2003 OWA behind 2004 ISA
2003 OWA behind 2004 ISA - 2.Aug.2008 1:05:21 PM
lcsgeek
Posts: 48
Joined: 2.Aug.2005
From: MI, USA
Status: offline
Greetings All,

I've been operating for several years now without a problem. However recently I've been experiencing a problem with accessing our OWA. I've turned on monitoring and I can see why:

_______________________________
Denied Connection SERVBORDER 8/2/2008 12:27:01 PM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: [Enterprise] Default rule
Source: External ( 20*.19*.17*.2:13931)
Destination: Local Host ( 20*.19*.17*.14:443)
Protocol: HTTPS
User:
Additional Information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 20*.19*.17*.2
Client agent:
_____________________________

Tested with a laptop plugged into our External segment. Laptop had the 20*.19*.17*.2 address.

I've checked and re-checked my OWA rule, IP address and DNS and all appear to be correct but user requests for our OWA seem to be getting ignored when ISA processes the policies/rules. I have even disabled my original rule and created another one. I'm convinced that the OWA server isn't the problem since I can get to it when on the Private LAN. Furthermore, the message above leads me to believe that the policy isn't being processed since the rule that was hit was [Enterprise] Default (which is the last on my list) - almost like the external request has some nuance which disqualifies it from my OWA publishing rule.

Does anyone have any ideas on what I can try?

Thanks much
Darin
< Message edited by lcsgeek -- 2.Aug.2008 1:16:24 PM >

RE: 2003 OWA behind 2004 ISA - 2.Aug.2008 3:41:18 PM
Rotorblade
Posts: 1001
Joined: 27.Feb.2007
Status: offline
I know you mentioned that DNS was correct but does the incoming URL request FQDN host header match the one listed in the OWA publishing rule?

RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003

RE: 2003 OWA behind 2004 ISA - 2.Aug.2008 7:11:47 PM
lcsgeek
Posts: 48
Joined: 2.Aug.2005
From: MI, USA
Status: offline
Yes, it does.

One other note: I have a split DNS. On our private leg we access the OWA using its private IP and our private DNS resolves to that address. If I'm anywhere on the external leg I access the OWA using its external IP and our external DNS resolves to that address - by the way this IP has a defined listener object and that listener is assigned to my OWA rule. Then I have added a hosts file entry on the ISA box so that the ISA resolves the OWA to the private IP and can contact the actual resource. I hope that makes sense.

-d

p.s. I grew up in NW Ohio.
< Message edited by lcsgeek -- 2.Aug.2008 7:17:14 PM >

RE: 2003 OWA behind 2004 ISA - 4.Aug.2008 1:34:16 PM
Rotorblade
Posts: 1001
Joined: 27.Feb.2007
Status: offline
quote:
Then I have added a hosts file entry on the ISA box so that the ISA resolves the OWA to the private IP and can contact the actual resource.

Sounds like a DNS conflict issue. How is your ISA server configured for DNS? Does the FQDN for the OWA server resolve correctly from the ISA to its internal IP? Have you tried flushing the DNS cache? Are you disk caching requests? You might try disabling caching. Has anything been changed recently on the server to cause this issue? The only other thing that comes to mind is the RSS issue with Windows Server 2003 service pack 2.

quote:
p.s. I grew up in NW Ohio.

So are you a Bucks fan or a fan of the team up north?

Dave
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003

RE: 2003 OWA behind 2004 ISA - 4.Aug.2008 1:41:32 PM
lcsgeek
Posts: 48
Joined: 2.Aug.2005
From: MI, USA
Status: offline
I made serious changes to the network in June but this OWA thing has just cropped up. Yes the OWA name does resolve to the Internal IP and I have flushed DNS cache and caching on the ISA box is already disabled. The only thing I don't know about is the RSS issue that you speak of. I'll look into that. I don't think I'll ever be a U of M fan but it's been very difficult to remain loyal to the Bucks especially after their last two seasons - not being able to finish with a National Championship. Thanks for your assistance. This has been so weird in that it was working.

RE: 2003 OWA behind 2004 ISA - 4.Aug.2008 1:50:38 PM
lcsgeek
Posts: 48
Joined: 2.Aug.2005
From: MI, USA
Status: offline
Here is a new bit of info: when trying to access our website (which is on our Perimeter leg) from the ISA box I'm getting a 403 forbidden message. I have no configured proxy settings on the browser. Everything is pinging just fine.

RE: 2003 OWA behind 2004 ISA - 4.Aug.2008 2:26:59 PM
lcsgeek
Posts: 48
Joined: 2.Aug.2005
From: MI, USA
Status: offline
Confirmed: I can't access any websites on the "Perimeter" leg while browsing from the ISA box. I can go anywhere on the Internet except to my own webserver. I don't know if this is related as outside users can visit our website, they just can't get to the OWA.

RE: 2003 OWA behind 2004 ISA - 4.Aug.2008 6:20:56 PM
Rotorblade
Posts: 1001
Joined: 27.Feb.2007
Status: offline
quote:
Confirmed: I can't access any websites on the "Perimeter" leg while browsing from the ISA box.

Did it work before? Usually this is the norm, you need to add to the System policy allowed sites. ISA RSS issues are known to cause some weird behavior, but not sure in your case. What ISA Ver./SP level are you running?
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003

RE: 2003 OWA behind 2004 ISA - 4.Aug.2008 6:37:42 PM
Rotorblade
Posts: 1001
Joined: 27.Feb.2007
Status: offline
In your Web publishing rule; are you forwarding the "original host header" and are the requests configured to come from the “original client” or the “ISA server”?

RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003

RE: 2003 OWA behind 2004 ISA - 4.Aug.2008 8:56:07 PM
lcsgeek
Posts: 48
Joined: 2.Aug.2005
From: MI, USA
Status: offline
Hi Dave,

I've discovered the problem. My ISP requested that I set up a point-to-point IP on my external interface which isn't in the same IP subnet as my usual external address space. I can't understand why but all my web sites work except for the OWA with this new modification. I stumbled across an ISA alert in troubleshooting and found that the external interface had a route that wasn't able to be contacted via the bound IP address. So I deleted the "point-to-point" address and set my default gateway back to what it was and voila, I can access all my websites and the OWA.

I sense this must be frustrating thinking about someone else's problems only to be blindsided by something you never would have guessed. I apologize for consuming your time on an inconspicuous problem. I do appreciate your efforts and your time.

Blessings
Darin
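
Added example, not part of the original thread or either poster's configuration: a small Python check for the condition described in the post above, a route on an interface whose gateway is not on-link for any address bound to that interface. All addresses are constructed documentation-range values and the function names are hypothetical; it does not reproduce ISA's own alert logic.

```python
import ipaddress

# Constructed sample data (documentation ranges), not the poster's real addresses.
PUBLISHED = ["203.0.113.2/28", "203.0.113.14/28"]  # external addresses, incl. a listener IP
ORIGINAL_ROUTES = [("0.0.0.0/0", "203.0.113.1")]   # default gateway inside the published block
P2P_ROUTES = [("0.0.0.0/0", "198.51.100.1")]       # default gateway moved to the ISP link peer
P2P_ADDRESS = "198.51.100.2/30"                    # point-to-point address on the same NIC


def on_link_source(gateway, bound):
    """Return the bound address whose subnet contains the gateway, else None."""
    gw = ipaddress.ip_address(gateway)
    for iface in bound:
        # Skip other address families; our own address is not a usable next hop.
        if gw.version == iface.version and gw in iface.network and gw != iface.ip:
            return iface
    return None


def audit_interface(bound_addrs, routes):
    """Return (destination, gateway, on-link source or None) for each route."""
    bound = [ipaddress.ip_interface(a) for a in bound_addrs]
    findings = []
    for dest, gateway in routes:
        src = on_link_source(gateway, bound)
        findings.append((str(ipaddress.ip_network(dest)), gateway,
                         str(src.ip) if src else None))
    return findings


def unreachable(findings):
    """Routes whose gateway cannot be reached from any bound address."""
    return [f for f in findings if f[2] is None]


if __name__ == "__main__":
    for label, addrs, routes in [
        ("original", PUBLISHED, ORIGINAL_ROUTES),
        ("gateway moved, p2p address missing", PUBLISHED, P2P_ROUTES),
        ("gateway moved, p2p address bound", PUBLISHED + [P2P_ADDRESS], P2P_ROUTES),
    ]:
        result = audit_interface(addrs, routes)
        print(label, result, "UNREACHABLE" if unreachable(result) else "ok")
```

In the third case the gateway is on-link only through the point-to-point address, not through any address in the published block.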

RE: 2003 OWA behind 2004 ISA - 5.Aug.2008 8:52:03 AM
Rotorblade
Posts: 1001
Joined: 27.Feb.2007
Status: offline
Cool, glad you found the problem. I was beginning to suspect that when asking the question on how the requests are configured to come from in the publishing rule.

Hopefully the Bucks will get it done this year!

Cheers,
Dave
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003