2010 CAS w/ ISA Certificate Questions
Hi Everyone, I am going to be implementing a CAS this weekend and had a few questions in regards to certificates and ISA. This will be the first Exchange 2010 server introduced into our environment. We are currently running 2003 with multiple mailbox, front-end, and bridgehead servers. We are also running an ISA 2006 server to handle two-factor authentication to webmail.

We are currently running an externally-signed wildcard certificate on our ISA server and an internally-signed (ADCS Enterprise CA) wildcard certificate for webmail. Would this strategy still work okay? I have read a number of posts where "SAN" or "UC" certs were recommended over wildcard certs due to having different internal and external domains (webmail.company.local versus webmail.company.com), but in my situation the ISA server will be acting as a "Go Between" and the only cert the user will see logging in to webmail will be the externally-signed wildcard cert, and ISA will create its own connection back to the CAS with the internally-signed wildcard cert. Does that make sense? I'm just trying to save time and complexity (well, complexity beyond already having an ISA server thrown into the mix).

Also, for what it's worth, I will be adding additional CASs later on to create an array (load-balanced by something like a NetScaler), if that makes a difference. Thanks in advance!
January 17th, 2012 5:24pm
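
The two-certificate layout described in the post above can be checked leg by leg. This is an added example, not part of the original thread: it assumes the wildcards are `*.company.com` and `*.company.local`, uses RFC 6125-style name matching rather than ISA 2006's own logic, and the host names other than the two webmail names are constructed.

```python
# Added example (not from the thread). Assumptions: the two wildcard
# certificates are *.company.com and *.company.local, and names are matched
# RFC 6125-style. ISA 2006's own matching logic is not reproduced here.

def name_matches(pattern: str, host: str) -> bool:
    """True if a certificate name (exact or wildcard) covers host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False              # a wildcard never spans more than one label
    if p[0] == "*":
        # '*' must be the entire left-most label with a real domain after it
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_legs(legs):
    """Map each leg to True/False: does the presented cert cover the name used?"""
    return {
        leg: any(name_matches(n, host) for n in cert_names)
        for leg, host, cert_names in legs
    }


EXTERNAL_CERT = ["*.company.com"]    # assumed name on the public wildcard
INTERNAL_CERT = ["*.company.local"]  # assumed name on the ADCS wildcard

# Constructed legs: (description, hostname the connecting side asks for,
# names on the certificate the answering side presents).
LEGS = [
    ("client -> ISA", "webmail.company.com", EXTERNAL_CERT),
    ("ISA -> CAS", "webmail.company.local", INTERNAL_CERT),
    ("ISA -> CAS, external cert bound on CAS", "webmail.company.local", EXTERNAL_CERT),
    ("ISA -> CAS, nested host name", "cas01.site.company.local", INTERNAL_CERT),
    ("ISA -> CAS, bare domain", "company.local", INTERNAL_CERT),
]

if __name__ == "__main__":
    for leg, ok in check_legs(LEGS).items():
        print(f"{'OK      ' if ok else 'MISMATCH'}  {leg}")
```

The first two legs match; the last three show the cases where a wildcard does not cover the name the connecting side asks for.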

Take a look at this overly long article on ISA 2006 and Exchange 2010:

http://blogs.technet.com/b/exchange/archive/2009/12/17/isa-2006-sp1-configuration-with-exchange-2010.aspx
http://technet.microsoft.com/en-us/library/bb331961.aspx
http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/

Wildcard certs are supported, you just have to watch out for the mobile devices you use to connect remotely via the ISA 2006 server.

JAUCG
January 17th, 2012 9:23pm

Any updates on this?

JAUCG
January 20th, 2012 5:34pm

Hi JAUCG, Thank you for the links. We're actually putting in the first CAS of the pilot project tonight. :) I'll reply again later on or sometime tomorrow.
January 21st, 2012 8:22pm

We ended up running into an issue with our DR site, which is where we were testing the ISA configuration before making the changes to the corporate server; the Internet connection died. :( We're hopefully going to try again this week. I'll let you know how she does. Thanks again.
January 23rd, 2012 11:17am

Sure, no problem. Just keep us in the loop if we can provide any assistance.

JAUCG
January 23rd, 2012 10:27pm

Hi JAUCG, No, not yet. We were noticing that our ISA server is giving a ton of denial errors to ActiveSync users (Statuses 64, 10022, 1460, 1236, 1790, 10053, 10054) that my boss wanted to remediate before introducing another layer of complexity.
January 30th, 2012 9:53am

Try to import the public certificate for one of the test users manually into the Trusted Root certificates, then try to access OWA at the DR site... Also check if it works internally... if not, repeat the same for the internal CA published in the Trusted Root certificates... Check that the certificate service is assigned properly for the Exchange servers and the binding is set properly in Inetmgr.

Exchange Queries
February 25th, 2012 10:07pm

Hi Paul,

Have you applied the latest service pack for Exchange 2010 - currently SP2 Rollup 1? There was a thread here last week where that fixed the OWA red-x problem.

Cheers, Steve
February 26th, 2012 4:51am

Thanks, Steve. One of the other members of my team looked at it (gave it another "set of eyes") and completely re-configured the ISA rules and it was working after that (for OWA, anyway), so I think we're okay there. Since RU1 is out, and since we haven't gone anywhere near "Live" yet, I may just go ahead and update all of the servers I have set up so far.

I ended up looking up the Exchange Blog and read this link regarding the newest RU and an issue it created for CAS-to-CAS proxying (http://blogs.technet.com/b/exchange/archive/2012/02/17/exchange-2010-sp2-ru1-and-cas-to-cas-proxy-incompatibility.aspx). Now, since 2010 doesn't "Proxy" to 2003 Front-End (does complete redirection), I figure this won't affect OWA, but will this have an effect on ActiveSync? I know that ActiveSync uses RPC-proxy for 2003 mailboxes, and while CAS-proxy is different, I just want to make sure.

Lastly, when I go ahead and apply this update, what all "prep" work needs to be done before installing an Exchange patch these days? Having moved to a new organization, I haven't done one in almost a year now. I remember that it was "Good Practice" to disable the "Check for publisher's certificate revocation" in IE (or via reg-hack); is that still the case? I know to run "StartDagServerMaintenance.ps1" if your MB servers are in a DAG and to disable any "Exchange-Aware" applications (AV, backup, etc), but is there anything else? Should one stop the Exchange services? Thanks again, everyone!
February 28th, 2012 4:52pm
