Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

Henrik Walther Blog » Blog Archive » Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

Wed, 29 Aug 2007 20:11:15 GMT

PingBack from http://blogs.msexchange.org/walther/2007/08/29/certificates-with-multiple-san-entries-may-break-isa-server-web-publishing/

re: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

Marc Grote aka Jens Baier — Wed, 29 Aug 2007 22:33:16 GMT

Hi Jim,

great information about SAN certificates on ISA. Do you know when the solution from the ISA team will be available?

regards Marc Grote

re: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

isablog — Wed, 29 Aug 2007 22:46:39 GMT

Marc,

We're examining our options. We can't discuss an ETA until we're satisified with the scope of the problem and the solution options we have.

I'll comment here when we reach a decision.

ISA Server 2006 a certifkáty s SAN jmény

TechNet Blog CZ/SK — Thu, 30 Aug 2007 13:32:30 GMT

Pokud jste se někdy snažili o publikaci služeb Exchange Server 2007 skrze ISA Server 2006, dost pravděpodobně

re: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

Elan Shudnow — Fri, 31 Aug 2007 04:31:10 GMT

If you want your other SAN names to work, just keep your TO: tab to be either the CN or 1st SAN name as the article suggests, and just change the Public Name tab to be the name of another SAN name and it'll work just fine.

An example is included in my blog entry below where I explain how to get this to work with both Exchange web services as well as autodiscover using a SAN cert. So for those wanting to get Autodiscover, Web Services, EAS, OA, OWA, etc. using a SAN cert all published on ISA 2006, check out the following article:

http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/

re: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

isablog — Fri, 31 Aug 2007 18:26:07 GMT

Elan,

Actually, what you do at the web listener itself has no bearing on how ISA acts as a "certificate consumer". Based on recent threads in the isapros list and some other offline comments, this seems to be a common point of confusion.

While it's true that OL operates similarly to ISA regarding SAN enteirs, this only means that you make "autodiscover" the Subject or first SAN entry in the cert associated with the web listener.

re: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

tshinder — Tue, 04 Sep 2007 22:36:04 GMT

Jim,

This is interesting in that seems to contrast with what Steven Hope has found in his investigations of how ISA acts as a "consumer" of server certificates of a published Web site. Over at:

http://isaserver.org/tutorials/Generating-SSL-Certificates-Exchange-2007-ISA-Server-2006.html#

He says:

"To top all this, ISA 2006 has a bug regarding Common Names (CNs) and Subject Alternative Names (SANs). When ISA Server bridges a SSL Connection to a web server with a certificate containing SANs, it ignores the CN and only does a name match with the FIRST SAN entry! To work around this make sure the FIRST SAN listed is the same as the CN which in this scenario is MAIL.VIRCOM.CO.UK"

So, if I read it correctly, you say that ISA will use *either* the common/subject name or the first SAN. Steven says that the common/subject name is ignored and only the first SAN is used.

Tom

re: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

Jim Harrison — Tue, 04 Sep 2007 23:46:09 GMT

Hi Tom,

That's interesting. My testing (yes, I really did test this <g>) was quite different; ISA 2006 recognized the Subject name just fine. Could be there's someting in his environment that caused his observaations..?

re: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

Mohit Saxena — Sun, 09 Sep 2007 12:15:13 GMT

In the test I did I only saw ISA using the CN only if there was no SAN present. If multiple SAN were present it would only use the SAN and not the CN.

re: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

Steven Hope — Wed, 19 Sep 2007 19:01:11 GMT

Hi Jim and Tom

ISA 2006 behaved in the following way during my testing:

If there was a cert on the exchange server 2007 that had NO SAN entry then the CN was used - as expected. However, if there was a cert on the exchange server that had at least one SAN entry then ISA ONLY looked at the first SAN entry and ignored the CN completely. In conclusion it seemed that ISA 2006 would ONLY look at the CN if there were NO SAN entries at all.

My recommendation is thus to always make the first SAN entry the same as the CN so ISA behaves the way you would expect it to, i.e. appears to use the CN even though its actually using the first SAN. It would be nice if ISA would FIRST look at the CN and if a match isn’t found, SECOND run through the list of SAN’s, but that isn’t the case.

