Thursday, November 19, 2009

Certificate procedure for Push Mail with Exchange 2003 SP2 and ISA 2006

Last week, a colleague and I configured an Exchange 2003 SP2 server for push mail. Since it was a joint effort, I want to thank Bram Poelaert for his help and expertise. All information in these posts is therefore the result of our teamwork.

First, a small overview. We were installing and configuring an ISA 2006 server with one network adapter to publish the OMA and OWA functionality to the outside world for push mail. In the backend, an Exchange 2003 SP2 server acts as the mail server. SSL is offloaded on the ISA 2006 server. To complete the picture, a CheckPoint firewall places the ISA server in the DMZ, using three zones: untrusted, DMZ and trusted.

As always, the most difficult (and critical) part of the installation isn’t the configuration of Exchange or even of ISA 2006, but the installation of the necessary certificate. That is what this post is about.

Having an official authority create a certificate for you costs quite a bit of money, so you don’t want to have to do it twice. For that reason, it’s always best to test your procedure first by creating a certificate yourself and making sure your certificate request is correct.

To create and install a certificate yourself, these steps have to be completed:
1. Create a certificate request via IIS web wizard
2. Process the request via your Certification Authority (CA)
3. Issue the pending certificate in CA
4. Assign the certificate to your website in IIS
5. Export the private key and store in a safe location

Make sure that no error messages are displayed when you connect to your secure website. The most frequent mistakes are a common name that does not match the URL, or a certificate chain that is broken somewhere.

Also, be careful with the private key. The key resides only on the computer that created the certificate request. Do NOT import the certificate again (via the MMC, for example) before you have exported the private key. If you do, the private key will be gone and you cannot use the certificate!
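As an added example that is not part of the original post, the following PowerShell script performs the checks just described on the test certificate, and later on the certificate received from the commercial CA: it confirms that the common name or a DNS subject alternative name matches the published hostname, that the certificate chain builds against the machine's trusted roots, that the private key is present and exportable, writes a password-protected PFX backup (step 5), and offers a function that performs a TLS handshake against the published site and reports what a client would complain about. It assumes PowerShell 2.0 with the .NET 2.0 certificate classes, the certificate in the local machine's personal store, and placeholder values (the thumbprint, mail.example.com, the backup path and password) that you replace with your own.

```powershell
# Added example (not from the original post). Assumptions: PowerShell 2.0,
# the certificate lives in Cert:\LocalMachine\My on the server that created
# the request, $Thumbprint is a placeholder, mail.example.com stands in for
# your real OWA/OMA hostname.
param(
    [string]$ExpectedHost   = "mail.example.com",           # hostname in the published URL (assumed)
    [string]$Thumbprint     = "<THUMBPRINT-OF-YOUR-CERT>",  # placeholder, see Cert:\LocalMachine\My
    [string]$BackupPath     = "C:\SafePlace\push-mail.pfx", # assumed location of your safe copy
    [string]$BackupPassword = "<CHOOSE-A-STRONG-PASSWORD>"  # placeholder
)

function Get-CertificateDnsNames($cert) {
    # Common name as DNS name plus every DNS entry of the Subject Alternative Name extension (OID 2.5.29.17)
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) {
        foreach ($entry in ($san.Format($false) -split ", ")) {
            if ($entry -like "DNS Name=*") { $names += $entry.Substring(9) }
        }
    }
    return @($names | Select-Object -Unique)
}

function Test-HostNameMatch($hostName, $certName) {
    # A wildcard name only covers one label to the left of the dot
    if ($certName.StartsWith("*.")) {
        $dot = $hostName.IndexOf(".")
        return ($dot -gt 0 -and $hostName.Substring($dot + 1) -eq $certName.Substring(2))
    }
    return ($hostName -eq $certName)
}

function Test-CertificateChain($cert) {
    # Builds the chain against the machine's trusted roots; revocation checking is
    # skipped because a lab CA usually publishes no reachable CRL
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    return New-Object PSObject -Property @{ Valid = $ok; Problems = $problems }
}

function Export-PrivateKeyBackup($cert, $path, $password) {
    # The PFX carries the private key: keep the file and the password in separate safe places
    if (-not $cert.HasPrivateKey) { throw "Certificate has no private key on this machine; nothing to back up" }
    if (-not $cert.PrivateKey.CspKeyContainerInfo.Exportable) { throw "Private key is marked non-exportable" }
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $password)
    [System.IO.File]::WriteAllBytes($path, $bytes)
}

function Test-PublishedSite($hostName, $port) {
    # Handshake as a client would; the callback only records what the client would complain about
    $script:policyErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($hostName, $port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try { $ssl.AuthenticateAsClient($hostName) } finally { $ssl.Close(); $tcp.Close() }
    return $script:policyErrors   # "None" is what you want before going live
}

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

$names  = Get-CertificateDnsNames $cert
$nameOk = $false
foreach ($n in $names) { if (Test-HostNameMatch $ExpectedHost $n) { $nameOk = $true } }
$chainResult = Test-CertificateChain $cert

Write-Host ("Names on certificate : " + ($names -join ", "))
Write-Host ("Matches $ExpectedHost : $nameOk")
Write-Host ("Chain builds         : " + $chainResult.Valid)
if (-not $chainResult.Valid) { Write-Host ("  " + ($chainResult.Problems -join "; ")) }
Write-Host ("Private key present  : " + $cert.HasPrivateKey)

if ($nameOk -and $chainResult.Valid) {
    Export-PrivateKeyBackup $cert $BackupPath $BackupPassword
    Write-Host "PFX backup written to $BackupPath"
}
# Once ISA publishes the site, run this from a client that can reach the published URL:
# Test-PublishedSite $ExpectedHost 443
```

Run it on the server that generated the request, before you touch the certificate in the MMC: a "Private key present : False" line means the key is not where you expect it, and no export will help. The chain check uses the local machine's trust store, so on the test run your own CA's root must be installed there, just as the commercial CA's chain must later be complete on the ISA server.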

OK, you’ve tested your certificate and it works as you expected. Cool! Now delete everything and start over by creating a new certificate request that you can send to the third party for the creation of your real certificate.
1. Create a certificate request via IIS web wizard
2. Send the certificate request (TXT file) to the CA
3. Import the received certificate via the IIS web wizard
4. Export the private key and store in a safe location
5. Install the certificate and the private key on the ISA 2006 server
6. Use the certificate to secure the data

In my next post I’ll go over the process step-by-step for an easy manual.
I hope this can already put you well underway.

Post series:
1. Certificate procedure for Push Mail with Exchange 2003 SP2 and ISA 2006
2. Certificate procedure - Step 1: Creating a certificate request
3. Certificate procedure – Step 2: Request a certificate
4. Certificate procedure – Step 3: Issuing the certificate
5. Certificate procedure – Step 4: Assign the certificate to your website in IIS
6. Certificate procedure – Step 5: Export the private key and store in a safe location

Enjoy!
