Strange problem with SSL Bridging
Strange problem with SSL Bridging - 20.Aug.2008 10:19:34 AM
vuvur
Posts: 11
Joined: 3.Feb.2006
From: Germany
Status: offline
Hi everybody, due to having 2 publishing rules for OWA (Exchange 2003 SP2), I need to configure an additional port for the listener, so I listen for the main Webmail on 443 and for another one (say owatest) on 4343 (SSL). Then the traffic is forwarded to internal port 443 (on the internal FE server), on the Bridging tab of the rule. To make it easier for clients to log on, they need to enter only owatest/exchange, without entering the port, and the change is applied by some networking equipment.

The configuration works to some extent: clients receive the logon screen, can enter their credentials (RSA SecurID) and are forwarded to the internal site. But then they receive an error message "SSL Port forbidden". When I check the URL field, I see

https://owatest:4343/exchweb/bin/auth/owalogon.asp?url=https://owatest:4343/exchange&reason=0

If I manually delete the port number in the string, I receive the FBA logon screen, as it should be... There is no place where the port number appears explicitly, only in the Listener settings. What could it be? How could I solve the problem?

BTW, the Webmail site / rule, which is configured the same way / publishes the same server, but listens on 443, is working fine.
< Message edited by vuvur -- 20.Aug.2008 10:25:43 AM >
RE: Strange problem with SSL Bridging - 21.Aug.2008 10:02:22 AM
Rotorblade
Posts: 963
Joined: 27.Feb.2007
Status: offline
quote:
Hi everybody, due to having 2 publishing rules for OWA (Exchange 2003 SP2), I need to configure an additional port for the listener, so I listen for the main Webmail on 443 and for another one (say owatest) on 4343 (SSL).

Well, to start off, running ISA 2004 you don't need to add an additional port; you need to add an additional Web listener with a different IP that is bound to a different SSL certificate. If it would work the way you're trying to go about it, you would need to extend the tunnel port range for port 4343 in ISA first.

quote:
BTW, the Webmail site / rule, which is configured the same way / publishes the same server, but listens on 443, is working fine.

Not real clear, but are both the pub rules going to the same server? If they are going to the same server, you have a bit more work to do getting Exchange to cooperate with what you are trying to do. Sounds like you're using different authentication methods as well, further adding to the complexity.

HTH
RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003
RE: Strange problem with SSL Bridging - 21.Aug.2008 12:12:45 PM
vuvur
Posts: 11
Joined: 3.Feb.2006
From: Germany
Status: offline
quote:
running ISA 2004 you don't need to add an additional port; you need to add an additional Web listener with a different IP that is bound to a different SSL certificate

Well, sure, I need to use a listener on a different socket, so the IP or the port number must be different. Using a different IP looks more complex to me, since I'm using a routing table. Currently I cannot imagine what changes I should apply to the routing table to make some replies to external users go to one external net, and some to another. So I decided to use a different port number. The SSL certificate doesn't bring anything in the sense of the rule's creation.

quote:
you would need to extend the tunnel port range for port 4343 in ISA first.

I think it could be useful when I would use tunneling, but I'm using bridging. Nevertheless, I tried it yesterday. No good...

quote:
Not real clear but are both the pub rules going to the same server? If they are going to the same server, you have a bit more work to do getting exchange to cooperate with what you are trying to do.

Yes, they are going to the same server. It was mentioned that IIS of the Exchange FE server is listening on 443 for HTTPS connections, so I enabled bridging on the ISA rule to forward external traffic from 4343 to 443.

quote:
Sounds like you're using different authentication methods as well further adding to the complexity.

It is already (since last year) history, thanks to the http://www.isaserver.org/tutorials/2004pubowamobile.html article. But I managed to make it work not for FBA and Basic, but for RSA SecurID and Basic. It was somewhat different and more difficult. I think this problem is not solved even with ISA 2006... ;)

BTW, I've made this crazy config work! Port 4343 should be opened to the internal network, it should also be added to the IIS SSL settings, bridging should be set to 4343 (4343->4343), and in the "To:" tab you should configure NOT to use the original header. A minor problem that I currently have is that I receive an additional logon screen from IIS... there should be 2 (SecurID and FBA), but I have 3 (SecurID, Basic, FBA).

So I currently have Webmail, OWATest and Windows Mobile living together and pointing to the same Exchange server. All live. If somebody has any idea or advice on making it more beautiful, I would be very thankful.
RE: Strange problem with SSL Bridging - 21.Aug.2008 4:45:12 PM
Rotorblade
Posts: 963
Joined: 27.Feb.2007
Status: offline
quote:
Well, sure I need to use a listener on different socket, so IP or port number must be different. Using different IP looks for me more complex, since I'm using a routing table. Currently I cannot imagine, what changes should I apply to the routing table making some replies to external users go to one external net, and some - to another. So I decided to use different port number. SSL certificate doesn't bring anything in the sense of rule's creation.

Routing table? Sounds rather complex; try DNS, it makes life easier. Good luck.
RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003
RE: Strange problem with SSL Bridging - 22.Aug.2008 4:41:29 AM
vuvur
Posts: 11
Joined: 3.Feb.2006
From: Germany
Status: offline
DNS wouldn't be enough, I think ;). Internal servers are in the 10.xxx.xxx.xxx network. One leg of the ISA server is in the 149.xxx.xxx.xxx network, the second one in the 159.xxx.xxx.xxx network. The Internet IP address is in the 155.xxx.xxx.xxx network. And a pair of level 4 load balancers in between 155.x and 159.x... If I add an additional 159.x address, I will make routing impossible, I think.