
Configuring SSL certificates for SSL bridging on the Web server and ISA server

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

You must now configure the SSL certificates to use on the Web servers running Windows SharePoint Services and the proxy servers running ISA Server. All of the SSL certificates must meet the following criteria:

  1. The "Issued to" name on the certificate must match the internal DNS name you specify when you configure the Web publishing rule.

  2. The certificate must not be expired.

  3. The reverse proxy server must trust the certification authority (CA) that issued the SSL certificate on the servers running Windows SharePoint Services.

During testing, a local certification authority issued the certificates used on the internal connection between the reverse proxy and the Web servers. Because the same CA issues and is trusted on both sides, this guarantees that the two servers trust the same certification authority.

To configure certificates, if you already have a commercial SSL server certificate installed on any of your Web server computers, do the following:

  1. Export the existing certificate from your Web server to ISA Server. For instructions, see Exporting a certificate from the Web server to ISA Server. If you do not want to use the name on the existing commercial certificate, you must purchase a new one.

  2. Do one of the following on the Web server:

    • Leave a copy of the existing certificate on the Web server. For this to work, the name on the To tab of the Web publishing rule must match the name on the certificate (the published name); otherwise, an error is generated when ISA Server sends an HTTPS request.

    • Request and install a new commercial certificate for the Web server. For instructions, see Requesting a certificate from a commercial certification authority, and then Submitting a certificate request file. The name on the certificate (Common Name or CN) must match the name that ISA Server uses to refer to the Web server, which is the name on the To tab of the Web publishing rule. If it does not match, you might encounter the issues outlined in Microsoft Knowledge Base article 841664.

    • Use a certificate from a local certification authority (CA) for the ISA Server computer to Web server connection. This saves the cost of a second commercial certificate, and the root certificate from the local CA can be stored on the ISA Server computer. To do this, follow the procedures in Appendix B: Setting up a Local Certification Authority.

  3. Alternatively, instead of exporting the existing certificate from the Web server, you can leave the existing commercial certificate on the Web server and request and install a new commercial certificate for the ISA Server computer. For procedures, see Appendix A: Configuring Certificates from a Commercial CA.

If you do not have a certificate already installed on the Web server, do the following:

  1. Obtain a certificate for ISA Server. Generally, for external sites, you will obtain a certificate from a commercial CA (such as Verisign or Thawte). To do this, create a certificate request for a commercial CA using the IIS Web Server Certificate Wizard, and submit the request file. For instructions, see Requesting a certificate from a commercial certification authority, and then Submitting a certificate request file. Because IIS is typically not installed on the ISA Server computer, you will request the certificate from the Web server computer and export it to the ISA Server computer. Note that the name you use to publish the Web site in the Web publishing rule must match the name on the certificate. Currently there is no way to request an SSL server certificate from ISA Server 2004 to the CA directly.

  2. Do one of the following on the Web server:

    • Leave a copy of the certificate you have requested on the Web server so that both the ISA Server computer and the Web server use the same certificate. The name on the To tab of the Web publishing rule must match the name on the certificate.

    • Request and install a new commercial certificate for the Web server. For instructions, see Requesting a certificate from a commercial certification authority, and then Submitting a certificate request file. The name on the certificate must match the name that ISA Server uses to refer to the Web server, which is the name on the To tab of the Web publishing rule.

    • Use a certificate from a local CA for the ISA Server computer to Web server connection. This saves the cost of a second commercial certificate, and the root certificate from the local CA can easily be stored on the ISA Server computer. To do this, follow the procedures in Appendix B: Setting up a Local Certification Authority.

You must also install an SSL certificate on the reverse proxy server. This SSL certificate must match the public FQDN that clients will be using to connect to your SharePoint sites. Note that if you are using Windows SharePoint Services in a multiple host names deployment, you will need a wildcard SSL certificate.
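The following script is an added example; it is not part of the original article and is not ISA Server's own tooling. It checks every certificate in the local computer's personal store against the three criteria listed at the top of this topic (name match, validity period, issuing CA trusted by this computer), which is the check you would run on the ISA Server computer before referencing a certificate in a Web publishing rule or in the Web listener. The expected name sharepoint.corp.example is an assumed placeholder: use the internal DNS name from the To tab of the Web publishing rule for the bridging certificate, or the public FQDN for the certificate on the reverse proxy. A wildcard name on the certificate is accepted when it matches exactly one label, which covers a multiple host names deployment. Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original article). Verifies that certificates in the
# local machine store meet the SSL bridging criteria: name match, not expired,
# and issued by a CA this computer trusts.
param(
    [string]$ExpectedName  = "sharepoint.corp.example",   # assumed placeholder name
    [string]$StoreLocation = "Cert:\LocalMachine\My"
)

function Test-BridgingCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Name
    )
    $result = [ordered]@{
        Thumbprint   = $Cert.Thumbprint
        Subject      = $Cert.Subject
        NameMatches  = $false
        NotExpired   = $false
        ChainTrusted = $false
    }

    # Criterion 1: the "Issued to" name must match the name on the To tab.
    # Collect the subject DNS name plus any DNS subject alternative names (OID 2.5.29.17).
    $names = @($Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) {
        $names += ($san.Format($false) -split ",\s*") |
            ForEach-Object { ($_ -replace "^DNS Name=", "").Trim() }
    }
    foreach ($n in $names) {
        if ($n -ieq $Name) { $result.NameMatches = $true; break }
        # A wildcard (*.corp.example) matches a single leftmost label only.
        if ($n.StartsWith("*.")) {
            $suffix = $n.Substring(1)              # ".corp.example"
            $label  = $Name.Split(".")[0]
            if ($Name -ieq ($label + $suffix)) { $result.NameMatches = $true; break }
        }
    }

    # Criterion 2: the certificate must be inside its validity period.
    $now = Get-Date
    $result.NotExpired = ($now -ge $Cert.NotBefore -and $now -le $Cert.NotAfter)

    # Criterion 3: this computer must trust the CA that issued the certificate.
    # X509Chain.Build succeeds only if the chain ends at a root in the
    # Trusted Root Certification Authorities store of this computer.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $result.ChainTrusted = $chain.Build($Cert)
    if (-not $result.ChainTrusted) {
        # Record why the chain failed, e.g. an untrusted local CA root.
        $result.ChainStatus = ($chain.ChainStatus |
            ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
    }
    return [pscustomobject]$result
}

Get-ChildItem $StoreLocation |
    ForEach-Object { Test-BridgingCertificate -Cert $_ -Name $ExpectedName } |
    Format-List
```

Run it in an elevated PowerShell session on the computer whose store holds the certificate. A certificate that fails only ChainTrusted, with a ChainStatus of an untrusted root, is the typical symptom of using a local CA without importing that CA's root certificate into the Trusted Root Certification Authorities store on the ISA Server computer; a NameMatches failure is the mismatch between the To tab name and the certificate name that the article warns causes errors on ISA Server's HTTPS request.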

For more information about installing SSL certificates, see Client certificates and server certificates in the ISA Server 2000 documentation.
