• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Discussion of Publishing OWA 2003 article

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 General] >> General >> Discussion of Publishing OWA 2003 article Page: [1] 2 3 4 5   next >   >>
Login
Message << Older Topic   Newer Topic >>
Discussion of Publishing OWA 2003 article - 8.Jul.2003 2:21:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the publishing OWA 2003 articles. Part 1 is at http://www.msexchange.org/tutorials/pubowa2003part1.html.

HTH,
Tom

[ July 08, 2003, 03:46 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion of Publishing OWA 2003 article - 11.Jul.2003 12:11:00 AM   
rkorzuch

 

Posts: 15
Joined: 6.May2003
From: San Diego, CA
Status: offline
I have done Parts 1 and 2 and I am anxiously awaiting part three. I also need some help trying to configure RPC over HTTP on Exchange 2003 with ISA Server 2000. I am currently using RPC publishing in Feature Pack 1 to publish the exchange server but sometimes firewalls have port 135 blocked so the RPC plushing doesn't work. Hopefully RPC over HTTP will solve this issue.

(in reply to tshinder)
Post #: 2
RE: Discussion of Publishing OWA 2003 article - 11.Jul.2003 4:20:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rob,

I wasted a day this week trying to figure it out. I suspect the problem is that you need to hard code the RPC ports. I did get it to work with a Web Publishing rule with a /rpc* for the path along with the /exchange*, /public* and /exchweb* paths. The problem was that it was extraordinarily slow. It may have been a problem with my scenario, because I co-located the Exchange Server with a DC, and the docs say that you need to use a FE/BE config for it to work. I'll try that next week and report my finding for Exchange RPC over HTTP when I get a definitive finding.

Thanks!
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion of Publishing OWA 2003 article - 14.Jul.2003 8:25:00 PM   
BryantFong

 

Posts: 23
Joined: 2.Feb.2002
Status: offline
Hi Tom,

I was wondering why you need to enable the Basic authenticate on the ISA box? Is this only for Ecxhange 2003? On Exchange 2000 I don't recall that being necessary. By turning that on, all request for that IP are prompted for authentication.

Best Regards,

Bryant Fong

(in reply to tshinder)
Post #: 4
RE: Discussion of Publishing OWA 2003 article - 14.Jul.2003 8:37:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bryant,

If you carry out all the procedures as described in parts 1 through 5, you will *not* be asked to authenticate twice. And, you'll allow the ISA Server firewall to forward the authentication request to the OWA site, so unauthenticated users never get near the OWA Web server. Very secure, and very cool! [Big Grin]

HTH,
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion of Publishing OWA 2003 article - 14.Jul.2003 8:45:00 PM   
BryantFong

 

Posts: 23
Joined: 2.Feb.2002
Status: offline
Hi Tom,

I don't recall where OWA asks for authentication twice?

Through it maybe secure, won't ISA prompt for authentication even if you just host another web site on the same IP?

Bryant Fong

(in reply to tshinder)
Post #: 6
RE: Discussion of Publishing OWA 2003 article - 14.Jul.2003 10:55:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bryant,

You need to enable basic auth to provide delegation of basic authentication credentials and to provide the widest availability to clients that do not support integrated authentication (such as Netscape and some versions IE related to bugs).

HTH,
Tom

(in reply to tshinder)
Post #: 7
RE: Discussion of Publishing OWA 2003 article - 16.Jul.2003 6:07:00 AM   
jazzman42379

 

Posts: 7
Joined: 16.Jul.2003
Status: offline
Hey Tom,

I've gone through all 5 of the articles as described and it works great! Although I ran into a snag when trying to customize a bit of it. I have another Exchange 2003 server running, and I have it set so that users just need to type in their username, not domain\username. I was under the impression that the basic authentication along with the default domain let them do this. So I tried to do the same on the installation following the article.

