• Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Discussion about Creating Multiple Security Perimeters with a Multihomed ISA Firewall Part 3

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> Network Infrastructure >> Discussion about Creating Multiple Security Perimeters with a Multihomed ISA Firewall Part 3 Page: [1]
Message << Older Topic   Newer Topic >>
Discussion about Creating Multiple Security Perimeters ... - 13.Dec.2005 8:10:01 PM   


Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for disussing the article Creating Multiple Security Perimeters with a Multihomed ISA Firewall Part 3: Certificate Naming Conventions and DNS Infrastructure Design at http://www.isaserver.org/tutorials/Creating-Multiple-Security-Perimeters-Multihomed-ISA-Firewall-Part3.html



Thomas W Shinder, M.D.
Post #: 1
RE: Discussion about Creating Multiple Security Perimet... - 22.Jan.2006 8:40:21 AM   


Posts: 5
Joined: 6.Sep.2005
Status: offline
Hi Tom,

Nice article, as usual.  However, I have to ask you about one of the basic assumptions of your article.  You have gone to great lengths to explain the process of creating two web listeners (and two certificates) so that you can create two rules - one for OWA with forms based authentication and one for the other Outlook publishing rules (ActiveSync, OMA etc).

This is from the article:

In addition, you cannot use the same listener for the OWA Web Publishing Rule and the OMA/ActiveSync/RPC-HTTP Web Publishing Rule because the OMA/ActiveSync/RPC-HTTP client software does not know how to deal with the form presented to them and will fail the connection without informing you why it failed.

I have to disagree with this statement.  I have setup OWA Web Publishing several times using ISA 2004 and forms based authentication (enabled on ISA, not on Exchange) and in my experience OMA and ActiveSync continue to work perfectly (with just the one web listener).  I can't comment on RPC-HTTP as I've never used it.

In my test lab at home I have an ISA 2004 front end with just one web listener with a HTTPS certificate and ISA forms based authentication enabled.  OWA works perfectly, and my Windows Mobile 2003 SE phone syncs with ActiveSync perfectly as well.  OMA also works.

I've also setup a client with a similar system (although their Exchange system is a front-end/back-end setup) and it also works for them with just the one web listener.

I don't believe I had to do anything special to make this work.  I even remember thinking to myself "I wonder if enabling forms based authentication on ISA is going to prevent ActiveSync from working" and I was surprised to find that it didn't.

I am happy to provide details of configuration if you are interested.  Also keep in mind that I have never tried to get RPC-HTTP working so it may well be the case that this particular protocol does not work with forms based authentication enabled, but ActiveSync and OMA certainly do (for me anyway!).


(in reply to tshinder)
Post #: 2
RE: Discussion about Creating Multiple Security Perimet... - 26.Jan.2006 12:36:24 AM   


Posts: 23
Joined: 5.Aug.2004
From: VA
Status: offline

Great series of articles about Multiple Security Perimeters with a Multihomed ISA Firewall. Is there a generic thread for all articles in the series or just this one for part 3?  Either way, I have a few questions and probably a couple more as I re-read it again.

I currently have a simple ISA 2004 configuration but will be rolling out a multi-homed version for a new forest with 4 or 5 distinct domains and a topology identical to the one you described (so these articles will help me do this).  My first questions are in regard to the two web listeners. I was wondering if I need to create two listeners if all my Outlook clients are 2003 and use RPC/HTTP only?  If so, can I skip creating a Secure Exchange RPC Server Publishing Rule?  I assume that this rule grants inbound access directly to the back-end Exchange Server.  Without it, do Outlook 2003 clients use the path to/through the front-end Exchange Server and then to the back-end Exchange Server?

My other question is pretty basic. I assume the front-end Exchange Server in the Authenticated Access DMZ is a domain member since it requires the typical set of intradomain communication protocols. Likewise, I assume the SMTP Relay in the Anonymous Access DMZ is not a domain member. I never set one up this way before and so I'm wondering what membership do servers in this security zone belong to? Is it just a workgroup?

Thanks and best regards,

(in reply to tshinder)
Post #: 3
RE: Discussion about Creating Multiple Security Perimet... - 28.Feb.2006 6:13:25 PM   
Phil Milburn


Posts: 16
Joined: 12.Jun.2001
From: uk
Status: offline
Hi Tom,
Great article, I'm having trouble with getting the certificates that I created on an internal CA  to be useable by the  SSL listeners, the only one I have available is the machine cert created for the ISA box any I created by using the method described in Part 3 of this series are visible in the Cert MMC but not if I go to select a certificate to use with SSL for my listeners. Am I doing something wrong?

(in reply to tshinder)
Post #: 4

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> Network Infrastructure >> Discussion about Creating Multiple Security Perimeters with a Multihomed ISA Firewall Part 3 Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts