I had occasion recently to publish our OCS Addressbook service through ISA server 2006. This works, and now allows our users to fire up Communicator anywhere, and always be able to download a fresh copy of the OCS Offline Address book. The write-up provided by Microsoft helps with the setup of this. It walks you through the rule creation and setting up ISA and testing it. The issue we encountered was with regards to publishing this securely. We wanted to have this site protected by SSL. The catch comes that the OCS client has to download this addressbook wether it is inside our outside the firewall. So, this means it has a list and tries multiple URLs. All / any of those has to work via SSL. This creates problems for both ISA and the OCS web server, with regards to Subject Alternate Name (SAN) certificates. What I found is that OCS only worked if the cert on ISA and the cert on the IIS web service were identical, and more acurately, the first name in the list of SAN names had to be the externally facing name published by ISA.
The part about this that makes it especially hard to handle is that OCS and the wonderful Certificate Wizard complains when you try to comply with the restriction that ISA puts on you about SAN certificates. OCS will work with the second or third SAN entry, ISA will not, but the OCS wizard will bark at you when you attempt to create it.
Hope this helps those of you that encounter similar problems.
