Re: Publish SSL Web Server behind SBS2003
- From: "Trevor" <thetrev68@xxxxxxxxx>
- Date: Tue, 25 Oct 2005 13:32:59 -0500
Edward,
Thanks for the help! Unfortunately, we are still stuck on the same problem.
When I create a new web listener, I get the following error and cannot
proceed:
<<A web listener that listens on similar IP and port is already in use by
the rule "SBS Outlook via the Internet Web Publishing Rule". Web listener
IP addresses and ports used by different rules cannot overlap.>>
What next?
-Trevor
"Edward Tian" <v-edtian@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:5Kmg3eR2FHA.3220@xxxxxxxxxxxxxxxxxxxxxxxx
> Dear Trevor:
> Thank you for posting here.
>
> From the description, I understand that you want to publish an internal
> SSL website for external access. If I have misunderstood your concern,
> please do let me know.
>
> Based on my research, this KB article may be helpful:
>
> How to configure a certificate for use with a Web publishing rule in ISA
> Server 2004
> http://support.microsoft.com/default.aspx?scid=KB;EN-US;838244
>
> As we know, the SBS is a highly integrated server including RWW/OWA and
> other web sites. By default, the port 443 has already been occupied by the
> RWW/OWA for SSL encryption. If you want to publish this additional SSL
> website using the same port, we should have multiple public FQDNs. For
> example, external users can access OWA via https://owa.domain.com and
> access this internal SSL website via https://abc.domain.com (or whatever
> you like). In this way, we should register these two URLs "owa.domain.com"
> and "abc.domain.com" on the ISP's DNS Server. That is to say, both of
> these two URLs can be resolved to your public IP address of the SBS Server.
>
> Based on my experience, to publish this internal SSL website, you can try
> the following steps:
>
> Step 1: Ensure the SSL site is working internally.
>
> First we should make sure the SSL website can be accessed internally using
> https://servername:443 so that it reveals the web site is correctly
> configured.
>
> Step 2: Export the certificate including the private key and import it to
> the SBS Server.
>
> Since this is an SSL web site, you should have created your own
> certificate. (In this sample, the certificate name should be
> abc.domain.com, which can be resolved to the external IP address of your
> SBS Server.) Please perform the following steps to export the certificate.
>
> 1. In the Internet Information Services (IIS) Manager console, expand the
> Web Sites node in the left pane of the console and then click the SSL web
> site. Right click the SSL Web Site and click Properties.
> 2. In the Default Web Site Properties dialog box, click the Directory
> Security tab.
> 3. On the Directory Security tab, click the View Certificate button in the
> Secure communications frame.
> 4. In the Certificate dialog box, click the Details tab. On the Details
> tab, click the Copy to File button.
> 5. Click Next on the Welcome to the Certificate Export Wizard page.
> 6. On the Export Private Key page, select the Yes, export the private key
> option and click Next.
> 7. On the Export File Format page, select the Personal Information
> Exchange - PKCS #12 (.PFX) option. Put a checkmark in the Include all
> certificates in the certification path if possible checkbox and remove the
> checkmark from the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or
> above) checkbox. Click Next.
> 8. On the Password page, enter a Password and then enter it again in the
> Confirm Password field. Click Next.
> 9. On the File to Export page, enter c:\sslcert in the File name text box.
> Click Next.
> 10. Click Finish on the Completing the Certificate Export Wizard page.
> 11. Click OK in the Certificate dialog box.
> 12. Click OK in the Default Web Site Properties dialog box.
> 13. Copy the sslcert.pfx file to the root of the C:\ drive on the SBS
> Server.
>
> Step 3: Import the certificate into the ISA Server.
>
> You can refer to this document to import the certificate:
>
> Exporting Your SSL Certificate from IIS 6.0 and Importing To ISA Server
> 2004
> http://www.isaserver.org/articles/exportsslcert.html
>
> Step 4: Create a new Web listener as follows, and import the certificate
> onto this new listener:
>
> Name: SSL site
> IP Addresses: External
> Port Specification: Enable SSL (Add the certificate you just imported, and
> uncheck the option "Enable HTTP")
>
> Step 5: Create a new secure web server publishing rule as follows:
>
> Publishing Mode: SSL Bridging
> Rule Action: Allow
> Bridging Mode: Secure connection to clients and Web server
> Computer name or IP address: abc.domain.com
> Public Name: abc.domain.com
> Web Listener: the one we created before
> User Sets: All users
>
> Step 6: Perform the following steps on the ISA firewall to create the
> HOSTS file entry that maps the SSL site to its Internal address:
>
> Open Windows Explorer, navigate to \WINDOWS\system32\drivers\etc directory
> and open the hosts file.
> In the Open With dialog box, select Notepad and click OK.
> The HOSTS file is opened in Notepad. Add a line at the end of the hosts
> file that resolves the name in the redirect to the IP address that can
> reach the OWA server on the internal network. In the current example, add
> the following line at the end of the HOSTS file:
>
> 10.0.0.2 abc.domain.com
>
> Here I assume 10.0.0.2 is the IP address of the SSL server machine on the
> internal network. Ensure that you press ENTER after you add this line to
> the hosts file to ensure that there is an empty line at the end of the
> file.
>
> Close Notepad and click Yes to save the changes made to the file.
>
>
> After completing the above configurations, we will be able to access this
> SSL Site using https://abc.domain.com, while we can still access OWA via
> https://www.domain.com.
>
> NOTE: You can also use the certificate www.domain.com which is issued by
> the CEICW Wizard for OWA/RWW. In this way, we don't need to export the
> certificate of the SSL site. We should change the settings of the Web
> Publishing Rule to the following and use the original Web Listener called
> "SBS Web listener" which is created by the CEICW Wizard:
>
> Computer name or IP address: abc.domain.com
> Public Name: www.domain.com
>
>
> Moreover, we can use the Tunneling method to publish this SSL web site. In
> this way, we don't need to export the certificate of the SSL site; we just
> need to create a secure web publishing rule as follows:
>
> Publishing Mode: SSL Tunneling
> Server IP address: the IP address of the internal web site
> IP addresses: External
>
> Note: If we use the SSL Tunneling method, the ISA Server will not take the
> responsibility to authenticate the requests but just forward the requests
> to the internal IIS Server. And the most important thing is that we should
> use another port instead of port 443. For example, you can use the port
> 442 so that external users can access this SSL site using
> https://www.domain.com:442
>
> More information:
>
> 838244 How to configure a certificate for use with a Web publishing rule
> in ISA
> http://support.microsoft.com/?id=838244
>
> 837834 How to publish an SSL Web site by using SSL tunneling in ISA Server
> 2004
> http://support.microsoft.com/?id=837834
>
> Hope the above information helps. If any steps are unclear, please feel
> free to let me know. I will try my best to explain it more clearly.
>
> Thank you for your time. Have a nice day!
>
>
> Best Regards
> Edward Tian(MSFT)
> Microsoft CSS Online Newsgroup Support
>
>
> --------------------
> | From: "Trevor" <thetrev68@xxxxxxxxx>
> | Subject: Publish SSL Web Server behind SBS2003
> | Date: Mon, 24 Oct 2005 12:24:36 -0500
> |
> | Hello,
> |
> | SBS2003 Premium with SP1 / ISA2004.
> |
> | I would like to publish a webserver behind ISA2004 that runs on SSL.
> | However, it is getting confused with the SSL certificate for OWA/RWW.
> | Can anybody point me to kb articles or something that would help me with
> | this? I can't seem to find any.
> |
> | My 2-NIC SBS Server faces the web with a public IP and is running all
> | the usual SBS services. I need to redirect SSL traffic to my internal web
> | server for ecommerce. Thanks!
> |
> | -Trevor
> |
> |
> |
>
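The configuration discussed in this thread can be checked on paper before touching ISA. The following Python sketch is an added example, not code from either poster or from Microsoft: it models the two web listeners, reproduces the overlap that the quoted error reports, and lints a publishing rule against the certificate name and the HOSTS entry. The external address 203.0.113.10, the 10.0.0.0/24 internal range, and all function and field names are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: 203.0.113.10 and the 10.0.0.0/24 range are assumptions;
# the names, port 443 and 10.0.0.2 are the ones used in the thread.
HOSTS_TEXT = "127.0.0.1 localhost\n10.0.0.2 abc.domain.com  # internal SSL server\n"
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")
LISTENERS = [
    {"name": "SBS Web listener", "ips": ["203.0.113.10"], "port": 443,
     "cert_cn": "www.domain.com"},
    {"name": "SSL site", "ips": ["203.0.113.10"], "port": 443,
     "cert_cn": "abc.domain.com"},
]

def parse_hosts(text):
    """Map each name in HOSTS-file text to its IP, skipping comments and blank lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table

def listener_overlaps(listeners):
    """Return name pairs of listeners that share a port and at least one IP address."""
    return [(a["name"], b["name"]) for a, b in combinations(listeners, 2)
            if a["port"] == b["port"] and set(a["ips"]) & set(b["ips"])]

def check_rule(rule, listeners, hosts):
    """Return the problems found in one SSL-bridging publishing rule."""
    problems = []
    listener = next(l for l in listeners if l["name"] == rule["listener"])
    # The certificate bound to the listener must carry the name clients type.
    if listener["cert_cn"].lower() != rule["public_name"].lower():
        problems.append("listener certificate name does not match public name")
    # The name ISA forwards to must resolve, via HOSTS, to the internal server.
    target = hosts.get(rule["to"].lower())
    if target is None:
        problems.append("no HOSTS entry for the published server name")
    elif ipaddress.ip_address(target) not in INTERNAL_NET:
        problems.append("published server name resolves outside the internal network")
    return problems

if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_TEXT)
    print(listener_overlaps(LISTENERS))  # the two listeners collide on port 443
    note_rule = {"listener": "SBS Web listener", "public_name": "www.domain.com",
                 "to": "abc.domain.com"}
    print(check_rule(note_rule, LISTENERS, hosts))
```

The rule built in the `__main__` block corresponds to the NOTE variant in the quoted reply, which reuses the existing listener instead of creating a second one on the same IP address and port.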