Regards,

Steven Hope

re: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

Rick Engle — Wed, 10 Oct 2007 19:34:36 GMT

How would this configuration be enhanced to support an environment where on the front-end server there are two URLs and certificates, one for OWA and one for Exchange ActiveSync. There were some significant challenges when coming up with an ISA SSL configuration that could support a web farm of two FE servers hosting OWA, that certificate has a SAN and adding to that configuration support for EAS, leveraging that same web farm but using a different certificate and URL.

re: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

Jim Harrison (ISA SE) — Tue, 16 Oct 2007 00:01:07 GMT

You'd have to create separate rules for each VRoot that operates under a different certificate.

ISA redirects based on the published hostname, and if these differ between VRoots (whether they're separate servers or simply separate IIS listeners), then you need sepoarate rules.

re: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

ilantz — Wed, 17 Oct 2007 01:50:17 GMT

Jim ! where was this wonderful guide when i needed it :)??

I had a terrible time to figure this out on ISA 2004 , now that i noticed both this article & the update to autodiscovery service i'll might just re-do this all over again...properly this time.

Thanks !

re: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

Anonymous — Tue, 13 Nov 2007 22:23:12 GMT

What a nightmare. Is it too much to expect the “recommended” firewall for Exchange 2007 to “just work” correctly the first time? Did anyone bother piloting this before Exchange 2007 shipped?

re: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

isablog — Wed, 14 Nov 2007 19:28:35 GMT

There's a temporal disconnect you're overlooking.

ISA 2006 shipped before Exchange 2007.

SAN certificates didn't become part of the Exchange recommended deployment until after Exch 2007 shipped.

It's rather difficult for any product team to test "future scenarios", but we're working on it.

re: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

Marty — Thu, 15 Nov 2007 07:18:47 GMT

The temporal disconnect is funny, but the sad reality is that the ISA team has had almost a year to release a hotfix or service pack that addresses this problem. And if we include the beta/RC period then you've had well over a year. How much time do you think is reasonable?

re: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

isablog — Wed, 28 Nov 2007 01:09:15 GMT

The reality (sad or not) is that SAN certificates were not in common use by ISA administrators until just before this blog was motivated (days; not years).

Had they been as commonly deployed in ISA web publishing scenarios as you seem to believe, you can certainly bet that ISA customers would have made plenty of noise before now (they haven't).

Because the problem and resolution are much more complex than they appear, we're planning on shipping the fix with ISA 2006 SP1 to ensure proper regression testing. The schedule for this SP will be released ASAP.

re: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

royal — Sat, 02 Feb 2008 09:47:48 GMT

Any update on this? When is ISA going to be patched so it can use all the SAN entries on a SAN cert?

Firewalls and Internet Based Client Management: Part 2: ISA Bridging with ConfigMgr 2007

Adam Meltzer's Configuration Manager Blog — Fri, 15 Feb 2008 03:37:53 GMT

I was going to save this for last, but there's been a lot of questions lately about this that I've been fielding, including a hot interest at TechReady 6 about ISA bridging. This is not a meant to be a step-by-step guide, and will require a bit of familiarity

re: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

isablog — Thu, 28 Feb 2008 20:02:30 GMT

Adam and I are working on a slightly different scenario for publishing SCCM through ISA. It's not specifically related to SAN certificates.

Jim

ISA Server 2006 Service Pack 1 Features

ISA Server Product Team Blog — Sat, 24 May 2008 02:06:02 GMT

ISA Server 2006 Service Pack 1 Features Introduction Microsoft ® Internet Security and Acceleration (ISA)

Firewalls and Internet Based Client Management: Part 2: ISA Bridging with ConfigMgr 2007 (Take Two)

Adam Meltzer's Configuration Manager Blog — Wed, 02 Jul 2008 23:11:22 GMT

IMPORTANT: This post is being kept for archival purposes, but please reference http://technet.microsoft.com/en-us/library/cc707697(TechNet.10).aspx

Point sur l'utilisation des certificats SAN avec ISA Server

David Pekmez's Blog — Wed, 09 Jul 2008 00:36:13 GMT

Article très complet sur l'utilisation des certificats SAN avec ISA, http://blogs.technet.com/isablog/archive/2007/08/29/certificates-with-multiple-san-entries-may-break-isa-server-web-publishing.aspx

re: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing

HD Video Converter — Tue, 26 May 2009 10:56:05 GMT

Open Interoperability Lab http://www.microsoft.com/presspass/press/2007/sep07/09-11MSNovellLabsPR.mspx