RE: Getting rid of a rogue SSL certificate



Charles: I have replied in line

> Please follow the steps below to check the certificate on ISA. Now open the
> ISA mmc on your SBS and go to "servers and arrays" and rt. click on your
> server name, select prop. Click on the "Incoming Web Request" tab. Choose
> your server and click Edit. Could you see the certificate you created in the
> CEICW? Please select the certificate you just assigned in CEICW to see if
> the problem still exists.

As I mentioned at the very beginning, I cannot enter a commercial
certificate in CEICW. It tells me "no certificate has been requested for the
default web site in IIS...". This is not true. I can create a self-signed
certificate and, yes, this shows up in the ISA "Incoming Web Request".

>
> Please also paste the icwdetailed.htm to the public newsgroup, you can find
> the file at the location %sbsprogramdir%\Networking\ICW.

Here is the most recent file. Let me know if I can send you anything else,
such as an earlier version. Godfrey

SUMMARY OF SETTINGS FOR CONFIGURE E-MAIL AND INTERNET
CONNECTION WIZARD

This file contains detailed information about the
configurations specified in the Configure E-mail and
Internet Connection Wizard.
The configurations specified in the Configure E-mail and
Internet Connection Wizard determine the settings for your
network, firewall, secure Web site, and e-mail.

NETWORKING CONFIGURATION SUMMARY

After the wizard completes, the following network connection
settings will be configured:
Connection type: Do not change

FIREWALL CONFIGURATION SUMMARY

After the wizard completes, the following firewall settings
will be configured:

Internet Security and Acceleration (ISA) Server will be
configured as follows:

Disable existing filters that may create a filter
conflict.

Create a standard set of network service filters.
For a list of the standard filters, see firewall settings
for your Windows Small Business Server network in Help and
Support.

Create the following additional filters:
E-mail
Virtual Private Networking (VPN)
Terminal Services
FTP
For more information about the port number and
purpose of each additional filter, see firewall settings for
your Windows Small Business Server network in Help and
Support.

Create the following custom filters:
SBS Remote Web Workplace CustomFilter, 4125, TCP

Add the internal domain name for Windows Small
Business Server to the local domain table (LDT) of ISA
Server to allow ISA Server to route internal network
requests on the local network.

Enable IP routing.

Disable automatic discovery as this interferes with
IIS as both ISA Server and IIS attempt to bind to port 80.

Configure the Web listeners to receive incoming http
requests using Small Business Reverse Proxy Listen Entry.

Disable the H.323 Application Filter for video and
audio conferencing for security.

Set the maximum number of incoming Web request
connections allowed to the default Web site to 500. This
improves system availability and reliability by mitigating
denial-of-service attacks against your Web site.

Add the loopback adapter IP address of 127.0.0.1 to
support the http://localhost for IIS.

Create an incoming Web request listener and bind to
IP address of server’s local network adapter to allow ISA
Server to handle Web requests from the Internet.

Set the incoming Web request listeners to allow a
maximum of 300 connections from the outside. This improves
system availability and reliability by mitigating
denial-of-service attacks against your Web site.

Ensure that the publishing rules created by the
wizard are listed first in the order.

Create publishing rules to route appropriate
incoming Web requests to the server’s local network
adapter.

Create a Web publishing rule for Outlook Web Access
that publishes the following IIS Web site directories:
/exchange, /exchweb, and /public. This publishing rule
routes appropriate incoming Web requests to the server’s
local network adapter. Additionally, Outlook Web Access will
be configured for Forms Based Authentication (also called
Cookie Authentication). The Public folder is also configured
to accept Windows Integrated Authentication.

Create a Web publishing rule for the Remote Web
Workplace that publishes the /remote IIS Web site
directory.

Create a Web publishing rule for the Server
performance and usage reports that publishes the /monitoring
IIS Web site directory.

Create a Web publishing rule for Outlook Mobile
Access that publishes the following IIS Web site
directories: /OMA and /Microsoft-Server-ActiveSync.

Create a Web publishing rule for Outlook via the
Internet that publishes the /rpc IIS Web site directory.

NOTE: Users connecting to Outlook Web Access,
Remote Web Workplace, and Outlook via the Internet, must use
an https:// connection. Additionally, these Web site
directories are configured to require 128-bit encryption.
All other Web sites can use either https:// or http://
connections.
Internet Information Services (IIS) will be configured as
follows:

Configure http.sys driver to only bind to the local
network adapter to prevent IIS from conflicting with ISA
Server on the ISP network adapter.

Disable socket pooling.
Set DNS to listen to only to the local network
adapter.
To only listen on the local network adapter. This
allows ISA Server to monitor incoming Web requests from the
Internet.



SECURE WEB SITE CONFIGURATION SUMMARY

After the wizard completes, the following secure Web site
settings will be configured:
Secure Sockets Layer (SSL) will be configured as follows:
Do not change current Web server certificate Create a
Web server certificate named ISAcert.cer in the \sbscert
folder and also install this certificate into ISA Server.
This certificate is required so that you can access secure
Web sites on the computer running Windows Small Business
Server if ISA Server is installed. ISAcert.cer is configured
for ISA Server for external Web clients. Create an
additional Web server certificate named Sbscert.cer and
install this certificate in IIS, which is used by internal
clients and by redirected Web requests from ISA Server.

The incoming Web listener is configured to use the
ISAcert.cer certificate.

E-MAIL CONFIGURATION SUMMARY

After the wizard completes, the following e-mail settings
will be configured:
Exchange will be configured as follows:
Email: Do not change Exchange configuration for Internet
e-mail.
Keep the existing Internet e-mail configuration.

After the wizard completes, the icwlog.txt in C:\Program
Files\Microsoft Windows Small Business Server\Support is
updated.
After the wizard completes, the wizard script file
config.vbs is created in C:\Program Files\Microsoft Windows
Small Business Server\Networking\Icw.
NOTE: Each time the wizard runs, a new config.vbs file is
automatically generated to preserve the previous settings.
For example config.vbs, config1.vbs, config2.vbs, and so
on.



