a chance.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP — Microsoft Firewalls (ISA)