Welcome to ISAserver.org

The ISA Server denies the specified URL

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 General ] >> Exchange Publishing >> The ISA Server denies the specified URL

Page: [1]

Message

<< Older Topic Newer Topic >>

The ISA Server denies the specified URL - 15.Jun.2005 12:25:00 PM

techuser

Posts: 70
Joined: 11.Jan.2005
Status: offline

Hi, I've been trying to setup a CA Server to use OWA web site with SSL.
I think I've done all the steps to accomplish this (inclusive, I bought Tom Shinder's book Configuring ISA Server 2004) but when I finally want to reach my owa site it says :

Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

Technical Information (for support personnel)
ò Error Code: 502 Proxy Error. The ISA Server denies the specified Uniform
Resource Locator (URL). (12202)

ò IP Address: 200.x.x.x
ò Date: 5/31/2005 8:10:49 PM
ò Server: isaserver.domain.com
ò Source: proxy

For the whole explanation on the steps I followed, this is the link:
http://forums.msexchange.org/ultimatebb.cgi?ubb=get_topic;f=17;t=001694#000024

Can anyone out there help me with this please?

Tom Shinder? I'd appreciate you helping me here.

Best Regards,

Marcelo.

Post #: 1

Featured Links*

RE: The ISA Server denies the specified URL - 15.Jun.2005 9:55:00 PM

tshinder

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Marcelo,

Did you configure System Policy to allow CRL checking?

Thanks!
Tom

(in reply to techuser)

Post #: 2

RE: The ISA Server denies the specified URL - 16.Jun.2005 8:20:00 AM

techuser

Posts: 70
Joined: 11.Jan.2005
Status: offline

No I didn't. How am I suppoused to do that?

Thanks Tom,

Marcelo.

(in reply to techuser)

Post #: 3

RE: The ISA Server denies the specified URL - 16.Jun.2005 10:08:00 AM

techuser

Posts: 70
Joined: 11.Jan.2005
Status: offline

Hi Tom, I've enabled CLR checking.

This is the way I did it:

1) I went to System Policy Editor
2) Authentication Services
3) Enabled CRL Download
4) At "TO" Tab I added CA Server (10.0.x.x)

Still this isn't working. Same as the beggining.

I just don't know what else to do.

Hope you can help me to figure this out,

Marcelo.

[ June 16, 2005, 02:04 PM: Message edited by: techuser ]

(in reply to techuser)

Post #: 4

RE: The ISA Server denies the specified URL - 16.Jun.2005 11:09:00 AM

RuiFiske

Posts: 92
Joined: 8.Dec.2004
From: London
Status: offline

Hi Marcelo,

This error message is often to do with ISA not being able to resolve the IP address of the target server from the FQDN. Can you view the OWA site from ISA Server itself?

If problems are Certificate Related, the commonest error is "The certificate is revoked". This is usually due to CRL checking failures. When you start seeing that, then you know you're on the right track.
[Wink]

It is advisable, when setting up OWA, to ensure that it all works without certificates first, before throwing them into the mix. Try that first. If you want more help on this, you are going to need to post a bit more information about your configuration.

Good luck!

(in reply to techuser)

Post #: 5

RE: The ISA Server denies the specified URL - 16.Jun.2005 11:56:00 AM

techuser

Posts: 70
Joined: 11.Jan.2005
Status: offline

Hi WhyohWhy, OWA works great when no working with certificates.

I've worked a bit more on Shinder's book and realized my problem was on certificate issue (at least I think there's the problem).

This is what I did...

1) Installed Certificate Services Server at my Exchange Server (this is where I've chosen to have my CA Server).

2) I've created a Root Enterprise CA under Server Certificate in Directory Security at IIS administration console.

3) I've left it pending, created the advanced certificate with http://localhost/certsrv. This generates a certsrv.txt file.

4) I've continued with the pending certificate creation at IIS WEB default folder where I've pasted certsrv.txt file content.
After this, the ROOT Enterprise Certificate at CA Server was nicely created.

5) Then I've exported a pbf certificate in order to use it later at ISA importation.

6) Exactly as Tom Shinder's Configuring ISA Server 2004 book says at page 674 (chapter 8) I've imported web certificates into ISA Firewall's Machine Certificate Store.

7) Following the guidelines at the book I've requested a user certificate for ISA Firewall to present to SSL Web Sites.

8) I've alloed all HTTP traffic from ISA Server to all networks (for CRL Download).

9) I've installed the certificate.

10) Then I exported this certificate.

11) And when I want to Create the SSL Web Publishing Rule at the Listener specification section when wanting to define which certificate to use for SSL port 443 it says: "There is no certificates set up on this server".

Why this could be happening??

HELP PLEASE!

Thanks, Marcelo.