Come to find out an odd occurance...the security settings on the exchange directories had changed! Under Directory Security->Authentication and Access Control, on /exchange and /public, the default domain had changed to just "/". Under the /exchweb, the domain was the same as I set it per the article, but anonymous access was turned back on! So I went through and set them all back to how they should be, and now I get a "440 Login Timeout" error when I try to access the page. Never even get to the login.

I did turn on the nice login screen in the System Manager for Exchange, as I have it on the other server.

Also, when you set the directory permissions for the /exchweb folder, it asks if you want those to also apply to /bin and /bin/auth. Do those get the same permissions?

Thanks in advance, and good job with the articles!
John Clayton

(in reply to tshinder)
Post #: 8
RE: Discussion of Publishing OWA 2003 article - 16.Jul.2003 7:14:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi John,

Thanks for the compliments on the articles. I'll have to go back and see if I mentioned that Exchange likes to go back and change the authentication settings you set on the folders when you restart the server or the services. This was a problem with Exchange 2000 as well, and I know I mentioned it in ISA Server and Beyond regarding Exchange 2000. I go back and look at the articles and make sure I make a note of this "permissions reset" problem. Thanks!

I recall having the same problem with the so-called "forms based" authentication. I'm not sure I resolved that issue. I'll hopefully be doing a comprehensive ISA Server 2000/Exchange Deployment Kit with the same large scope that the VPN Deployment Kit has and I'll have some access to the Exchange team to answer questions like this. I suspect its related to the cookie the forms auth uses or caching. It'll take some troubleshooting, but I'm sure I'll be able to cipher it out. For the time being, I'm not using the forms based auth, just the traditional stuff.

I allow the basic permissions to be used on all folders in the inheritance list and required SSL on all of them too. The philosophy being that both internal and external users that access OWA should be using SSL. In a future article I'll discuss scenarios using client certificate authentication and two-factor authentication using tools like the very cool Authenex AOne product (www.authenex.com).

Thanks!
Tom

(in reply to tshinder)
Post #: 9
RE: Discussion of Publishing OWA 2003 article - 17.Jul.2003 12:21:00 AM   
michal2000

 

Posts: 1
Joined: 21.Feb.2003
From: San Diego, CA
Status: offline
Hello Tom:

We met briefly at TechEd. 2003, ( My company ran the Internet CafT Kiosks, and I asked you about the IPSEC VPNs for NORTEL. Thanks again for the 'threads' by the way.)

I followed your 5 chapter dissertation on installation of ISA on Windows 2003 for Exchange OWA 2003. In part 5, there is a check box in the web publishing rule that states ˘allow delegation of basic authentication credentials÷ that does not appear on my server.


Can you explain to me how to be able to enforce that, or should I consider reinstalling from scratch. The original ISA was installed on a Win 2000 enterprise server and upgraded with 2003. I also installed the HotFix for 2003 and FP1 (SP1 was already on the machine.)

Thank you,


Michael Allen

(in reply to tshinder)
Post #: 10
RE: Discussion of Publishing OWA 2003 article - 17.Jul.2003 1:01:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Michael,

Yes, I remember you well! I hope you're wearing those threads in fine fashion [Wink]

The delegation option appears after installing Feature Pack 1. You may need to restart the console, or the server. I don't recall needing to restart the server, but I do always close the ISA Management console before installing the feature pack.

One thing worth checking is whether basic authentication is enabled on the Incoming Web Requests listener.

HTH,
Tom

(in reply to tshinder)
Post #: 11
RE: Discussion of Publishing OWA 2003 article - 17.Jul.2003 10:43:00 PM   
PonchoHobono

 

Posts: 41
Joined: 22.Jan.2002
Status: offline
I went through all five steps and i gotta say it worked liked a charm. I was surprised as I usually have to go back and tweak things a little. I do have one thing to add. How can you set it up so that the user just types in mail.domain.com in the address bar and get redirected to https://mail.domain.com/exchange ?

