Why are my listeners being ignored??
Why are my listeners being ignored?? - 4.Oct.2005 7:29:00 PM   
a13antichrist
Posts: 46
Joined: 5.Jul.2005
Status: offline
I've set up a couple of listeners for OWA & another website.. but when I hit the public names given in the rules, the log shows using either the rule for std web access or denied against the default rule, depending on the port I chose (the listener set up for the second web site is using a different port).

How does it get to these rules when my listeners are the first rules in the list, and the Web access rule is way down the end? It's like it doesn't even care they're there... [Frown]
Post #: 1
RE: Why are my listeners being ignored?? - 5.Oct.2005 6:53:00 AM   
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online
Hi AC,

Can you give exact details of the Rules and how the users access the sites?

Thanks!
Tom

(in reply to a13antichrist)
Post #: 2
RE: Why are my listeners being ignored?? - 6.Oct.2005 8:01:00 PM   
a13antichrist
Posts: 46
Joined: 5.Jul.2005
Status: offline
<well I've fixed a bit of this since I started writing but I'll post the rest anyway..>

Hi Tom,

I'm trying to access two web servers in their own subnet off the ISA server, from the internal network. Network rule is to route between internal & web networks.
Here are the published rule details:

1)
Publish web server rule:
Allow HTTP from Listener "intweb" to server "web" for all users
Listener:
Networks: Internal
HTTP port 83
HTTPS disabled
Auth methods: none
Always auth: no

"web" is entered into DC DNS as address of ISA server; entered into ISA hosts file as actual subnet address.

2)
Published mail server rule:
Allow HTTP from Listener "OWA" to server "webmail.<domain.com>" for All authenticated users
Listener:
Networks: Internal
HTTP: 80
HTTPS: disabled
Auth methods: Integrated
Always Authenticate: Yes

3)
Published mail server rule:
Allow HTTPS from Listener "OWA SSL" to server "webmail.<domain.com>" for All authenticated users
Listener:
Networks: Internal
HTTP: disabled
HTTPS: 443
Auth methods: Integrated
Always Authenticate: Yes

"webmail.<domain.com>" is entered in AD DNS as the ISA server; entered into the ISA hosts file as the IP of the Exchange server.

Users access the websites using their browsers configured as Web Proxy clients. The web servers aren't published externally - the listener only listens on the internal interface.

If I tell the browser to ignore the proxy server for the "public" names, it works for the web server, but not for OWA. Though surely the ISA should be smart enough to realise that the request to the Web Proxy service to that name as specified in the listener should be redirected down to that listener? Otherwise we might as well use some dumb packet-filter firewall since we're bypassing it anyway!

No wonder Integrated Authentication is broken with published servers - after all it's the Web Proxy service that can authenticate users, and we're leaving that bit out of the path entirely.



I want to publish OWA on a subnet, with ISA between the Exchange and the domain - providing protection to the domain from whatever might attack the mail server. I want IE to open up, users hit the path to the OWA site (or the listener specified in ISA), they get authenticated silently by ISA, ISA passes these credentials to the OWA site and the users get their e-mail without having to go through more logins. Is that supposed to be do-able? Or have I misunderstood what ISA is about?

If I create this access rule allowing HTTPS from the client to the OWA server, I get repeated login prompts, which is bad enough, but then these prompts don't even accept any credentials! The only way I'm able to get at the OWA site at the moment is by creating an Access rule to allow HTTPS through to the server, and typing the server name directly. But then I lose whatever advantage I get from the listeners (though I'm beginning to wonder exactly what those advantages are..). As soon as I take out this rule I'm again denied by the Default rule - which means the listeners are being completely ignored. The same occurs whether I have Forms-based, Basic, or Integrated authentication set, or whether I tick the "always authenticate" box or not.

[ October 06, 2005, 09:16 PM: Message edited by: a13antichrist ]

(in reply to a13antichrist)
Post #: 3
RE: Why are my listeners being ignored?? - 6.Oct.2005 10:03:00 PM   
a13antichrist
Posts: 46
Joined: 5.Jul.2005
Status: offline
OK so I thought there might be something up so I've set up an entirely new domain with an ISA, a DC, a client (Win2k3 server) and an Exchange server.

I've configured the OWA listener just on HTTP for now; authentication is set to Integrated and Always Require. Details:

Allow HTTP from Listener "OWA" to server "webmail.<newdomain.com>" for Domain Users
Listener:
Networks: Internal
HTTP: 80
HTTPS: disabled
Auth methods: Integrated
Always Authenticate: Yes

Now, when I access this public name, I get a login prompt (better than before, but still..). If I enter a domain user, half the page loads; I then get another prompt, in which I can enter the same details, and the page continues loading. After the third prompt I finally get fully into the page. If I click cancel on any one of these prompts I get part or all of the screen displaying an HTTP 401 error or simply Error: Access is denied (which is OWA's standard authentication error message). Which means that ISA is just completely failing to hand over any credentials to OWA. I have got Basic Delegation selected on the Published rule, and Basic enabled on the OWA in IIS, but those two settings seem to make no difference whether they're on or off.

So to summarise the two situations: in one case, I get to the page but get repeated login prompts. If I use FBA here I get "Unknown request. The request could not be resolved by the server". Opening protocol access rules between the server & client has no effect.

2nd case: I get denied by the default rule in ISA regardless of Authentication settings. Page displays "The ISA server denied the specified Uniform Resource Locator (URL)". If I open up access rules here it works without any prompts. (But redirect is broken, and centre frame just shows "Loading...").

(in reply to a13antichrist)
Post #: 4
RE: Why are my listeners being ignored?? - 10.Oct.2005 9:57:00 PM   
a13antichrist
Posts: 46
Joined: 5.Jul.2005
Status: offline
Tell me what you make of this:

code:
Time                 Dest. IP          Dest. Port  Protocol  Action             Rule          Client IP         Client Username
11/10/2005 15:04:02  xxx.xxx.yyy.yyy   80          http      Denied connection  Default rule  xxx.xxx.zzz.zzz   <domainname>\<username>

What the h*ll? It's obviously been authenticated... but then ignores the listener that's the first rule in the list completely & gets denied by the default rule, the last of all... [Frown] [Frown] [Mad] [Frown] [Frown]

[ October 10, 2005, 10:09 PM: Message edited by: a13antichrist ]

(in reply to a13antichrist)
Post #: 5
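A small parser for log rows in the layout quoted in the post above, added here as an example (it is not from the post or from ISA Server), that flags exactly the combination the poster is puzzled by: a row that already carries a domain username yet was denied by the Default rule. Assumptions: the action vocabulary in the regex, the "anonymous" convention for unauthenticated rows, and the sample rows, which are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample rows in the column order of the log excerpt quoted in the post
# (time, dest IP, dest port, protocol, action, rule, client IP, client username).
# Addresses and account names are placeholders, not real hosts or users.
SAMPLE_LOG = """\
11/10/2005 15:04:02 192.0.2.10 80 http Denied connection Default rule 192.0.2.55 EXAMPLE\\alice
11/10/2005 15:04:05 192.0.2.10 80 http Allowed connection OWA 192.0.2.55 EXAMPLE\\alice
11/10/2005 15:04:09 192.0.2.10 443 https Denied connection Default rule 192.0.2.56 anonymous
"""

# Columns are space-separated, but "Action" and "Rule" contain spaces themselves, so
# str.split() cannot recover them. The fixed-shape columns on either side (timestamp,
# port, client IP, username) pin down the variable-width fields instead.
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<dest_ip>\S+) (?P<dest_port>\d+) (?P<protocol>\S+) "
    r"(?P<action>(?:Allowed|Denied) connection) "  # assumed vocabulary; the post shows only "Denied connection"
    r"(?P<rule>.+?) "
    r"(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+)$"
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named columns of one row, or None if the row does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_authenticated(entry: Dict[str, str]) -> bool:
    # Assumption: unauthenticated rows carry "anonymous"; a DOMAIN\user value means the
    # Web Proxy service had already identified the requester before rule matching.
    user = entry["user"]
    return user.lower() != "anonymous" and "\\" in user

def authenticated_default_denials(log_text: str) -> List[Dict[str, str]]:
    """Rows where an already-authenticated client fell through every rule to the Default rule.

    This is the puzzle in the post: credentials were accepted, yet no publishing or
    access rule above the Default rule claimed the request."""
    hits = []
    for row in log_text.splitlines():
        entry = parse_line(row) if row.strip() else None
        if entry and entry["action"] == "Denied connection" and entry["rule"] == "Default rule" \
                and is_authenticated(entry):
            hits.append(entry)
    return hits
```

Running it over an exported log narrows a long listing down to the rows worth comparing against the rule order, which is the first thing to check when a request that should have hit a listener lands on the Default rule.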
RE: Why are my listeners being ignored?? - 13.Oct.2005 8:34:00 PM   
a13antichrist
Posts: 46
Joined: 5.Jul.2005
Status: offline
Anyone? This is really a pain..

(in reply to a13antichrist)
Post #: 6