The front-end server stores the master copy of the address book in a secure Web site hosted
in Internet Information Server (IIS). The OCS clients retrieve copies by automatically
connecting to this site using SSL.
For internal clients, the connections to the front-end server use the internal FQDN of
the pool, such as https://ocspool.company.internal. And logically, it follows that the certificate
that is bound to this site has the subject name ocspool.company.internal. In this way, clients
make secure connections to retrieve the address book.
However, external users trying to download the address book will have trouble unless
you are publishing the address book with ISA (or any other reverse-proxy server). As I
mentioned earlier, the front-end server stores the master copy of the address book, and the
front-end server, unlike the Edge Server, does not sit in the perimeter network. It should not
be accessible to external users, and therefore, external users will not be able to retrieve the
address book without going through ISA.
To avoid using ISA, you may be tempted to just open a port on your firewall to allow
access into the front-end server. That is a bad idea for two reasons. First, it unnecessarily
exposes your front-end server to the outside world and this poses a security risk. But
also, and more important, this method won't work. The reason comes back to SSL and
certificates: Because the directory where the address book is stored must use SSL, it must
have a certificate bound to it.