picture of tbs certificates
picture of tbs certificates
Our products range

Install a Microsoft ISA certificate


In order to install a certificate on an ISA server, you have to istall that certificate on the IIS server that was used to create the certificate request.

Follow the instructions of one of those pages:
Install a Microsoft IIS5 or IIS6 certificate or Install a Microsoft IIS7 certificate
to retrieve and import your certificate. Then go back on htis page.

Now, you must see your certificate in IIS: check by using the "see the certificate' button.

If you followed other instructions, make sure the intermediate certificate has been installed.

If your ISA is not installed on the same machine, create a .pfx file to transfer your certificate(s)' private key. To do so, follow these instructions:
Save your IIS5 or IIS6 or IIS7 certificate and its private key
then go back to this page.

Installation on the ISA server

1- Launch the MMC

If IIS and ISA are on the same machine, go directly to section 3.

Direct link to launch the certificate manager:
Click on Start, execute, enter certmgr.mmc and click OK.

Or use the following instructions:
  • Click  Start then select  Run and enter mmc
  • Click the file menu  and select  Add/Remove Snap in
  • Click  Add, select  Certificates within  Standalone Snap-in then click   Add
  • Select  Computer Account and click  Next
  • Select  Local Computer and click  Finish
  • Close the window and click OK on the upper window

2- Import the .pfx file

The .pfx file hods the certificate and its private key that you prepared previouslu.

  • Point at Personnals then at Certificates
  • Right-click and select All tasks then Import
  • An helper appears. Select the file holding the certificate to be imported.
  • Validate the default choices
  • Make sure your certificate appeared in the list and that the intermediate and root certificates are in their respective folders. If not, place them in the right folders. Do not hesitate to replace existing certificates.

3.1- Set up ISA Server 2000

  • Open ISA Manager
  • Right-click the server that is going to handle the incoming connection, then Proprieties
  • Click the Incoming Web Requests tab
  • Click the Internet Protocol (IP) address entry for the site that you are going to host.
  • Click Edit
  • Click to select the "Use a server certificate to authenticate to web users" check box.
  • Click Select
  • Select your previously imported certificate.
  • Click OK
  • Click to select the "Enable SSL listeners" check box.
  • Expand the Publishing folder, and then click Web Publishing Rules
  • Double-click the Web publishing rule that will route the SSL traffic.
  • On the Bridging tab, locate Redirect SSL requests as , and then select HTTP requests (terminate the secure channel at the proxy).
  • Click OK
  • Restart your ISA server.

3.2- Set up ISA Server 2004

  • Open ISA Server Manager
  • Click the Firewall Policy node
  • Right click the Firewall Policy node, point to New and click the rule you need (Mail Server Publishing Rule for example). The Server Publishing Rule Wizard appears.
  • Enter a name for the rule in the Mail Server Publishing Rule name text box. Click next.
  • On the Select Access Type page, select Web client access (Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync and click Next.
  • On the Bridging Mode page, select the connection that will be secured. It usually is Secure connection to clients and mail server. Click Next.
  • In the "To" tab, the name must match the name of the certificate CN. If not, an error 500 will be displayed during the connection.
  • On the Specify the Web Mail Server page, enter the name or the IP address for the Internal server in the Web mail server text box.
  • On the "Public Name Details" page, select "This domain name (type below)" in the "Accept requests for" list. Enter the name external users will use to access the Web site in the "Public name" text box. <br />If you select "All domain names", all the request for the public name or IP address will be forwarded to the ISA server.
  • On the "Select Web Listener" page, select the web listener that will forward the request to the web server then click Next. If you did not define any web listener click New and follow the instructions here under.
    • On the "Welcome to the New Web Listener Wizard" page, enter a name for the listener in the "Web listener name" text box. For example "External network SSL Listener" and click Next.
    • On the "IP Addresses" page, put a checkmark in the "External" check box. Click the Address button. In the "External Network Listener IP selection" dialog box, select Specified IP addresses on the ISA Server computer in the select network. Click on the external IP address configured on the ISA Server 2004 firewall that you want to listen for incoming requests to the OWA site in the Available IP Addresses list. The IP address now appears in the "Selected IP Addresses" list. Click Next.
    • On the "Port Specification page", remove the checkmark from the Enable HTTP check box. Place a checkmark in the "Enable SSL" checkbox. Leave the SSL port number at 443 and indicate your certificate name in the "Certificate" text box. Click Next.
    • Click Finish on the "Completing the New Web Listener" page.
  • Click Next on the "Port Specification" page.
  • On the "User Sets" page, accept the default entry, "All Users" to let authentified users access the server. Click Next. To restraint the network to some users click Delete All Users then click add to open the dialog box. Then add the users allowed to access the server.
  • Click Finish on the "Completing the New Mail Server Publishing Rule" Wizard page.
  • Click Apply and then click OK in the "SL Listener Properties" dialog box. It might take a few minutes for the modifications to be applied.
Yet you may have to restart the machine for your modification to be taken into account.

See Also:

External links : Technet Microsoft