Site Certificate Expired - Proxy specific

  • Site Certificate Expired - Proxy specific

    Our pieced together company has multiple proxy servers. OWA is managed from our home office. PCs that utilize one proxy server can access OWA without any issues. The machines that point to the other proxy server receive a certificate warning indicating the certificate has expired. The OWA site works fine from my ISP. It's just the machines using this specific ISA.

    I'm not an ISA specialist and was thrown into the role. I've lurked around some but cannot find what the problem is. Any ideas???
    Last edited by UKJoe; 17th June 2008, 18:22.

  • #2
    Re: Site Certificate Expired - Proxy specific

    ISA has a certificate on it for your OWA as well if it is publishing it and this cert has expired. Do the users of the other ISA server use a different URL for the server?
    Is the certificate public or home grown?
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?


    • #3
      Re: Site Certificate Expired - Proxy specific

      The other users use the same url. If you click on the properties of the page and view the certificate, it's up to date. They never get prompted with any cert errors.

      The cert is public I believe. It is from Thawte but maybe that doesn't matter?

      It's like the one ISA is allowing the new cert to go out with the site. The other ISA doesn't allow the new cert to publish.


      • #4
        Re: Site Certificate Expired - Proxy specific

        I don't understand your setup.
        Can you clarify a bit more?

        Do you have one or multiple ISA servers?

        Ps, this topic should be in the General Security Forum. I've requested the mods/admins to move this one.
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"


        • #5
          Re: Site Certificate Expired - Proxy specific

          We have multiple ISA servers. Machines that connect to one of them have the problem I explained previously.


          • #6
            Re: Site Certificate Expired - Proxy specific

            Hmm.. To publish OWA using https then the ISA server has a certificate installed as well. It doesn't just show the webpage directly from the Exchange server (it decrypts and encrypts everything itself). Therefore it is probably ok to assume the ISA server has an expired cert. Exchange is ok because it works elsewhere. Key question is do the ISA servers all publish the same server?

            On the ISA in question, if you open an MMC and then Certificates for the local machine, then the Personal directory, what do you have (are they all valid)?
            cheers
            Andy



            • #7
              Re: Site Certificate Expired - Proxy specific

              To clarify, OWA is not published from any of the ISAs I managed.

              The other ISAs do not have a specific cert installed for this specific OWA site. My home machine has no specific cert either. When I do go to the page from home, there are no cert warnings. The page displays with an updated cert verified through the page properties, and the cert is not required to install. If I do try to install it, it installs to the Other People cert directory.

              I exported the updated cert to the ISA and installed it to the same location on the ISA, and no change. And again, the other ISAs not experiencing this problem have no specific cert installed referencing the OWA site.

              I'm not sure where the Exchange servers fall into this scenario but I have no authority over that.

              Is there something in the ISA which forces certain certs to be manually authenticated/verified/installed?


              • #8
                Re: Site Certificate Expired - Proxy specific

                I can't imagine that the caching of ISA server does this.
                AFAIK ISA doesn't cache https sites and ssl certificates.
                However, you can try to clear or disable the caching.
                Marcel


                • #9
                  Re: Site Certificate Expired - Proxy specific

                  ISA not publishing does change things.
                  I'm with Dumber on this one (why does that make me laugh?). ISA wouldn't cache the cert.

                  Can you test a user with an issue so that they use the working ISA? From what you have written it gives you an error but when you check it the cert is actually still valid? Do your users have certs to authenticate themselves to ISA or anything else that uses certificates?
                  cheers
                  Andy



                  • #10
                    Re: Site Certificate Expired - Proxy specific

                    Are the certificates installed locally on the clients and aren't they updated?
                    Marcel


                    • #11
                      Re: Site Certificate Expired - Proxy specific

                      I hate this. I just tested the "working" proxy and the same error occurs. I received bad info from the tech the other day.

                      There is no site specific cert that requires installation.

                      If it is a caching issue it's on both ISAs which seems unusual.

                      Is there something about the way the site publishes the certificate that might be causing the issue? Now I am leaning back toward the publishing server...

                      Again, using Comcast, I have no issues from home. No cert is installed. The site does publish an updated cert when displayed.


                      • #12
                        Re: Site Certificate Expired - Proxy specific

                        Can you draw a diagram of your setup?
                        cheers
                        Andy



                        • #13
                          Re: Site Certificate Expired - Proxy specific

                          As I mentioned earlier, I was kind of thrown into the support role for these servers and not familiar with them. The proxy servers contained an old unnecessary host file pointing to the now retired\retiring OWA server, which was still publishing the old cert. Removing the entry and restarting the ISA services did the trick.

                          Simple enough if you know where to look I guess. Stupid host file!

                          Thanks for everyone's input!

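An added example, not part of the original thread: the resolution in #13 was a leftover hosts-file entry on the proxies that overrode DNS and sent them to the retired OWA server with the expired certificate. The sketch below audits hosts-file text for such overrides by comparing each pinned address with what DNS answers; the sample hosts content, names and addresses are constructed, and `dns_answers` is assumed to be collected separately by querying DNS directly (for instance with `nslookup`, which does not consult the hosts file).

```python
import ipaddress

# Constructed sample data (documentation address ranges, example.com names).
SAMPLE_HOSTS = """\
# hosts file copied from a proxy server (constructed)
127.0.0.1      localhost
192.0.2.10     OWA.example.com owa   # old Exchange front end
198.51.100.7   intranet.example.com
"""
# What DNS itself answers for each name, gathered separately (constructed).
SAMPLE_DNS = {
    "owa.example.com": ["198.51.100.20"],
    "intranet.example.com": ["198.51.100.7"],
}

def parse_hosts(text):
    """Map each hostname (lowercased) to the IPs the hosts file pins it to."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # not an address line
        for name in fields[1:]:
            entries.setdefault(name.lower().rstrip("."), []).append(ip)
    return entries

def stale_overrides(hosts_text, dns_answers):
    """Return (name, pinned_ip, dns_ips) for pins that DNS does not agree with."""
    findings = []
    for name, pinned in parse_hosts(hosts_text).items():
        dns_ips = sorted(str(ipaddress.ip_address(a)) for a in dns_answers.get(name, []))
        for ip in pinned:
            if ipaddress.ip_address(ip).is_loopback:
                continue                        # localhost entries are expected
            if ip not in dns_ips:
                findings.append((name, ip, dns_ips))
    return findings

if __name__ == "__main__":
    for name, ip, dns_ips in stale_overrides(SAMPLE_HOSTS, SAMPLE_DNS):
        print(f"{name}: hosts file pins {ip}, DNS answers {dns_ips or 'nothing'}")
```

A name flagged with an empty DNS list, such as the short alias `owa` here, has no DNS record to compare against and needs a manual look.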


                          • #14
                            Re: Site Certificate Expired - Proxy specific

                            A key bit of info indeed.
                            cheers
                            Andy



                            • #15
                              Re: Site Certificate Expired - Proxy specific

                              So although the old OWA server was retired, it was still online??
                              Yeah, that gives weird errors.

                              Glad you solved it
                              Marcel