"GET" METHOD using "HTTP" Instead of "HTTPS"
"GET" METHOD using "HTTP" Instead o... - 10.Jan.2008 5:37:16 PM
charlieit
Posts: 83
Joined: 19.Aug.2004
From: US
Status: offline
ISA 2006 Exchange 2003 Front-End/Back End

I went through all the steps (in Tom's Tutorials) to publish OWA. When I try to log in to OWA (https://owa.mydomain.com) from a client's computer on the LAN, the log file on the ISA server says "Denied Connection" for "HTTPS" even though I have HTTPS "Allowed". I noticed that the HTTP Method says "GET" and the URL says http://owa.mydomain.com. Shouldn't the "GET" Method say "HTTPS" instead of "HTTP"? I know I specified SSL in every configuration.

Any ideas?

Thanks,
Charlie
RE: "GET" METHOD using "HTTP" Inste... - 14.Jan.2008 9:52:56 AM
tshinder
Posts: 47644
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Charlie,

You'll see allows and denies, because there's always a deny before the authentication request is sent. Is this just a question about funny things in the logs, or is it not working for you?

Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: "GET" METHOD using "HTTP" Inste... - 14.Jan.2008 12:34:15 PM
charlieit
Posts: 83
Joined: 19.Aug.2004
From: US
Status: offline
Hi Tom!

I'm really a big fan of yours. I am implementing ISA 2006 with a Front End Exchange 2003 in an authenticated DMZ with a Back End Exchange 2003 on the LAN. I have read your books and followed your tutorial (http://www.isaserver.org/tutorials/Creating-Multiple-Security-Perimeters-Multihomed-ISA-Firewall-Part1.html) to the letter (I have uninstalled/reinstalled ISA several times and re-did each step in the tutorial to make sure I followed all the steps properly).

It's not working at all. I get the ISA forms authentication screen. But when I type my username and password, the screen says at the top that I do not have permission to log in. You can see a copy of the log file here: http://spreadsheets.google.com/pub?key=pVVg22cjtg2gEFpv7CN8KOQ&output=html

I'm not sure if there's any other tool (other than the logs) to help me understand what exactly is failing. Is the Front End Server trying to communicate with the Back End Server and failing? Is the ISA Server failing to decrypt, authenticate, and then re-encrypt the certificate? Is the ISA Server receiving an HTTPS request and then trying to communicate with the Front End Server using HTTP?

I'm persistent, technical, and will read anything twice, but this one's got me banging my head big time! Thanks, in advance, for any help you might be able to provide!

Charlie
RE: "GET" METHOD using "HTTP" Inste... - 15.Jan.2008 7:19:35 AM
tshinder
Posts: 47644
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Charlie,

Thanks for the kind words about my work :)

I ran into a problem like this yesterday, that is to say, a head banger. Took me two hours to figure out that I made a typo in an IP address on the external interface of one of the ISA firewalls, where it should have been .73 instead of .173. Ack!

Check the Event Viewer on the FE Exchange Server. Also, remember the ISA Firewall has to be a domain member so that it can do the pre-authentication and that you should be delegating as basic authentication.

HTH,
Tom
RE: "GET" METHOD using "HTTP" Inste... - 15.Jan.2008 10:04:24 AM
charlieit
Posts: 83
Joined: 19.Aug.2004
From: US
Status: offline
Thanks Tom,

I think my problem might be something very basic that is eluding me:

FE:          IP: 192.0.3.2/24    DNS: 192.0.2.8   GW: 192.0.3.1
ISA (Auth):  IP: 192.0.3.1/24    DNS: (n/a)
ISA (WAN):   IP: 10.20.0.2/16    DNS: (n/a)       GW: 10.20.0.1
BE:          IP: 192.0.2.12/24   DNS: 192.0.2.8   GW: 192.0.2.3
ISA (LAN):   IP: 192.0.2.3       DNS: 192.0.2.8   GW: n/a

I'm wondering whether the FE server can communicate with the BE through the ISA. I don't have any problems pinging the FE from the BE. I can't ping the BE from the FE (using IP address to take DNS out of the equation). I can ping the ISA from the FE though. I have played with System policies and firewall rules, but I just can't seem to ever be able to ping the BE from the FE. There are no errors and no denies in the ISA log. I'm just at a loss as to what else to look at.
RE: "GET" METHOD using "HTTP" Inste... - 16.Jan.2008 8:54:36 AM
tshinder
Posts: 47644
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Charlie,

Before we go too much forward, I need to make sure that the IP addressing is right. Are you really using 192.0.x.x?

Thanks!
Tom
RE: "GET" METHOD using "HTTP" Inste... - 16.Jan.2008 9:45:30 AM
charlieit
Posts: 83
Joined: 19.Aug.2004
From: US
Status: offline
Sorry, I was being paranoid about giving out all this info on a public forum and I wasn't thinking when I changed addresses. Let's say I am using 192.168.x.x.
RE: "GET" METHOD using "HTTP" Inste... - 16.Jan.2008 6:02:09 PM
charlieit
Posts: 83
Joined: 19.Aug.2004
From: US
Status: offline
Tom, I figured this out!!! But if you can just explain why, it would be a big help:

Currently at this location we have a sonicwall as our front edge firewall. Naturally, all of our clients currently use that as their gateway. I am configuring this ISA Server to go in behind the Sonicwall and I will have all of the clients use it as their gateway when it is ready (I know, I know, the ISA should go in front and behind and we should pitch the Sonicwall, but one step at a time). I have the FE Exchange server hooked up directly into the Authenticated DMZ adapter on the ISA Server. I have the LAN adapter on ISA plugged directly into my LAN.

Here's what happened: If I change the Gateway on my own computer (on the LAN) from the sonicwall to the ISA Server, I can ping the FE Server in the Authenticated DMZ. If I ping my own computer (with ISA as the gateway) from the FE Server, I get replies. But if I change the gateway on my computer to the sonicwall, I cannot ping my computer from the FE Server on the Auth DMZ. So if I change the gateway on my DC, DNS server, and BE Exchange server to be the ISA Server, then the OWA site works!

Why would the gateway setting of my computer affect whether I get successful pings from the Authenticated DMZ network? The gateway is for external communications, no?

Also, is there something I can do so that I can continue to set up and test ISA with computers on my LAN that DO NOT have ISA as their Gateway? My goal is to set up and test it so that late one night I can put it in place and have everything pre-tested.

Thank you!
Charlie
RE: "GET" METHOD using "HTTP" Inste... - 17.Jan.2008 10:16:12 AM
tshinder
Posts: 47644
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Charlie,

The ping works when the ISA Firewall is set as the gateway, since the ICMP ping request must be able to be routed to the destination, and the ICMP reply must be routed back to the machine that issued the request. Since the sonicwall device doesn't know the route to the destination, the ping fails.

HTH,
Tom
RE: "GET" METHOD using "HTTP" Inste... - 17.Jan.2008 11:07:50 AM
charlieit
Posts: 83
Joined: 19.Aug.2004
From: US
Status: offline
Thanks Tom. So if I make an entry in the Sonicwall to route any requests from the DMZ subnet back to the ISA Server, I should be able to set up and test ISA against my production environment?
RE: "GET" METHOD using "HTTP" Inste... - 17.Jan.2008 1:01:46 PM
charlieit
Posts: 83
Joined: 19.Aug.2004
From: US
Status: offline
It Works!!!! Thank you Tom! I am running to the store at lunch to purchase your new book! Thank you!!! Charlie
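
Added example (not part of the original thread): a small Python model of the routing behaviour Tom describes and of the SonicWall route Charlie proposes, tracing the echo request and the echo reply separately. The 192.168.x.x addresses, the PC at .50 and the node names are constructed for illustration, and the SonicWall's Internet default route is left out, so a DMZ-bound packet it cannot route is modeled as dropped.

```python
from ipaddress import ip_address, ip_network

LAN, DMZ = ip_network("192.168.2.0/24"), ip_network("192.168.3.0/24")
ANY = ip_network("0.0.0.0/0")

def build(pc_gateway, sonicwall_dmz_route=False):
    """Return {node: (ip, routes)}; a route is (network, next_hop), None = on-link."""
    nodes = {
        "FE": ("192.168.3.2", [(DMZ, None), (ANY, "ISA")]),
        "PC": ("192.168.2.50", [(LAN, None), (ANY, pc_gateway)]),  # constructed LAN host
        "ISA": (None, [(LAN, None), (DMZ, None)]),  # attached to both subnets
        # Assumption: only the LAN route is modeled on the SonicWall; its Internet
        # default route is omitted because it does not lead to the private DMZ.
        "SonicWall": (None, [(LAN, None)]),
    }
    if sonicwall_dmz_route:
        nodes["SonicWall"][1].append((DMZ, "ISA"))  # static route proposed in the thread
    return nodes

def deliver(nodes, src, dst):
    """Follow routing tables hop by hop; return the hop list, or None if dropped."""
    dst_ip = ip_address(nodes[dst][0])
    hops, here = [src], src
    while here != dst:
        # Longest-prefix match over the current node's routes.
        matches = [(net, hop) for net, hop in nodes[here][1] if dst_ip in net]
        if not matches or len(hops) > 8:  # no route, or a routing loop
            return None
        _, next_hop = max(matches, key=lambda m: m[0].prefixlen)
        here = dst if next_hop is None else next_hop
        hops.append(here)
    return hops

def ping(nodes, src, dst):
    """A ping needs a routable echo request AND a routable echo reply."""
    request = deliver(nodes, src, dst)
    reply = deliver(nodes, dst, src) if request else None
    return request, reply

if __name__ == "__main__":
    cases = [
        ("PC gateway = SonicWall, no DMZ route", build("SonicWall")),
        ("PC gateway = ISA", build("ISA")),
        ("PC gateway = SonicWall, DMZ route via ISA", build("SonicWall", True)),
    ]
    for label, nodes in cases:
        print(label, ping(nodes, "FE", "PC"))
```

In the first case the request reaches the PC through the ISA firewall but the reply is handed to the SonicWall and goes nowhere, which is why the ISA log shows no deny.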