Error: Authentication over SSL encrypted channel with the Configuration Storage Server could not be verified

ISSUE:

When installing ISA Server in a workgroup with a Configuration Storage Server (CSS), you may encounter the above error if you try to change the authentication method between the CSS and the other ISA Servers in the same array.

Configuration:
Node1: ISA01
Roles: CSS + ISA Services

RESOLUTION:

  1. Remove any certificates you tried to associate with the ADAM_ISASTGCTRL service or placed in any of the local stores.
  2. Close all ISA Server consoles and run setup from the ISA installation CD.
  3. Select Repair and proceed.
  4. Select "I am deploying in a workgroup or domains without trust relationship" and browse to the .PFX file. Also provide the password for the .PFX file.
  5. Click Next, verify the name of the CSS and provide the username and password.
  6. Under Authentication options, select "Authentication over SSL encrypted channel" and then "Use an Existing trusted Root CA certificate". If you have a root certificate file, select the second option instead.
  7. Click Next. The CSS now installs without the error.


CONSIDERATIONS:

  1. Back up your configuration before repairing ISA Server. The repair does not delete any rules, but a backup is helpful to be on the safe side.
  2. Obtain a .PFX file for your certificate. The certificate's subject name should be the name of the ISA machine that hosts the CSS.
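To catch the second consideration before the repair wizard reports the SSL error, the following PowerShell pre-check is an added example; it is not part of the original post and not an ISA Server tool. It loads the .PFX, confirms the private key is present, checks that the subject CN matches this machine's name (the host running the CSS), and checks the validity dates and the Server Authentication EKU. The path C:\certs\isa01.pfx is a placeholder, and the script assumes it is run on the CSS host with PowerShell 2.0 or later.

```powershell
# Added example (not from the original post): pre-check a .PFX before handing it to
# the ISA Server repair wizard. Assumes it runs on the host that carries the CSS.
param(
    [string]$PfxPath = 'C:\certs\isa01.pfx',   # placeholder path, replace with your .PFX
    [string]$CssFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

# Get-PfxCertificate prompts for the .PFX password and returns an X509Certificate2
$cert = Get-PfxCertificate -FilePath $PfxPath

# Pull the CN out of the subject, e.g. "CN=isa01.contoso.local, O=Contoso" -> isa01.contoso.local
$cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''

# The procedure says the certificate name must be the CSS machine's name; accept FQDN or NetBIOS name
$acceptable = @($CssFqdn, $env:COMPUTERNAME)

$problems = @()
if (-not $cert.HasPrivateKey)        { $problems += 'PFX does not contain the private key' }
if ($acceptable -inotcontains $cn)   { $problems += "Subject CN '$cn' does not match CSS host '$CssFqdn'" }
if ($cert.NotAfter -lt (Get-Date))   { $problems += "Certificate expired on $($cert.NotAfter)" }
if ($cert.NotBefore -gt (Get-Date))  { $problems += "Certificate not valid until $($cert.NotBefore)" }

# An SSL server certificate needs the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1)
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    $problems += 'Certificate lacks the Server Authentication EKU'
}

if ($problems.Count -eq 0) {
    Write-Host "OK: $PfxPath is usable for CSS '$CssFqdn' (thumbprint $($cert.Thumbprint))"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it once from an elevated prompt on the CSS machine before step 4 of the resolution; a CN mismatch or a missing private key is exactly what makes the wizard fail to verify the SSL channel, so fixing the certificate first saves a second repair run.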

Autodiscovery for the ISA Server clients

By using the Auto Discovery option in ISA Server 2006, your client machines (Web Proxy or Firewall Clients) can find the ISA Server through the wpad.dat file and configure themselves with its settings. To set this up, do the following:

1. Go to Networks > Internal, right-click and open its properties.
2. Under properties, go to the Auto Discovery tab.
3. Tick the check box "Publish automatic discovery information for this network".
4. Select the port number. Leave the default unless IIS is also running on the ISA Server, as may be the case on an SBS server.
5. Click OK and apply the changes.

Now, on your DNS server, do the following:

1. Open the DNS console, right-click the DNS server and select Alias (CNAME).
2. Enter WPAD as the alias name and click Browse to select the FQDN of the ISA Server.
3. Click OK and close.
4. Now, on a client, open the Internet Explorer options and go to Connections > LAN settings.
5. Tick "Automatically detect settings".
6. Click OK and open the Firewall Client installed on the machine (install it if it is not already).
7. Select "Automatically detect ISA Server" and click Detect Now.

It will detect the ISA Server.
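Because every client on the network will trust whatever host the WPAD alias points at, it is worth verifying the two halves of the procedure above from a client before relying on Detect Now. The following PowerShell script is an added example, not part of the original post or of ISA Server: it checks that the WPAD CNAME resolves to the intended ISA Server FQDN and nothing else, and that wpad.dat is actually served on the published port. The domain contoso.local, the ISA FQDN isa01.contoso.local and port 80 are assumptions; Resolve-DnsName and Invoke-WebRequest require Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original post): verify ISA Server autodiscovery from a client.
# Assumes Resolve-DnsName / Invoke-WebRequest are available (Windows 8 / Server 2012 or later).
param(
    [string]$Domain  = 'contoso.local',        # assumed DNS domain of the clients
    [string]$IsaFqdn = 'isa01.contoso.local',  # assumed ISA Server FQDN chosen in the CNAME dialog
    [int]$Port       = 80                      # port published on the Internal network's Auto Discovery tab
)

$wpadName = "wpad.$Domain"

# 1. The CNAME must exist and point at the ISA Server; any other target means clients would
#    be handed proxy settings by a host the administrator did not intend.
$cname = Resolve-DnsName -Name $wpadName -Type CNAME -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
if (-not $cname) {
    Write-Warning "No CNAME record found for $wpadName"
    return
}
$target = $cname.NameHost.TrimEnd('.')
if ($target -ine $IsaFqdn) {
    Write-Warning "$wpadName points at '$target', expected '$IsaFqdn'"
} else {
    Write-Host "OK: $wpadName -> $target"
}

# 2. wpad.dat must be reachable on the configured port and look like a PAC script
$url = 'http://{0}:{1}/wpad.dat' -f $wpadName, $Port
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
    if ($resp.Content -match 'FindProxyForURL') {
        Write-Host "OK: wpad.dat retrieved from $url"
    } else {
        Write-Warning "$url answered, but the body does not look like a PAC file"
    }
} catch {
    Write-Warning "Could not retrieve $url : $($_.Exception.Message)"
}
```

If the first check passes and the second fails, the usual cause is the port chosen in step 4: a client looks for wpad.dat on port 80 unless told otherwise, so a non-default publishing port has to match what the clients expect.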

Installing the FCS Server in Single Server Architecture

FCS with Single Server Architecture

The system requirements for FCS, listed at http://www.microsoft.com/forefront/clientsecurity/en/us/system-requirements.aspx, depend on the type of topology to be deployed.

  1. Install IIS and ASP.NET (requires .NET Framework 2.0)
  2. Install SQL Server 2005 (minimum requirement is Windows Server 2003 SP1)
  3. Run setup.exe from the installation CD
  4. SQL Server setup will install the required prerequisites automatically
  5. Use the default instance name or, if you are already running a default instance, name it something like "FCSInstance"
  6. On the Components to Install page, select the following check boxes:
     • SQL Server Database Services
     • Reporting Services
     • Integration Services
     • Workstation components
  7. On the Service Account page, under Start services at the end of setup, select the SQL Server Agent check box
  8. When installing SQL Server 2005, use Windows Authentication as the security mode
  9. Click Install to finish the setup
  10. Install SQL Server 2005 SP1 once the SQL Server installation is done
  11. Install MMC 3.0 (http://www.microsoft.com/downloads/details.aspx?familyid=4C84F80B-908D-4B5D-8AA8-27B962566D9F&displaylang=en)
  12. Install GPMC with SP1 (http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en)
  13. Install WSUS with SP1 (http://technet.microsoft.com/hi-in/wsus/bb466206(en-us).aspx)
  14. Configure the WSUS server to synchronize with Microsoft Update. See http://technet.microsoft.com/en-us/library/bb404230.aspx for help on configuring the WSUS server
  15. Configure the client machines using Group Policy from your Active Directory DC
  16. Synchronize the WSUS server with Microsoft Update before you start installing Forefront Client Security
  17. Check that you can access the Reports and ReportServer virtual directories from the server by browsing to http://<FCSserver>/Reports and http://<FCSserver>/reportserver
  18. Run FCSServersetup.exe from the FCS installation disk
  19. Enter your name and organization
  20. Accept the License Agreement
  21. Clear all roles except "Distribution Role"
  22. Click Next and specify the installation path. Usually it takes the same path as the WSUS installation

Note: In a multi-server topology, this role has to run on the server that has WSUS installed.

  1. Go to the WSUS admin website http://<WSUS-server-name>/WSUSAdmin and open Updates. Verify that Forefront Client Security appears under Products and that Definition Updates appears under Updates.
  2. Click "Synchronize Now" and wait for WSUS to synchronize all FCS-related definition updates from the Microsoft Update website. Depending on your internet link, this will take a while.
  3. Go to your Domain Controller and create the four user accounts below, with the following memberships:
     1. DAS        (Domain User, local Administrators group of the FCS server)
     2. DTS        (Domain User, local Administrators group of the FCS server)
     3. Reporting  (Domain User)
     4. Action     (Domain User, local Administrators group of the FCS server)
  4. Now go to your FCS server and run the setup again.
  5. Enter your name and organization name, then accept the License Agreement.
  6. On the Collection Server page, enter the current server name (leave it default). Also enter the DAS account created above as YOURDOMAIN\DAS and the password of the DAS account.
  7. On the Collection Database page, enter the current server name with the SQL instance name as LOCALHOSTNAME\SQLINSTANCENAME and the database size you want to define. Then enter the Reporting account created above as YOURDOMAIN\Reporting and the password of the DAS account.
  8. On the Reporting Database page, enter the current server name and the database size you want to define. Then enter the DTS account created above as YOURDOMAIN\DTS and the password of the DAS account.
  9. On the Reporting Server page, enter the current server name and the reporting URL you verified earlier (http://<FCSserver>/reportserver), or leave it default (only for the single server topology).
  10. On the Action page, enter YOURDOMAIN\Action (Action is the username created above) and its password.
  11. On the Install Location page, enter the path where you would like to install the Client Security files.
  12. Verify the settings and click Next.
  13. Wait for all components to finish installing.
  14. Click Finish.
  15. Go to Start > Programs > Microsoft Forefront > Client Security > Microsoft Forefront Client Security Console.
  16. Before you begin the Configuration wizard, grant the following users the permissions below on the databases in SQL Server 2005:
     1. Reporting  (db_owner on the SystemCenterReporting and OnePoint databases)
     2. Action     (db_owner on the OnePoint database)
  17. Once the permissions are in place, return to the wizard.
  18. Click Next.
  19. Now enter, one by one, the names you gave on the Collection Server, Collection Database, Reporting Database and Action pages above. Provide the Reporting username and password as well.
  20. Click Next to verify the names and users you provided.
  21. Click Next.
  22. Wait for everything to finish.
  23. Now approve the Client Update for Microsoft Forefront Client Security (1.0.1703.0) for installation on the WSUS server.
  24. Let it install on all client machines; once it is installed, they start appearing in the reporting within 24 hours of the FCS agent install.
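Three of the four service accounts in step 3 become local administrators of the FCS server, and only the Reporting account is meant to stay a plain domain user; a setup that deviates from that table either fails or grants more than the procedure needs. The following PowerShell check is an added example, not part of the original post or of Forefront Client Security: run on the FCS server before the configuration wizard (step 16), it enumerates the local Administrators group through ADSI, which works on Windows Server 2003 and 2008 without newer modules, and reports any account whose membership differs from the table. YOURDOMAIN is the page's own placeholder for the NetBIOS domain name.

```powershell
# Added example (not from the original post): confirm the four FCS service accounts have
# exactly the local Administrators membership the procedure calls for. Run on the FCS server.
param([string]$Domain = 'YOURDOMAIN')   # placeholder from the procedure, replace with your NetBIOS domain

# Expected memberships from step 3: only the Reporting account stays out of local Administrators
$expected = @{
    'DAS'       = $true
    'DTS'       = $true
    'Reporting' = $false
    'Action'    = $true
}

# Enumerate local Administrators via ADSI; each member's ADsPath looks like WinNT://YOURDOMAIN/DAS
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.Invoke('Members') | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'   # normalise to DOMAIN\User
})

$ok = $true
foreach ($name in $expected.Keys) {
    $account = "$Domain\$name"
    $isAdmin = $members -icontains $account
    if ($isAdmin -ne $expected[$name]) {
        $ok = $false
        if ($expected[$name]) {
            Write-Warning "$account is missing from local Administrators; setup will fail for this role"
        } else {
            Write-Warning "$account is in local Administrators, but the procedure only requires Domain User"
        }
    }
}
if ($ok) { Write-Host 'Local Administrators membership matches the FCS service account table' }
```

The same idea applies to step 16: the Reporting and Action accounts get db_owner only on the databases named there, so a later audit of SQL Server role membership should find them nowhere else.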

Resources:

http://tarek-online.blogspot.com/2007_10_01_archive.html
www.Microsoft.com/clientsecurity
http://blogs.technet.com/clientsecurity/archive/2007/10/05/changes-to-fcs-client-wsus-installation-package.aspx