ISA 2006 and Exchange 2010 OWA SSL Publishing

May be an unusual mix of products, but my ISA 2006 installation has been rock-solid and I haven’t seens a real need to upgrade to the newer TMG.

The scenario is as follows:

  • GoDaddy SSL Certificate Purchase
  • Secure Exchange 2010 with cerficate for OWA
  • Publish OWA via ISA using HTTPS

GoDaddy has pretty good guides for downloading and installing the certifcate into IIS7 (assuming you’re running Exchange 2010 on Windows 2008).

When you try to publish the site using SSL via ISA 2006, ISA requires you to make it aware of the SSL certificate. This was not a requirement back in the day of ISA 2004. The world of IT seems to get more complicated with each revision.

If you import the SSL certificate onto the ISA 2006 server by just double-clicking on it, ISA still will not be able to see the certifcate when you click on the Certificate tab for the Listener.

The correct way to import the certificate is via MMC console.
Load up the MMC Console, and add the Certificate snapin. Make sure you use Computer Account, and choose This Computer.

The certificate needs to be imported into the Personal section.

Here is the important part. You need to import the certificate with the Private Key. How do you do this?

If you don’t, you’ll probably have an error like:

  • Private key handle error
  • Private key not installed
  • See below…

Easy, go to Exchange Management Console on the server where you just imported the certificate. Do this by opening IIS, click on your server name on the left. Click on Server Certificates in the middle.

Then click on Export in the right. This will allow you to export the GoDaddy Certificate you just purchased (or any other certificate for that matter), with a Private Key. You know when a private key is being exported because a password is needed. Save this certificate somewhere, and copy it to the ISA 2006 server.

Armed with a certficate with Private Key, we can now import it into the Certificate store. Resuming from where we left off, right-click on the Personal certificate store, All Tasks, Import. Display all files (*.*), and select the certificate you just copied over. You will need to enter the password you set earlier. Click next and ensure the certificate is stored under Personal.

Last step is to tell ISA 2006 to use that certificate. With any luck, you’re greeted with all green ticks. Select the certificate and OK all the way out.

For later down the track…

I found that when my GoDaddy certificate expired, I renewed and updated the certicate on the Exchange 2010 server only. I did not reimport the certificate in ISA 2006 or install it into the Certificate store. Seems to be running fine, and no certificate errors.

Seems ISA 2006 only wants to “see” the certificate initially, and subsequent renewals doesn’t seem to phase it.

Also note that if you are trying to use Outlook Anywhere, this method may not work. Outlook Anywhere requires some more fiddling with ISA 2006 to allow the certificate to be passed through successfully. More info soon…