ISA 2006 and SAN/UC Certificates

Much has been written about ISA 2006 "not supporting SAN certificates".

And, to some degree, this is true: the RTM version of ISA 2006 will only recognize the first subject alternative name in a certificate.

So what do you do if the name you need to use is not the first SAN in the certificate? You fake it out. :-)

What you publish using ISA 2006 is the entire certificate, to the outside. What's important to ISA is how you use it, inside. Clear as mud?

This is the three-step work-around:

  1. For the rule that you have an issue with, open the Property sheet.
  2. On the "Web Farm" tab, the "Internal site name" must be the first subject alternative name published on the certificate.
  3. On the "Public Name" tab, add both names - the name you want to use (e.g., mail.contoso.com) as well as the first SAN on the certificate (e.g., autodiscover.contoso.com).

That's all it takes. And, of course, if you add the first SAN first when you create the certificate, none of this is a problem either. And most Certification Authorities will re-issue certificates within a few days for free, if you messed the request up.

Truly, much ado about little...

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Published Wednesday, May 07, 2008 5:49 AM by michael
Filed under: ,

Comments

Wednesday, May 07, 2008 6:25 PM by eshudnow

# re: ISA 2006 and SAN/UC Certificates

Michael,

I created a blog entry like this a while ago and I have a question for you.

First off, you can see what I did here:

www.shudnow.net/.../publishing-exchange-2007-autodisover-in-isa-2006

One of the things I had to do to get this to work was removed Authenticated Users and use All Users.  This was back in July of 2007 and I heard this would be fixed with Exchange 2007 SP1.  Unfortunately, this was for a client and they have not deployed SP1 yet.  Because of that, I cannot test this.  Hence my comment.

My question is, when you did this with ISA 2006, did you use SP1 for Exchange?  And if so, did it work just fine using Authenticated Users?  Also, did you install the ISA 2006 supportability update?  This update also came out after I did this for a client.

Thanks much,

Elan Shudnow

Thursday, May 08, 2008 6:17 AM by Michael's meanderings...

# Other Certificate Limitations with Exchange/OCS/WM

This is turning out to be SSL certificate week here at TheEssentialExchange.... not planned that way

Friday, May 09, 2008 11:37 AM by subject: exchange

# Weekend reading

How to set the default client language to be used in Outlook Web Access Distribution groups marked as

Friday, May 09, 2008 4:54 PM by (e)Mail Insecurity

# A certificate roundup

A certificate roundup

Friday, October 31, 2008 8:58 PM by dmzfirewall.com » Blog Archive » A certificate roundup

# dmzfirewall.com » Blog Archive » A certificate roundup

Pingback from  dmzfirewall.com  » Blog Archive   » A certificate roundup