
Getting rid of a rogue SSL certificate


Godfrey Nicholson

Mar 21, 2005, 12:35:02 AM
For reasons I do not understand, there is a rogue SSL certificate that I
cannot expunge. It does not show up if I search for *.cer, nor if I look in
the Directory Security tabs in IIS, nor in MMC.Certificates, nor in Internet
Explorer>Tools>Internet Options>Content>Certificates.

It does show up if I install a trusted certificate and then try to access
the company web via https://fqdn etc. On the "name does not match" message, View
Certificate shows this rogue certificate from Comodo issued to
www.safeshop.co.nz. This certificate has nothing to do with me but it is
causing me grief.

Anything, up to and including reinstallation of IIS will be considered.

Godfrey
--
Godfrey Nicholson
Ofek Technologies Ltd
Auckland 1001
New Zealand
god...@ofektech.com

Charles Yang [MSFT]

Mar 22, 2005, 3:38:22 AM
Hi Godfrey,

Welcome to this SBS newsgroup.

According to your description, I understand that you want to delete a rogue
certificate in SBS 2003. If I am off base, please let me know.

Based on my research, I would like you to follow these steps to remove the
certificate:

1. Open the IIS Manager mmc.
2. Right click companyweb and open its Properties.
3. In the Directory Security tab, click Server Certificate and select
Remove Certificate.


If the above does not work, you may try the following to at least be able to
remove the certificate information from the companyweb site.
1. Make a backup of the IIS metabase (open the IIS node in
Server Management, then right click on the server name and select All Tasks/
Backup/Restore Configuration).
2. In the IIS node, right click on the server name, choose
Properties and check the box for Enable Direct Metabase Edit.
3. Open %systemroot%\system32\inetsrv\metabase.xml in Notepad.
4. Use Edit/Find to search for SSLCertHash; this should find a reference in the
/lm/w3svc/1 location. Edit/Copy the SSLCertHash line, find the SSLCertHash
under the companyweb site (should be /lm/w3svc/4) and replace the one that
is there with the one copied.
5. Save the file.
6. In the IIS node, right click on the server name, choose Properties
and uncheck the box for Enable Direct Metabase Edit.

You should be able to now view the certificate on the companyweb

Hope the above information helps, if you have any issue, please let me
know. I am standing by to help you.

Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Godfrey Nicholson

Mar 23, 2005, 10:57:03 PM
Charles:

Thanks for your response. Things are not resolved.
Let me spell this out.

(1) I have no problem going to IIS/Properties/Directory Security and
removing a certificate. But the certificate that is there is the one I put
there (manually), the rogue certificate from Comodo is not to be seen.

(2) I thought that your instructions for editing the IIS metabase were going
to allow me to see the rogue certificate lurking behind the scenes. Life is
not that simple! A search of the file (in your step 4) found no
"SSLCertHash", nor was I able to understand or follow your "/lm/w3svc/4".

(3) This "rogue certificate" appears when I attempt a remote access to my
company web. I know nothing at all about this certificate. It is issued to a
business www.safeshop.co.nz. (That's from memory.) I believe that "safeshop"
is a generic name but, as far as I know, I have had no contact with them and
don't understand why their certificate should be lurking in my server.

Thanks in anticipation for any light you can shed on this.

Godfrey

Charles Yang [MSFT]

Mar 24, 2005, 4:05:34 AM
Hi Godfrey,

Thanks for updates.

According to your reply, can I assume that if you use the Directory Security
tab in IIS and choose Server Certificate, you cannot choose Remove
Certificate? If so, it might be caused by the rogue certificate. Since we
cannot reproduce the problem on our test machine, I suggest you try deleting the
offline files in IE and then check if the problem still exists. If the problem
still exists, you might reinstall the intranet component of SBS to see
if the problem can be resolved. If you have a backup of your companyweb
and SharePoint data, maybe you can recover them from the former good backup.

I would like to give you some KB articles for these:

829112 How to back up and restore http://companyweb data in Windows Small
http://support.microsoft.com/?id=829112

887305 How to reinstall Internet Information Services 6.0 in Windows Small
http://support.microsoft.com/?id=887305

829114 How to remove and how to install the Windows Small Business Server
2003
http://support.microsoft.com/?id=829114

I appreciate your understanding. Since this issue might be caused by the
rogue certificate, I suggest you perform a full backup of your personal
data.

Godfrey Nicholson

Mar 28, 2005, 8:05:12 PM
Charles, thanks for your response and for the links.

A couple of comments:
(1) On the Directory Security tab I cannot see the rogue certificate in
order to remove it. I can install a genuine certificate there but it will not
work. The rogue certificate causes https://fqdn/remote to say that the
certificate does not match the fqdn. Clicking on the "View Certificate" option
shows the rogue certificate. I have not been able to do anything to track
down how/where this certificate is "installed".

(2) The "reinstall IIS" link is very scary! What would be the minimum I
would need to reinstall (or rescue from backup) to ensure that I flushed out
where this certificate might be hiding? (I have searched the Registry, but to
no avail.)

I have a drive C: backup that goes back to last November but not a System
State. Is IIS placed in various locations (such as Exchange, SQL, ...) when
it is installed? I cannot see it in any of the Program Files.

Thanks for your comments.

Godfrey

Charles Yang [MSFT]

Mar 29, 2005, 3:16:08 AM
Hi Godfrey,

Thanks for your updates.

IIS is a component of SBS 2003; there is no special directory for IIS.
Normally all certificates created by Windows or by valid third-party
tools are stored as xxx.cer. So it might be a strange certificate from some
website. Also, I am not clear whether, after you restore from your former
backup, the certificate still exists?

At your convenience, I found a tool in IIS called selfssl; you can find the
tool at %systemroot%\programfile\IIS resources. Run the tool to
see if you can reset the certificate.

I appreciate your understanding. If you have any other issue, please let me
know.

Best regards,

Godfrey Nicholson

Apr 11, 2005, 4:20:02 AM
Charles:

I have never understood what you mean when you say this:


"Find the SSLCertHash under the companyweb site (should be /lm/w3svc/4) and
replace the one that is there with the one copied."

Find it where?

I have replaced IIS but it makes no difference. The strange certificate is
still there, blocking any attempt to do an https://mydomain/remote connection
to the server.

I have wondered whether it is something that has been stuck in IS. Would it
make a difference to uninstall and reinstall IS?

Godfrey

Charles Yang [MSFT]

Apr 11, 2005, 5:12:43 AM
Hi Godfrey,

Thanks for updates.

I am sorry for not making things clear.

Now let me describe it more clearly. You can search metabase.xml for
SSLCertHash; you will find two of these in the file, one located
in /lm/w3svc/1 and the other located in /lm/w3svc/4. Then you can
replace the one in /lm/w3svc/4 with the one you copied from /lm/w3svc/1
and save the file as a test.

I appreciate your understanding on this issue. I am here waiting for your
updates.

Godfrey Nicholson

Apr 11, 2005, 6:13:03 PM
Hi Charles:

Thanks for your response. You were very clear!

Unfortunately, when I searched \system32\inetsrv\metabase.xml I only found
one instance of SSLCertHash. This was in /lm/w3svc/1; there was no instance
in /lm/w3svc/4 so I could not copy and paste.

Godfrey

Godfrey Nicholson

Apr 11, 2005, 10:18:01 PM
Charles:

Thank you for your persistence

I thought it might be helpful if I tried to clarify where I am at with
trying to get https://mydomain/remote access working on SBS2003 Premium.
(1) When I try to connect remotely using this approach, I get the Security
Alert that says "The name on the security certificate does not match the name
on the site."
(2) If I click on View Certificate I see a certificate:
(i) This certificate is authentic.
(ii) It is issued by an authentic authority and issued to a legitimate
web site
(iii) I have had nothing to do with either of these entities
(iv) there is no certificate anywhere on my server that corresponds to
what I see. I have searched *.cer to look for such a certificate
(v) None of the IIS Directory Security tabs show the certificate.
(vi) I can enter a certificate in the IIS Directory Security tabs but
this other certificate blocks https:// access.
(vii) I have referred to this other certificate as a "rogue"; I could
have used other words like "unknown", "orphan", "stray", "ghost", ...
(viii) This other certificate does not appear in the mmc certificates
snap in
(ix) It does not appear in IE
(x) There is therefore no way I can replace it with a certificate of my
choice.
(3) I have uninstalled and reinstalled IIS using the instructions of the
link you sent me. This process took about three hours but no problems/errors
occurred.
(4) I have a question: If what I am seeing is a compiled/embedded image that
is cut off from its originating object, where would this most likely be
found? Is it associated with IE or with IIS or with WSS or something else?
(5) Unless you have a better idea, or some new information, it looks as
though I will need to reinstall SBS2003! (Please tell me there is a better
way to solve this!!)

Godfrey

Charles Yang [MSFT]

Apr 12, 2005, 5:05:09 AM
Hi Godfrey,

Thanks for updates.

Based on my research, the location /lm/w3svc/4 is the companyweb site, so
that means you have no certificate on companyweb. So please follow these
steps to perform a test. First, back up metabase.xml to another location.
Then compare /lm/w3svc/4 with the SSLCertHash at
/lm/w3svc/1; you may find that it has a similar structure to
/lm/w3svc/1. Make sure that only the SSLCertHash is missing in
/lm/w3svc/4; then you can copy the SSLCertHash line from /lm/w3svc/1
to the location /lm/w3svc/4 as a test.

I appreciate your understanding on this issue. I am here waiting for your
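The metabase check Charles describes above (Mar 22 and Apr 12: find the SSLCertHash under /lm/w3svc/1 and /lm/w3svc/4) only tells you what IIS believes it has bound. The missing half of the diagnosis is to compare that against the certificate a client actually receives, which is what Paul's "connect from another location" advice is getting at. The script below is an added example, not code from this thread, from Microsoft or from any of the posters: it parses a metabase.xml fragment for the SSLCertHash of each site, takes the SHA-1 thumbprint of a served certificate, and reports whether that certificate is bound in IIS, sits in the machine store without a binding, or is not on the host at all (in which case whatever terminates TLS in front of IIS, such as the ISA listener, is the place to look next). It assumes that IIS 6 stores SSLCertHash as the SHA-1 thumbprint written as space-separated hex bytes on the IIsWebServer element, and that the served certificate is available as DER bytes; the metabase fragment and the three "certificates" are constructed byte strings, not real certificates.

```python
"""Compare the certificate a client receives against the IIS 6 metabase
SSL bindings and the LocalMachine\\MY store.

Added example; not code from the thread.  Assumptions (see lead-in):
SSLCertHash in metabase.xml is the SHA-1 thumbprint as space-separated hex
bytes; the served certificate is supplied as DER bytes.  All certificate
bytes below are constructed stand-ins, not real certificates.
"""
import hashlib
import xml.etree.ElementTree as ET


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER encoding: what Windows shows as the certificate
    thumbprint and what IIS 6 writes into SSLCertHash (assumption)."""
    return hashlib.sha1(der).hexdigest()


def normalise_hash(value: str) -> str:
    """Metabase spells the hash as 'a1 b2 c3 ...'; reduce it to a plain
    lowercase hex string so it can be compared with thumbprint()."""
    return "".join(value.split()).lower()


def parse_ssl_bindings(metabase_xml: str) -> dict:
    """Return {Location: (thumbprint_hex, store_name)} for every
    IIsWebServer element that carries an SSLCertHash.  Sites without one
    (like /LM/W3SVC/4 in the thread) are simply absent from the result."""
    root = ET.fromstring(metabase_xml)
    bindings = {}
    for el in root.iter():
        # Strip the metabase namespace before comparing the tag name.
        if el.tag.rsplit("}", 1)[-1] != "IIsWebServer":
            continue
        cert_hash = el.get("SSLCertHash")
        if not cert_hash:
            continue
        store = el.get("SSLStoreName", "MY")
        bindings[el.get("Location")] = (normalise_hash(cert_hash), store)
    return bindings


def classify_served_cert(served_der: bytes, bindings: dict, store_ders: list) -> tuple:
    """Decide where the certificate a client actually received comes from.
    Returns (verdict, sites_bound_to_it)."""
    tp = thumbprint(served_der)
    sites = sorted(loc for loc, (h, _store) in bindings.items() if h == tp)
    if sites:
        return "bound-in-iis", sites
    if tp in {thumbprint(d) for d in store_ders}:
        return "in-store-but-unbound", []
    # Neither IIS nor the machine store knows this certificate: something
    # other than this IIS instance is presenting it to the client.
    return "not-on-this-host", []


def build_sample_metabase(site1_thumbprint: str) -> str:
    """Constructed metabase.xml fragment: site 1 bound, site 4 (companyweb)
    with no SSLCertHash, mirroring what Godfrey reported."""
    spaced = " ".join(site1_thumbprint[i:i + 2] for i in range(0, len(site1_thumbprint), 2))
    return (
        '<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">\n'
        "<MBProperty>\n"
        '<IIsWebServer Location ="/LM/W3SVC/1"\n'
        '    ServerComment="Default Web Site"\n'
        f'    SSLCertHash="{spaced}"\n'
        '    SSLStoreName="MY"\n'
        "/>\n"
        '<IIsWebServer Location ="/LM/W3SVC/4"\n'
        '    ServerComment="companyweb"\n'
        "/>\n"
        "</MBProperty>\n"
        "</configuration>\n"
    )


# Constructed stand-ins for DER certificate bytes (not real certificates).
SBSCERT_DER = b"constructed stand-in for Sbscert.cer DER bytes"
ISACERT_DER = b"constructed stand-in for ISAcert.cer DER bytes"
STRAY_DER = b"constructed stand-in for the unexpected certificate"
LOCAL_MY_STORE = [SBSCERT_DER, ISACERT_DER]
SAMPLE_METABASE = build_sample_metabase(thumbprint(SBSCERT_DER))


def main() -> None:
    bindings = parse_ssl_bindings(SAMPLE_METABASE)
    print("IIS SSL bindings found in metabase.xml:")
    for location, (tp, store) in bindings.items():
        print(f"  {location}: {store}\\{tp}")
    for label, der in (("served (stray)", STRAY_DER), ("served (Sbscert)", SBSCERT_DER)):
        verdict, sites = classify_served_cert(der, bindings, LOCAL_MY_STORE)
        print(f"{label}: thumbprint {thumbprint(der)} -> {verdict} {sites}")


if __name__ == "__main__":
    main()
```

On a real host, feed `parse_ssl_bindings` the contents of %systemroot%\system32\inetsrv\metabase.xml, and give `classify_served_cert` the DER bytes captured from outside the network (for example with `openssl s_client -connect fqdn:443 </dev/null | openssl x509 -outform DER`) plus the DER of each certificate exported from the LocalMachine\MY store. The "not-on-this-host" verdict is the one worth having: it says IIS never bound that certificate, so editing the metabase or reinstalling IIS cannot change what the client sees, and the search has to move to whatever sits between the client and IIS.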

Godfrey Nicholson

Apr 12, 2005, 9:36:01 PM
Charles, Hi:

I did what you said. The first /4 section was "sort of similar" to the /1
section so I added the SSLCertHash property together with the SSLStoreName. I
replaced the original metabase.xml, restarted IIS and the problem was still
there.

Did you read what I wrote in my second posting yesterday? (the one below
this on the list)

Godfrey

Charles Yang [MSFT]

Apr 13, 2005, 6:00:48 AM
Hi Godfrey,

Thanks for updates.

After discussion with our SP, we suggest you search for the certificate in the
MMC: you can open MMC, add the Certificates snap-in and then search for the
certificate that is missing.

We also suggest you rerun CEICW following the steps below; there you can add a
new certificate. We suggest you use your FQDN to assign a self-signed certificate
to see if the problem can be resolved. Please refer to the KB below for
detailed information:

825763 How to configure Internet access in Windows Small Business Server
2003
http://support.microsoft.com/?id=825763

I appreciate your understanding on this issue. If the problem still
exists, we suggest you paste the ICWlog.txt to us for further research.
You can find the log at the location: \Program files\Microsoft Windows
Small Business Server\Support.

Paul Campanale

Apr 13, 2005, 12:17:06 PM
Godfrey,
I was perusing the forum and noticed your post. I have seen this issue
before on an SBS 2003. I need to know the following: Are you running ISA
2000? Have you configured multiple IPs on the external interface? Have you
tried to run the "Connect to the Internet" wizard in your SBS Tools? If so,
you should have been asked to recreate the cert.; did you?
Remember that ISA caches the cert. for both internal and external users, and
depending on how your external interface is configured will determine which
cert. is used when outside users attempt an SSL connection to your Remote
Workplace or OWA.
I have also read several threads on other forums that prove how ISA
corrupts the cert. when it attempts to hash the packet.
Answer the above and I'll give you my suggestions.
Paul

Godfrey Nicholson

Apr 13, 2005, 5:04:02 PM
Hello Paul:

Thanks for your response; here are my answers:

(i) I am running ISA 2000 (SBS 2003 Premium with everything installed and
running)
(ii) Multiple IPs?? I am not sure what you are asking. I have a public static
IP which is automatically attached to the external side of my router (Do you
want to know more?)
(iii) Yes, the CEICW wizard is run whenever anything is changed, as is the
Remote Access Wizard. I haven't recreated the certificates for, perhaps, a
week now. I also have a commercial certificate but I am not able to attach
that using the CEICW wizard or by attaching directly through the IIS
Directory Security tab. (The self-signed certificates used to work (like at
the beginning of the year) but I can't figure out anything significant that has
happened since then, apart from security updates!!)

I would be so grateful for any suggestions you can make.

Godfrey

Paul Campanale

Apr 13, 2005, 6:45:03 PM
Godfrey,
From what you have told me you only have a single IP bound to your external
NIC; that's good. In my case I have 6 IPs and you must configure ISA
accordingly.

First, make sure you have not installed the certificate as a personal cert in
the SBS browser; to check it go to Internet Properties, Content, Certificates.
Remove it from the list if it's there.
Now open the ISA mmc on your SBS and go to "Servers and Arrays" and right
click on your server name, select Properties. Click on the "Incoming Web Requests"
tab. Select
"Configure listeners individually per IP...". If your external IP does not
show, click Add and find the external IP of the SBS, put a check in "Use
server certificate...". It should default to the cert. store and should list
all certificates you have created; use the most recent cert. created when you
ran the CEICW. You will also need to select "Integrated Authentication".
Click OK and OK; the service will need to restart. If you're familiar with
ISA, do not mess with the Web Publishing rules. The default action is to
redirect incoming requests to "publishing.YourInternalDomainName.local".
If this does not remove the bogus cert., let me know. Also, attempt to
connect to Remote Workplace from another location to be sure the cert. being
passed is the same. Another note: are you running a website (other than
SharePoint, OWA or CompanyWeb)??
I am asking to determine how far from the default install of SBS you are.

Let me know.
Paul

Charles Yang [MSFT]

Apr 14, 2005, 6:35:09 AM
Hi Paul,

Thanks for valuable updates.

Godfrey, I suggest you also follow my reply to rerun the CEICW to see if
there is any error. And paste the ICWlog.txt back.

Thanks for cooperating.

Godfrey Nicholson

Apr 14, 2005, 11:57:02 PM
Charles:

Here is the log entry from yesterday afternoon. Tell me what you make of it.
14/04/2005 5:02 p.m.
C:\Program Files\Microsoft Windows Small Business
Server\Networking\ICW\wizemail.dll, version 5.2.2651.0
calling CEmailCommit::ValidatePropertyBag ().
calling pdispPPPBag->QueryInterface (IPropertyPagePropertyBag, 0x6f558).
Call to pdispPPPBag->QueryInterface () returned ok.
calling ReadInt4 (0x268b48, DB5E5E45-3598-4F1D-8FF7-0ED35B9EB6A4).
Call to ReadInt4 () returned ok.
The out param of ReadInt4() is -1.
calling CValidatePropertyUtil.ValidatePropertyInteger ().
Call to CValidatePropertyUtil.ValidatePropertyInteger () returned ok.
Call to CEMailCommit::ValidatePropertyBag () returned ok.
calling CNetCommit::Commit (2526024).
calling CNetCommit::ValidatePropertyBag ().
Call to Querying for the property bag () returned ok.
Property bag is not dirty, skipping validation
calling CNetCommit::Common ().
Call to CNetCommit::Common () returned ok.
Call to CNetCommit::Commit () returned ok.
calling CCometCommit::CommitEx ().
calling CCometCommit::ValidatePropertyBag ().
Call to Initializing CometUtil () returned ok.
Call to Reading the firewall selection () returned ok.
Firewall selection: -1
Call to CCometCommit::ValidatePropertyBag () returned ok.
Call to Validating property bag () returned ok.
Call to Reading private NIC Guid () returned ok.
Call to Reading private NIC IP () returned ok.
Private NIC IP: 192.168.0.1
Call to GetComputerName () returned ok.
Computer name: tiger2
Call to Get the packet filtering object () returned ok.
Call to Enabling the HTTP 80 Out filter for trusted cert () returned ok.
Call to Setting default logon domain for OWA () returned ok.
Call to Setting Anonymous Access () returned ok.
calling SetGroupInternetAccess (BEINGABOUTLIMIT\SBS Internet Users, 0).
calling SetLDTEntry (*.BeingAboutLimited.local, 0).
Found an existing cert installed on the listener
calling SetReverseProxy (0x1, 0x0).
calling RemoveReverseProxyListenEntries (0x0).
Call to Setting reverse proxy listen entries () returned ok.
calling Add [Small Business Server Microsoft Update Sites] Destination Set
(0x0).
calling Add [Small Business Server All Users Site and Content Rule] (0x0).
calling DeleteProtocolInfo (0x0).
Call to CCometCommit::Commit () returned ok.
Calling CCertCommit::CommitEx
Calling CCertCommit::ValidatePropertyBag
Require SSL for OWA: 1
Require SSL for Remote Portal: 1
Require SSL for Monitoring: 0
Require SSL for OMA: 0
Require SSL for CompanyWeb: 0
Require 128 Bit Encryption: 1
Cert selection: 1
Web server name: tiger2.beingabout.co.nz
CCertCommit::ValidatePropertyBag returned OK
Updating Client Setup config.dat file returned OK
CCertCommit::EnableSSL returned OK
CCertCommit::RequireSSL returned OK
CCertCommit::NotifyRemoteUserPortal returned OK
Reading the Internet Server Name returned OK
Forcing an update on the provisioning ref count
Updating provisioning info returned OK
Sending RUP intro mail returned OK
CCertCommit::SaveUserSelections returned OK
CCertCommit::CommitEx returned OK
calling CEmailCommit::Commit (0x26d6c8).
calling CEmailCommit::ValidatePropertyBag ().
calling pdispPPPBag->QueryInterface (IPropertyPagePropertyBag, 0x6f4d4).
Call to pdispPPPBag->QueryInterface () returned ok.
calling ReadInt4 (0x268b48, DB5E5E45-3598-4F1D-8FF7-0ED35B9EB6A4).
Call to ReadInt4 () returned ok.
The out param of ReadInt4() is -1.
calling CValidatePropertyUtil.ValidatePropertyInteger ().
Call to CValidatePropertyUtil.ValidatePropertyInteger () returned ok.
Call to CEMailCommit::ValidatePropertyBag () returned ok.
calling pdispPPPBag->QueryInterface (IPropertyPagePropertyBag, 0x6f544).
Call to pdispPPPBag->QueryInterface () returned ok.
calling ReadInt4 (0x268b48, DB5E5E45-3598-4F1D-8FF7-0ED35B9EB6A4).
Call to ReadInt4 () returned ok.
The out param of ReadInt4() is -1.
calling GetDomainAndControllerNames ().
Call to GetDomainAndControllerNames () returned ok.
calling GetOrganizationName (\\tiger2.BeingAboutLimited.local,
DC=BeingAboutLimited,DC=local).
Call to GetOrganizationName () returned ok.
calling GetFirstAdministrativeGroup (\\tiger2.BeingAboutLimited.local,
DC=BeingAboutLimited,DC=local, BEINGABOUTLIMIT).
Call to GetFirstAdministrativeGroup () returned ok.
calling GetFirstRoutingGroup (\\tiger2.BeingAboutLimited.local,
DC=BeingAboutLimited,DC=local, BEINGABOUTLIMIT, first administrative group).
Call to GetFirstRoutingGroup () returned ok.
Call to SetCookieAuthentication () returned ok.
Call to Enabling Wireless admin for OMA () returned ok.
Call to Getting NETBIOS domain name () returned ok.
NETBIOS domain name: BEINGABOUTLIMIT
Call to Enabling NTLM on /public () returned ok.
calling CommitPOP3 (0x268b48).
Call to CommitPOP3 () returned ok.
calling _SetRegInt4Value (HKEY_LOCAL_MACHINE,
SOFTWARE\Microsoft\SmallBusinessServer\Connectivity\ICW,
Last_MailOption_Exchange, -1).
Ignoring return value from call to _SetRegInt4Value().
Call to CEMailCommit::Commit () returned ok.
calling CNetCommit::SaveConfig ().
calling CEmailCommit::ValidatePropertyBag ().
calling pdispPPPBag->QueryInterface (IPropertyPagePropertyBag, 0x6f52c).
Call to pdispPPPBag->QueryInterface () returned ok.
calling ReadInt4 (0x268b48, DB5E5E45-3598-4F1D-8FF7-0ED35B9EB6A4).
Call to ReadInt4 () returned ok.
The out param of ReadInt4() is -1.
calling CValidatePropertyUtil.ValidatePropertyInteger ().
Call to CValidatePropertyUtil.ValidatePropertyInteger () returned ok.
Call to CEMailCommit::ValidatePropertyBag () returned ok.
calling CScriptUtil::RenameFile (config40.vbs).
Call to CScriptUtil::RenameFile () returned ok.
calling CScriptUtil::OpenFileToRead (temp.icw).
Call to CScriptUtil::OpenFileToRead () returned ok.
The out param of CScriptUtil::OpenFileToRead() is 0x77bebd00.
calling CScriptUtil::CreateFile (config40.vbs).
Call to CScriptUtil::CreateFile () returned ok.
The out param of CScriptUtil::CreateFile() is 0x77bebd40.
calling CopyUntilSection (0x77bebd00, 0x77bebd40).
Call to CScriptUtil::CopyUntilSection () returned ok.
calling WriteEmailSection (0x77bebd40).
Call to WriteEmailSection () returned ok.
calling CScriptUtil::CopyUntilSection (0x77bebd00, 0x77bebd40).
Call to CScriptUtil::CopyUntilSection () returned ok.
calling WriteSetPropertySection (0x77bebd40).
Call to WriteSetPropertySection () returned ok.
calling CScriptUtil::CopyUntilSection (0x77bebd00, 0x77bebd40).
Call to CEMailCommit::SaveConfig () returned ok.
Calling CCertCommit::SaveConfig
Calling CCertCommit::ValidatePropertyBag
Require SSL for OWA: 1
Require SSL for Remote Portal: 1
Require SSL for Monitoring: 0
Require SSL for OMA: 0
Require SSL for CompanyWeb: 0
Require 128 Bit Encryption: 1
Cert selection: 1
Web server name: tiger2.beingabout.co.nz
CCertCommit::ValidatePropertyBag returned OK
CCertCommit::SaveConfig returned OK
calling CCometCommit::SaveConfig ().
calling CCometCommit::ValidatePropertyBag ().
Call to Initializing CometUtil () returned ok.
Call to Reading the firewall selection () returned ok.
Firewall selection: -1
Call to CCometCommit::ValidatePropertyBag () returned ok.
Call to CCommetCommit::SaveConfig () returned ok.
calling CNetCommit::SaveConfig ().
calling CNetCommit::ValidatePropertyBag ().
Call to Querying for the property bag () returned ok.
Property bag is not dirty, skipping validation
calling oScriptUtil.RenameFile ().
Call to oScriptUtil.RenameFile () returned ok.
calling oScriptUtil.OpenFileToRead ().
Call to oScriptUtil.OpenFileToRead () returned ok.
calling oScriptUtil.CreateFile ().
Call to oScriptUtil.CreateFile () returned ok.
calling oScriptUtil.CopyUntilSection ().
Call to oScriptUtil.CopyUntilSection () returned ok.
calling WriteNetworkSection ().
Call to WriteNetworkSection () returned ok.
calling oScriptUtil.CopyUntilSection ().
Call to oScriptUtil.CopyUntilSection () returned ok.
calling WriteSetPropertySection ().
Call to WriteSetPropertySection () returned ok.
Call to CNetCommit::SaveConfig () returned ok.
calling GetBOConnector ().
Call to GetBOConnector () returned ok.
calling spADs->PutEx (ADS_PROPERTY_CLEAR, msExchSmtpOutboundSecurityPassword).
Call to spADs->PutEx () returned ok.
calling spADs->SetInfo ().
Call to spADs->SetInfo () returned ok.

Godfrey

Godfrey Nicholson

Apr 15, 2005, 12:01:01 AM
Hi Paul:
I worked through your suggestion yesterday afternoon. This included setting
up a new Self-Signed Certificate. ISA said it would restart the ISA server
and I assumed it did.

The bogus certificate is still there, like an orphan crying for its mother.

Charles Yang [MSFT]

Apr 15, 2005, 6:22:34 AM
Hi Godfrey,

Thanks for updates.

Currently we are making the research about this issue. I will come back to
you as soon as possible.

I appreciate your understanding.

Godfrey Nicholson

Apr 20, 2005, 3:55:02 AM
Charles:

Well??? How is the research going? Any answers? Do I have any alternative to
reinstalling everything?

Regards

Godfrey

Charles Yang [MSFT]

Apr 20, 2005, 5:55:00 AM
Hi Godfrey,

Sorry for the late response.

Please follow the steps below to check the certificate on ISA. Open the
ISA mmc on your SBS, go to "Servers and Arrays" and right click on your
server name, select Properties. Click on the "Incoming Web Requests" tab. Choose
your server and click Edit. Can you see the certificate you created in
CEICW? Please select the certificate you just assigned in CEICW to see if
the problem still exists.

Please also paste the icwdetailed.htm to the public newsgroup; you can find
the file at the location %sbsprogramdir%\Networking\ICW.

I appreciate your understanding on this issue. If you have any further
issue, please let me know. I am here waiting for your updates.

Godfrey Nicholson

Apr 21, 2005, 5:04:03 AM
Charles: I have replied in line

> Please follow the steps below to check the certificate on ISA. Now open the
> ISA mmc on your SBS and go to "servers and arrays" and rt. click on your
> server name, select prop. Click on the "Incoming Web Request" tab. Choose
> your server and click Edit, Could you see the certificate you create in the
> CEICW, please select the certificate you just assigned in CEICW to see if
> the problem still exist?

As I mentioned at the very beginning, I cannot enter a commercial
certificate in CEICW. It tells me "no certificate has been requested for the
default web site in IIS...". This is not true. I can create a self-signed
certificate and, yes, this shows up in the ISA "Incoming Web Requests".

>
> Please also paste the icwdetailed.htm to the public newsgroup, you can find
> the file at the location %sbsprogramdir%\Networking\ICW.

Here is the most recent file. Let me know if I can send you anything else,
such as an earlier version. Godfrey

SUMMARY OF SETTINGS FOR CONFIGURE E-MAIL AND INTERNET
CONNECTION WIZARD

This file contains detailed information about the
configurations specified in the Configure E-mail and
Internet Connection Wizard.
The configurations specified in the Configure E-mail and
Internet Connection Wizard determine the settings for your
network, firewall, secure Web site, and e-mail.

NETWORKING CONFIGURATION SUMMARY

After the wizard completes, the following network connection
settings will be configured:
Connection type: Do not change

FIREWALL CONFIGURATION SUMMARY

After the wizard completes, the following firewall settings
will be configured:

Internet Security and Acceleration (ISA) Server will be
configured as follows:

Disable existing filters that may create a filter
conflict.

Create a standard set of network service filters.
For a list of the standard filters, see firewall settings
for your Windows Small Business Server network in Help and
Support.

Create the following additional filters:
E-mail
Virtual Private Networking (VPN)
Terminal Services
FTP
For more information about the port number and
purpose of each additional filter, see firewall settings for
your Windows Small Business Server network in Help and
Support.

Create the following custom filters:
SBS Remote Web Workplace CustomFilter, 4125, TCP

Add the internal domain name for Windows Small
Business Server to the local domain table (LDT) of ISA
Server to allow ISA Server to route internal network
requests on the local network.

Enable IP routing.

Disable automatic discovery as this interferes with
IIS as both ISA Server and IIS attempt to bind to port 80.

Configure the Web listeners to receive incoming http
requests using Small Business Reverse Proxy Listen Entry.

Disable the H.323 Application Filter for video and
audio conferencing for security.

Set the maximum number of incoming Web request
connections allowed to the default Web site to 500. This
improves system availability and reliability by mitigating
denial-of-service attacks against your Web site.

Add the loopback adapter IP address of 127.0.0.1 to
support the http://localhost for IIS.

Create an incoming Web request listener and bind to
IP address of server’s local network adapter to allow ISA
Server to handle Web requests from the Internet.

Set the incoming Web request listeners to allow a
maximum of 300 connections from the outside. This improves
system availability and reliability by mitigating
denial-of-service attacks against your Web site.

Ensure that the publishing rules created by the
wizard are listed first in the order.

Create publishing rules to route appropriate
incoming Web requests to the server’s local network
adapter.

Create a Web publishing rule for Outlook Web Access
that publishes the following IIS Web site directories:
/exchange, /exchweb, and /public. This publishing rule
routes appropriate incoming Web requests to the server’s
local network adapter. Additionally, Outlook Web Access will
be configured for Forms Based Authentication (also called
Cookie Authentication). The Public folder is also configured
to accept Windows Integrated Authentication.

Create a Web publishing rule for the Remote Web
Workplace that publishes the /remote IIS Web site
directory.

Create a Web publishing rule for the Server
performance and usage reports that publishes the /monitoring
IIS Web site directory.

Create a Web publishing rule for Outlook Mobile
Access that publishes the following IIS Web site
directories: /OMA and /Microsoft-Server-ActiveSync.

Create a Web publishing rule for Outlook via the
Internet that publishes the /rpc IIS Web site directory.

NOTE: Users connecting to Outlook Web Access,
Remote Web Workplace, and Outlook via the Internet, must use
an https:// connection. Additionally, these Web site
directories are configured to require 128-bit encryption.
All other Web sites can use either https:// or http://
connections.
Internet Information Services (IIS) will be configured as
follows:

Configure http.sys driver to only bind to the local
network adapter to prevent IIS from conflicting with ISA
Server on the ISP network adapter.

Disable socket pooling.
Set DNS to listen to only to the local network
adapter.
To only listen on the local network adapter. This
allows ISA Server to monitor incoming Web requests from the
Internet.

SECURE WEB SITE CONFIGURATION SUMMARY

After the wizard completes, the following secure Web site
settings will be configured:
Secure Sockets Layer (SSL) will be configured as follows:
Do not change current Web server certificate.
Create a Web server certificate named ISAcert.cer in the \sbscert
folder and also install this certificate into ISA Server.
This certificate is required so that you can access secure
Web sites on the computer running Windows Small Business
Server if ISA Server is installed. ISAcert.cer is configured
for ISA Server for external Web clients. Create an
additional Web server certificate named Sbscert.cer and
install this certificate in IIS, which is used by internal
clients and by redirected Web requests from ISA Server.

The incoming Web listener is configured to use the
ISAcert.cer certificate.

E-MAIL CONFIGURATION SUMMARY

After the wizard completes, the following e-mail settings
will be configured:
Exchange will be configured as follows:
Email: Do not change Exchange configuration for Internet
e-mail.
Keep the existing Internet e-mail configuration.

After the wizard completes, the icwlog.txt in C:\Program
Files\Microsoft Windows Small Business Server\Support is
updated.
After the wizard completes, the wizard script file
config.vbs is created in C:\Program Files\Microsoft Windows
Small Business Server\Networking\Icw.
NOTE: Each time the wizard runs, a new config.vbs file is
automatically generated to preserve the previous settings.
For example config.vbs, config1.vbs, config2.vbs, and so
on.


Charles Yang [MSFT]

Apr 22, 2005, 6:45:55 AM
Hi Godfrey,

Thanks for updates.

After checking the information, we need you to upload all the .vbs files to
the public newsgroup. The .vbs files can be found in the same location
as ICWdetailed.htm. I am waiting here for your updates.

Thanks for understanding on this issue.

Godfrey Nicholson

Apr 22, 2005, 2:41:01 PM
Charles:

There are a bunch of these files. I cannot attach them to this post. Could I
send them to you directly?

Godfrey

Charles Yang [MSFT]

Apr 24, 2005, 9:02:53 PM
Hi Godfrey,

You can compress all the .vbs files into a zip file, then upload it to the public
newsgroup. I appreciate your understanding. Thanks.

I am here waiting for your updates.

Best regards,

Godfrey Nicholson

Apr 25, 2005, 12:52:01 AM
Charles:

I see no provision for uploading files to the newsgroup so I am just
attempting to cut and paste the zip file. It doesn't look good.

If you don't get this, please tell me where to go to upload this file.

Godfrey

ICW.zip

Charles Yang [MSFT]

Apr 25, 2005, 5:02:12 AM
Hi Godfrey,

After checking the public newsgroup, it seems there is no way to upload directly. So
I suggest you find an Internet shared space to upload the file and paste the
link in the post, so that I can download the file from the link.

Thanks for your understanding on this issue. I am sorry for any inconvenience to
you.

Godfrey Nicholson

Apr 25, 2005, 10:49:06 PM
Charles:

I will create a temp Hotmail account and put an email there. I will send you
the login and password details. I will cancel the account 24 hours later.

What time zone are you in? What hours are you working on the SBS 2003 newsgroup?
If I can have this info I will put the files on Hotmail during this time
window.

This sounds all very mysterious!

Regards

Godfrey

Charles Yang [MSFT]

Apr 26, 2005, 6:00:01 AM
Hi Godfrey,

Thanks for updates.

The time zone in my area is GMT+8 (Beijing/Hong Kong time). I will be in the office
from 9 AM to 6 PM. Hope this information is helpful; waiting for your reply.

Godfrey Nicholson

Apr 26, 2005, 10:23:02 PM
Charles:

You would not believe how much trouble this has been!!! Anyway, ...

Go to ofekt...@hotmail.com, password charles

You should see a trial piece of email and then one with the subject line:
"Hi Charles" which has an attachment of a zip file of some 40 scripts.

Let me know if you download that and I will then close the hotmail account -
unless you need me to download something else.

Many thanks

Godfrey
--
Godfrey Nicholson
Ofek Technologies Ltd
Auckland 1001
New Zealand
godfrey at ofektech dot com
