2010 CAS w/ ISA Certificate Questions

    Question

  • Hi Everyone,

    I am going to be implementing a CAS this weekend and had a few questions in regard to certificates and ISA.
    This will be the first Exchange 2010 server introduced into our environment.  We are currently running 2003 with multiple mailbox, front-end, and bridgehead servers.  We are also running an ISA 2006 server to handle two-factor authentication to webmail.

    We are currently running an externally-signed wildcard certificate on our ISA server and an internally-signed (ADCS Enterprise CA) wildcard certificate for webmail.  Would this strategy still work okay?  I have read a number of posts where "SAN" or "UC" certs were recommended over wildcard certs due to having different internal and external domains (webmail.company.local versus webmail.company.com), but in my situation the ISA server will be acting as a "go-between" and the only cert the user will see logging in to webmail will be the externally-signed wildcard cert, and ISA will create its own connection back to the CAS with the internally-signed wildcard cert.

    Does that make sense?  I'm just trying to save time and complexity (well, complexity beyond already having an ISA server thrown into the mix).  Also, for what it's worth, I will be adding additional CASs later on to create an array (load-balanced by something like a NetScaler), if that makes a difference. 

    Thanks in advance! 

    Tuesday, January 17, 2012 22:14
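The question above hinges on whether each hop of the bridged connection (browser to ISA with the public wildcard, ISA to CAS with the ADCS wildcard) presents a certificate whose name actually covers the host name used on that hop. The following added example (not from the thread) implements the standard wildcard-matching rule and checks both hops; webmail.company.com and webmail.company.local come from the question, while autodiscover.company.com, cas01.company.local and the short name cas01 are constructed placeholders.

```python
# Hostname-vs-certificate coverage check for the two-hop ISA -> CAS design.
# Added example, not from the thread; hostnames other than
# webmail.company.com / webmail.company.local are constructed placeholders.
from dataclasses import dataclass


@dataclass
class Cert:
    """Minimal stand-in for an X.509 cert: who issued it plus the DNS names
    it carries (Subject CN and any dNSName SAN entries)."""
    issuer: str
    names: tuple


def name_matches(pattern, hostname):
    """RFC 6125-style match: '*' is allowed only as the whole left-most label
    and matches exactly one label, so '*.company.com' covers
    webmail.company.com but neither company.com nor a.b.company.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject '*.com'-style patterns and wildcards anywhere but the first label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert, hostname):
    return any(name_matches(n, hostname) for n in cert.names)


def check_bridging(external_cert, internal_cert, external_hosts, internal_hosts):
    """Return the host names NOT covered on each hop: browser -> ISA uses the
    externally signed cert, ISA -> CAS (bridging) uses the internal cert."""
    return {
        "external_uncovered": [h for h in external_hosts if not cert_covers(external_cert, h)],
        "internal_uncovered": [h for h in internal_hosts if not cert_covers(internal_cert, h)],
    }


if __name__ == "__main__":
    ext = Cert("Public CA", ("*.company.com",))
    intl = Cert("ADCS Enterprise CA", ("*.company.local",))
    print(check_bridging(
        ext, intl,
        external_hosts=["webmail.company.com", "autodiscover.company.com", "company.com"],
        internal_hosts=["webmail.company.local", "cas01.company.local", "cas01"],
    ))
```

The uncovered names are the ones to watch for in the ISA publishing rule: the internal site name ISA connects to must be an FQDN under the wildcard, since neither a bare short name nor the zone apex is matched.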

Answers

All replies

  • Take a look at this overly long article on ISA 2006 and Exchange 2010:

        http://blogs.technet.com/b/exchange/archive/2009/12/17/isa-2006-sp1-configuration-with-exchange-2010.aspx

        http://technet.microsoft.com/en-us/library/bb331961.aspx

        http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/

    Wildcard certs are supported; you just have to watch out for the mobile devices you use to connect remotely via the ISA 2006 server.


    JAUCG
    • Marked as answer by Paul Newell Monday, February 27, 2012 21:41
    Wednesday, January 18, 2012 02:12
  • Any updates on this?
    JAUCG
    Friday, January 20, 2012 22:29
  • Hi JAUCG,

    Thank you for the links.  We're actually putting in the first CAS of the pilot project tonight.  :)  I'll reply again later on or sometime tomorrow. 

    Sunday, January 22, 2012 01:17
  • We ended up running into an issue with our DR site, which is where we were testing the ISA configuration before making the changes to the corporate server; the Internet connection died.  :( 

    We're hopefully going to try again this week.  I'll let you know how she does.

    Thanks again. 

    Monday, January 23, 2012 16:13
  • Sure, no problem.  Just keep us in the loop if we can provide any assistance.
    JAUCG
    Tuesday, January 24, 2012 03:23
  • Any updates on this?
    JAUCG
    Sunday, January 29, 2012 18:23
  • Hi JAUCG,

    No, not yet.  We were noticing that our ISA server is giving a ton of denial errors to ActiveSync users (Statuses 64, 10022, 1460, 1236, 1790, 10053, 10054) that my boss wanted to remediate before introducing another layer of complexity.

    Monday, January 30, 2012 14:48
  • Hi JAUCG,

    No issues with the certificate, which I am happy about, but we are having an issue where the OWA interface doesn't fully load for users with 2010 mailboxes, but it loads fine for users with 2003 mailboxes (forwarding to Legacy worked as expected).  The 2010 users just get a white page with plain text and the "Red-X" boxes. 

    Do you have any ideas here?  The only other tidbit is that we were using our DR site for testing, which is using a different external website address than our standard webmail address (altered our hosts files for testing).  The DR site has its own ISA server which forwards the requests to the Exchange servers at the corporate datacenter. 
    I was thinking that if we would have had any issues it would have been with the certificate, but there weren't any in that regard. 

    Thanks again!


    • Edited by Paul Newell Monday, February 20, 2012 14:47 additional info
    Monday, February 20, 2012 14:46
  • Try to import the public certificate for one of the test users manually into Trusted Root Certification Authorities, then try to access OWA in the DR site... Also check if it works internally... if not, repeat the same for the internal CA published in Trusted Root Certification Authorities...

    Check that the certificate services are assigned properly for the Exchange servers and that the binding is set properly in Inetmgr.


    Exchange Queries

    Sunday, February 26, 2012 03:02
  • Hi Paul

    Have you applied the latest service pack for Exchange 2010 - currently SP2 Rollup 1?  There was a thread here last week where that fixed the OWA red-X problem.

    Cheers, Steve

    • Marked as answer by Paul Newell Monday, February 27, 2012 21:41
    Sunday, February 26, 2012 09:46
  • Thanks, Steve. 

    One of the other members of my team looked at it (gave it another "set of eyes") and completely re-configured the ISA rules and it was working after that (for OWA, anyway), so I think we're okay there.  Since RU1 is out, and since we haven't gone anywhere near "Live" yet, I may just go ahead and update all of the servers I have set up so far. 

    I ended up looking up the Exchange Blog and read this link regarding the newest RU and an issue it created for CAS-to-CAS proxying (http://blogs.technet.com/b/exchange/archive/2012/02/17/exchange-2010-sp2-ru1-and-cas-to-cas-proxy-incompatibility.aspx).  Now, since 2010 doesn't "proxy" to a 2003 Front-End (it does complete redirection), I figure this won't affect OWA, but will this have an effect on ActiveSync?  I know that ActiveSync uses RPC-proxy for 2003 mailboxes, and while CAS-proxy is different, I just want to make sure.

    Lastly, when I go ahead and apply this update, what "prep" work needs to be done before installing an Exchange patch these days?  Having moved to a new organization, I haven't done one in almost a year now.
    I remember that it was "good practice" to disable "Check for publisher's certificate revocation" in IE (or via a registry hack); is that still the case?  I know to run "StartDagServerMaintenance.ps1" if your MB servers are in a DAG and to disable any "Exchange-aware" applications (AV, backup, etc.), but is there anything else?  Should one stop the Exchange services?

    Thanks again, everyone!

    Monday, February 27, 2012 21:41