Welcome to ISAserver.org
OWA on Single NIC: Error 403
OWA on Single NIC: Error 403 - 31.Jul.2008 10:25:51 AM
nick3young
Posts: 22
Joined: 5.Dec.2005
Status: offline
Hi All, I feel so close....! Here are the facts:

- I've created the OWA web publishing rule (as per Mr Schinder's brilliant guide)
- I've created the 'listener' and successfully imported the SSL certificate from our Exchange server. The listener listens using 'Internal' on its internal IP address.
- I've disabled 'forms based authentication' on the Exchange Server
- I've given the ISA server an internal IP address which our ISP has mapped a public IP and DNS name to ('mail.domain.org'). This IP was previously assigned to our Exchange server for direct OWA
- I've modified the Hosts file on the ISA server to map 'mail.domain.org' to our Exchange server's internal IP. Typing 'https://mail.domain.org' in the browser of our ISA server successfully opens OWA

Now, when I type 'https://mail.domain.org' into an external browser, I get the following error:

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL).

I enabled logging on the ISA server and it appears to be showing the default rule (deny all) blocking access when I try and connect. The OWA rule obviously comes before this so I don't see why this is the case. I'm guessing using the single NIC setup isn't helping me. Can this one be solved? I'll be very grateful for any replies....

Thanks
Nick
RE: OWA on Single NIC: Error 403 - 31.Jul.2008 6:29:01 PM
Jason Jones
Posts: 2152
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
You also need to include the /exchange element for Exchange 2003 or /owa for Exchange 2007 after the domain name in the address bar. ISA limits the paths by default so you have to be specific. e.g. 'https://mail.domain.com/exchange' or 'https://email.domain.com/owa' depending on your Exchange version.

The best way to get around this requirement is to create a redirect rule which automatically amends the URL to include the correct path. There is an article on the site for how to configure this if you search for OWA redirection.

Cheers
JJ
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
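
An added illustration, not part of the post above and not ISA Server code: a simplified Python model of the behaviour described there, where a publishing rule matches only the paths it lists, so a request for the bare host name falls through to the default deny rule (403) until a redirect rule for `/` is placed ahead of it. The `Rule` class, the `evaluate` helper, the rule names and the exact path patterns are assumptions made for the example.

```python
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class Rule:
    name: str
    host: str          # public name the rule is published for
    paths: tuple       # allowed paths; a trailing "*" means prefix match
    action: str        # "allow" or "redirect"
    target: str = ""   # path to redirect to when action == "redirect"


def path_matches(pattern, path):
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def evaluate(rules, url):
    """Return (status, rule name, redirect location); first match wins."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Collapse dot-segments so "/exchange/../x" cannot pass the prefix test.
    path = posixpath.normpath(unquote(parts.path) or "/")
    for rule in rules:
        if host != rule.host.lower():
            continue
        if any(path_matches(p, path) for p in rule.paths):
            if rule.action == "redirect":
                return 302, rule.name, f"https://{host}{rule.target}"
            # 200 stands in for "forwarded to the published server".
            return 200, rule.name, None
    # Nothing matched: the request lands on the final deny-all rule.
    return 403, "Default rule", None


# Constructed rule set for the thread's host name (Exchange 2003 path).
OWA = Rule("OWA", "mail.domain.org", ("/exchange", "/exchange/*"), "allow")
REDIRECT = Rule("OWA redirect", "mail.domain.org", ("/",), "redirect", "/exchange")

if __name__ == "__main__":
    for rules in ([OWA], [REDIRECT, OWA]):
        for url in ("https://mail.domain.org/", "https://mail.domain.org/exchange"):
            print([r.name for r in rules], url, evaluate(rules, url))
```
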
RE: OWA on Single NIC: Error 403 - 1.Aug.2008 4:22:27 AM
nick3young
Posts: 22
Joined: 5.Dec.2005
Status: offline
Thanks for the reply Jason. Adding 'exchange' to the URL gives me a 408 timed out error.
RE: OWA on Single NIC: Error 403 - 1.Aug.2008 6:49:23 AM
Jason Jones
Posts: 2152
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Sounds like ISA cannot connect to the Exchange server or something else is wrong with your publishing rule. Can you provide more detail on the rule? Did you use the wizard to create the rule? Thanks JJ
RE: OWA on Single NIC: Error 403 - 2.Aug.2008 10:29:56 AM
gbarnas
Posts: 147
Joined: 27.Apr.2005
From: New Jersey
Status: offline
Is this publishing method supported in ISA single-NIC (hork) mode? I've always avoided this mode, so can't speak from experience, but something's got my neck hairs tingling. ;) Glenn
RE: OWA on Single NIC: Error 403 - 2.Aug.2008 7:39:13 PM
Jason Jones
Posts: 2152
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:
ORIGINAL: gbarnas
Is this publishing method supported in ISA single-NIC (hork) mode? I've always avoided this mode, so can't speak from experience, but something's got my neck hairs tingling. ;) Glenn

Yeah, you can web publish in single NIC mode...just not server publish...
RE: OWA on Single NIC: Error 403 - 4.Aug.2008 4:06:27 AM
nick3young
Posts: 22
Joined: 5.Dec.2005
Status: offline
Hi Guys, Yep, I used the wizard. Here are some more details about the rule:

- Applies to only HTTPS traffic
- Applies to 'All Users'
- Applies to traffic FROM 'Anywhere'
- Applies to traffic TO 'mail.domain.org'
- Listening from a new listener I created (OWA Listener)

Listener:

- Listening on 'Internal' (server's internal IP address)
- Enabled SSL only (port 443) and imported certificate
- Authentication used is 'Forms Based' only

Thanks again
Nick
RE: OWA on Single NIC: Error 403 - 4.Aug.2008 4:18:10 AM
Jason Jones
Posts: 2152
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
408 is an unusual error and appears to point to web server overloading as discussed here: http://www.checkupdown.com/status/E408.html I assume OWA is working fine internally if you bypass ISA? Is the Exchange FBA feature still enabled? Are you running ISA 2006 SP1? If so, can you try using the "Test Rule" button on the web publishing rule and report back the results... Cheers JJ
RE: OWA on Single NIC: Error 403 - 4.Aug.2008 7:42:48 AM
nick3young
Posts: 22
Joined: 5.Dec.2005
Status: offline
Yep, OWA is working fine. I might be being extremely stupid here, but I can't find a 'test rule' button (I'm running SP3)! I've even Googled it and not managed to find it! It's not just ISA 2006 which provides this feature is it? Also, does it matter that SSL is enabled on the actual OWA server? Thanks
RE: OWA on Single NIC: Error 403 - 4.Aug.2008 9:18:55 AM
nick3young
Posts: 22
Joined: 5.Dec.2005
Status: offline
Just a bit more information: I've tried accessing OWA whilst running the monitor on ISA and it generated this error:

Failed Connection Attempt ISASERVER 04/08/2008 13:46:16
Log type: Web Proxy (Reverse)
Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Rule: OWA
Source: External ( XX.XX.XX.XX:0)
Destination: ( YY.YY.YY.YY:8443)
Request: GET https://mail.domain.org/exchange
Filter information: Req ID: 0608096d
Protocol: https
User: anonymous

Before it generated this error though, 5 successful connections were reported, the strangest one being this one:

Initiated Connection ISASERVER 04/08/2008 13:45:57
Log type: Firewall service
Status: The operation completed successfully.
Rule: Allow DNS from ISA Server to selected servers
Source: Local Host ( XX.XX.XX.XX:1026)
Destination: Internal ( YY.YY.YY.YY:53)
Protocol: DNS

The YY IP address is our internal DNS server. Why does it need to go there when it is using the local host file to resolve the name of our OWA server?
RE: OWA on Single NIC: Error 403 - 4.Aug.2008 6:59:35 PM
Jason Jones
Posts: 2152
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Is mail.domain.org definitely in your hosts file? Are there any typos? Has the file been saved as hosts.txt? What do you get if you type "ping mail.domain.org" from a command prompt on ISA? I noticed your bridging destination is 8443 - is this correct? What address do internal users type to get to OWA? Cheers JJ
RE: OWA on Single NIC: Error 403 - 5.Aug.2008 3:58:10 AM
nick3young
Posts: 22
Joined: 5.Dec.2005
Status: offline
Yep, if I ping 'mail.domain.org' from the ISA server, it is looking at the correct IP. Also, I'm not sure about that port 8443. In the 'bridging' tab on ISA, I have specified 443 as the port. I haven't specified a certificate here though (I have on the listener); should I have done? Cheers
RE: OWA on Single NIC: Error 403 - 5.Aug.2008 7:36:14 AM
Jason Jones
Posts: 2152
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:
ORIGINAL: nick3young
Yep, if I ping 'mail.domain.org' from the ISA server, it is looking at the correct IP. Also, I'm not sure about that port 8443. In the 'bridging' tab on ISA, I have specified 443 as the port. I haven't specified a certificate here though (I have on the listener); should I have done? Cheers

No, that is fine. The logs showing 8443 is a bit weird though... The "test rule" is an ISA2006 SP1 feature, sorry didn't spot the ISA 2004 reference. Can you browse to OWA from IE on the actual ISA Server itself - you may need to add an access rule to allow this (or maybe not depending on your setup). Cheers JJ
RE: OWA on Single NIC: Error 403 - 7.Aug.2008 4:15:53 AM
nick3young
Posts: 22
Joined: 5.Dec.2005
Status: offline
Yep, I can access OWA fine from the ISA server. Very strange isn't it? I'm now starting to think about switching to the 'Edge Firewall' template with a 2nd network card; I wonder if that will make a difference....