Poncho

(in reply to tshinder)
Post #: 12
RE: Discussion of Publishing OWA 2003 article - 17.Jul.2003 11:30:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Poncho,

Thanks! Good to hear that you got it working. I'm hoping that we'll be able to put an entire ISA/Exchange Secure remote email access Kit together in the next month or so.

Jason Jones has some good recs for you regarding making things simpler for your users:

Jason Jones
Senior Member
Member # 8026

Member Rated:
posted June 11, 2003 06:46 PM
--------------------------------------------------------------------------------
Two ways simple ways...

Non-ASP:

Place a default.htm file in the web root with the following text in it (without dashes):

--------

<**html>

<**head>
<meta http-equiv="Refresh" content="0; url=Exchange/;">
</head>

</html>

-------------

P.S. Remove the **'s from above text as I couldn't post without adding these...

-OR-

ASP:

Place a default.asp file in the web root with the following text in it (without dashes):

-----------

<% Response.Redirect "/Exchange/" %>

HTH,
Tom

(in reply to tshinder)
Post #: 13
RE: Discussion of Publishing OWA 2003 article - 18.Jul.2003 12:21:00 AM   
murph123

 

Posts: 8
Joined: 10.Jan.2003
Status: offline
Hi Tom, thanks for this great article. I have followed parts 1-5 and checked everthing twice. I am able to login securly but everytime I do all it says is Loading... in the inbox. I am not able to view messages in my inbox. All the graphics and frames show up fine.

One thing to note, that when i use http://10.10.1.5/exchange (my internal server ip) everthing works ok. I DO NOT get the loading... text. I can see all the messages in the inbox.

Any ideas on what I could be my problem?

Thank you for all your help!, Sotty for double post!

Murph

(in reply to tshinder)
Post #: 14
RE: Discussion of Publishing OWA 2003 article - 18.Jul.2003 12:34:00 AM   
SanMan

 

Posts: 50
Joined: 23.Feb.2001
From: ZA
Status: offline
Hi Tom,

Made any progress on RPC over HTTP ?
I dont have a RPC share on my E2K3 site is this normal ?
Thkz
SanMan

(in reply to tshinder)
Post #: 15
RE: Discussion of Publishing OWA 2003 article - 18.Jul.2003 12:38:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by murph123:
Hi Tom, thanks for this great article. I have followed parts 1-5 and checked everthing twice. I am able to login securly but everytime I do all it says is Loading... in the inbox. I am not able to view messages in my inbox. All the graphics and frames show up fine.

One thing to note, that when i use http://10.10.1.5/exchange (my internal server ip) everthing works ok. I DO NOT get the loading... text. I can see all the messages in the inbox.

Any ideas on what I could be my problem?

Thank you for all your help!, Sotty for double post!

Murph

Hi Murph,

Make sure you're testing from an EXTERNAL network host.

Also, the Destination Set in the Web Publishing Rules must use FQDNs, never, EVER IP addresses.

HTH,
Tom

(in reply to tshinder)
Post #: 16
RE: Discussion of Publishing OWA 2003 article - 18.Jul.2003 12:39:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by SanMan:
Hi Tom,

Made any progress on RPC over HTTP ?
I dont have a RPC share on my E2K3 site is this normal ?
Thkz
SanMan

Hi SanMan,

I was going to work on that yesterday, but something came up and ate that time. I'll try to figure it out this weekend.

You need to install the RPC over HTTP protocol from the Add/Remove Programs applet in the Control Panel.

HTH,
Tom

(in reply to tshinder)
Post #: 17
RE: Discussion of Publishing OWA 2003 article - 18.Jul.2003 6:08:00 AM   
jazzman42379

 

Posts: 7
Joined: 16.Jul.2003
Status: offline
quote:
Originally posted by tshinder:

Two ways simple ways...

