Channel: Exchange Previous Versions - Setup, Deployment, Updates, and Migration forum

Unable to publish CAS with ISA 2006 if certificates with subject alternative names are used


I have spent a lot of time trying to publish E2K7 Client Access and Outlook Anywhere with ISA 2006, to finally conclude that ISA 2006 does not handle certificates with subject alternative names on a server to publish.

All the documentation for Exchange suggests that one should create a certificate with a bunch of subject alternative names (for Netbios name, auto-discover service etc).

I found that if you do this, then there is NO way you can successfully publish your CAS server using ISA 2006 (including KB925403). Instead I had to revert back to using a cert with NO subject alternative names to make the publishing work.

The symptoms while attempting to publish E2K7 using a certificate with subject alternative names on the CAS server were as follows:

OWA client would get a "500 Internal Server Error – The target principal name is incorrect" error after logging in to the form on the ISA server.

The log file for the publishing rule shows "Failed connection attempt", with HTTP status code 0x80090322.

And the following alert is shown in ISA 2006:

"Description: ISA Server could not establish an SSL connection with the published server mail.domain.com on port 443 because the name on the SSL server certificate used by the published server does not match the internal name of the Web server CAS01, as specified in the publishing rule. Verify that the internal name specified in the publishing rule is correct. If the problem persists contact the Web server administrator"

And the following event message is logged on the array member:

Event Type: Error
Event Source: Microsoft ISA Server Web Proxy
Event Category: None
Event ID: 23403
Date:  1/27/2007
Time:  10:34:10 PM
User:  N/A
Computer: ISA01
Description:
ISA Server could not establish an SSL connection with the published server
mail.domain.com on port 443 because the name on the SSL server certificate
used by the published server does not match the internal name of the Web
server CAS01, as specified in the publishing rule. Verify that the internal
name specified in the publishing rule is correct. If the problem persists
contact the Web server administrator


Now one would think that this is an obvious thing; however, I have checked and double-checked the certificate on my CAS server. It has a private key, it is issued to (CN=) mail.domain.com, and it has a number of Subject Alternative Names: CAS01, CAS01.internal.com, autodiscover.domain.com, exchange.domain.com.

(Essentially followed instructions from http://technet.microsoft.com/en-us/library/aa995942.aspx and took note of http://technet.microsoft.com/en-us/library/aa995982.aspx)

I also triple-checked the publishing rule, and the "To" tab contains mail.domain.com (NOT CAS01!).

Once I replaced the cert on the CAS with one without subject alternative names (just mail.domain.com as the CN), the publishing rules worked!

Hopefully the ISA team will fix this soon, as many others will run into this same issue.

Andre.
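Added example (not part of the post above, and not ISA Server code): the name check a TLS client is supposed to perform on a server certificate, per RFC 2818 section 3.1 and RFC 6125. The rule is that when a certificate carries any dNSName entries in subjectAltName, only those entries are the server's identity and the subject CN is ignored; the CN is consulted only for certificates with no SAN at all. Under that rule, the SAN certificate as described in the post (CN=mail.domain.com, with mail.domain.com absent from the listed SAN entries) does not match the rule's internal name mail.domain.com, while the CN-only certificate does, which is the outcome reported. Whether ISA 2006 applies exactly this rule is not established by the post; the practical check that follows from it is that the name typed into the publishing rule's "To" tab must itself appear in the SAN list, not only in the CN. The certificates below are constructed from the post's description in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the same functions can be run against a live connection.

```python
"""Hostname matching against a server certificate (RFC 2818 s3.1 / RFC 6125).

Certificates use the dict layout returned by ssl.SSLSocket.getpeercert():
  'subject'        -> tuple of RDNs, each a tuple of (type, value) pairs
  'subjectAltName' -> tuple of (kind, value) pairs, e.g. ('DNS', 'host')
The sample certificates are constructed from the forum post, not captured.
"""
from typing import Dict, List, Tuple


def _dns_names(cert: Dict) -> List[str]:
    """dNSName SAN entries; IP and other SAN types are not identities here."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_names(cert: Dict) -> List[str]:
    """Every commonName attribute in the subject (normally exactly one)."""
    return [value for rdn in cert.get("subject", ()) for key, value in rdn
            if key == "commonName"]


def _label_match(pattern: str, hostname: str) -> bool:
    """Compare one presented identifier with a hostname, case-insensitively.

    A wildcard is honoured only as the entire left-most label, must be
    followed by at least two more labels, and matches exactly one label
    (RFC 6125 s6.4.3), so '*.domain.com' matches 'mail.domain.com' but
    neither 'a.b.domain.com' nor 'domain.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def identities(cert: Dict) -> Tuple[str, List[str]]:
    """Return (source, names) a client may match against.

    RFC 2818: if any dNSName SAN is present, the SAN list is the identity and
    the CN MUST be ignored; the CN is only a fallback for SAN-less certs.
    """
    sans = _dns_names(cert)
    if sans:
        return "subjectAltName", sans
    return "commonName", _common_names(cert)


def matches_hostname(cert: Dict, hostname: str) -> bool:
    """True if the certificate is valid for hostname under the RFC rule."""
    _, names = identities(cert)
    return any(_label_match(name, hostname) for name in names)


def check_publishing_rule(cert: Dict, internal_name: str) -> Dict:
    """Report how a standards-following client would judge a published
    server's certificate against the name configured in a publishing rule."""
    source, names = identities(cert)
    return {"internal_name": internal_name,
            "matched": matches_hostname(cert, internal_name),
            "checked_against": source,
            "names": names}


# Constructed from the post: CN=mail.domain.com plus the four SANs listed.
SAN_CERT = {
    "subject": ((("commonName", "mail.domain.com"),),),
    "subjectAltName": (("DNS", "CAS01"), ("DNS", "CAS01.internal.com"),
                       ("DNS", "autodiscover.domain.com"),
                       ("DNS", "exchange.domain.com")),
}

# Constructed from the post: the replacement certificate with the CN only.
CN_ONLY_CERT = {"subject": ((("commonName", "mail.domain.com"),),)}


if __name__ == "__main__":
    for label, cert in (("SAN cert", SAN_CERT), ("CN-only cert", CN_ONLY_CERT)):
        for name in ("mail.domain.com", "CAS01", "autodiscover.domain.com"):
            result = check_publishing_rule(cert, name)
            print(f"{label:12} To={name:24} matched={result['matched']!s:5} "
                  f"(checked {result['checked_against']})")
```

Running the block shows the SAN certificate matching CAS01 and autodiscover.domain.com but not mail.domain.com, because the CN is never consulted once SAN entries exist, and the CN-only certificate matching mail.domain.com alone. To run the same check against a real CAS, obtain the dict with `ssl.create_default_context().wrap_socket(sock, server_hostname=name).getpeercert()` and pass it to `check_publishing_rule` with the name from the rule's "To" tab.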

