Welcome to ISAserver.org

Single Exchange Server 2003 OWA with ISA

Single Exchange Server 2003 OWA with ISA - 17.Sep.2007 6:35:06 PM   
heytak

 

I got 1 ISA 2004 box, 1 Exchange box 2004, 1 Windows Server 2003 DC. They are all in a testing environment.

What happens is that when I try to publish OWA on the ISA box for outside access, I have to enable OWA in the web listener and disable the option "enable form based authentication" in Exchange server, System Manager, virtual server, HTTP, since I don't have FE & BE infrastructure. I was trying to find info about why I have to DISABLE the form based authentication in this kind of setup. Does anybody know why?

So, if internal users type https://mailserver/exchange, they will get a prompt for authentication instead of the form based authentication login page???

Mm... so if internal users must see the form based login page, they must type https://mail.abc.com/exchange. But this means that the internal users go out to the internet and get back to the ISA server for mail access... mmm... a loop back like that??

Mm... on the DC, I also created a standard zone for the external DNS zone. The DC now has 2 primary zones: 1 is the internal Active Directory integrated zone nba.local, 1 is just a standard primary zone called abc.com with an A record for the Exchange box. Then on the ISA server, I created a stub zone for this standard primary zone abc.com. I see people modify the host file, but is creating another primary zone better than a host file?

I'm trying to see how people set up in this kind of environment.

I need some more details in this kind of testing environment. =) I'm learning a lot about Exchange server and ISA server. Thanks to msexchange.org. Articles and forum here are so helpful.

Thanks
Post #: 1
RE: Single Exchange Server 2003 OWA with ISA - 18.Sep.2007 3:17:03 PM   
Rotorblade

 

quote:


What happens is that when I try to publish OWA on the ISA box for outside access, I have to enable OWA in the web listener and disable the option "enable form based authentication" in Exchange server, System Manager, virtual server, HTTP, since I don't have FE & BE infrastructure. I was trying to find info about why I have to DISABLE the form based authentication in this kind of setup. Does anybody know why?



Welcome to the FBA dilemma!

Well it’s not going to work if you don’t. If you are publishing OWA through ISA using FBA, ISA’s FBA filter on the ISA is going to generate the form and pre-authenticate the user. After a successful authentication the client’s request will be forwarded to the BE OWA site. If FBA is enabled on the BE, requests will fail.

If you have not already, please read the articles below, which detail and offer a solution for the FBA dilemmas you typically encounter when publishing using FBA:

http://isaserver.org/tutorials/Enabling-ISA-Firewall-Forms-based-Authentication-OWA-Connections-Internal-External-Clients-Part1.html

http://isaserver.org/tutorials/Enabling-ISA-Firewall-Forms-based-Authentication-FBA-OWA-Connections-Internal-External-Clients-Part2.html

Personally, using a “Split DNS” and publishing OWA utilizing an FE server makes your work a whole lot easier!

HTH

RB  

(in reply to heytak)
Post #: 2
RE: Single Exchange Server 2003 OWA with ISA - 18.Sep.2007 4:23:04 PM   
heytak

 

quote:

Personally, using a “Split DNS” and publishing OWA utilizing an FE server makes your work a whole lot easier!


Thank you for your response. I really appreciate it, and it is very informative.

Regarding the split DNS, as you understand, my testing environment consists of only 3 servers in a single subnet: "Internet - ISA - switch - DC & Exchange".
The DC's AD zone is called abc.local. ISA has a DNS cache server. All testing servers are on 10.10.10.0 with 255.255.255.240.
Right now, what I have done is create a standard primary zone on the DC and a stub zone on ISA. Is this extra primary zone named xyz.com called "split DNS"? Will this cause any name resolution problem for internal users?

quote:

  Welcome to the FBA dilemma!
Well it’s not going to work if you don’t. If you are publishing OWA through ISA using FBA, ISA’s FBA filter on the ISA is going to generate the form and pre-authenticate the user. After a successful authentication the client’s request will be forwarded to the BE OWA site. If FBA is enabled on the BE, requests will fail.


Regarding this FBA issue, now I understand that once I have OWA enabled on the ISA box, the FBA on ESM has to be disabled. This is so confusing. Microsoft makes things difficult.

However, a member from msexchange.org replied to me that I could use "Basic Authentication" on the ISA box. Therefore, by using basic authentication on ISA, the FBA can function with ESM for both external and internal users. Could you please confirm this? BTW, I will test this out since it is easier than the tutorials you have mentioned, because I am not able to get it to work at all.

Anyway, thank you for your post. I now pretty much understand the concept between ISA and Exchange.

Thank you.

(in reply to Rotorblade)
Post #: 3
RE: Single Exchange Server 2003 OWA with ISA - 18.Sep.2007 9:07:27 PM   
Rotorblade

 

quote:


Right now, what I have done is create a standard primary zone on the DC and a stub zone on ISA. Is this extra primary zone named xyz.com called "split DNS"? Will this cause any name resolution problem for internal users?


The answer would depend on whether both your internal and external domain names are the same. If yes, then "Split DNS" will work. Either way, with your situation, you need to support name resolution by either host file or DNS and set up your internal clients for direct access. As far as internal users experiencing issues with your external domain, just make sure that your DNS supports any lookups for externally hosted resources.
This article should help:
http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html

quote:


However, a member from msexchange.org replied to me that I could use "Basic Authentication" on the ISA box. Therefore, by using basic authentication on ISA, the FBA can function with ESM for both external and internal users. Could you please confirm this?


As opposed to using FBA and not using an FE server? Or would they possibly be referring to this article?

http://www.isaserver.org/tutorials/2004pubowamobile.html

RB


(in reply to heytak)
Post #: 4
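Added example, not part of the thread and not code from any poster: a small Python check an admin could run from an internal client to see whether the published OWA name resolves inside the LAN (split DNS or host file in effect) or only to the public address (the "loop back" case). The subnet and the name mail.abc.com come from the thread; the two addresses in the sample views and all function names are assumptions made up for illustration.

```python
import ipaddress
import socket

# Internal subnet as given in the thread: 10.10.10.0 with 255.255.255.240.
INTERNAL_NET = ipaddress.ip_network("10.10.10.0/255.255.255.240")

# Constructed sample views of what two differently configured clients see.
# 10.10.10.2 and 203.0.113.10 are made-up addresses, not values from the thread.
SPLIT_DNS_VIEW = {"mail.abc.com": ["10.10.10.2"]}
PUBLIC_ONLY_VIEW = {"mail.abc.com": ["203.0.113.10"]}


def system_resolver(name):
    """Resolve name through the OS resolver (host file and DNS), IPv4 only."""
    try:
        infos = socket.getaddrinfo(name, 443, family=socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def view_resolver(view):
    """Build a resolver over a constructed name -> addresses table."""
    return lambda name: view.get(name, [])


def classify_owa_name(name, resolver=system_resolver, internal_net=INTERNAL_NET):
    """Report where an internal client is sent for the published OWA name.

    "internal"   -> every answer is inside the internal subnet
    "loopback"   -> every answer is outside it, so the client leaves the LAN
                    and comes back in through the external listener
    "mixed"      -> both kinds of answer; the result depends on record order
    "unresolved" -> no answer; the zone record or host file entry is missing
    """
    addrs = [ipaddress.ip_address(a) for a in resolver(name)]
    if not addrs:
        return "unresolved"
    inside = [a in internal_net for a in addrs]
    if all(inside):
        return "internal"
    if not any(inside):
        return "loopback"
    return "mixed"


if __name__ == "__main__":
    for label, view in (("split DNS", SPLIT_DNS_VIEW), ("public only", PUBLIC_ONLY_VIEW)):
        print(label, "->", classify_owa_name("mail.abc.com", view_resolver(view)))
```

Calling classify_owa_name("mail.abc.com") with no resolver argument uses the machine's real resolver, so the same check covers both the host file and the extra primary zone approach.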
RE: Single Exchange Server 2003 OWA with ISA - 19.Sep.2007 2:04:33 AM   
heytak

 

quote:

If you have not already, please read the articles below, which detail and offer a solution for the FBA dilemmas you typically encounter when publishing using FBA:
http://isaserver.org/tutorials/Enabling-ISA-Firewall-Forms-based-Authentication-FBA-OWA-Connections-Internal-External-Clients-Part2.html


Hi Rotorblade:

Thank you again for your response. I really appreciate it.

I overlooked that article before. But after I tested it again and again, it worked the way it does. I am sorry that I overlooked it before and informed you of the wrong result.

Mm... now, both external and internal users will see the FBA from the ISA box. However, my testing ISA box is a Pentium III 933 MHz with only 512 MB and a SATA150 80 GB hard disk (this is a desktop box with a new SATA 150 controller card in it, and the RAM is already maxed out). Will it slow it down? Because now this box is doing the external PLUS internal authentication and internet traffic, whereas the Exchange was doing only authentications.

Should I upgrade this box or should it be sufficient?

Thank you again. 

(in reply to Rotorblade)
Post #: 5