Non-ASP:

Place a default.htm file in the web root with the following text in it (without dashes):

--------

<**html>

<**head>
<meta http-equiv="Refresh" content="0; url=Exchange/;">
</head>

</html>

-------------

P.S. Remove the **'s from above text as I couldn't post without adding these...

-OR-

ASP:

Place a default.asp file in the web root with the following text in it (without dashes):

-----------

<% Response.Redirect "/Exchange/" %>

HTH,
Tom

Tom,

Thanks for the response earlier. I did have a question regarding this response of yours.

I've seen in many places how to do the redirection with a web page, such as the ASP sample. I've found it also works by making another web site under IIS, and simply setting the home directory to something else. For instance I can run only 1 certificate, as I only have 1 IP. So anything I run secure is at secure.mydomain. I want easy access, so that webmail.mydomain forwards to secure.mydomain/exchange. This works well so far (except IE takes forever to claim that the certificate is self-signed).

I was wondering 2 things about the page redirection. Is there any benefit of using an ASP page to redirect as opposed to setting IIS to redirect? And is there any way to have ISA send the redirection? As I understand it, one of the benefits of using ISA publishing is that, like in the article, ISA authenticates and can reject bad traffic before it even gets to the E2k3 box. If so, could ISA redirect them without having to get to the E2k machine to keep that secure?

Thanks again,
John Clayton

(in reply to tshinder)
Post #: 18
RE: Discussion of Publishing OWA 2003 article - 18.Jul.2003 6:55:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi John,

Perhaps there are other methods. But I'm sort of a hard a**. If the users can't remember to type /exchange/ at the end, I figure they're just playing games with me. They're able to get out of bed in the morning, take bread out of a bag and actually put it in a toaster, push the lever down, and take it out when its done. Then they take a knife out of the drawer, push it through a slab of butter, and then move that slab on the knife over hot bread.

Are you telling me that if someone can make toast and butter it, that they can't type /exchange/ in the path? [Smile]

That always provides context and allows me to get back to some real work.

HTH,
Tom

[ July 18, 2003, 06:56 AM: Message edited by: tshinder ]

(in reply to tshinder)
Post #: 19
RE: Discussion of Publishing OWA 2003 article - 18.Jul.2003 6:57:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by jazzman42379:
quote:
Originally posted by tshinder:

Two ways simple ways...

Non-ASP:

Place a default.htm file in the web root with the following text in it (without dashes):

--------

<**html>

<**head>
<meta http-equiv="Refresh" content="0; url=Exchange/;">
</head>

</html>

-------------

P.S. Remove the **'s from above text as I couldn't post without adding these...

-OR-

ASP:

Place a default.asp file in the web root with the following text in it (without dashes):

-----------

<% Response.Redirect "/Exchange/" %>

HTH,
Tom

Tom,

Thanks for the response earlier. I did have a question regarding this response of yours.

I've seen in many places how to do the redirection with a web page, such as the ASP sample. I've found it also works by making another web site under IIS, and simply setting the home directory to something else. For instance I can run only 1 certificate, as I only have 1 IP. So anything I run secure is at secure.mydomain. I want easy access, so that webmail.mydomain forwards to secure.mydomain/exchange. This works well so far (except IE takes forever to claim that the certificate is self-signed).

I was wondering 2 things about the page redirection. Is there any benefit of using an ASP page to redirect as opposed to setting IIS to redirect? And is there any way to have ISA send the redirection? As I understand it, one of the benefits of using ISA publishing is that, like in the article, ISA authenticates and can reject bad traffic before it even gets to the E2k3 box. If so, could ISA redirect them without having to get to the E2k machine to keep that secure?

Thanks again,
John Clayton

Hi John,

Jim Harrison is a kinder soul than I, and he has some cool redirect pages over at www.isatools.org

HTH,
Tom

(in reply to tshinder)
Post #: 20

Page:   [1] 2 3 4 5   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 General] >> General >> Discussion of Publishing OWA 2003 article Page: [1] 2 3 4 5   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts