> A fourth case, which I just encountered, is if you buy a cheap domain cert
> from GoDaddy or somesuch and your web server is behind a firewall or NAT
> router. The address of the web server is known to the world as
> www.domain.com but the webserver is known locally on your network as
> something like shemp.mycompany.local. The FQDN on the certificate and
> the FQDN of the web server must match or the browser will throw an error.
> In ISA, there's a setting indicating where web requests should be redirected
> and what the return headers should look like. In order to get this to work,
> one has to forward requests to the external domain (www.domain.com) but
> that causes an endless loop in the ISA. The trick is to add an entry to the
> host file on the ISA machine that points www.domain.com to the local
> IP address bypassing DNS and preventing the looping error. (The service
> must be restarted before this works).

It would be easier, I believe, to simply use the subjectAltName argument in
the certificate signing request to specify all of the DNS CNAMEs and IP
addresses that the certificate might be associated with.


*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
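
The subjectAltName approach suggested in the reply above, sketched with the OpenSSL command line as an added example that is not part of the original message. The names www.domain.com and shemp.mycompany.local come from the thread; the IP address 192.0.2.10, the file names and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a CSR whose subjectAltName lists the public name,
# the internal name and an IP address, then read the SANs back out of it.
# 192.0.2.10 is a constructed placeholder address, not a value from the thread.

make_san_csr() {
    # $1 = output directory; writes san.cnf, server.key and server.csr there
    dir=$1
    cat > "$dir/san.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = www.domain.com

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.domain.com
DNS.2 = shemp.mycompany.local
IP.1  = 192.0.2.10
EOF
    # Keep the private key readable by the owner only
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -config "$dir/san.cnf" \
          -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null )
}

list_csr_sans() {
    # $1 = CSR file; prints one SAN per line, e.g. "DNS:www.domain.com"
    openssl req -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' | sed 's/^ *//'
}

workdir=$(mktemp -d)
make_san_csr "$workdir"
list_csr_sans "$workdir/server.csr"
```

Which of the requested names end up in the issued certificate is the CA's decision, so check the certificate's SAN list as well as the CSR's. Publicly trusted CAs do not issue for internal names such as .local or for private IP addresses, so a request like this one is for an internal CA.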