Setting Up OMA using second ip address

Setting Up OMA using second ip address - 16.Oct.2007 11:08:03 AM   
peruvious

 

I am trying to sort out OMA. We are currently using FBA with OWA. So I read Dr. Shinder's notes and bound another IP address to the external interface. Set up a Web Listener specifying the IP address I have just bound, and I am using the same certificate that was set up for OWA, but still having no luck. Below are some details of the Publishing rule and Listener.
 
Mail Publishing Rule:
General:  Mobile Services.
Action: Allow.
From: Anywhere.
To: owa.domainname
Traffic: HTTPS.
Listener: Mobile Services.
Public Name: owa.domainname
Paths: /Microsoft Server-Active-Sync
           /OMA/*
 
Listener
HC Exchange Mobile Services.
Networks: External
Preferences: Enable SSL 443
Certificate: owa.domainname
Post #: 1
RE: Setting Up OMA using second ip address - 16.Oct.2007 12:46:52 PM   
Rotorblade

 

Hi,

Is your OWA publishing rule using the same FQDN URL header path as the OMA rule? If so, try moving the OMA rule above the OWA rule to see if it works. You’re going to need a different FQDN URL in the OMA rule (and a new certificate) so ISA can distinguish between the two rules. If not, it’s going to go to what rule is listed first in order.

Secondly, you can use only one certificate per listener. If the certificate is bound to the first listener and IP then it can’t be used on the second. Since you are using FBA, using a wildcard certificate is not going to be an option. You will need a second certificate. 

HTH
RB

(in reply to peruvious)
Post #: 2
RE: Setting Up OMA using second ip address - 17.Oct.2007 5:43:29 AM   
peruvious

 

Thanks for the reply Rotorblade, I am confused regarding the certificate. Where do I install the second certificate? The one for OWA is apparently on the Default Website in IIS (I am not the guy who set OWA up). Can 2 certificates be installed within the Default Website? Can you explain please where I need to install the second certificate?

(in reply to Rotorblade)
Post #: 3
RE: Setting Up OMA using second ip address - 17.Oct.2007 12:28:01 PM   
Rotorblade

 

Publishing FBA, ActiveSync and OMA to one web server is going to be a challenge using ISA 2004. From your reply it also sounds as if you need to configure ISA properly to publish using SSL. When web publishing in ISA 2004 using SSL, you can have only 1 certificate bound to 1 IP per web listener. The certificate on the IIS server must be exported and then imported to the ISA properly. Secondly, DNS support is crucial to allow for the common name on the certificates to match up with the FQDN and the published web server when accessed internally and externally and it’s best if you’re configured using a “split DNS” infrastructure.

With your issue, you did not say if you were using an FE Exchange server. If you are, then it’s possible to configure and publish OWA using FBA and also publish OMA and ActiveSync through ISA. There are several articles that I have listed below that might help resolve your problem. Not using FBA may be a better option in your case.

HTH

RB

http://isaserver.org/tutorials/Enabling-ISA-Firewall-Forms-based-Authentication-OWA-Connections-Internal-External-Clients-Part1.html

http://isaserver.org/tutorials/Enabling-ISA-Firewall-Forms-based-Authentication-FBA-OWA-Connections-Internal-External-Clients-Part2.html
 
http://www.petri.co.il/problems_with_forms_based_authentication_and_ssl_in_activesync.htm

http://www.microsoft.com/technet/isa/2004/plan/firewall-exchange2003.mspx

http://www.microsoft.com/technet/isa/2004/plan/tscerts.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;837834
http://www.microsoft.com/technet/isa/2004/plan/digitalcertificates.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;837354
http://www.msexchange.org/articles/owa2003pub3.html
http://isaserver.org/tutorials/pubowa2003part4.html
 http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html

(in reply to peruvious)
Post #: 4
RE: Setting Up OMA using second ip address - 5.Nov.2007 8:45:36 AM   
peruvious

 

In Reply to your previous post Rotorblade:
"Is your OWA publishing rule using the same FQDN URL header path as the OMA rule? If so, try moving the OMA rule above the OWA rule to see if it works. You're going to need a different FQDN URL in the OMA rule (and a new certificate) so ISA can distinguish between the two rules. If not, it's going to go to what rule is listed first in order.
Secondly, you can use only one certificate per listener. If the certificate is bound to the first listener and IP then it can't be used on the second. Since you are using FBA, using a wildcard certificate is not going to be an option. You will need a second certificate."
  

If I request another certificate, this setup I have done will work? At present we are using owa.contoso.com as our OWA address, which works fine. I have set up another web publishing rule to use oma.contoso.com BUT the Listener is using the OWA cert. But our certificate is not a wildcard cert and is on the Default web site in IIS, which means we cannot request another cert. So it's my understanding that if we delete the OWA cert and request x1 wildcard (*.contoso.com) cert and another cert for oma.contoso.com the setup will work? Would I need a third cert for owa.contoso.com?

(in reply to Rotorblade)
Post #: 5
RE: Setting Up OMA using second ip address - 13.Nov.2007 12:34:55 PM   
peruvious

 

Ok, I have applied a second IP address to the external interface and requested another certificate. I have made a web publishing rule for OMA and created another Listener, and I am using the OMA certificate on the second Listener and also using the second IP address, but when I try to browse to https://oma.contoso.com I receive the error below.

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

Any suggestions anyone??

(in reply to peruvious)
Post #: 6
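
Added example (not part of any post in this thread, and not ISA Server code): a simplified Python model of the ordered, first-match rule selection described in the replies above, which also shows a request that matches no published path falling through to a deny like the 403 (12202) in the last post. The IP addresses, the OWA paths, the `/*` path in the shared scenario and the `evaluate` helper are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

DENY = "DENY 403 (12202)"  # what the client sees when no rule allows the URL


@dataclass
class Rule:
    name: str
    listener_ip: str   # IP address the rule's web listener is bound to
    public_name: str   # host name the rule answers for
    paths: tuple       # published paths; "*" is a wildcard


def evaluate(rules, dst_ip, host, path):
    """Return the first rule whose listener, public name and path all match."""
    for rule in rules:  # rules are checked top to bottom; first match wins
        if rule.listener_ip != dst_ip:
            continue
        if rule.public_name.lower() != host.lower():
            continue
        if any(fnmatchcase(path.lower(), p.lower()) for p in rule.paths):
            return rule.name
    return DENY


# Constructed addresses (documentation range), one per listener.
OWA_IP, OMA_IP = "192.0.2.10", "192.0.2.11"

# Layout from the last post: separate IP, listener and public name per rule.
split = [
    Rule("OWA", OWA_IP, "owa.contoso.com", ("/exchange/*", "/exchweb/*", "/public/*")),
    Rule("Mobile Services", OMA_IP, "oma.contoso.com", ("/OMA/*",)),
]

# Layout from the first post: both rules answer for the same public name on
# one listener. The "/*" path is assumed here to make the overlap visible.
shared = [
    Rule("OWA", OWA_IP, "owa.contoso.com", ("/*",)),
    Rule("Mobile Services", OWA_IP, "owa.contoso.com", ("/OMA/*",)),
]

if __name__ == "__main__":
    print(evaluate(split, OMA_IP, "oma.contoso.com", "/"))       # no path matches
    print(evaluate(split, OMA_IP, "oma.contoso.com", "/OMA/"))   # OMA rule matches
    print(evaluate(shared, OWA_IP, "owa.contoso.com", "/OMA/"))  # OWA rule shadows OMA
    print(evaluate(shared[::-1], OWA_IP, "owa.contoso.com", "/OMA/"))
```

In this model a request for the bare host (`/`) matches neither published path and is denied, while the same host with `/OMA/` is allowed; comparing the requested URL against the rule's public name and path list is the first check to make when a publishing rule returns 12202.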
