
Problem with publishing OMA using ISA 2006


  • Problem with publishing OMA using ISA 2006

    Hi all

    I'm trying to configure OMA.

    I'm using Exchange 2003 and ISA 2006.
    The ISA is placed in the DMZ of my firewall.
    The Exchange is a single server.

    I've followed every guide I was able to find, but still have problems.

    From the LAN, OMA is working.
    But when trying to connect from the internet, it fails.
    Since it's a test, I'm trying to connect using the IP address, and not by domain name.

    When typing ipaddress/oma, I can see the certificate, and after pressing Yes, I get the ISA screen with the username and password.

    After entering the username & password, I'm getting the following error:

    Error Code: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted. (-2146893019)

    Where is my mistake?

    Thanks

    Yaniv

  • #2
    Re: Problem with publishing OMA using ISA 2006

    Found this interesting article, albeit ISA '04

    Is this a purchased certificate?



    • #3
      Re: Problem with publishing OMA using ISA 2006

      The source of the cert is key.
      If you generated it yourself, then get the root certificate from the CA (you can use the certsrv site to download the chain), or if it is public, then get the public root cert from the authority.
      Don't forget as well that the certificate is for the name, so typing an IP address isn't going to make it work.
      cheers
      Andy

      Please read this before you post:


      Quis custodiet ipsos custodes?



      • #4
        Re: Problem with publishing OMA using ISA 2006

        Thanks for the reply

        The certificate is self-generated.

        AndyJG247, I didn't fully understand you. How do I "download the chain"?

        I've imported the certificate to the ISA server into Personal.

        Yaniv



        • #5
          Re: Problem with publishing OMA using ISA 2006

          I would highly recommend purchasing a cert as it saves a lot of hassle and it is minimal cost.

          If you must use a locally generated cert you will need to import the root certificate onto every device and PC (the PCs can be given it through a GPO though) if you want them to trust your cert.

          ISA needs your cert imported into the local computer personal store and the root into the local computer trusted root cert authorities.


          Have a look at the final paragraph here for example:
          http://www.exchangeninjas.com/cascert
          cheers
          Andy



          • #6
            Re: Problem with publishing OMA using ISA 2006

            Maybe I'll purchase a certificate in the future.
            Right now I want to test if it's working, and how.

            Can I test it with an IP address instead of using the FQDN?

            yaniv



            • #7
              Re: Problem with publishing OMA using ISA 2006

              Fair enough.
              The certificate is for the name, so use that; otherwise it will fail. Test with the name, not the IP. If you have a problem with resolution on a PC, you can just edit the hosts file.
              cheers
              Andy



              • #8
                Re: Problem with publishing OMA using ISA 2006

                Just tested it using the hosts file.

                But I'm getting the same error.

                Maybe I'm creating the certificate wrong?



                • #9
                  Re: Problem with publishing OMA using ISA 2006

                  This is OMA not OWA yes?
                  If you open your cert does it show as trusted now you have imported the root cert?
                  If you open the site from the ISA server does ISA trust it too?
                  cheers
                  Andy



                  • #10
                    Re: Problem with publishing OMA using ISA 2006

                    Yes, this is OMA

                    The certificate is shown as not trusted.

                    When I open it from the ISA server Certificates, it shows a red X, and:
                    This certificate cannot be verified up to a trusted certification authority.

                    When pressing on the Certification Path tab, the root server is shown with a red X
                    (this is my Exchange server and also a DC).
                    Pressing this server name shows this message in the certificate status:

                    This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.

                    When I open the certificate on the exchange server, everything is shown as correct.


                    Yaniv



                    • #11
                      Re: Problem with publishing OMA using ISA 2006

                      Does the certificate show another certificate above it when you look at it?
                      You need to add the root certificate to the root certificates store like I said a few posts down?

                      (From the link)
                      a. Go to the certsrv page of the CA (ex: http://ca-server/certsrv).
                      Note: If the CAS server where you imported and enabled the certificate is also your CA, then you must connect to the certsrv page over https because SSL is now required on the Default Web Site due to running the cmdlet in step 4.
                      b. Choose the "Download a CA certificate, certificate chain, or CRL" option.
                      c. Choose the "Download CA certificate" option.
                      d. Save the .cer file to the hard drive (ex: c:\ca_root_cert.cer).
                      e. Copy the root cert file to the device.
                      cheers
                      Andy



                      • #12
                        Re: Problem with publishing OMA using ISA 2006

                        Ok, I've downloaded the certificate as you instructed.

                        Now, when I'm trying to connect to the server from the ISA server, the certificate is shown as correct.

                        But now, which certificate is to be used in the web listener?



                        • #13
                          Re: Problem with publishing OMA using ISA 2006

                          The website one for the listener.
                          The root certificate is also needed on all devices that will connect as well. IE has root certificates for people like Verisign, Thawte etc already which is why you don't need to go to the hassle of installing them. Mobile5/6 devices also have a limited selection. With a home grown cert you don't get those benefits.
                          cheers
                          Andy



                          • #14
                            Re: Problem with publishing OMA using ISA 2006

                            I've installed the server certificate on the test client, and now I get a new error message:

                            Error Code: 500 Internal Server Error. The target principal name is incorrect. (-2146893022)

                            Any ideas?



                            • #15
                              Re: Problem with publishing OMA using ISA 2006

                              Found my mistake and solved it.

                              In the publishing rule, under TO, at "this rule applies to this published site",
                              I wrote the servername/oma instead of the published address.

                              Now I can tighten the security and then test it on the mobile device.

                              Here is a link to my solution:
                              http://forums.msexchange.org/m_18004...htm#1800433444

                              It's also working if I'm using the IP address instead.

                              AndyJG247 thanks for your help


                              Yaniv
                              Last edited by Yaniv Hoobian; 15th July 2008, 12:43.
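
The two errors in this thread come from two separate checks: whether the site certificate chains to a trusted root (-2146893019) and whether the name being connected to matches the certificate (-2146893022). The following is an added lab example, not part of the original posts, that reproduces both checks with OpenSSL standing in for the Windows certificate stores. The host name `mail.example.test`, the `exchange01/oma` value and the file names are constructed for illustration.

```shell
#!/bin/sh
# Added lab example, not from the thread. All names are constructed.
SITE_NAME="mail.example.test"   # constructed published name on the site cert
WRONG_TO="exchange01/oma"       # constructed "servername/oma"-style To value

make_lab() {   # $1 = empty working directory
    w=$1
    # Private root CA, standing in for the self-run CA on the Exchange/DC box.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Root CA" \
        -keyout "$w/ca.key" -out "$w/ca_root_cert.cer" 2>/dev/null || return 1
    # Web site certificate for the published name, issued by that root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$SITE_NAME" \
        -keyout "$w/site.key" -out "$w/site.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$w/site.csr" -days 2 -CAcreateserial \
        -CA "$w/ca_root_cert.cer" -CAkey "$w/ca.key" \
        -out "$w/site.cer" 2>/dev/null || return 1
}

# Chain check with only the default trust anchors: the lab root is not among them.
chain_without_root() { openssl verify "$1/site.cer" >/dev/null 2>&1; }

# Chain check once the root certificate is supplied as a trust anchor.
chain_with_root() {
    openssl verify -CAfile "$1/ca_root_cert.cer" "$1/site.cer" >/dev/null 2>&1
}

# Chain check plus name check: $2 is the name the connecting side asks for.
name_check() {
    openssl verify -CAfile "$1/ca_root_cert.cer" -verify_hostname "$2" \
        "$1/site.cer" >/dev/null 2>&1
}

lab=$(mktemp -d) || exit 1
make_lab "$lab" || { echo "openssl could not build the lab certs"; exit 1; }
chain_without_root "$lab" || echo "no root installed: chain is not trusted"
chain_with_root "$lab"    && echo "root installed: chain is trusted"
name_check "$lab" "$SITE_NAME" && echo "$SITE_NAME: name matches the certificate"
name_check "$lab" "$WRONG_TO"  || echo "$WRONG_TO: name does not match"
rm -rf "$lab"
```

On the ISA server the counterpart of `-CAfile` is importing the root into the local computer Trusted Root Certification Authorities store, as post #5 describes.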
