Should install the certificate on my External Clients?

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi
I have a Stand-Alone root CA.
I've already created a certificate on OWA server and imported it into ISA
2000 server ... Internally the SSL does work but externally it doesn't.

My questions are:
1 - Should I install a root CA on my external computers so they can use SSL
with ISA?
2 - I reviewed the purpose of my certificate installed on ISA and OWA server
and it says: "Ensures the identity of a remote computer". That's ok to use
with SSL?
3 - Does Stand-Alone root CA work well for this purpose of security?

Thanks
 
If it works internally but not externally then you probably have a problem
with dns name resolution, or blocking of port 443 TCP used for ssl. Have a
client from outside of the network try to connect using the public IP
address that maps to that server instead of dns name to see if that helps.
Then make sure your firewall device is allowing port 443 tcp through to your
server. You could double check that from a self scan site such as
http://scan.sygatetech.com/pretcpscan.html and do a TCP scan that will scan
for ports up to 1024. It should show port 443 tcp open in order for users to
connect via https. The external clients will need a copy of the CA root
certificate in their local computer certificate store. You can export it
from the CA to a .cer file that you can send to them and then they double
click the .cer file to start the wizard to install it. Use the mmc snapin
for computer certificates and find your CA certificate in the trusted root
folder where you can right click and select all tasks/export to save it to a
..cer file. Stand also CA's work fine, they lack the flexibility that an
enterprise CA has but the concept of PKI for security is exactly the same
and if your certificate is working for internal access it would be fine for
external access. --- Steve
 
You would have to configure your firewall to allow inbound port 443 TCP.
Some devices already will have ssl listed as a service that you can add to
the list for allowed inbound traffic from the "untrusted" adapter. ---
Steve
 
Back
Top