I have searched the forums for clues and have used Dr. Tom's articles on the same subject in vain. I have OWA 2003 on SSL working fine in our production single ISA 2004 config, BUT I'm building a back-to-back ISA 2006 configuration and have been unable to successfully publish the same OWA 2003 on SSL site. The front end is NOT a member of the domain. The back end is. The Exchange server is on the internal network behind the back end.
On the front end: I'm using HTML form based authentication with basic authentication on the listener and basic authentication as the Authentication Delegation within the rule.
On the back end: I'm using basic authentication within the listener and basic authentication as the Authentication Delegation on the rule itself on the back end.
I receive the OWA form when I first access the site but receive a "this server requires authentication" error after I attempt to log in.
I assumed that the request and the user credentials would be forwarded to the back end but looking at the ISA logs, the request never even makes it to the back end.
SSL and name resolution aren't the issue. I can publish an SSL web site that sits on the same server as the Exchange server using the same certificate and URL. I enabled basic authentication on the same site as a test and this worked as well.
I'm stumped. What am I missing? I've been battling this for several days now and am about to give up.
On the front end ISA Firewall, create SSL Server Publishing Rules to publish the Web listeners on the back end ISA Firewall. You don't want to use Web Publishing Rules on the front end since the FE is not a domain member. Of course, the back end must be a domain member for security and functionality reasons, but mostly for security.
Thanks for the reply Tom. It's a commercial SSL from Verisign. I have the same SSL certificate installed on FE, BE and Exchange Server. Would I still need the SSL Server publishing rule? Not sure I understand because it's trusted across the board.
The key here is that you don't want the FE ISA Firewall to do reverse Web Proxy, you just want it to do stateful packet inspection. The SSL connection from the external client will terminate on the BE ISA Firewall.
HTH, Tom
I know this is the solution to my problem as well, but how do you do that, Tom? I know my FE ISA is doing reverse Web Proxy because the connection hits the BE ISA and gets rejected in the logs as a reverse web proxy connection (status 12232, specified URL denied, etc.). So HOW DO I MAKE THE FE ISA JUST DO STATEFUL PACKET INSPECTION? Thank you.