ISA 2006 and SAN/UC Certificates
Much has been written about ISA 2006 "not supporting SAN certificates".
And, to some degree, this is true: the RTM version of ISA 2006 will only recognize the first subject alternative name in a certificate.
So what do you do if the name you need to use is not the first SAN in the certificate? You fake it out. :-)
What you publish using ISA 2006 is the entire certificate, to the outside. What's important to ISA is how you use it, inside. Clear as mud?
This is the three-step work-around:
- For the rule that you have an issue with, open the Property sheet.
- On the "Web Farm" tab, the "Internal site name" must be the first subject alternative name published on the certificate.
- On the "Public Name" tab, add both names - the name you want to use (e.g., mail.contoso.com) as well as the first SAN on the certificate (e.g., autodiscover.contoso.com).
That's all it takes. And, of course, if you list the name you need as the first SAN when you create the certificate, none of this is a problem either. Most Certification Authorities will also re-issue certificates within a few days for free, if you messed the request up.
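To see which name is the first SAN, and so what belongs on each tab, this added PowerShell example (not part of the original post) lists a certificate's DNS SANs in certificate order and maps them onto the two fields above. The function names, the `-CerPath` and `-DesiredName` parameters and the sample SAN text are assumptions made for illustration, and the parsing assumes the English-locale Windows formatter, which prints entries as `DNS Name=<host>`.

```powershell
# Added example, not from the original post. Assumes Windows with the
# English-locale certificate formatter ("DNS Name=<host>" per line).
param(
    [string]$CerPath,                          # optional: exported .cer file to inspect
    [string]$DesiredName = 'mail.contoso.com'  # the name clients will actually use
)

function Get-SanDnsName {
    # Returns the DNS names from formatted SAN text, preserving certificate order.
    param([string]$SanText)
    foreach ($line in ($SanText -split "`r?`n")) {
        if ($line -match '^\s*DNS Name=(.+?)\s*$') { $Matches[1] }
    }
}

function Get-IsaSanPlan {
    # Maps the SAN order onto the two property-sheet fields used by the work-around.
    param([string[]]$SanNames, [string]$DesiredName)
    if (-not $SanNames) { throw 'Certificate has no DNS subject alternative names.' }
    if ($SanNames -notcontains $DesiredName) { throw "$DesiredName is not on the certificate." }
    $first  = $SanNames[0]
    $needed = ($first -ne $DesiredName)        # -ne on strings is case-insensitive
    New-Object PSObject -Property @{
        FirstSan         = $first
        WorkaroundNeeded = $needed
        InternalSiteName = $(if ($needed) { $first })                      # "Web Farm" tab
        PublicNames      = $(if ($needed) { @($DesiredName, $first) })     # "Public Name" tab
    }
}

if ($CerPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (Resolve-Path $CerPath).Path
    # 2.5.29.17 is the Subject Alternative Name extension.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($ext) { $ext.Format($true) } else { '' }
} else {
    # Constructed sample mirroring the names used in the post.
    $sanText = "DNS Name=autodiscover.contoso.com`r`nDNS Name=mail.contoso.com"
}

Get-IsaSanPlan -SanNames @(Get-SanDnsName $sanText) -DesiredName $DesiredName
```

Run without arguments it uses the constructed sample and reports that the work-around is needed, with autodiscover.contoso.com as the internal site name and both names as public names.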
Truly, much ado about little...
Until next time...
As always, if there are items you would like me to talk about, please drop me a line and let me know!