Tony Su (Guest)
Posted: Thu Jan 20, 2005 4:35 am
Post subject: TLS Certificate problem - Only External
I am testing using a laptop I can connect both from within the network and from outside the network. By using a laptop which is a member of the Domain, at the moment I can ensure that the laptop trusts the Domain CA and I can verify credentials connecting internally before testing across a firewall.

From within the network, the IM client can be configured for TLS on port 5061 and will connect fine.

From outside the ISA FW, I receive an error "There is a problem with the certificate." Note this is a cert issue, not a FW issue. From outside I can verify connectivity by telnetting to the LCS on port 5061 (the service is listening). Also, for those who might be wondering: since I'm Server Publishing, credentials should be evaluated by the destination resource, not the ISA Server. In other words, in this configuration ISA is transparent to any credential issues.

The cert is issued by a Domain CA, configured with the name of the public FQDN.

This leads me to question...

- Why did I not get an error earlier connecting from within, when the cert CN obviously should not match the internal FQDN used? At first I assumed that the cert was used only for encryption, not authentication.
- When I configure the "Next hop - Fully qualified domain name" I've been entering the local machine's Windows Domain FQDN; I'd like to verify this is proper. This is the only LCS in the network; I'm not configuring frontend/backend, etc.
- How can I verify the correct certificate is installed? Although I believe I have installed the correct cert each time, there doesn't seem to be a way to verify, since the MMC displays only machine, issued by and dates valid. It does not display the CN. Otherwise, as for the cert itself, it should be configured properly for both Server and Client authentication.

TIA,
--
Tony Su
www.su-networking.com
ISA
SBS
Enterprise Mobile Solutions Architect
Sankaran (MS) (Guest)
Posted: Sat Jan 22, 2005 1:44 am
Post subject: Re: TLS Certificate problem - Only External
You can find the CN of the external edge certificate by going to the Public tab of the AP properties. It's the same as the "Issued To" field in the "Certificate associated with this network address" box.

The server that you specify in Windows Messenger must match this CN. So, what FQDN are you configuring your client to connect to the access proxy with? Are you using automatic configuration or manual configuration?

"Tony Su" <TonySu@discussions.microsoft.com> wrote in message
news:04EE8BEC-544A-41CA-9B4F-6E45EE13D238@microsoft.com...
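Sankaran's point is that the name the client connects to must match what the certificate says, and the question that started the thread was how to tell which certificate is actually installed, given that the MMC view hides the CN. The following is an added example, not from this thread and not Microsoft's own tooling: a Windows PowerShell script that reports, for every certificate in the computer's personal store, the DNS names it carries, whether those include the public FQDN, whether the Server Authentication and Client Authentication EKUs are present, whether the chain is trusted and whether the private key is available. The second part connects the way a client would and runs the same report on the certificate the listener on 5061 actually presents. `sip.example.com` is a placeholder for the public FQDN, and the script assumes Windows PowerShell 3.0 or later (for the `DnsNameList` property) running on a machine that trusts the issuing CA.

```powershell
# Added example, not code from the thread. 'sip.example.com' is a placeholder for
# the public FQDN; assumes Windows PowerShell 3.0+ for the DnsNameList property.
$PublicFqdn    = 'sip.example.com'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-CertificateReport {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedName
    )
    # DNS names the certificate is valid for: subject CN plus SAN dNSName entries
    $names = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    # OIDs listed in the Enhanced Key Usage extension, if the certificate has one
    $ekus  = @($Certificate.Extensions |
               Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
               ForEach-Object { $_.EnhancedKeyUsages } |
               ForEach-Object { $_.Value })
    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        Names         = ($names -join ', ')
        NameMatches   = ($names -contains $ExpectedName)   # what the client actually checks
        ServerAuth    = ($ekus -contains $ServerAuthOid)
        ClientAuth    = ($ekus -contains $ClientAuthOid)
        HasPrivateKey = $Certificate.HasPrivateKey          # listener cannot use it otherwise
        ChainTrusted  = $Certificate.Verify()               # trusted by THIS machine's store
        NotAfter      = $Certificate.NotAfter
        Issuer        = $Certificate.Issuer
    }
}

# Part 1: run on the LCS itself. Lists what is installed and which certificate,
# if any, is usable for the name external clients connect to.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-CertificateReport -Certificate $_ -ExpectedName $PublicFqdn } |
    Format-Table -AutoSize

# Part 2: run from a client. Performs a TLS handshake to port 5061 (SIP over TLS
# negotiates TLS immediately, no STARTTLS) and returns the presented certificate.
function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 5061)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts whatever is presented so the handshake completes;
        # trust and name matching are judged explicitly by Get-CertificateReport.
        # This is a diagnostic probe only, never a pattern for production clients.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

Get-CertificateReport -Certificate (Get-PresentedCertificate -HostName $PublicFqdn) -ExpectedName $PublicFqdn
```

Running Part 2 twice, once with the internal FQDN from inside the LAN and once with the public FQDN from outside, shows the two halves of the symptom side by side: a machine certificate whose only name is the internal host name reports `NameMatches` true for the first and false for the second, even though `ChainTrusted` is true in both cases. Because ISA server publishing passes the TLS session through unchanged, what the probe sees from outside is exactly what the LCS sends.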
Tony Su (Guest)
Posted: Sat Jan 22, 2005 4:03 am
Post subject: Re: TLS Certificate problem - Only External
Thanks for responding, but I'm unclear what you are referring to.

I assume that I should be able to view the certificate in the LCS MMC, but I don't see a way to do that.

I'm not sure what "AP" you may be referring to, and nothing in the LCS MMC looks like an AP or has a Public folder.

In case you are somehow referring to something viewable in the Certificate Manager or otherwise inspecting certificates, <that won't accomplish what I need>. I suppose I can re-issue a new cert with a new date by now, but the existing certs on this machine all have nearly the same properties/attributes at the moment... at least, the viewable ones... and the CN is not viewable, so I would be able to tell one from another.

Tony
Tony Su (Guest)
Posted: Sat Jan 22, 2005 5:11 am
Post subject: Re: TLS Certificate problem - Only External
OK, I think I figured out what is happening but still have a question...

The reason why TLS works within my LAN is likely because I'm issuing the certificate incorrectly... I've been applying for a machine cert, and therefore the machine's internal name is the CN.

I am applying to a Certificate Server 2.0.

What is the correct procedure for creating the proper request?

When I generate an online request to my Cert Srvr, if I submit an Advanced Request I only see three Certificate Templates (User, Auth Session and EFS), and none of them appear to support the special configuration (both Server and Client authentication) I need. It seems to me Cert Srvr 1.0 a long time ago provided those options...

Thx.
Tony
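For the request question in the post above, here is an added example that is not from the thread and not a Microsoft procedure: a `certreq` request file and the three `certreq` commands that take it from request to installed certificate. The point it illustrates is that the three templates listed in the web enrollment pages are the CA's enterprise templates, whereas a PKCS#10 request built with `certreq` carries its own Subject and its own Enhanced Key Usage extension, so the CN can be the public FQDN and both Server and Client Authentication can be requested without any template. Placeholders that are assumptions, not values from the thread: `sip.example.com` for the public FQDN and `CAHOST\Domain-CA` for the CA's "computer\CA name" configuration string. The script assumes the CA accepts and issues the request as submitted (stand-alone behaviour), which on a stand-alone CA normally means an administrator issues the pending request in the CA console first.

```powershell
# Added example, not code from the thread. Placeholders (assumed, not from the thread):
#   sip.example.com   the public FQDN that external clients connect to
#   CAHOST\Domain-CA  the CA's "computer\CA name" config string
$PublicFqdn = 'sip.example.com'
$CaConfig   = 'CAHOST\Domain-CA'
$Work       = Join-Path $env:TEMP 'lcs-cert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$InfPath = Join-Path $Work 'request.inf'
$ReqPath = Join-Path $Work 'request.req'
$CerPath = Join-Path $Work 'issued.cer'

# certreq INF: the request itself names the subject and the EKUs, so no CA template
# is involved. MachineKeySet stores the private key in the computer's store (which is
# what the LCS service needs) rather than in the requesting user's store.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$PublicFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1
; Client Authentication
OID = 1.3.6.1.5.5.7.3.2
"@
Set-Content -Path $InfPath -Value $inf -Encoding Ascii

# 1. Build the request; the private key is generated and kept on this machine
certreq.exe -new $InfPath $ReqPath

# 2. Submit it to the CA. If the CA leaves it pending, issue it in the CA console
#    and then fetch it with:  certreq.exe -retrieve <RequestId> $CerPath -config $CaConfig
certreq.exe -submit -config $CaConfig $ReqPath $CerPath

# 3. Bind the issued certificate to the pending request's private key in the computer store
certreq.exe -accept $CerPath
```

`KeyUsage = 0xA0` asks for digitalSignature and keyEncipherment, which is what a TLS server certificate needs, and `Exportable = FALSE` keeps the private key from leaving the machine. Once installed, the certificate should show the public FQDN as its "Issued To" name and both authentication purposes under its Enhanced Key Usage, which is exactly what the client-side name check in the earlier question depends on. If the same listener must also be reached by its internal name, the usual answer is a Subject Alternative Name extension listing both names rather than two separate certificates.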
Tony Su (Guest)
Posted: Sat Jan 22, 2005 6:48 am
Post subject: Re: TLS Certificate problem - Only External
Addendum: because I see some other posts in the past on this subject, but my situation may be a bit different, and in anticipation of some suggestions:

My Domain CA is Certificate Server running on Win2K (not Win2K3), configured as "Enterprise and Stand-alone Capable". And although I thought that all Win2K Certificate Servers should be version 2.0, this Policy Module says it's 1.0.

Tony