Should I install the certificate on my External Clients?


Guest

Hi
I have a Stand-Alone root CA.
I've already created a certificate on OWA server and imported it into ISA
2000 server ... Internally the SSL does work but externally it doesn't.

My questions are:
1 - Should I install a root CA on my external computers so they can use SSL
with ISA?
2 - I reviewed the purpose of my certificate installed on ISA and OWA server
and it says: "Ensures the identity of a remote computer". Is that OK to use
with SSL?
3 - Does a Stand-Alone root CA work well for this security purpose?

Thanks
 

Steven L Umbach

If it works internally but not externally then you probably have a problem
with DNS name resolution, or blocking of port 443 TCP used for SSL. Have a
client from outside of the network try to connect using the public IP
address that maps to that server instead of DNS name to see if that helps.
Then make sure your firewall device is allowing port 443 TCP through to your
server. You could double check that from a self scan site such as
http://scan.sygatetech.com/pretcpscan.html and do a TCP scan that will scan
for ports up to 1024. It should show port 443 TCP open in order for users to
connect via https. The external clients will need a copy of the CA root
certificate in their local computer certificate store. You can export it
from the CA to a .cer file that you can send to them and then they double
click the .cer file to start the wizard to install it. Use the MMC snap-in
for computer certificates and find your CA certificate in the trusted root
folder where you can right click and select all tasks/export to save it to a
.cer file. Stand-alone CAs work fine, they lack the flexibility that an
enterprise CA has but the concept of PKI for security is exactly the same
and if your certificate is working for internal access it would be fine for
external access. --- Steve
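Steve's two points (external clients need the root CA in their trusted store, and a certificate whose purpose is server authentication is the right kind for SSL) as an added Go example, not code from this thread: it mints a constructed stand-alone root CA and a server certificate it issued, then checks whether a client with and without that root would accept it. The host name owa.example.com and the CA name are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // constructed demo: panic instead of error plumbing
	if err != nil {
		panic(err)
	}
	return v
}

// BuildChain mints a constructed stand-alone root CA and a server certificate it issued
// for host with the "server authentication" purpose ("Ensures the identity of a remote computer").
func BuildChain(host string) (root, server *x509.Certificate) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now().Add(-time.Hour)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Constructed Stand-Alone Root CA"},
		NotBefore:    now, NotAfter: now.Add(10 * 365 * 24 * time.Hour), KeyUsage: x509.KeyUsageCertSign,
	}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // must match the host name clients type in the URL
		NotBefore:    now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	server = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, srvTmpl, root, &srvKey.PublicKey, rootKey))))
	return root, server
}

// ClientTrusts simulates a client whose trusted-root store holds exactly roots; nil means accepted.
func ClientTrusts(server *x509.Certificate, roots []*x509.Certificate, host string) error {
	pool := x509.NewCertPool() // empty pool: no CA installed (not the system store)
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

A client with no copy of the root gets an unknown-authority error, which is the same failure an external browser shows until the .cer file has been imported.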
 

Steven L Umbach

You would have to configure your firewall to allow inbound port 443 TCP.
Some devices already will have SSL listed as a service that you can add to
the list for allowed inbound traffic from the "untrusted" adapter. ---
Steve
 
