Oddball OWA woes (Full Version)






jmercer54 -> Oddball OWA woes (17.Feb.2006 4:31:27 PM)

Hi, folks - I'm starting a new thread on my issue simply because it's easier to state where I am than go through history. :)

I have a problem.  When I publish OWA directly through my Sonicwall Firewall, it works fine. (Although FBA must be enabled in this simple config.)  When I attempt to publish it through the ISA server - even after carefully following Tom's tutorials - I see the traffic flow on the ISA server; I don't see any denials in the log... but I get this:

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

Any thoughts?

Thanks!




tshinder -> RE: Oddball OWA woes (22.Feb.2006 11:51:54 AM)

Hi J,

Most common reason for this is that the name on the public name tab is incorrect or your public DNS is horked.

HTH,
Tom




jmercer54 -> RE: Oddball OWA woes (22.Feb.2006 2:15:09 PM)

Thanks, Tom - I'm going to re-do the entire thing from scratch, certificates and all.  I was probably a little aggressive in trying to do the internal/external OWA configuration from the tutorials here, so I'm going to go through the external-only version this time.

FWIW, I doubt it's the external DNS that's the problem; publishing OWA through the Sonicwall firewall and bypassing the ISA server works fine.  It's got to be something I'm doing wrong, probably the tab.  I'll post my results a bit later. :)




jmercer54 -> RE: Oddball OWA woes (22.Feb.2006 5:15:20 PM)

Ok, something is clearly screwy with my ISA configuration.  I've logged the traffic, and I think I've spotted the activity that's resulting in a web page denial, but I'm darned if I understand why.

I redid the entire OWA configuration from scratch - from the certificate generation, to setting the various permissions, etc. on the web server.  I deleted all old certificates, re-imported the new one to ISA; deleted all the old listeners and rules and created one from scratch, as per the tutorial.

When I go to the local library, I get the certificate notification message ("Not from a source you have indicated is trusted") just fine - then when I say "Yes" to proceed, I get the denied URL message screen.

Here's what I see on the ISA logger:

***************
65.73.5.132    CHARON -  TCP -    Yes  -    40028 0 0 0 0x0   0x0 0x0 Firewall 2/22/2006 11:02:03 AM 192.169.0.1 443 HTTPS Initiated Connection  65.73.5.132  External Local Host - -

65.73.5.132    CHARON -  TCP -    Yes  -    40028 7010 610 1920 0x80074e20   0x0 0x0 Firewall 2/22/2006 11:02:10 AM 192.169.0.1 443 HTTPS Closed Connection  65.73.5.132  External Local Host - -

0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) No Reverse Proxy CHARON  owa.mercerhome.org TCP   - -  - Compression: client=Yes, server=No, cache=Yes, compress rate=0% decompress rate=0% - - - 0 1 2264 363  12202 The ISA Server denied the specified Uniform Resource Locator (URL).  0x0 0x0 Web Proxy Filter 2/22/2006 11:02:13 AM 192.169.0.1 443 https Denied Connection Default rule 65.73.5.132 anonymous External  GET http://owa.mercerhome.org/

65.73.5.132    CHARON -  TCP -    Yes  -    40031 0 0 0 0x0   0x0 0x0 Firewall 2/22/2006 11:02:14 AM 192.169.0.1 443 HTTPS Initiated Connection  65.73.5.132  External Local Host - -

65.73.5.132    CHARON -  TCP -    Yes  -    40031 0 925 2839 0x80074e20   0x0 0x0 Firewall 2/22/2006 11:02:14 AM 192.169.0.1 443 HTTPS Closed Connection  65.73.5.132  External Local Host - -

***************

If someone could look at this and help me diagnose what's happening, I'd deeply appreciate it.  This works at the Library when published directly via the Sonicwall firewall, so I don't believe it's an external DNS issue.  My best guess is that the ISA server is refusing to send the locally-stored OWA login page, but I have no idea why that would be.

Unless I need to have IIS with www services installed on the ISA server to make this work??

Thanks in advance for everyone's patience and assistance - especially you, Tom. I know I've been pestering everyone a lot about different things, but a lot of this is new to me...




jmercer54 -> RE: Oddball OWA woes (24.Feb.2006 2:14:00 PM)

Does anyone have any idea about what's going on with this? I'm 100% positive that the certificate and external public name match, as well as the external DNS reference... and I'm totally lost on how to proceed further.  I've done some more testing, and all the HTTPS activity from accessing OWA shows up in localhost and external networks; no activity is passed to internal, so whatever is happening is happening on the ISA server itself.

I can't figure out why the default deny rule keeps getting invoked; it makes no sense to me at all, and I've confirmed via research that IIS doesn't need to be on the ISA server to send the authentication page.  From what I can see, the ISA server is accepting the initial https request, but balking at serving up the OWA page itself.

Thanks again...




Jason Jones -> RE: Oddball OWA woes (26.Feb.2006 12:20:33 AM)

Have you tried recreating the rule?

Also, try creating a new rule with the same public name and a simple testing path like /test/*...try to access this path and see if you get it working, then work up to the necessary paths

Small steps [;)]

JJ




jmercer54 -> RE: Oddball OWA woes (26.Feb.2006 4:48:18 PM)

Hi, Jason -

Thanks for the advice - I'm going to try creating a new rule with a test path as described and see what happens. Other than that, I've deleted the rules, listeners and certificates and gone through the process from scratch at least three times so far...  the problem is definitely on the ISA side of things, though, since publishing OWA through the hardware firewall works fine.  I'll post any results I have - thanks for the suggestion!




jmercer54 -> RE: Oddball OWA woes (27.Feb.2006 1:50:45 PM)

*sigh*

Nothing - the ISA server simply refuses to permit HTTPS traffic.  I can't figure out why - it's not a certificate issue, or an external naming vs. listener or rule issue.  The ISA server just won't serve up the authentication page.  I think I'm going to give up and just publish OWA via the hardware firewall, since that seems to work... and I've spent way too much time on this already.

Thanks for all the help, folks...




tshinder -> RE: Oddball OWA woes (28.Feb.2006 3:46:00 PM)

Hi J,

Run the ISA firewall BPA on your ISA firewall. It does a pretty good job at diagnosing certificate related problems.

HTH,
Tom




jmercer54 -> RE: Oddball OWA woes (28.Feb.2006 5:40:30 PM)

Thanks, Tom -

I downloaded it, installed it, and ran it.  The results were interesting, and perhaps you can tell me if they're significant or not.  The only warning shown was the following:

"At least one certificate in the local computer store has no private key. If you want to implement secure Web publishing and ISA Server does not display a certificate, verify that local computer store contains at least one certificate that has a corresponding private key."

I checked the store; there are two certificates in the Personal store folder.  One is the general "mercerhome.org" certificate from my CA - this certificate also exists in trusted root certificate authority as well.  It, of course, does NOT have a private key. 

The other certificate in the private store is owa.mercerhome.org, which was exported as per your tutorial. I confirmed that the exported certificate (owa.mercerhome.org) has a private key... but it also has a "friendly name" of "Default Web Site", and a certification path of "Mercerhome>Default Web Site".

I'm wondering if the "friendly name" should be owa.mercerhome.org instead of "Default Web Site"... and should the general mercerhome.org certificate exist in both the personal and trusted containers at the same time?

Any further thoughts? Thanks again for all your help!




tshinder -> RE: Oddball OWA woes (1.Mar.2006 4:39:30 PM)

Hi J,

Remove the CA certificate from the machine's personal certificate store.

Is the public name tab set for owa.mercerhome.org?

What do you have on the To tab?

Thanks!
Tom




jmercer54 -> RE: Oddball OWA woes (1.Mar.2006 5:44:52 PM)

Hi, Tom - will do.  And yes - the public name is definitely set for owa.mercerhome.org. BTW, your tutorial is excellent - it was very clear and concise, which made it very easy to not only review my steps, but remove everything and "redo" it all.

I'll get rid of the CA, re-publish and let you know what happens. :)




jmercer54 -> RE: Oddball OWA woes (1.Mar.2006 6:11:13 PM)

Same problem as before, Tom... the rule falls through to the default denial. :(

I just realized that I didn't fully answer your questions - in the "To" tab, I have owa.mercerhome.org.

(FYI, I have owa.mercerhome.org defined as a cname for the Exchange server in my DNS.  Is that correct, or could that be part of the problem? Should I do something like assign a second IP to the adapter and create an A-type record? I know that I'm grasping at straws here, but I've run out of ideas...)




tshinder -> RE: Oddball OWA woes (1.Mar.2006 9:06:26 PM)

Hi J,

On the ISA firewall, create a HOSTS file entry for owa.mercerhome.org and map it to the actual IP address of the OWA site on the internal network, or create a Host (A) record with the same information and configure the internal interface of the ISA firewall to use that DNS server and remove all references to external DNS servers on the ISA firewall's interfaces.

HTH,
Tom




jmercer54 -> RE: Oddball OWA woes (2.Mar.2006 12:08:49 AM)

That's all done... with still no success.  (I did both the Hosts and DNS to "make sure".)  I even added a second NIC to the server, gave it a new IP address, changed the web listener on the Exchange server to only listen on that IP... then changed the DNS and Hosts file to point to the second, independent adapter.

No change - the conversation begins, then the ISA server kills it.  What's even stranger is that the log is claiming https is the protocol that the deny rule is getting, but the get statement shown on the log indicates that it's trying to get http://owa.mercerhome.org and not https://owa.mercerhome.org.  The preceding log entries are clearly https, though.

Tom, I'm 100% convinced that no traffic is exiting the ISA server into the LAN segment; it's stopping the traffic cold, falling through to the default denial rule.  How annoying...
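
An added example, not part of this thread or of ISA Server itself: a small Python parser for the log viewer lines pasted in the 22.Feb.2006 post, which pulls out the log source, action, rule, result code and request URL for each row and flags the point raised in this post, a row logged with listener protocol https whose request URL is plain http://. The field patterns are assumptions about the pasted space-separated export, not the ISA log schema; the sample input is the thread's own five log lines, copied verbatim.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the five ISA log viewer rows pasted earlier in this thread, copied verbatim.
SAMPLE_LOG = """65.73.5.132    CHARON -  TCP -    Yes  -    40028 0 0 0 0x0   0x0 0x0 Firewall 2/22/2006 11:02:03 AM 192.169.0.1 443 HTTPS Initiated Connection  65.73.5.132  External Local Host - -
65.73.5.132    CHARON -  TCP -    Yes  -    40028 7010 610 1920 0x80074e20   0x0 0x0 Firewall 2/22/2006 11:02:10 AM 192.169.0.1 443 HTTPS Closed Connection  65.73.5.132  External Local Host - -
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) No Reverse Proxy CHARON  owa.mercerhome.org TCP   - -  - Compression: client=Yes, server=No, cache=Yes, compress rate=0% decompress rate=0% - - - 0 1 2264 363  12202 The ISA Server denied the specified Uniform Resource Locator (URL).  0x0 0x0 Web Proxy Filter 2/22/2006 11:02:13 AM 192.169.0.1 443 https Denied Connection Default rule 65.73.5.132 anonymous External  GET http://owa.mercerhome.org/
65.73.5.132    CHARON -  TCP -    Yes  -    40031 0 0 0 0x0   0x0 0x0 Firewall 2/22/2006 11:02:14 AM 192.169.0.1 443 HTTPS Initiated Connection  65.73.5.132  External Local Host - -
65.73.5.132    CHARON -  TCP -    Yes  -    40031 0 925 2839 0x80074e20   0x0 0x0 Firewall 2/22/2006 11:02:14 AM 192.169.0.1 443 HTTPS Closed Connection  65.73.5.132  External Local Host - -
"""

# Heuristic patterns for the pasted text (assumption: they anchor only on the fields that are
# stable in the paste: log source, timestamp, listener address/port, protocol, "<Action> Connection").
CORE = re.compile(
    r"(?P<source>Firewall|Web Proxy Filter) "
    r"(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<dest_ip>\d+\.\d+\.\d+\.\d+) (?P<dest_port>\d+) (?P<protocol>\S+) "
    r"(?P<action>Initiated|Closed|Denied|Allowed) Connection(?P<rest>.*)$"
)
# After the action token: the rule name (empty on Firewall-service rows), then the client IP.
RULE_CLIENT = re.compile(r"^\s*(?P<rule>.*?)\s*(?P<client_ip>\d+\.\d+\.\d+\.\d+)")
# Web Proxy rows end with the HTTP method and the URL the proxy evaluated.
REQUEST = re.compile(r"\b(?P<method>GET|POST|HEAD|PUT|OPTIONS|PROPFIND) (?P<url>\S+)$")
# Web Proxy result code and text, e.g. "12202 The ISA Server denied the specified ... (URL)."
RESULT = re.compile(r"\b(?P<code>\d{5}) (?P<text>The ISA Server [^.]*\.)")


@dataclass
class LogEntry:
    source: str            # "Firewall" or "Web Proxy Filter"
    time: str
    dest_ip: str           # listener address
    dest_port: int
    protocol: str          # normalised to lower case, e.g. "https"
    action: str            # e.g. "Denied Connection"
    rule: str              # matched rule name ("" when the row has none)
    client_ip: str
    method: Optional[str] = None
    url: Optional[str] = None
    result_code: Optional[int] = None
    result_text: Optional[str] = None


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one pasted row; returns None for row shapes this parser does not recognise."""
    line = line.rstrip()
    m = CORE.search(line)
    if m is None:
        return None
    rest = m.group("rest")
    rc = RULE_CLIENT.match(rest)
    req = REQUEST.search(rest)
    res = RESULT.search(line)
    return LogEntry(
        source=m.group("source"),
        time=m.group("time"),
        dest_ip=m.group("dest_ip"),
        dest_port=int(m.group("dest_port")),
        protocol=m.group("protocol").lower(),
        action=m.group("action") + " Connection",
        rule=rc.group("rule") if rc else "",
        client_ip=rc.group("client_ip") if rc else "",
        method=req.group("method") if req else None,
        url=req.group("url") if req else None,
        result_code=int(res.group("code")) if res else None,
        result_text=res.group("text") if res else None,
    )


def parse_log(text: str) -> List[LogEntry]:
    """Parse every non-blank row, silently skipping rows the patterns do not match."""
    entries = [parse_line(l) for l in text.splitlines() if l.strip()]
    return [e for e in entries if e is not None]


def denied_summary(entries: List[LogEntry]) -> List[Tuple[str, str, Optional[int], Optional[str]]]:
    """(time, rule, result code, URL) for every row the firewall denied."""
    return [(e.time, e.rule, e.result_code, e.url) for e in entries if e.action == "Denied Connection"]


def find_scheme_mismatches(entries: List[LogEntry]) -> List[LogEntry]:
    """Rows whose listener protocol is https but whose evaluated URL is plain http://."""
    return [e for e in entries
            if e.url is not None and e.protocol == "https" and e.url.lower().startswith("http://")]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for e in rows:
        print(f"{e.time}  {e.source:<16} {e.protocol:<5} {e.action:<20} rule={e.rule!r} client={e.client_ip}")
    for when, rule, code, url in denied_summary(rows):
        print(f"denied at {when}: rule={rule!r} code={code} url={url}")
    for e in find_scheme_mismatches(rows):
        print(f"scheme mismatch at {e.time}: listener protocol {e.protocol} but URL {e.url}")
```

Run as a script it prints each parsed row, the denied rows, and the single row in which the listener protocol and the URL scheme disagree; parse_log, denied_summary and find_scheme_mismatches are the entry points for other log excerpts. The parser returns None for a row it does not recognise rather than guessing at fields, so a garbled paste degrades to a shorter list instead of wrong values.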




tshinder -> RE: Oddball OWA woes (2.Mar.2006 4:26:54 PM)

WHOA!

What do you mean that you added a second NIC? I assumed that this was a fully deployed ISA firewall!

OUCH!
Tom




jmercer54 -> RE: Oddball OWA woes (2.Mar.2006 5:02:18 PM)

Ack - my apologies for not being clear, Tom. Your assumption was 100% correct -  I added a second nic to the Exchange server - not the ISA server.

The ISA firewall is a fully-deployed dual-nic configuration as you assumed, and has been working for months with no problems. There are no references to outside DNS servers on either of the ISA nic configurations; the internal ISA adapter strictly references the two internal DNS servers, and the ISA external adapter has no DNS entries configured on it at all.

The ISA firewall is running a copy of DNS in a configuration that tells it to use the ISP's DNS to resolve external addresses.  Internal DNS servers forward unresolvable requests to the ISA server's DNS for resolution.

I put a second nic in the Exchange server so I could assign a completely separate IP and DNS records for owa, just to see if that helped (or at least changed the symptoms!).  Once the second nic on the Exchange server was configured, I altered the A records in DNS for owa.mercerhome.org to reflect the new address, and I also updated the hosts file entry on the ISA server to reflect the new IP.  I also forced the Exchange IIS configuration to listen only to that new IP.  Once I confirmed that all DNS entries had replicated, I internally tested owa.mercerhome.org using nslookup and ping from the ISA server and a workstation.  Both resolved to the correct (new) IP address internally.

Unfortunately, nothing changed at all when I attempt to access owa from the outside.  The network analyzer on the ISA server confirms that all the traffic for https is coming in on the external adapter, but nothing is making it to the internal one... from this I have to conclude that the stopping point is within ISA itself.  Interestingly, the certificate publishing rule is working 100% correctly, but that's http and not https, of course.

Again, sorry about the confusion...  if you want, I could send you an export of the certificate and/or the ISA configuration, if you think that might help.  Maybe the issue is one of those simple right-in-front-of-me types that I'm just not seeing... but I don't have any idea what it could be.




jmercer54 -> RE: Oddball OWA woes (3.Mar.2006 3:58:05 PM)

At this point, it seems I've reached a total dead-end... so I'm reluctantly going to publish owa directly through my Sonicwall TZ170, unless I or someone else has a brilliant insight... it's probably something that I'm doing wrong, but I can't imagine what it is at this point.  Thanks for all the effort, Tom, everyone. :)




tshinder -> RE: Oddball OWA woes (5.Mar.2006 4:30:09 PM)

quote:

ORIGINAL: jmercer54

Ack - my apologies for not being clear, Tom. Your assumption was 100% correct -  I added a second nic to the Exchange server - not the ISA server.

The ISA firewall is a fully-deployed dual-nic configuration as you assumed, and has been working for months with no problems. There are no references to outside DNS servers on either of the ISA nic configurations; the internal ISA adapter strictly references the two internal DNS servers, and the ISA external adapter has no DNS entries configured on it at all.

The ISA firewall is running a copy of DNS in a configuration that tells it to use the ISP's DNS to resolve external addresses.  Internal DNS servers forward unresolvable requests to the ISA server's DNS for resolution.

I put a second nic in the Exchange server so I could assign a completely separate IP and DNS records for owa, just to see if that helped (or at least changed the symptoms!).  Once the second nic on the Exchange server was configured, I altered the A records in DNS for owa.mercerhome.org to reflect the new address, and I also updated the hosts file entry on the ISA server to reflect the new IP.  I also forced the Exchange IIS configuration to listen only to that new IP.  Once I confirmed that all DNS entries had replicated, I internally tested owa.mercerhome.org using nslookup and ping from the ISA server and a workstation.  Both resolved to the correct (new) IP address internally.

Unfortunately, nothing changed at all when I attempt to access owa from the outside.  The network analyzer on the ISA server confirms that all the traffic for https is coming in on the external adapter, but nothing is making it to the internal one... from this I have to conclude that the stopping point is within ISA itself.  Interestingly, the certificate publishing rule is working 100% correctly, but that's http and not https, of course.

Again, sorry about the confusion...  if you want, I could send you an export of the certificate and/or the ISA configuration, if you think that might help.  Maybe the issue is one of those simple right-in-front-of-me types that I'm just not seeing... but I don't have any idea what it could be.


Hi J,
This is turning out much more complicated than it should be. I've published hundreds, maybe thousands of OWA sites and do it in about five minutes without problems. There has to be a simple misconfiguration issue here that can solve the problem.

Tom




tshinder -> RE: Oddball OWA woes (5.Mar.2006 4:30:49 PM)

quote:

ORIGINAL: jmercer54

At this point, it seems I've reached a total dead-end... so I'm reluctantly going to publish owa directly through my Sonicwall TZ170, unless I or someone else has a brilliant insight... it's probably something that I'm doing wrong, but I can't imagine what it is at this point.  Thanks for all the effort, Tom, everyone. :)


Hi J,
If you send me your ISAinfo file, I'll take a look at it.

Tom



