SAN certificates are widely used in Exchange Server publishing scenarios, with or without ISA Server 2006.
Enhancements in ISA Server 2006 Service Pack 1
ISA Server 2006 Service Pack 1 supports the use of SAN certificates. Before ISA Server 2006 Service Pack 1, ISA Server only checked the certificate name and ignored the additional names in the SAN field of the certificate.
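The difference described above, modelled as an added example (this is not ISA Server's code and not part of the original article). The certificate dict and host names are constructed sample data in the layout returned by Python's ssl getpeercert(); matching is exact only, and wildcard names are not modelled.

```python
# Added example: compare CN-only name checking (the pre-SP1 behaviour described
# above) with CN + SAN checking. All names below are constructed sample input.

SAMPLE_CERT = {  # constructed, not from a real deployment
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (
        ("DNS", "mail.example.com"),
        ("DNS", "autodiscover.example.com"),
        ("DNS", "owa.example.com"),
    ),
}

def common_names(cert):
    """Return all commonName values from the certificate subject."""
    return [value.lower()
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]

def san_dns_names(cert):
    """Return all DNS entries from the subjectAltName field."""
    return [value.lower()
            for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]

def name_matches(cert, host, use_san):
    """Exact, case-insensitive match of host against CN, optionally SAN too."""
    host = host.lower().rstrip(".")
    names = set(common_names(cert))
    if use_san:
        names.update(san_dns_names(cert))
    return host in names

def coverage_report(cert, published_hosts):
    """Map each published host to (cn_only_result, cn_plus_san_result)."""
    return {host: (name_matches(cert, host, use_san=False),
                   name_matches(cert, host, use_san=True))
            for host in published_hosts}

if __name__ == "__main__":
    hosts = ["mail.example.com", "autodiscover.example.com", "legacy.example.com"]
    for host, (cn_only, with_san) in coverage_report(SAMPLE_CERT, hosts).items():
        print(f"{host:28} CN only: {cn_only!s:5}  CN + SAN: {with_san}")
```

A host that passes only in the second column is one that would have been rejected when only the certificate name was checked.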
Use a self-signed certificate
One way to obtain certificates for ISA Server publishing is to use the SELFSSL.EXE tool from the IIS 6 Resource Kit. With the SELFSSL tool, administrators can create certificates for a Common Name (CN).
Because the self-signed certificate is not issued by a trusted root CA, the user must manually place the self-signed certificate in the Trusted Root CA store on the local ISA Server.
Next, select the local computer account as the certificate store to see all the installed certificates. These are the certificates that ISA Server will use for publishing and Web chaining scenarios.
Trusted Root CA certificates
ISA Server ensures that each certificate it uses can be validated against the issuing CA. ISA Server checks the certificate chain up to the root CA. The list of trusted root CAs can be found in the local computer certificate store on ISA Server 2006 machines.
Using certificates in the Web chaining scenario
One of the bad features used in ISA Server 2006 is the use of certificates in Web chaining scenarios. Web chaining is used to chain web traffic from ISA Server to other web proxies, such as another ISA Server. To use a certificate in the Web chaining scenario, the user must meet the prerequisites below:
Figure 5: Select certificates in the Web chain scenario
Exchange Remote Connectivity Analyzer
Microsoft Exchange Remote Connectivity Analyzer is a very useful tool for testing different types of publishing, with or without ISA Server, without needing client tools such as Microsoft Outlook. Exchange Remote Connectivity Analyzer is also useful for validating the correct deployment of certificates on the Exchange Client Access Server (CAS) or on ISA Server.
ISA Server 2006 Best Practice Analyzer
Another useful utility for troubleshooting certificate issues on ISA Server 2006 is the ISA Server 2006 Best Practice Analyzer (ISABPA). It analyzes ISA Server against best practices from Microsoft to find possible configuration errors or related issues. For certificate troubleshooting, ISABPA checks the ISA Server configuration to see whether certificates are used in the publishing and Web chaining scenarios, and whether the corresponding certificates are found in the local computer certificate store.
To show how ISABPA displays certificate-related issues, we removed all certificates from the local computer certificate store.
Conclusion
In this article, I have provided some more information about ISA Server 2006 certificate deployment and troubleshooting. I also introduced some new ISA Server 2006 Service Pack 1 features that extend ISA Server 2006's ability to use SAN certificates in a web server publishing scenario.