
Welcome to ISAserver.org


Back to Back ISA 2006 and OWA 2003 Issue

Back to Back ISA 2006 and OWA 2003 Issue - 6.Aug.2007 6:39:36 PM   
WebiFied

 

Posts: 12
Joined: 6.Aug.2007
Status: offline
Hey all,
 
I have searched the forums for clues and have used Dr. Tom's articles on the same subject in vain.  I have OWA 2003 on SSL working fine in our production single ISA 2004 config BUT
 
I'm building a back to back ISA 2006 configuration and have been unable to successfully publish the same OWA 2003 on SSL site.  The front end is NOT a member of the domain.  The back end is.  The Exchange server is on the internal network behind the back end.
 
On the front end:  I'm using HTML form based authentication with basic authentication on the listener and basic authentication as the Authentication Delegation within the rule. 
 
On the back end:  I'm using basic authentication within the listener and basic authentication as the Authentication Delegation on the rule itself on the back end. 
 
I receive the OWA form when I first access the site but receive a "this server requires authentication" error after I attempt to log in.
 
I assumed that the request and the user credentials would be forwarded to the back end but looking at the ISA logs, the request never even makes it to the back end.
 
SSL and name resolution aren't the issue.  I can publish an SSL web site that sits on the same server as the Exchange server using the same certificate and URL.  I enabled basic authentication on the same site as a test and this worked as well.
 
I'm stumped.  What am I missing?  I've been battling this for several days now and am about to give up.
 
Thanks in advance.
Post #: 1
RE: Back to Back ISA 2006 and OWA 2003 Issue - 6.Aug.2007 8:07:23 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
On the front end ISA Firewall, create SSL Server Publishing Rules to publish the Web listeners on the back end ISA Firewall. You don't want them to use Web Publishing Rules on the front-end since the FE is not a domain member. Of course, the back end must be a domain member for security and functionality, but mostly for security, reasons.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to WebiFied)
Post #: 2
RE: Back to Back ISA 2006 and OWA 2003 Issue - 6.Aug.2007 8:24:44 PM   
WebiFied

 

Posts: 12
Joined: 6.Aug.2007
Status: offline
Thanks for the reply Tom.  It's a commercial SSL from Verisign.  I have the same SSL certificate installed on FE, BE and Exchange Server.  Would I still need the SSL Server publishing rule?  Not sure I understand because it's trusted across the board.

(in reply to tshinder)
Post #: 3
RE: Back to Back ISA 2006 and OWA 2003 Issue - 7.Aug.2007 12:20:30 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The key here is that you don't want the FE ISA Firewall to do reverse Web Proxy, you just want it to do stateful packet inspection. The SSL connection from the external client will terminate on the BE ISA Firewall.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to WebiFied)
Post #: 4
RE: Back to Back ISA 2006 and OWA 2003 Issue - 7.Aug.2007 3:58:12 PM   
WebiFied

 

Posts: 12
Joined: 6.Aug.2007
Status: offline
Thanks Tom.  You are DA MAN!!!  That worked like a champ.  It would have never occurred to me to do that.

Thanks again.

(in reply to tshinder)
Post #: 5
RE: Back to Back ISA 2006 and OWA 2003 Issue - 8.Aug.2007 10:57:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Web,

You bet! That's how I do it on my networks.

Good to hear you got things working and thanks for the follow up!

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to WebiFied)
Post #: 6
RE: Back to Back ISA 2006 and OWA 2003 Issue - 20.Sep.2011 7:53:23 PM   
schmidlap

 

Posts: 13
Joined: 8.Jul.2010
Status: offline
The key here is that you don't want the FE ISA Firewall to do reverse Web Proxy, you just want it to do stateful packet inspection. The SSL connection from the external client will terminate on the BE ISA Firewall.

HTH,
Tom

I know this is the solution to my problem as well, but how do you do that, Tom? I know my FE ISA is doing reverse Web Proxy because the connection hits the BE ISA and gets rejected in the logs as a reverse web proxy connection status 12232 specified URL denied, etc. So HOW DO I MAKE THE FE ISA JUST DO STATEFUL PACKET INSPECTION? Thank you.

(in reply to tshinder)
Post #: 7
