Re: CEICW after loading third party certificate
- From: "SuperGumby [SBS MVP]" <not@xxxxxxxxxxx>
- Date: Mon, 10 Aug 2009 22:36:53 +1000
I've been known to disagree with Dr Tom however, yes, the one remaining part of the puzzle is DNS in/outside the LAN.
We don't want to be responsible for 'domain.com' but we do want 'ourname.domain.com' to work inside the LAN. ISA, unlike most commodity routers, doesn't really care if references to ourname.domain.com resolve to its internal or external IP. The requests will be handed to ISA anyway and processed through forward/reverse proxy by the actions of the ISA Firewall Client, which should be on all ISA client PCs.
So we create a DNS ZONE (not host) for ourname.domain.com to point to the IP address (ISA internal or external). The zone consists of one 'same as parent' host entry. We DO NOT create the host 'ourname' in the DNS zone 'domain.com' because that would require us to maintain host entries for other servers in the zone (www. ftp. whatever.).
Hosts files are for people who do not have control of their local DNS.
"thejamie" <thejamie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:82780135-0234-4F90-A381-060895667F1E@xxxxxxxxxxxxxxxx
If I may, I'd like to mention a couple of fine tuning mentionables.
When setting up the server with the CEICW wizard, I inevitably chose
mail.mydomain.com. In an effort to resolve the issue you mention below
"mail.etc probably does not resolve optimally", there was something I noted
slightly by error. Most of the sites recommended re-running the CEICW for
this and I left out the mail.mydomain.com. It came back with
publishing.mydomain.local. After running again with mail.mydomain.local it
appears to have resolved many of the errors listed in the Best Practices but
not the issue of resolving the companyweb from within the domain.
This BPA finds this error:
The name of the server certificate attached to a Web publishing rule does
not match the public name.
Dr Shindler mentions in one of his articles that OWA looks for the first
name on the certificate so from the outside, it hits the GoDaddy first and
the resolution of the trust resolves immediately. However, from inside, due
to the name mail.mydomain.com being the name on the CA as well as the
internal, the resolution does not occur as the internal certificate is not
the GoDaddy certificate and thus the FQDN is resolved by alternate means (I
may not be fully understanding this). Somewhere else, and I can't find this
now, recommended adding a record to the hosts file for mail.mydomain.local
which I have also tried.
It seems that if I am planning to add a Sharepoint 3.0, there will be yet
another certificate involved with similar issues.
Dr Shindler says: "you do not want the www.mydomain.com request to be
forwarded back to the Incoming Web Requests listener! You want the request
forwarded to the internal network Web server."
and I suspect this means that it will require a rule in ISA 2004 to add
Sharepoint access to the domain user.
--
Regards,
Jamie
"SuperGumby [SBS MVP]" wrote:
Records in a public DNS zone are inherently viewable (DNS wouldn't work
otherwise). As soon as you supplied me the zone (real 'company.com') I
queried it, discovered the mentioned info.
There's still a piece of the puzzle to put in place, mail.etc probably does
not resolve optimally inside the network and it is desirable that it do so
(or you'll have it working outside but a name mismatch internally).
Confirm that all is well from outside and we can add the last bit.
"thejamie" <thejamie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:759C2EF8-3E83-4EDE-96A4-D9B2515A7BE1@xxxxxxxxxxxxxxxx
> Mail will work. Once again, thanks for the help. Not sure how you
> figured
> that mail is a public name, but it makes things much easier.
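The zone-per-public-name setup SuperGumby describes above, carried out on the SBS server's own DNS with dnscmd, as an added example that is not from anyone in the thread; the zone name mail.mydomain.com, the parent zone mydomain.com and the ISA address 192.0.2.10 are constructed placeholders.

```batch
@echo off
rem Added example, not from the thread. Split DNS for the public name that is
rem on the certificate: one zone named after the FQDN itself, holding a single
rem "same as parent folder" host record, and nothing added to the parent zone.
rem Constructed values: public name, parent zone and the ISA IP (internal or
rem external; with the ISA Firewall Client in use either one is handed to ISA).
set PUBNAME=mail.mydomain.com
set PARENT=mydomain.com
set ISAIP=192.0.2.10

rem 1. Create an AD-integrated primary zone whose name IS the public FQDN.
dnscmd /ZoneAdd %PUBNAME% /DsPrimary

rem 2. Add the one "same as parent" A record (@ = the zone apex).
dnscmd /RecordAdd %PUBNAME% @ A %ISAIP%

rem 3. Check from inside the LAN: the public name must now answer with ISAIP,
rem    so the name on the certificate and the name the client asked for match.
nslookup %PUBNAME% 127.0.0.1

rem 4. Check the parent zone stayed untouched: no 'mail' host was created there,
rem    so we never become responsible for www., ftp. and the rest of %PARENT%.
dnscmd /EnumRecords %PARENT% mail
```

Step 4 should report that the node does not exist; if it lists an A record, a host was created in the parent zone instead of a zone of its own, which is the arrangement the post says to avoid.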