Microsoft ISA Server 2006 – Certificate troubleshooting (Part 2)

If you would like to read the first part in this article series please go to Implementing and Troubleshooting Certificate Deployment in ISA Server 2006.

Introduction

In this article, I will give you some additional information about how ISA Server 2006 uses digital certificates in web chaining and reverse publishing scenarios. This is the second article of my series on ISA Server 2006 certificate deployment, published in July 2008 on www.ISAserver.org


Get your copy of the German language “Microsoft ISA Server 2006 – Das Handbuch”

Let us get to it…

Let us start with a short explanation of the type of certificates used in secure publishing scenarios and move on to explain what functionality SAN certificates (SAN = Subject Alternate Name) provides and what distinguishes them from classic certificates, like wildcard certificates.

Certificate Types

There are three types of certificates which are often used:

  • Normal certificates
  • Wildcard certificates
  • Subject Alternate Name certificates (SAN)

Normal certificates

A normal certificate is the “classic” certificate. This type of certificate is issued for only one FQDN = Fully Qualified Domain Name aka a DNS hostname like owa.it-training-grote.de.

Wildcard certificates

A Wildcard certificate is often used when a company needs to publish different hostnames with the same domain name. Instead of using multiple normal certificates, it is possible to use this type of certificate. As an example if you buy a wildcard certificate for *.it-training-grote.de, it is possible to use the certificate to publish webservers with, for example, the names owa.it-training-grote.de and www.it-training-grote.de.

SAN certificates

SAN (Subject Alternate Name) certificates are also often called multi domain certificates or Unified Communication (UC) certificates. With the help of SAN certificates it is possible to publish multiple FQDN with the same or other Top Level Domain (TLD) name.

For example:

owa.it-training-grote.de

www.it-training-grote.de

Server01

Server01.exchange.internal

Autodiscover.exchange.internal

Autodiscover.it-training-grote.de

A SAN certificate is widly used in Exchange Server publishing scenarios with or without ISA Server 2006.

ISA Server 2006 Service Pack 1 certificate enhancements

ISA Server 2006 Service Pack 1 supports the use of SAN certificates. Prior to ISA Server 2006 Service Pack 1, ISA Server only checked the first name in the certificate and ignored the additional names in the SAN field of the certificate.

Using self signed certificates

One way to use certificates for ISA Server publishing is to use the SELFSSL.EXE tool from the IIS 6 resource kit . With the help of the SELFSSL tool administrators can create certificates which every Common Name (CN) they want.


Figure 1: SELFSSL from the IIS 6 Resource Kit

Because a self signed certificate is not issued by a trusted Root Certificate Authority you must manually place the self signed certificate in the Trusted Root CA store on the local ISA Server.


Figure 2: Add certificate Snap-In

Next, select the local Computer account as the certificate store to see all local installed certificates, which ISA Server uses for publishing and webchaining scenarios.


Figure 3: Display certificates in certificate store

Trusted Root CA certificates

ISA Server ensures that each certificate used can be verified against the issuing Certificate Authority. ISA Server checks the certificate chain of the certificate to the Root CA. The list of trusted Root Certificate Authorities can be found in the local computer certificate store on the ISA Server 2006 machine.


Figure 4: Trusted Root CA certificates

Certificates used in Web chaining scenarios

One of the less used features in ISA Server 2006 is the use of certificates in ISA Server web chaining scenarios. Web chaining is used to chain the Web traffic from ISA Server with another Webproxy like ISA Server. To use a certificate in a webchaining scenario, the following prerequisites must be present:

  • Have a client authentication certificate
  • Be trusted by the issuing Root Certificate Authority
  • Have a private key installed in the local computer certificate store
  • Be installed in the Firewall service account personal certificate store




Figure 5: Select certificates in web chaining scenarios

Exchange Remote Connectivity Analyzer

The Microsoft Exchange Remote Connectivity Analyzer is a helpful tool to test different types of Exchange Server publishings with and without ISA Server, without the use of the required tools like Microsoft Outlook.The Exchange Remote Connectivity Analyzer is also very helpful to verifiy the correct Deployment of certificates on the Exchange Client Access Server (CAS) or/and on the ISA Server.


Figure 6: Exchange Remote Connectivity Analyzer checks

ISA Server 2006 Best Practice Analyzer

On helpful troubleshooting utility for certificate issues with ISA Server 2006 is the well known ISA Server 2006 Best Practice Analyzer which analyzes the ISA Server installation against a database with best practices from Microsoft to find possible missconfigurations or other problems. For certificate troubleshooting purposes, ISABPA checks the ISA Server configuration and looks if certificates are used in publishing or web chaining scenarios, if the corresponding certificates can be found in the local computer certificate store.


Figure 7: ISA Server Best Practices Analyzer

To give you some information about how ISABPA displays certificate related issues, I deleted all certificates from the local computer store.

Conclusion

In this article, I tried to give you some more information about ISA Server 2006 certificate deployment and troubleshooting. We also covered some new features of ISA Server 2006 Service Pack 1 which extends ISA Server 2006 capabilities to use SAN certificates in webserver publishing scenarios.

Related links

If you would like to read the first part in this article series please go to Implementing and Troubleshooting Certificate Deployment in ISA Server 2006.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top