How to publish an internal web page with UAG SP1?

  • Question

  • I am trying to publish an administrative web page for a Mitel telephone system hosted internally on https://10.0.0.1.

    Ideally I would like to publish a link to the page on a portal.

    I have tried using SSTP VPN as an alternative but I cannot connect to the site that way either (I can't even seem to ping the device which I can internally).

    Does anyone have some handy tips that would point me in the right direction?

    Thanks in advance.



    Darren
    Friday, September 30, 2011 8:28 AM

Answers

  • Hi Darren,

    so UAG has some problems with the certificate chain. I recommend reimporting the certificates into the local computer certificate store(s). In addition, make sure the destination site also trusts the root CA. If intermediate CAs are involved, make sure those certificates are installed on both machines as well.

    -Kai


    This posting is provided "AS IS" without any warranties. Kai Wilke | ITaCS GmbH | GERMANY, Berlin | www.itacs.de
    • Marked as answer by Darren Thorley Saturday, October 1, 2011 5:54 AM
    Friday, September 30, 2011 4:28 PM

All replies

  • Hi Darren,

    you should first make sure the network integration is set up correctly before starting to troubleshoot the publishing issues. So is your UAG able to ping the internal server? And are you able to open the internal web page from the console of your UAG box (you may need to add a TMG packet filter in this case)?

    If both tests are successful then you could start to troubleshoot the publishing issues. To help you in this case we need some additional information on your configuration and the published application you've created...

    BTW: The VPN problem you experienced may be related to some missing routes from your internal network to the VPN pool IP addresses. You have to make sure the VPN pool addresses are routed to the internal interface of your UAG box^^

    -Kai



    This posting is provided "AS IS" without any warranties. Kai Wilke | ITaCS GmbH | GERMANY, Berlin | www.itacs.de
    Friday, September 30, 2011 9:14 AM
  • Hi Kai,

    I can access the web page from the UAG box using the link https://10.0.0.1 and I can ping the IP address from the UAG box as well.

    My preferred choice is to use a portal link just for this site as I would rather not give full VPN access to this remote support company, but if I have no option then I will take the VPN option just to get it working.

    Thanks for responding.


    Darren
    Friday, September 30, 2011 9:32 AM
  • Hi Darren,

    please explain what you already did to publish the site and which application template / settings you've used.

    -Kai


    This posting is provided "AS IS" without any warranties. Kai Wilke | ITaCS GmbH | GERMANY, Berlin | www.itacs.de
    Friday, September 30, 2011 12:51 PM
  • I added a new web application by choosing the Other Web Application (application specific hostname). In the application type I set it to 1 (no idea what I should have put in).

    I then used a dodgy public host name to complete the setup (fully intending to get it added later on) - telephone.mydomain.co.uk.

    I then activated the configuration.

    Realising that this would also need to be added on to our certificate to work properly I then removed this, re-activated the configuration and then went with Other Web Application (portal hostname). I gave it a slightly different name and typed 2 in the Application Type (again - no idea what I should be typing in here but it seems to want a number).

    The Portal Link has an Application URL of https://10.0.0.1 as when I access this internally using http it redirects to https anyway.

    I then re-activated again.

    When I clicked on the link in the portal I got the following error: "The certificate chain was issued by an untrusted certification authority (CA)."

    I had installed the certificate from the Mitel system using the system guidelines (went in to IE Options > Content > Certificates and imported their cert in to Trusted Root Certification Authorities) before I published the application.

    Realising this probably had added it to the user account rather than the computer I then went and imported using the Certificates MMC in to the Trusted Root Certification Authorities for the Local Computer.

    Now I get an error "An unknown error occurred while processing the certificate".

    This is where I am stuck at the moment.

    If you feel I have missed something please let me know.

    Thanks


    Darren
    Friday, September 30, 2011 1:28 PM
  • Hi Darren,

    > "An unknown error occurred while processing the certificate"

    What a great description :)

    Please take a look in the Windows Event Viewer to see if there are some related error messages (e.g. Source = SCHANNEL).

    In addition, you could also disable the UAG certificate checks for debugging purposes to see if this error is related to the CRLs or AIA information. Enter each key separately to see which one fixes the problem, and re-enable them after finishing the troubleshooting...

    HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL\ValidateRwsCert=0

    HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL\ValidateRwsCertCRL=0

    For additional information regarding the registry keys please refer to http://technet.microsoft.com/en-us/library/ee809087.aspx

    -Kai


    This posting is provided "AS IS" without any warranties. Kai Wilke | ITaCS GmbH | GERMANY, Berlin | www.itacs.de
    Friday, September 30, 2011 1:38 PM
  • Setting ValidateRwsCert=0 followed by an iisreset seems to allow the site to work.

    When I set it back to 1 the error happens again.

    There are 2 Schannel errors:

    Log Name:      System
    Source:        Schannel
    Date:          30/09/2011 14:24:28
    Event ID:      36888
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:      Gallow-UAG.Gallowglass.local
    Description:
    The following fatal alert was generated: 43. The internal error state is 552.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
        <EventID>36888</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2011-09-30T13:24:28.611213700Z" />
        <EventRecordID>91042</EventRecordID>
        <Correlation />
        <Execution ProcessID="532" ThreadID="9464" />
        <Channel>System</Channel>
        <Computer>Gallow-UAG.Gallowglass.local</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="AlertDesc">43</Data>
        <Data Name="ErrorState">552</Data>
      </EventData>
    </Event>

    Log Name:      System
    Source:        Schannel
    Date:          30/09/2011 14:24:28
    Event ID:      36876
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:      Gallow-UAG.Gallowglass.local
    Description:
    The certificate received from the remote server has not validated correctly. The error code is 0x80092012. The SSL connection request has failed. The attached data contains the server certificate.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
        <EventID>36876</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2011-09-30T13:24:28.611213700Z" />
        <EventRecordID>91043</EventRecordID>
        <Correlation />
        <Execution ProcessID="532" ThreadID="9464" />
        <Channel>System</Channel>
        <Computer>Gallow-UAG.Gallowglass.local</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="ErrorCode">0x80092012</Data>
        <Binary>[server certificate data omitted]</Binary>
      </EventData>
    </Event>


    Darren
    Friday, September 30, 2011 2:10 PM
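As an added example (not part of the thread, and not Kai's or Microsoft's tooling), here is a small Python triage script for the two Schannel events quoted above. The alert name comes from RFC 5246 section 7.2 and the HRESULT names from the Windows CryptoAPI error list; the "check" strings are my own suggested next step for each code, not something the thread states, and the sample records are constructed, trimmed copies of the two events.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# TLS alert numbers from RFC 5246 section 7.2 (certificate-related subset).
TLS_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
              45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}
# CryptoAPI chain-validation HRESULTs reported by Schannel event 36876, each paired
# with the thing to check next (my suggestion, not from the thread).
CRYPT_ERRORS = {
    0x80092012: ("CRYPT_E_NO_REVOCATION_CHECK", "CRL/AIA reachability from the UAG box"),
    0x80092013: ("CRYPT_E_REVOCATION_OFFLINE", "CRL/OCSP responder reachability"),
    0x800B0109: ("CERT_E_UNTRUSTEDROOT", "root CA present in the LocalMachine Root store"),
    0x800B010A: ("CERT_E_CHAINING", "intermediate CAs present in the LocalMachine CA store"),
}

def parse_schannel_event(xml_text):
    """Summarise one Schannel record: 36888 = fatal TLS alert sent, 36876 = cert validation failed."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    data = {d.get("Name"): d.text for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    out = {"event_id": event_id, "computer": system.find("e:Computer", NS).text}
    if event_id == 36888:
        alert = int(data["AlertDesc"])
        out["alert"] = TLS_ALERTS.get(alert, "alert %d" % alert)
    elif event_id == 36876:
        code = int(data["ErrorCode"], 16)
        name, check = CRYPT_ERRORS.get(code, ("unknown HRESULT 0x%08X" % code, "verify the backend cert chain"))
        out["error"], out["check"] = name, check
    return out

def recommended_checks(xml_records):
    """Distinct next checks implied by a batch of records, in first-seen order."""
    checks = []
    for rec in (parse_schannel_event(x) for x in xml_records):
        if "check" in rec and rec["check"] not in checks:
            checks.append(rec["check"])
    return checks

# Constructed sample records, trimmed from the two events quoted in the post above.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
      <EventID>36888</EventID><Computer>Gallow-UAG.Gallowglass.local</Computer></System>
      <EventData><Data Name="AlertDesc">43</Data><Data Name="ErrorState">552</Data></EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
      <EventID>36876</EventID><Computer>Gallow-UAG.Gallowglass.local</Computer></System>
      <EventData><Data Name="ErrorCode">0x80092012</Data></EventData></Event>""",
]

if __name__ == "__main__":
    for record in SAMPLE_EVENTS:
        print(parse_schannel_event(record))
    print("next checks:", recommended_checks(SAMPLE_EVENTS))
```

Feeding the full event XML from Event Viewer (copy from the Details tab) into the same functions works, since only the System and EventData children are read.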
  • Hi Kai,

    Thanks very much for this. I also had to take a couple of additional steps to get it working. The first was to change the portal link back to http instead of https, and I think this is what did the trick. The second probably had no effect, but I made it at the same time: getting the web page to open in its own window.

    After saving and re-activating the internal web page came up perfectly.

    Thanks very much for your help


    Darren
    Saturday, October 1, 2011 5:57 AM