Jesper M. Christensen

SharePoint and Security

Error publishing Internal SSL site through ForeFront UAG


If you publish an internal site through Microsoft ForeFront UAG and that internal site is itself protected by an SSL certificate, you can run into the following error:

UAG specified target common name of the certificate is invalid

In my test environment I started with:

                                      Internal site                   External URL
  URL                                 https://mysite.domain.local     https://mysite.domain.com
  SSL certificate DNS name / CN       intranet.domain.local           intranet.domain.com

I publish this site with ForeFront UAG through an HTTPS trunk, and the error occurs.

[Image: UAG setup example]

The reason for this error is that UAG checks the internal SSL certificate for the external “Common Name”. Internal users access the site by its internal name, so their browsers only check that the certificate matches the internal “Common Name”, intranet.domain.local. ForeFront UAG, however, checks whether the certificate also includes the external name. Because this is a certificate name check and not a URL mapping problem, configuring SharePoint AAM (Alternate Access Mappings) and configuring UAG correctly does not solve it.

Some forum posts I found suggested simply switching the internal site to unencrypted HTTP on the standard port 80, but this did not match my security policy.

My solution was to create a new internal SSL certificate that includes the external name as well (a certificate can carry only one Common Name, so the practical way is one certificate with both DNS names in its Subject Alternative Name list) and switch the internal web server's IIS (Internet Information Services) binding to this new certificate. After this adjustment the external site worked.

The new table now looks like this:

                                      Internal site                   External URL
  URL                                 https://mysite.domain.local     https://mysite.domain.com
  SSL certificate DNS names / CN      intranet.domain.local           intranet.domain.com
                                      intranet.domain.com
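To reproduce the fix in a lab, here is an added PowerShell example (not from the original post, and not UAG's or IIS's own code). It assumes an elevated session on the internal IIS server with the PKI and WebAdministration modules (Windows Server 2012 R2 or later), the site name "Default Web Site", and the internal and external host names from the table above; the function name Test-BackendCertificateName and the friendly name are my own. It issues one certificate carrying both names as Subject Alternative Names, binds it to the site's HTTPS listener, and then performs the same kind of name check UAG performs: connect to the internal name and confirm that the presented certificate also covers the external name.

```powershell
# Added example, not part of the original post. Assumptions: elevated PowerShell on the
# internal IIS server, PKI + WebAdministration modules available, site "Default Web Site".
$InternalName = "mysite.domain.local"
$ExternalName = "mysite.domain.com"
$SiteName     = "Default Web Site"

# 1. Issue a certificate that carries BOTH names. Lab shortcut: self-signed.
#    The first -DnsName becomes the CN; every entry becomes a DNS SAN, which is
#    the list the name check looks at.
$cert = New-SelfSignedCertificate -DnsName $InternalName, $ExternalName `
    -CertStoreLocation "Cert:\LocalMachine\My" -FriendlyName "SharePoint internal (dual-name)"

# For production, request the same SAN list from the internal CA instead of self-signing.
# certreq INF with a Subject Alternative Name extension (OID 2.5.29.17):
$inf = @"
[NewRequest]
Subject = "CN=$InternalName"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$InternalName&"
_continue_ = "dns=$ExternalName"
"@
# Set-Content -Path .\intranet.inf -Value $inf
# certreq -new .\intranet.inf .\intranet.req    # submit to the CA, accept the issued cert, then set $cert to it

# 2. Bind the new certificate to the site's HTTPS listener (replacing any existing one on 443).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}
if (Test-Path "IIS:\SslBindings\0.0.0.0!443") { Remove-Item "IIS:\SslBindings\0.0.0.0!443" }
New-Item "IIS:\SslBindings\0.0.0.0!443" -Value $cert | Out-Null

# 3. Check the way UAG does: connect to the internal name and verify that the
#    presented certificate's names (CN and DNS SANs) also include the external name.
function Test-BackendCertificateName {
    param([string]$Server, [string]$RequiredName)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, 443)
    # Accept any chain here: the point is to inspect the names, not to validate trust.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($Server)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sanExt = $remote.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
        $names  = @()
        if ($sanExt) {
            # Format($true) renders one "DNS Name=<host>" entry per line.
            $names = $sanExt.Format($true) -split "`r?`n" |
                Where-Object { $_ } |
                ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
        }
        $cn = $remote.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        [pscustomobject]@{
            Subject = $remote.Subject
            Names   = $names
            Covered = ($names -contains $RequiredName) -or ($cn -eq $RequiredName)
        }
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

# Covered must be True before the UAG trunk is tested again.
Test-BackendCertificateName -Server $InternalName -RequiredName $ExternalName
```

If Covered comes back False, the binding is still serving the old single-name certificate; check that the thumbprint in IIS:\SslBindings matches $cert.Thumbprint and that no other site on the same IP and port owns the binding.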