TMG - Reverse proxy certificate mismatch

  • Question

  • I have the web site rule set up but I am getting a certificate mismatch error. I have set up the rule using this walkthrough: http://microsoftguru.com.au/2010/08/08/how-to-configure-reverse-proxy-using-forefront-tmg-2010-step-by-step/ (I'm aware of the typos)

    As a test I have already established a working rule without using https and that seems to work fine. I am somewhat new to TMG and SSL/Certs so it could be that there is something wrong with my certs. I am using a server in my domain as a CA (Win2003) and I have not had issues with other internal sites.

     This is a test environment. It is more of a proof of concept before we go into production so the domain CA should not be an issue. That is, if I have it setup correctly.

    IE8 simply tells me "Mismatched Address" but Firefox tells me

    The certificate is not trusted because no issuer chain was provided.
    The certificate is only valid for webserver.domain
    (Error code: sec_error_unknown_issuer)

    When I go to webserver.domain in IE it comes up with no errors or warnings, but in Firefox I get

    The certificate is not trusted because no issuer chain was provided.
    (Error code: sec_error_unknown_issuer)

    I imported the webserver cert into the Personal store of the TMG server and my internal CA is in my Trusted Root Certification Authorities. Other than that, I am not familiar enough with certs to know what I am missing.

    I read something about having the client install the cert but when this goes to production there will be hundreds of users so I don't know if that will be an option.
    • Edited by ncwang Wednesday, September 26, 2012 8:08 PM
    Wednesday, September 26, 2012 8:08 PM

Answers

  • Hi Amig@. The error in the browser is telling you that the CA that issued the certificate is not trusted by the browser. IE will query the certificates inside the operating system stores but FF won't, so you need to add it to its own "store". That is a normal situation when using a private PKI to issue certificates. Furthermore you should make accessible the certificate revocation list and all the certificates of the CAs that make up the hierarchy so that the browsers can add them to the trusted list. Acquiring a certificate from a commercial CA will avoid all of these issues.

    Regards


    // Raúl - I love this game

    Thursday, September 27, 2012 8:08 AM

All replies

  • Hi,

    Your clients also need to have your internal root CA in their Trusted Root Certification Authorities store. You can deploy it with a GPO, for example.

    Don't forget also to place the root CA in the computer certificate store on your TMG server. You can do that with the MMC:

    MMC.exe --> Add/Remove Snap-in --> Certificates --> Computer

    Best Regards


    • Edited by RVTelLux Friday, October 19, 2012 9:08 AM
    • Proposed as answer by RVTelLux Friday, October 19, 2012 9:09 AM
    Friday, September 28, 2012 1:20 PM
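    To check the two conditions both replies point at (the issuing CA chain and CRL not resolvable from the TMG server's computer store, and the certificate name not matching the name the listener publishes) before touching any client, here is a diagnostic script added as an example; it is not from either poster or from the linked walkthrough. It runs on the TMG server in an elevated PowerShell, and $PublishedName is an assumption that must be set to the public FQDN the web listener publishes.

```powershell
# Added diagnostic example (not from the thread). Run on the TMG server as an administrator.
# $PublishedName is an assumption: the public FQDN users type, which the web listener must present.
$PublishedName = 'www.example.com'
$sanOid = '2.5.29.17'   # subjectAltName extension

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    Write-Host "`n== $($cert.Subject)  (thumbprint $($cert.Thumbprint))"

    # 1. Does the certificate chain up to a root in the computer's Trusted Root store,
    #    and can the CRL be fetched? UntrustedRoot means the internal root CA is missing
    #    from Cert:\LocalMachine\Root; RevocationStatusUnknown/OfflineRevocation means the
    #    CRL distribution point is not reachable from this server.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if ($chain.Build($cert)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Host "   chain OK, root = $($root.Subject)"
    } else {
        foreach ($s in $chain.ChainStatus) {
            Write-Host "   chain problem: $($s.Status) - $($s.StatusInformation.Trim())"
        }
    }

    # 2. Does the certificate cover the published name? Collect the CN-derived DNS name
    #    plus every "DNS Name=" entry of the subjectAltName extension (wildcards not handled).
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[1] }
    }
    if ($names -contains $PublishedName) {
        Write-Host "   name OK: certificate covers $PublishedName"
    } else {
        Write-Host "   NAME MISMATCH: certificate is for [$($names -join ', ')], listener publishes $PublishedName"
    }

    # 3. A web listener needs the private key; an imported public certificate alone is unusable.
    if (-not $cert.HasPrivateKey) { Write-Host "   no private key: cannot be bound to a web listener" }
}
```

    A chain that builds here but still fails in Firefox confirms the first reply's point that Firefox does not consult the Windows store, so the root CA must be distributed to the browser separately.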