Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Publishing OWA FBA and OMA using ISA 2004

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 General ] >> Exchange Publishing >> Publishing OWA FBA and OMA using ISA 2004 Page: [1]
Login
Message << Older Topic   Newer Topic >>
Publishing OWA FBA and OMA using ISA 2004 - 23.Aug.2006 2:53:36 AM   
gbeckett

 

Posts: 2
Joined: 23.Aug.2006
From: Australia
Status: offline 		I am aware of the problems of publishing both FBA and Basic authentication with a single IP address and Web Listener so we have purchased a second IP address to bind to the external interface of the firewall.  What I am looking for is an article or step by step advise on how to go about binding the address and publishing OMA and ActiveSync on a second Web Listener.  This is a production environment and OWA FBA is already published and working and I do not want to screw that up hence the request for advise.  I read an excellent article, ISA Server 2004: Supporting Both Basic and Forms-Based Authentication with a Single External IP Address and Web Listener (v1.1) by Thomas Shinder but the warning that went along with the article was enough for the powers that be to decline on going forward with that method.

Thanks in advance
Post #: 1
RE: Publishing OWA FBA and OMA using ISA 2004 - 28.Aug.2006 4:05:04 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi G,

Create a second Web listener and bind the second certificate to that listener, make sure the listener is using basic authentication and is delegating basic credentails. Of course, the ISA firewall will be a domain member so that you can auth the user.

Make sure that both listeners are listening on a specific IP addresses, and that a different FQDN is assigned to each IP address.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to gbeckett)
Post #: 2
RE: Publishing OWA FBA and OMA using ISA 2004 - 30.Aug.2006 3:54:48 AM   
gbeckett

 

Posts: 2
Joined: 23.Aug.2006
From: Australia
Status: offline 		Hi Tom

Thanks for your response, apologies for the delay in my response.  I have a good idea how this should be done but I guess my biggest worry is adding the additional address to the external NIC.  Will this have a ramification to the rules that are already configured within ISA?  I cannot afford for this to go wrong!

Regards

(in reply to tshinder)
Post #: 3
RE: Publishing OWA FBA and OMA using ISA 2004 - 31.Aug.2006 1:53:36 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi G,

I don't know what other rules you have, so I can't say for sure

Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to gbeckett)
Post #: 4
RE: Publishing OWA FBA and OMA using ISA 2004 - 6.Dec.2007 7:38:55 PM   
subtitling

 

Posts: 16
Joined: 19.Sep.2005
Status: offline 		Hi Mr Shinder,

Are there any step by step guides, or other, using two IPs on one NIC?

I have an ISA 2004 publishing OWA FBA for our Exchange 2003 which is on the trusted interface (local LAN).  I need to publish OMA.  I have spare IPs I can use, but I don't understand how to create and bind in the way you suggest below.

We have a certificate from Startcom called webmail.ourdomain.com.  Do I need to get another certificate for the OMA listener, e.g. webmail2.ourdomain.com?

Our ISA server is the sole firewall, so it has only one external NIC.


Many thanks

Karl

quote:

ORIGINAL: tshinder

Hi G,

Create a second Web listener and bind the second certificate to that listener, make sure the listener is using basic authentication and is delegating basic credentails. Of course, the ISA firewall will be a domain member so that you can auth the user.

Make sure that both listeners are listening on a specific IP addresses, and that a different FQDN is assigned to each IP address.

HTH,
Tom

(in reply to tshinder)
Post #: 5
RE: Publishing OWA FBA and OMA using ISA 2004 - 7.Dec.2007 10:53:56 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline 		NO INTERFACE IS TRUSTED! That is a core security feature of the ISA Firewall.

You can add a second IP address to the external interface of the ISA Firewall, so that you can bind the second certificate to that. It's in the Advanced TCP/IP configuration.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to subtitling)
Post #: 6
RE: Publishing OWA FBA and OMA using ISA 2004 - 7.Dec.2007 11:41:35 AM   
subtitling

 

Posts: 16
Joined: 19.Sep.2005
Status: offline
quote:

ORIGINAL: tshinder

NO INTERFACE IS TRUSTED! That is a core security feature of the ISA Firewall.
Thank you for your swift reply.  'Trusted' is a figure of speech to describe the interface where the local users are, viz, the Exchange is a part of the Internal network.  'Trusted' is a phrase Watchguard used, much like Microsoft use 'Internal'.
quote:

You can add a second IP address to the external interface of the ISA Firewall, so that you can bind the second certificate to that. It's in the Advanced TCP/IP configuration.  HTH, Tom
If for the mean time I switched all access, OWA and OMA to Basic, would this decrease the security of the connections?  Like I said, ISA 2004 is 'Front Ending' the Exchange 2003 and is our sole 'External' defence device.

Many thanks

Karl

< Message edited by subtitling -- 7.Dec.2007 11:42:41 AM >

(in reply to tshinder)
Post #: 7
RE: Publishing OWA FBA and OMA using ISA 2004 - 9.Dec.2007 11:36:33 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Karl,

As long as you're using SSL to SSL bridging, there are no negative security issues with using Basic authentication.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to subtitling)
Post #: 8
RE: Publishing OWA FBA and OMA using ISA 2004 - 11.Dec.2007 4:23:28 PM   
subtitling

 

Posts: 16
Joined: 19.Sep.2005
Status: offline 		Hmm...

I feel myself getting out of my depth... looks like I'm going to have to step back to step forward!

I don't have a local CA, which is another probem as I am weak on that topic, i.e. never configured a CA server before and we don't have Windows 2003 Server Enterprise Edition, only Standard!  We've used free Certs from Startcom up to now.

The example called "ISA Server 2004 Supporting Both Basic and Forms-based Authentication with a Single External IP Address and Web Listener" uses Private addresses on the external Interface, I presume Public addresses would also be OK?

The Domian name in our email address (which is also the External FQDN of our OWA server) is different to the AD Domain name and I'm not sure if that is going to be an issue or not.

Using OWA with Basic seems to have broken the ability to go straight to the OWA server.  We now have to type the /exchange path in the URL to get it to work.  I've actually put a refresh HTML page in the root of the Inetpub which gets round this issue for the moment.

...and I thought this was going to be straight forward.  This is the first time our ISA2004/Exchange 2003 setup has caused me greef!


What I don't understand is that I have a sister site that is using OWA and OMA on the same rule with FBA - no problem - hows' that work I don't know!

< Message edited by subtitling -- 11.Dec.2007 4:25:06 PM >

(in reply to tshinder)
Post #: 9
RE: Publishing OWA FBA and OMA using ISA 2004 - 13.Dec.2007 9:20:06 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline 		OWA FBA and OMA, ActiveSync work with the same listener and IP address when using ISA 2006, because it falls back to basic. ISA 2004 doesn't do this.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to subtitling)
Post #: 10

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 General ] >> Exchange Publishing >> Publishing OWA FBA and OMA using ISA 2004 Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts