Unihomed ISA OWA Authentication problems
Unihomed ISA OWA Authentication problems - 13.Jun.2007 6:50:30 AM
AndyT_UK
Posts: 10
Joined: 13.Jun.2007
Status: offline
Hi all, I wonder if anybody could help me out with a problem that's driving me completely nuts trying to get OWA and ActiveSync successfully published. My setup is as follows:

- Backend Exchange 2003 Server
- Frontend Exchange 2003 Server (both on LAN, domain members)
- Nokia FW1 running Checkpoint
- Unihomed ISA 2004 server sitting in DMZ of Nokia FW

Our parent company have insisted on this config (being a paranoid bank) and also that I use RADIUS authentication between the ISA server and the Front End server. I have followed Paul Baldwin's instructions for setting up the RADIUS authentication between the ISA server and the FE Exchange server. I have followed Tom's instructions for publishing Outlook Web Access via a unihomed ISA server. But somewhere along the line I have something wrong as it isn't working.

From the internet I can successfully get the login dialog up (I've tried both Forms-based and just RADIUS authentication options on the listener). But upon entering a correct logon I get page cannot be displayed, Error: 403 Forbidden. The server denied the specified URL. Upon entering an incorrect username I get the expected incorrect logon message, so it appears authentication is working in some form. Looking at my Checkpoint I see the incoming requests to the ISA are allowed, and I see a RADIUS connection initiated from the ISA server to the FE Exchange server OK. So that looks fine.

I've spent days trying to get to the bottom of this, and to add salt to the wound one of our directors is overseas this week, his laptop has just failed and he needs access to his emails! Nothing like a bit of pressure then...

I'm a bit green with ISA and RADIUS so I'm struggling to know where to look to fault-find this. I've been over my settings several times, and even started from scratch once... but I've obviously still missed something. Any ideas? Thanks
RE: Unihomed ISA OWA Authentication problems - 13.Jun.2007 7:41:52 AM
AndyT_UK
Posts: 10
Joined: 13.Jun.2007
Status: offline
Weird... after slipping quietly into straw-clutching mode, from my Internet client I tried accessing https://email.domain.com/exchange instead of https://email.domain.com, which I have been using throughout my testing, and... IT WORKS! Question is, why do I have to have the /exchange on the end to get it to work? I was under the impression I wouldn't need that bit...
RE: Unihomed ISA OWA Authentication problems - 13.Jun.2007 8:01:30 AM
AndyT_UK
Posts: 10
Joined: 13.Jun.2007
Status: offline
OK, an update... when I enter https://emai.domain.com/exchange I get the security certificate popup and a yellow exclamation mark next to "The name on the security certificate is invalid or does not match the name of the site". I assume this is a bad thing? And maybe why it's not working without the /exchange?
RE: Unihomed ISA OWA Authentication problems - 13.Jun.2007 8:46:35 AM
AndyT_UK
Posts: 10
Joined: 13.Jun.2007
Status: offline
OK, it's broken again now! I figured that after re-reading Tom's article my certificates were wrong. My certificate had a name of the internal FE Exchange server (exchangefe.domain.com) and my clients were visiting (email.domain.com). So I ripped all the certificates out, created a new one with the same name that the clients are entering (email.domain.com) and hey presto, the certificate warning doesn't come up anymore. BUT, I now get Error 500 the target principal name is incorrect... doh. 1 step forward... 2 back...
RE: Unihomed ISA OWA Authentication problems - 13.Jun.2007 9:18:17 AM
AndyT_UK
Posts: 10
Joined: 13.Jun.2007
Status: offline
More progress if anybody is interested... After finding an MS article on certificates this stood out to me:

"In an HTTPS to HTTPS Web publishing scenario (requires a server certificate on both the ISA Server computer and on the published Web server), the name of the certificate on the IIS Web site of the published server must match the name by which ISA Server identifies the Web server. (This is the name specified on the To tab of the Web publishing rule properties.) ISA Server will not accept a wildcard certificate. Note that ISA Server does not support the use of wildcard certificates to authenticate the published Web server to the ISA Server computer in an HTTPS to HTTPS scenario."

The name in the To tab of my rule was that of the FQDN of the server itself, rather than the email.domain.com that my certificates and external users were pointing to. So I changed the To field to be email.domain.com, added host entries to resolve to the IP of the FE Exchange server, and I'm back to a working external OWA. However it still only works with the /exchange in the URL. But the certificate problem looks to be cured. Back to needing to know how to get rid of the /exchange requirement on the URL as without it I get a 403 error after authenticating.
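The certificate rule quoted in the post above, worked through as an added example (this is not code from the thread, nor ISA Server's own matching logic). It models the HTTPS-to-HTTPS bridging check: the name on the published server's certificate must equal the name in the publishing rule's "To" tab, and a wildcard certificate is rejected on that leg. The `ServerCert` class, the `check_bridging_target` function and the host names are constructed for the example, following the names used in the thread; the walk-through at the bottom reproduces the three states described in the posts (original front-end certificate, certificate re-issued but "To" tab unchanged, and both names aligned).

```python
"""Certificate-name check for an HTTPS-to-HTTPS web publishing rule.

Added example, not code from the thread or from ISA Server. It models the
rule quoted above: the name the publishing rule uses to reach the published
server (the "To" name) must match the name on that server's certificate,
and a wildcard certificate is not accepted for the published server. All
certificate and host names below are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Minimal stand-in for an X.509 server certificate: subject CN plus SAN dNSNames."""
    common_name: str
    san_dns_names: list = field(default_factory=list)

    def names(self):
        # When a SAN extension is present it is authoritative; otherwise fall back to the CN.
        return [n.lower() for n in self.san_dns_names] or [self.common_name.lower()]


def name_matches(cert_name, host, allow_wildcard):
    """Compare one certificate DNS name with the host the rule connects to."""
    if cert_name.startswith("*."):
        if not allow_wildcard:
            # Mirrors the quoted ISA behaviour: a wildcard is rejected outright on the bridged leg.
            return False
        # A wildcard covers exactly one label: *.domain.com matches a.domain.com, not a.b.domain.com
        return host.endswith(cert_name[1:]) and host.count(".") == cert_name.count(".")
    return cert_name == host


def check_bridging_target(to_name, cert, allow_wildcard=False):
    """Return (ok, reason) for a publishing rule's 'To' name against the published server's cert."""
    host = to_name.lower()
    for n in cert.names():
        if name_matches(n, host, allow_wildcard):
            return True, f"'{to_name}' matches certificate name '{n}'"
    return False, f"'{to_name}' matches none of {cert.names()} (name mismatch on the bridged leg)"


if __name__ == "__main__":
    # Constructed walk-through of the three states described in the thread.
    fe_cert = ServerCert("exchangefe.domain.com")   # original cert on the front end
    new_cert = ServerCert("email.domain.com")       # re-issued with the public name
    print(check_bridging_target("exchangefe.domain.com", fe_cert))   # ok: To tab and cert agree
    print(check_bridging_target("exchangefe.domain.com", new_cert))  # mismatch: cert renamed, To tab not
    print(check_bridging_target("email.domain.com", new_cert))       # ok again after changing the To tab
```

The second call is the state that produced the "target principal name is incorrect" error in the post before this one: the certificate was re-issued for the public name while the rule still addressed the server by its internal FQDN. Changing the "To" name (and making it resolve to the front-end server, as the post describes) brings the two names back into agreement without weakening the check by allowing wildcards.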
RE: Unihomed ISA OWA Authentication problems - 13.Jun.2007 1:09:38 PM
intersimi
Posts: 33
Joined: 12.May2007
Status: offline
Hi Andy, set up a URL deny rule for email.domain.com. After setting up the deny rule, enter the properties of that rule and then add a redirect to https://email.domain.com/exchange. When you enter email.domain.com into the browser, ISA denies the access and redirects to the correct URL!
_____________________________
regards, Intersimi
RE: Unihomed ISA OWA Authentication problems - 14.Jun.2007 5:09:10 AM
AndyT_UK
Posts: 10
Joined: 13.Jun.2007
Status: offline
Sounds perfect, but I'm struggling to get it set up. I've set up a new access rule as follows:

Action - Deny
To - https://email.dfmotors.com
Redirect HTTP requests to - https://email.domain.com/exchange
Protocols - HTTP, HTTPS
From - Internal
Users - All Users

However trying it set up like this gives me an error: "To use the redirect option you must provide a web server name"
RE: Unihomed ISA OWA Authentication problems - 14.Jun.2007 5:23:48 AM
intersimi
Posts: 33
Joined: 12.May2007
Status: offline
I should have been more clear. The rule has to be a "web site publishing rule", not a basic access rule. Also in your web listener, make sure you enable ports 80 and 443, but redirect traffic from 80 to 443.
_____________________________
regards, Intersimi
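The deny-and-redirect rule suggested in the two replies above, as an added example that is not code from the thread and not ISA Server itself. It models an ordered, first-match policy (an assumption about evaluation order made for the example), a listener on ports 80 and 443 that bounces HTTP to HTTPS, the normal OWA and ActiveSync path publishing, and the extra rule that denies the bare site root and redirects it to /exchange. The rule table, `path_matches` and `evaluate` are constructed for the example, as are the public name and paths; the point is to show why the root returns 403 without the extra rule, what the rule changes, and that scoping it to the root path keeps other published paths such as ActiveSync untouched.

```python
"""Model of the 'deny + redirect' web publishing rule described above.

Added example, not code from the thread and not ISA Server. It assumes
first-match evaluation of an ordered policy, a web listener on ports 80
and 443 that bounces HTTP to HTTPS, and the constructed public name and
paths below.
"""
from urllib.parse import urlsplit, urlunsplit

PUBLIC_NAME = "email.domain.com"            # constructed, after the thread's example name
OWA_URL = f"https://{PUBLIC_NAME}/exchange"

# Each rule: (name, scheme, path pattern, action, target).
# Path pattern semantics: None = any path, "/" = exactly the site root,
# "/x/*" = /x and anything below it (an ISA-style path prefix).
PUBLISHING_RULES = [
    ("publish OWA",        "https", "/exchange/*",                    "allow", "owa"),
    ("publish OWA",        "https", "/exchweb/*",                     "allow", "owa"),
    ("publish ActiveSync", "https", "/Microsoft-Server-ActiveSync/*", "allow", "activesync"),
]

# Listener-level bounce plus the suggested deny-and-redirect rule, placed before the allows.
FIXED_RULES = [
    ("listener 80->443",       "http",  None, "redirect", "https"),
    ("deny root -> /exchange", "https", "/",  "redirect", OWA_URL),
] + PUBLISHING_RULES


def path_matches(pattern, path):
    """Match a request path against one rule's path pattern."""
    if pattern is None:
        return True
    if pattern == "/":
        return path == "/"
    base = pattern[:-2]  # strip the trailing "/*"
    return path == base or path.startswith(base + "/")


def evaluate(url, rules):
    """Return (status, target_or_location) for one request URL under an ordered rule set."""
    u = urlsplit(url)
    if u.hostname != PUBLIC_NAME:
        return 403, "no rule for this public name"
    path = u.path or "/"
    for _name, scheme, pattern, action, target in rules:
        if u.scheme != scheme or not path_matches(pattern, path):
            continue
        if action == "redirect":
            if target == "https":
                # Same URL with the scheme switched: the listener's 80 -> 443 bounce
                return 302, urlunsplit(("https",) + tuple(u)[1:])
            return 302, target
        return 200, target
    # A request that matches no published path: the 403 seen in the thread for the bare root.
    return 403, "no matching publishing rule path"


if __name__ == "__main__":
    for url in ("https://email.domain.com/", "http://email.domain.com/",
                "https://email.domain.com/exchange",
                "https://email.domain.com/Microsoft-Server-ActiveSync?Cmd=Sync"):
        print(url, "->", evaluate(url, PUBLISHING_RULES), "| with redirect rule:", evaluate(url, FIXED_RULES))
```

Two design points carry over to the real configuration: the deny rule matches only the exact root path, so it cannot shadow the /exchange and ActiveSync publishing rules that sit after it, and the HTTP-to-HTTPS bounce happens before any path decision, so a user typing the bare name over port 80 ends up at the HTTPS /exchange URL after two redirects rather than at an unencrypted logon form.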
RE: Unihomed ISA OWA Authentication problems - 14.Jun.2007 6:20:50 AM
AndyT_UK
Posts: 10
Joined: 13.Jun.2007
Status: offline
Thanks for the quick reply... I've added a new web publishing rule but I'm unsure on exactly how to set this up (ISA is really new to me, and it has a few foibles unlike any other firewall I've managed). So it's set up like this at the moment:

Action: DENY
From: ANYWHERE
To: all greyed out, no settings in here
Traffic: HTTPS and HTTP
Listener: my OWA listener with both HTTP and HTTPS ticked
Public Name: Requests for the following websites - email.dfmotors.com (no https in this field, just the name)
Paths: External Path - /email.domain.com; Internal path - /exchange
Bridging: Redirect requests to SSL port 443 ticked only on this page
Users: all users

I still get the OWA login form up when leaving the /exchange off, but when I log in I get the 403 forbidden. Have I royally messed this rule up? Thanks, Andy
RE: Unihomed ISA OWA Authentication problems - 14.Jun.2007 7:21:52 AM
AndyT_UK
Posts: 10
Joined: 13.Jun.2007
Status: offline
Just thought... will this mess my ActiveSync up?
RE: Unihomed ISA OWA Authentication problems - 14.Jun.2007 7:54:09 AM
intersimi
Posts: 33
Joined: 12.May2007
Status: offline
This will not mess up ActiveSync. I have this configured too.
_____________________________
regards, Intersimi
RE: Unihomed ISA OWA Authentication problems - 14.Jun.2007 8:42:21 AM
AndyT_UK
Posts: 10
Joined: 13.Jun.2007
Status: offline
Nice one... so I must have buggered my rule up as it broke my ActiveSync... can you see what I've ballsed up?
RE: Unihomed ISA OWA Authentication problems - 14.Jun.2007 8:59:04 AM
intersimi
Posts: 33
Joined: 12.May2007
Status: offline
Have you tried disabling the rule and seeing if you still get an error?
_____________________________
regards, Intersimi