Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Updating certificates in ISA 2006

16 views
Skip to first unread message

SG_Dan

unread,
Oct 22, 2009, 2:04:01 PM10/22/09
to
Hello all,

We are running into a strange issue on our ISA 2006
enterprise servers. FYI there are two set up in an array, and seemingly
working fine for publishing OWA, ActiveSync and Outlook anywhere. We also
have the same configuration in our main site (2 ISA 2006 in an array).

We have started the process of updating the certs for CSS
authentication (in a workgroup configuration) using the ISACertTool for this
pair of servers, and after doing so, noticed these events in the App log:

Event Type: Warning
Event Source: Microsoft ISA Server Control
Event Category: None
Event ID: 21238
Date: 10/21/2009
Time: 2:11:42 PM
User: N/A
Computer: XXXISA01
Description:
ISA Server cannot connect to the Configuration Storage server
XXXISA01.domain.com for one of the following reasons:
- The Configuration Storage server is not available.
- There are general networking or authentication issues.
- The firewall policy for the array is incorrectly configured.
For information on resolving these issues, see
http://go.microsoft.com/fwlink/?LinkId=37487.

This event shows up on both array members, but further investigation shows
this event warning on the “02” server from the time it was built.

Given this was an issue dealing with configuration storage Server (CSS), we
worried that changes and updates were not getting out to each array member.
We opened the ISA manager and checked the monitoring console, and on the
configuration tab it shows both servers NOT connecting to the CSS. The CSS
is located on the 01 server so it would seem that the 02 server has had this
problem for a long time, and the 01 server started when we updated it’s Cert.

Given I know the 02 server was functional before, and this event seems a
false positive, I tested it by changing the configuration by adding a
computer under the firewall/toolbox/network objects/computers section. I
applied the change and it was successful. I then checked the configuration
on the 02 server and it too showed the newly added computer.

We are not very familiar with ISA and all the configuration options, but
there seems to be a step we need to perform to update the certificates on ISA
that we seem to have skipped and clearly one we missed when setting the 02
server up, but probably never knew it was a problem in that all the services
still worked.

Given there is so little online for ISA and setting it for Exchange 2007 (in
comparison to all that’s available for Exchange) is there any really solid
outline on the process for updating certificates on ISA, and all the places
that are needed to check?

Thomas K.H. Bittner

unread,
Nov 23, 2009, 5:50:59 AM11/23/09
to
You need certificates for the communication of the ISA array members
inclusive CSS and you need certificates for Exchange services. In any case,
you need also the root trusted ca for this certs in the right certificate
store. Additionally you need the Microsoft Firewall Service have also a
client certificate to reverse communicate with the Exchange services. Check
the certs for the local computer and the firewall service you installed, if
they are trusted. If not, you have to heal this.

Regards, Tom


"SG_Dan" <SG...@discussions.microsoft.com> schrieb im Newsbeitrag
news:8372FD80-3630-4E8B...@microsoft.com...

0 new messages