[ June 16, 2005, 11:57 AM: Message edited by: techuser ]

(in reply to techuser)

Post #: 6

RE: The ISA Server denies the specified URL - 17.Jun.2005 8:11:00 AM

tshinder

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Marcelo,

OK, enough with the guessing games [Smile]

What are the *exact* settings in your Web Publishing Rule?

What are the common names on the certificate bound to the Web listener and to the Web site?

Thanks!
Tom

(in reply to techuser)

Post #: 7

RE: The ISA Server denies the specified URL - 17.Jun.2005 10:52:00 AM

techuser

Posts: 70
Joined: 11.Jan.2005
Status: offline

Ok Tom, these are the settings for Web Publishing rule:

SSL Bridging

Action
------
. Allow
. Log requests matching this rule

From
----
.Anywhere

To
--
.Server: mail.mydomain.com
.(not checked) Forward the original host header instead of the actual one
.(checked) Requests appear to como from the ISA Server computer

Traffic
-------
.HTTP

Listener
--------
Here's where I cannot select a 443 port listener because when I want to assign a certificate with the Select button it says "There is no certificated configurated on this server" (or something like that, I'm translating from a ISA Spanish version).

Public Name
-----------
.Request for the following websites: mail.mydomain.com

Paths
-----
.External Path: same as internal
.Internal Path: /*

Bridging
--------
Web Server (selected)
Redirect to requests to HTTP port: 80 (not selected)
Redirect to requests to HTTP port: 443 (selected)
Use a certificate to authenticate to the SSL Web Server (selected): isafirewall

Users
-----
All Users

Schedule
--------
default settings

Link Translation
----------------
default settings

Additional Note:
1) mail.mydomain.com is an A name which my ISP is using and redirecting towards my ISA Server using the IP.
2) If I don't use certificates OWA works great.
3) FQDN where CA and Exchange Server are installed is madsrv002.mydomain.com
It is not mail.mydomain.com as it is an A record on my ISP.
4) Certificate Server is an Enterprise Root CA.

So, the problem is I cannot set the certificate at the listener.

This is why exactly? Hope this is enough info for you to help me,

Thanks, Marcelo.

[ June 17, 2005, 11:07 AM: Message edited by: techuser ]

(in reply to techuser)

Post #: 8

RE: The ISA Server denies the specified URL - 17.Jun.2005 12:40:00 PM

techuser

Posts: 70
Joined: 11.Jan.2005
Status: offline

Tom, since I thought this was some bug or error, I've reinstalled all certificates.

Now Listener is "working" and at Listener Tab it says:

Networks: External
Port (HTTP): Disabled
Port (HTTPS): 443
Certificate: mail.mydomain.com
Authentication methods: Integrated
Always authenticate: No

Now, it doesn't have a certificate at Bridging Tab. It just says Redirect requests to SSL port: 443.

This is all and still not working. I'm getting a 502 error.

Looking forward to hear your answer,

Marcelo.

[ June 17, 2005, 01:08 PM: Message edited by: techuser ]

(in reply to techuser)

Post #: 9

RE: The ISA Server denies the specified URL - 17.Jun.2005 1:30:00 PM

tshinder

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Marcelo,

Try this:

1. Enable host header forwarding on the To tab.

2. Create a HOSTS file entry on the ISA firewall that maps the actual IP address of the mail server on the internal network to mail.mydomain.com

HTH,
Tom

(in reply to techuser)

Post #: 10

RE: The ISA Server denies the specified URL - 17.Jun.2005 1:46:00 PM

techuser

Posts: 70
Joined: 11.Jan.2005
Status: offline

Hi Tom, I did it. Nothing changed. I've also changed "Requests appear to come from ISA Server computer" to "Requests appear to come from the original client" as you say at http://www.isaserver.org/articles/2004owapub.html

Could it be a certificate issue? Still trying and trying...

Marcelo.

(in reply to techuser)

Post #: 11

RE: The ISA Server denies the specified URL - 22.Jun.2005 9:28:00 AM

techuser

Posts: 70
Joined: 11.Jan.2005
Status: offline

Hi Tom or someone who can help me with this

I've done everything I was told to have a secure owa site published and still don't get to make it work.

Is it possible someone there can help me figure this out?

Thanks in advance,

Marcelo.

(in reply to techuser)

Post #: 12

RE: The ISA Server denies the specified URL - 22.Jun.2005 9:57:00 AM

techuser

Posts: 70
Joined: 11.Jan.2005
Status: offline

Oh, forgot to say that OWA is working from within ISA Server. Not when I'm trying to reach OWA website from within or outside the network.
That's why I think this is an ISA Web Publishing problem.
What do you think?

Marcelo.

(in reply to techuser)

Post #: 13