Hi, all. We are running the following:
- ISA 2006 SP1 on Windows 2003
- Exchange 2007 (Client Access) on Windows 2008
- split DNS
- SAN cert with the following subject alternative names:
  - CAservername
  - CAservername.company.com (internal DNS/FQDN)
  - owa.company.us (external DNS entry for OWA) ** this is the primary SAN
FBA is disabled on the CA server.
I have published OWA as per the TechNet article.
From an external machine, I go to https://owa.company.us/exchange, and I get the login page. When I put in domain\username and pass, it thinks for a bit, then brings me back to the login page.
Internal to the network, I can also access OWA properly as it works on the ISA server. Using "https://owa.company.us/exchange" takes me out to the public interface on the ISA server, so I get the ISA-secured FBA login page.
Looking in the logs on the ISA server, this is the only hit on the OWA publishing rule that I see:
Denied Connection
Log type: Web Proxy (Reverse)
Status: 12232 The server denied the specified Uniform Resource Locator (URL)
Rule: Outlook Web Access
Request: GET http://owa.company.us/exchange
Protocol: https
User: anonymous
If you look at the referenced rule, you can see that /exchange/* is explicitly allowed. Any ideas?
I think I have narrowed down the problem a bit. Since OWA is working from the ISA server (connecting to the FQDN of the CA server via a hosts entry, which matches a line in the SAN cert), and you can get to the OWA login page externally, it seems that this might be a bridging issue....
Hey dude, I am having the EXACT same problem with ISA 2006/Exchange 2003. Trying to publish OWA sitting behind a back-to-back ISA 2006 firewall DMZ. Did you ever get past this? I want to use the ISA form instead of the OWA one, so I disabled FBA on the Exchange server and use HTML form authentication on the back-end ISA. I enter my credentials on that page and it just goes right back to that logon page.