Multiple weblisteners? - 21.May2008 10:32:12 AM
kingmb
Posts: 13
Joined: 21.May2008

Situation: ISA 2006 server (single adapter config, domain member). I have one web listener configured for OWA through port 443 and configured with a commercial certificate (webmail.mydom.nl). OWA is running well from internal and external through https://webmail.mydom.nl.

Now I want to publish a second secure website through ISA for the RDP Web Connection Service. I installed this service on a separate W2K3 member server in the same domain. The site is functioning fine from internal at this moment. Besides commercial certificates I also have my own CA, and I created a new certificate for the RDP Web Connection Service (TSWeb) which I have exported to PFX and imported on my ISA server. I created a second web listener for the TSWeb service (tsweb.mydom.nl) and now I want to create a new rule for it, but this doesn't work. An error appears that the rule cannot be created because it overlaps the same port and similar IP address of the OWA listener.

How can I publish my new secure site now? Can this be done with two web listeners, or must I use one, and if yes, how do I set this up, because I have two URLs to use:
https://owa.mydom.nl (commercial certificate registered on webmail.mydom.nl)
https://tsweb.mydom.nl (private certificate created through own CA for tsweb.mydom.nl)
Thanks!
RE: Multiple weblisteners? - 22.May2008 4:10:38 AM
kingmb
Posts: 13
Joined: 21.May2008

quote:
ORIGINAL: Jason Jones
Are you trying to use the same public IP address for both listeners? If so, you will need to use two different IPs.

My situation is as follows: [internet] -> [router/firewall] -> [ISA 2006 (single NIC)]. I have one public IP address; on my router/firewall I have port forwarding for 443 to my ISA server in the LAN (I don't have a DMZ). As mentioned, my ISA server has a single interface. So to answer your question: yes, I use the same IP address for both listeners. Would it be wise to add an extra NIC on my ISA? Thnx!
RE: Multiple weblisteners? - 23.May2008 1:48:13 PM
HePa
Posts: 135
Joined: 9.May2008
From: Sweden, Gothenburg

As Jason Jones said, add an extra external IP address to the NIC. You can have multiple IPs on one NIC.
_____________________________
HePa
RE: Multiple weblisteners? - 24.May2008 9:43:29 AM
kingmb
Posts: 13
Joined: 21.May2008

quote:
ORIGINAL: HePa
As Jason Jones said, add an extra external IP address to the NIC. You can have multiple IPs on one NIC.

Yeah, I know it is possible to have multiple IPs; I already tried that but without success. I can configure the web listener and the publishing rule, but when I browse to https://tsweb.mydom.nl I get a certificate error in IE: "Mismatch Address". When I check which certificate it is looking for, I see it is looking for the certificate webmail.mydom.nl instead of tsweb.mydom.nl. (As said earlier in my post, I also have an address webmail.mydom.nl with a commercial certificate.)

Further errors in the browser: Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

When I check my ISA logging I see that the request is coming in, but it doesn't reach the correct rule; instead it is giving a Denied Connection on the default rule for destination port 443. What am I missing here?
_____________________________
MBit Services www.mbit-services.nl | MCITP 2008 | MCSE NT4, 2000, 2003 | CCA 4.0
RE: Multiple weblisteners? - 25.May2008 12:38:13 PM
HePa
Posts: 135
Joined: 9.May2008
From: Sweden, Gothenburg

OK. I think you'll need two different web listeners, each configured with one of the certificates for the corresponding server which you are publishing. Can you try to set up one more web listener on another IP and attach the certificate that corresponds to the server you are about to publish?
_____________________________
HePa
RE: Multiple weblisteners? - 27.May2008 3:54:33 AM
HePa
Posts: 135
Joined: 9.May2008
From: Sweden, Gothenburg

Hehe, ok =) I don't know how I could miss that, sorry mate... definitely my bad!
_____________________________
HePa
RE: Multiple weblisteners? - 27.May2008 4:14:28 AM
HePa
Posts: 135
Joined: 9.May2008
From: Sweden, Gothenburg

Do you have any deny rule above the rule which you've created for the other site? I don't think you have, but it's always good to double-check things like that since you get a "Denied Connection". From which network are you testing access to the site? Internal or external?
< Message edited by HePa -- 27.May2008 4:18:52 AM >
_____________________________
HePa
RE: Multiple weblisteners? - 27.May2008 4:30:49 AM
kingmb
Posts: 13
Joined: 21.May2008

No deny rules are above, and I'm testing it from internal and external, same results...
_____________________________
MBit Services www.mbit-services.nl | MCITP 2008 | MCSE NT4, 2000, 2003 | CCA 4.0
RE: Multiple weblisteners? - 27.May2008 5:05:39 AM
HePa
Posts: 135
Joined: 9.May2008
From: Sweden, Gothenburg

And you are sure that this has nothing to do with name resolution (DNS), which you have verified with nslookup from the internal and external network? There are records registered in the internal DNS and the external DNS?
_____________________________
HePa
RE: Multiple weblisteners? - 27.May2008 5:17:32 AM
kingmb
Posts: 13
Joined: 21.May2008

Yeah, really sure about that. I did an nslookup from internal and external and also see that the requests are coming in on the ISA server. DNS from ISA to the LAN also works fine, else I couldn't use my webmail. So no DNS issue on this one... At the moment I cannot reach my environment because I'm somewhere else. When I can, I will look for more info and I will check my certificate again.
_____________________________
MBit Services www.mbit-services.nl | MCITP 2008 | MCSE NT4, 2000, 2003 | CCA 4.0
RE: Multiple weblisteners? - 28.May2008 8:18:28 AM
HePa
Posts: 135
Joined: 9.May2008
From: Sweden, Gothenburg

quote:
DNS from ISA to the LAN also works fine, else I couldn't use my webmail. So no DNS issue on this one...

Well, that's for sure of course... but it just hit me that it could have been a DNS issue; I heard about a problem like this before which ended up being a name resolution problem. I'm running out of suggestions now... that's not good, hehe. I'll get back when I have further ideas of what you can check out and possible issues which could cause the problem.
_____________________________
HePa
RE: Multiple weblisteners? - 28.May2008 8:36:06 AM
paulo.oliveira
Posts: 820
Joined: 3.Jan.2008
From: Amazonas, Brazil

Hi, you said you already set a second IP address on your NIC. Right, but when you created the rule (both), did you select the IP address to use or just check the box to use the External network? Regards.
RE: Multiple weblisteners? - 28.May2008 12:10:40 PM
kingmb
Posts: 13
Joined: 21.May2008

Hi Paulo, do you mean the selected network in the listener? If so, then the answer to your question is yes: I have selected the IP address instead of choosing "External Network". Within a unihomed ISA config (single NIC) the selection of External Network will not work, because all IP addresses are bound to the internal network. If you did not mean the listener, then please explain to me what you mean by choosing the IP address in the rule instead of the external network? Regards
_____________________________
MBit Services www.mbit-services.nl | MCITP 2008 | MCSE NT4, 2000, 2003 | CCA 4.0
RE: Multiple weblisteners? - 5.Jun.2008 8:40:42 AM
kingmb
Posts: 13
Joined: 21.May2008

Anyone else have some ideas? Thnx!
_____________________________
MBit Services www.mbit-services.nl | MCITP 2008 | MCSE NT4, 2000, 2003 | CCA 4.0
RE: Multiple weblisteners? - 5.Jun.2008 9:00:38 AM
Jason Jones
Posts: 2140
Joined: 30.Jul.2002
From: United Kingdom

Hi,

If you only have a single public IP address that is port forwarded on 443 to ISA, then this is never going to work. You will need two public IP addresses which each forward to unique IP addresses assigned on the ISA external interface. You will need two IP addresses on the ISA external interface, as one address cannot host two port 443 listeners. You can then assign each IP address to the appropriate listener, which will prevent your SSL name mismatch. Traffic flow would therefore be like this:

Public IP1 for webmail => External IP1 on ISA => webmail listener
Public IP2 for tsweb => External IP2 on ISA => tsweb listener

Public IP1 DNS = webmail.mydom.nl
Public IP2 DNS = tsweb.mydom.nl

The only other option is to publish tsweb using a path as opposed to a new domain name, e.g. http://webmail.mydom.nl/tsweb. You can then configure the tsweb publishing rule to use the same listener but look for a different path. This rule can then publish the tsweb internal server as opposed to the Exchange server.

Hope this helps...

Cheers
JJ
_____________________________
Jason Jones (MVP), Silversands Limited, http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/
Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
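The two options in the post above, worked through as an added example (not code from the thread, and not ISA's own code): a small Python model of how ISA 2006 picks a web listener, which certificate the browser therefore sees, and which publishing rule then fires. The model encodes two facts the thread turns on: a listener is chosen by destination IP and port alone (ISA 2006 has no SNI, so the hostname is not seen until after the TLS handshake), and two listeners cannot share an IP:port. All IPs (203.0.113.x), internal server names (exch01, ts01), listener and rule names are made up for the example.

```python
"""Added model of listener selection on ISA 2006 (illustration only; not the
thread's or ISA's code).  All IPs, hostnames, listener and rule names are
made up for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Listener:
    name: str
    ip: str                          # external IP the listener is bound to
    port: int                        # 443 for an SSL listener
    cert_names: Tuple[str, ...]      # CN / SAN names on the bound certificate


@dataclass(frozen=True)
class Rule:
    name: str
    listener: str                    # listener the rule is attached to
    public_hosts: Tuple[str, ...]    # public names the rule accepts
    path_prefix: str                 # "/" = whole site, "/tsweb/" = one path (ends with "/")
    internal_url: str                # forwarding target, ends with "/"


def listener_conflicts(listeners: List[Listener]) -> List[Tuple[str, str]]:
    """The console error from the thread: one IP:port backs only one listener."""
    seen: Dict[Tuple[str, int], str] = {}
    clashes = []
    for lst in listeners:
        key = (lst.ip, lst.port)
        if key in seen:
            clashes.append((seen[key], lst.name))
        else:
            seen[key] = lst.name
    return clashes


def hostname_matches(cert_names, host: str) -> bool:
    """Browser-style name check (RFC 6125): exact match, or a wildcard that is
    the leftmost label only and covers exactly one label."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]):
            label = host[:-len(name[1:])]        # the part the '*' has to cover
            if label and "." not in label:
                return True
    return False


def pick_listener(url_host: str, port: int, dns: Dict[str, str],
                  listeners: List[Listener]) -> Tuple[Optional[Listener], str]:
    """ISA 2006 chooses the listener by destination IP and port alone: no SNI,
    so the hostname plays no part until after the TLS handshake."""
    ip = dns.get(url_host)
    if ip is None:
        return None, "dns: no record for " + url_host
    for lst in listeners:
        if lst.ip == ip and lst.port == port:
            return lst, "ok"
    return None, "no listener bound to %s:%d" % (ip, port)


def route(url_host: str, path: str, port: int, dns: Dict[str, str],
          listeners: List[Listener], rules: List[Rule]) -> Tuple[Optional[str], str]:
    """One request: DNS -> listener -> certificate name check -> rule by public
    name and path.  Returns (certificate warning or None, outcome)."""
    listener, why = pick_listener(url_host, port, dns, listeners)
    if listener is None:
        return None, why
    warning = None
    if not hostname_matches(listener.cert_names, url_host):
        warning = "cert mismatch: %s presents %s" % (listener.name, ", ".join(listener.cert_names))
    hits = [r for r in rules if r.listener == listener.name
            and url_host.lower() in r.public_hosts and path.startswith(r.path_prefix)]
    if not hits:   # nothing on this listener claims the host/path, so the default rule denies
        return warning, "denied by default rule (no rule on %s accepts %s%s)" % (listener.name, url_host, path)
    best = max(hits, key=lambda r: len(r.path_prefix))   # most specific path wins
    return warning, best.internal_url + path[len(best.path_prefix):]


# Made-up addresses and names for the two options discussed above.
OWA = Listener("OWA-Listener", "203.0.113.10", 443, ("webmail.mydom.nl",))
TSWEB = Listener("TSWeb-Listener", "203.0.113.11", 443, ("tsweb.mydom.nl",))
OWA_RULE = Rule("Publish OWA", "OWA-Listener", ("webmail.mydom.nl",), "/", "https://exch01.mydom.local/")
TSWEB_RULE = Rule("Publish TSWeb", "TSWeb-Listener", ("tsweb.mydom.nl",), "/", "http://ts01.mydom.local/")
TSWEB_PATH_RULE = Rule("Publish TSWeb by path", "OWA-Listener", ("webmail.mydom.nl",),
                       "/tsweb/", "http://ts01.mydom.local/tsweb/")
ONE_IP = {"webmail.mydom.nl": "203.0.113.10", "tsweb.mydom.nl": "203.0.113.10"}
TWO_IPS = {"webmail.mydom.nl": "203.0.113.10", "tsweb.mydom.nl": "203.0.113.11"}


def as_posted():        # single public IP: tsweb lands on the OWA listener
    return route("tsweb.mydom.nl", "/tsweb/default.htm", 443, ONE_IP, [OWA], [OWA_RULE])


def with_second_ip():   # option 1: second external IP and listener with the tsweb cert
    return route("tsweb.mydom.nl", "/tsweb/default.htm", 443, TWO_IPS, [OWA, TSWEB], [OWA_RULE, TSWEB_RULE])


def by_path():          # option 2: same listener and cert, path-based rule for tsweb
    return route("webmail.mydom.nl", "/tsweb/default.htm", 443, ONE_IP, [OWA], [OWA_RULE, TSWEB_PATH_RULE])
```

`as_posted()` reproduces both symptoms from the thread in order: the browser's address mismatch (the OWA listener's certificate is presented because that is the only listener on that IP:443), and then, if the warning is clicked through, a denial by the default rule because no rule on that listener accepts the tsweb hostname. `with_second_ip()` and `by_path()` both return a clean forward to the tsweb server. The live equivalent of the first step is `openssl s_client -connect <external-ip>:443`, which prints the one certificate every name resolving to that IP will be shown.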
RE: Multiple weblisteners? - 6.Jun.2008 3:58:39 AM
kingmb
Posts: 13
Joined: 21.May2008

Hi Jason, I tried to complete the action and created a new rule which forwards requests coming in for https://webmail.mydom.nl/tsweb to the internal site of tsweb (e.g. http://servername/tsweb). I used the same listener as my webmail, as you described. When I browse to the public name https://webmail.mydom.nl/tsweb I get the same login screen as webmail; this is logical, because this is the ISA login (form-based auth) which comes with ISA. When trying to log on with AD credentials it does not work, also logical I think, because I don't use integrated authentication on IIS where the TSWeb is running. Is there a way not to get this login screen? Probably not, because the login is set through the listener? Thnx!
< Message edited by kingmb -- 6.Jun.2008 4:17:04 AM >
_____________________________
MBit Services www.mbit-services.nl | MCITP 2008 | MCSE NT4, 2000, 2003 | CCA 4.0