Tuesday, September 02, 2008 10:01 AM
chrisr
ISA 2006 - CSS and ISA on the Same Server
I was working with a customer the other day and found there really is not much information on how to set up an environment where one of the ISA servers is also a Configuration Storage Server (CSS). The setup wizard lets you install the ISA server with the CSS on the same server, but the documented process leaves out a couple of critical steps. The problem does not show up until you try to add a second ISA server to the array, and it occurs when the ISA servers are set up in a workgroup rather than as members of a domain.
So what is missing from the process? First, you need to install a certificate on the CSS server so that the other ISA servers can connect to it. Second, you need to set up intra-array credentials for the second ISA server.
Below are directions for completing this process. The assumption here is that you have already set up an ISA server with the CSS.
Complete the following steps on the ISA server with the CSS service.
- Change the security mode of the CSS from Windows Authentication to "Authenticate over SSL encrypted channel". This setting is available when you right-click the array name, select Properties and then select the "Configuration Storage" tab.
- Next you will need to create a certificate for this CSS server. First create an access rule from the Local Host network (the ISA server itself) to the Internal network to allow web traffic to reach the CA server. Request a "Server Authentication Certificate" for the computer account, and mark the keys as exportable; later we will need to export the keys so that we can import them into the CSS for authentication. Once the certificate has been issued, install it.
- Using the Certificates MMC snap-in, export the certificate with its private key to a file named ISA.PFX, or something else easy to remember.
- Now that the certificate has been created, installed and exported, import the keys into the CSS. To do this, download the ISACertTool and use it to install the certificate. The tool is available at http://www.microsoft.com/downloads/details.aspx?familyid=F8F60164-C5A5-4716-9FF4-2D56C86506C3&displaylang=en. Read through the ISACertTool readme file for instructions on how to use the tool and install the certificate.
- Now you will need to specify the intra-array credentials.
  - In the ISA Server 2006 Management Console, expand Arrays in the left pane, and then right-click the array you created earlier.
  - Select Properties, and then click the Intra-Array Credentials tab.
  - Select Authenticate using this account (for workgroup configuration only).
  - Click Set Account and enter the Administrator account and password for the mirrored Administrator accounts on the firewall computers (an account with the same name and the same password on every firewall computer).
  - Click OK to close the Properties dialog box.
  - Click Apply in the upper pane of the Management Console to apply the changes.
- As a final step, add the second ISA server to the Array Members group in the ISA console.
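Before exporting the certificate and handing it to ISACertTool, it is worth confirming that the certificate you enrolled is actually the one the array members will be able to validate. The following PowerShell is an added example and is not part of the original post or of the ISA product; it assumes the certificate was enrolled into the local computer's Personal store and that the name array members will use for the CSS is this machine's own DNS name. It lists every certificate in that store that has a private key and the Server Authentication EKU, checks that its DNS name matches the CSS FQDN, builds the chain, and prints the root CA that the array members will need to import.

```powershell
# Added example (not from the original post): sanity-check the CSS server
# certificate before exporting it and importing it with ISACertTool.
# Assumptions: certificate enrolled into LocalMachine\My; array members will
# connect to this machine by its own DNS name.

$cssFqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # assumed CSS name
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$candidates = $store.Certificates | Where-Object {
    $_.HasPrivateKey -and
    ($_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $serverAuthOid })
}
$store.Close()

if (-not $candidates) {
    Write-Warning 'No certificate with a private key and the Server Authentication EKU in LocalMachine\My.'
    return
}

foreach ($cert in $candidates) {
    "Subject    : $($cert.Subject)"
    "Thumbprint : $($cert.Thumbprint)"
    "Expires    : $($cert.NotAfter)"

    # The name the array members connect to must match the certificate's DNS name.
    $nameOk = $cert.GetNameInfo('DnsName', $false) -ieq $cssFqdn
    "Name match : $nameOk (expected $cssFqdn)"

    # The chain must build to a root that the array members will also trust.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; trust, not revocation, is the question here
    $chainOk = $chain.Build($cert)
    "Chain OK   : $chainOk"
    if (-not $chainOk) {
        $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
    }

    # The last chain element is the root CA the array members must install as trusted.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Root CA    : $($root.Subject) [$($root.Thumbprint)]"
    ''
}
```

If more than one certificate is listed, use the thumbprint to pick the right one when you export it; if the name check fails, array members will refuse the SSL connection to the CSS even though the certificate is otherwise valid.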
Here are the steps for setting up the ISA array members to connect to the CSS.
- On the second ISA server, connect to the CA and save the root CA certificate to a file so that it can be used during installation to allow the second ISA server to communicate with the CSS service.
- During the installation, follow the directions below to connect to the CSS:
  - On the Locate Configuration Storage Server page, specify the CSS server. On this page you must provide the credentials of an enterprise or array administrator in order to connect to the Configuration Storage server. Select Connect using this account, enter the account specified above, type the correct password, and then click Next.
  - On the Array Membership page, select Join an Existing Array, and then click Next.
  - On the Join an Existing Array page, click Browse to open the Arrays to join dialog box, and then select the array from the list. Click Next.
  - On the Configuration Storage Server Authentication Options page, select Authentication over SSL encrypted channel.
  - Select Install a trusted Root CA certificate, and browse to the location of the root certificate that you saved in the first step of this procedure.
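Once the second server is installed, the quickest way to tell whether the "Install a trusted Root CA certificate" step took effect, and whether the CSS is presenting a certificate that chains to that root, is to check both from the array member itself. The PowerShell below is an added example, not part of the original post or of the ISA product. The root CA file path and the CSS FQDN are placeholders to replace with your own values, and the TCP port the CSS accepts SSL connections on is an assumption to verify against your ISA documentation. It confirms that the saved root CA is in the computer's Trusted Root store, then opens an SSL connection to the CSS and reports the certificate it presents together with any validation errors.

```powershell
# Added example (not from the original post): from an array member, check that
# the root CA saved from the CA is trusted locally and that the CSS presents a
# certificate that validates against it.
# Placeholders / assumptions: change these for your environment.
$rootCerPath = 'C:\temp\rootca.cer'     # placeholder: root CA file saved from the CA
$cssFqdn     = 'css.example.internal'   # placeholder: name in the CSS server certificate
$cssSslPort  = 2172                     # assumed CSS SSL port; verify in your ISA documentation

# 1. Is the saved root CA already in the computer's Trusted Root store?
$rootCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootCerPath)
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$rootStore.Open('ReadOnly')
$trusted = $rootStore.Certificates.Find('FindByThumbprint', $rootCert.Thumbprint, $false).Count -gt 0
$rootStore.Close()
"Root CA '$($rootCert.Subject)' trusted locally: $trusted"

# 2. Does the CSS present a certificate that validates (name, chain, trust) against that root?
$sslErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:sslErrors = $errors   # record why validation failed, but continue so the cert can be inspected
    return $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($cssFqdn, $cssSslPort)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($cssFqdn)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "CSS presented : $($remote.Subject) [$($remote.Thumbprint)]"
    "Validation    : $sslErrors"   # 'None' means the name matched and the chain built to a trusted root
} finally {
    $ssl.Dispose()
    $tcp.Close()
}
```

A result of `RemoteCertificateNameMismatch` points back at the name used in the CSS certificate, and `RemoteCertificateChainErrors` means the root CA was not imported into the machine store on this array member; in both cases the join will fail even though the intra-array credentials are correct.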