• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Unable to publish OWA - following the instructions to the letter

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Publishing] >> Exchange Publishing >> Unable to publish OWA - following the instructions to the letter Page: [1]
Login
Message << Older Topic   Newer Topic >>
Unable to publish OWA - following the instructions to t... - 31.Oct.2006 7:47:04 PM   
ErikBo

 

Posts: 19
Joined: 25.Oct.2006
From: Søborg, Denmark, Europe
Status: offline
First of all: Thank you for sharing your immense knowledge and experience on ISA – I have found a lot of sound advices and knowledge. For my current problem I have searched isaserver.org and Technet's ISA-forum for troubleshooting advice – but seems to be out of luck.
I used to run SBS2003 with ISA2004 and Exchange2003 on a server with 2 NICs – and WWW, OWA and VPN worked just fine.
In my new configuration:
  1. ISA (in a 3-leg perimeter setup) and MS Virtual Server on a dedicated server with 2 NICs
  2. Win2k3 DC with Exchange Server in the Internal zone (10.0.0.5)
  3. a published WebServer in the DMZ (10.0.1.3 virtual machine on the ISA-machine - works OK)
Though I've followed the instructions in http://www.isaserver.org/tutorials/Using-2006-ISA-Firewall-RC-Publish-OWA-Sites-Part1.html to the letter - I can't get it to work.
I "of course” have tried out any work-a-round I could think about – also some rather weird ones.
I really would appreciate any kind of advice, that could point me in the right direction of what I have got wrong or how to troubleshoot my problem
Symptoms
Internal Zone IE open https://ExchangeServer/exchange
  • Warning: Name on certificate (owa.xxx.dk) …
  • Logon to ExchangeServer
  • Outlook Web Access works OK
  • ISA log entry: Nothing
    Internal Zone IE open http://ExchangeServer/exchange
    1. HTTP Error 403.4 "SSL is required"
    2. ISA log entry: Nothing
    Internal Zone IE open https://owa.xxx.dk/exchange
    1. Takes a while
    2. Server not found: Page not available …
    3. 3 ISA log entries like:


      1. From client: 1.0.0.40
      2. Destination xxx.xxx.xxx.90:443
      3. Denied connection
      4. Default rule
    Internal Zone IE open http://owa.xxx.dk/exchange
    1. HTTP Error 403 "Forbidden”
    2. ISA log entry:


      1. From client: 10.0.0.40
      2. Anonymous
      3. Destination xxx.xxx.xxx.90:80
      4. GET http://owa.xxx.dk/exchange
      5. Denied connection
      6. Default rule
    External Zone IE open http://owa.xxx.dk/exchange
    1. HTTP Error 403 "Forbidden”
    2. ISA log entry:


      1. From client: xxx.xxx.xxx.171
      2. Destination xxx.xxx.xxx.90:80
      3. Denied connection
      4. Default rule
    External Zone IE open https://owa.xxx.dk/exchange
    1. Takes a while
    2. Server not found: Page not available …
    3. 3 ISA log entries like:
      1. From client: xxx.xxx.xxx.171
      2. Destination xxx.xxx.xxx.90:443
      3. Denied connection
      4. Default rule
    ISA 2006 - setup
    1. NIC1 (2 addresses):


      1. Internal 10.0.0.2
      2. DMZ 10.0.1.2

    2. NIC2 (1 address):


      1. Internet xxx.xxx.xxx.90

    3. the OWA publishing rule – which I can't get to work


      1. As in the above mentioned article


        1. SSL between ISA and Exchange
        2. Listener: OWA


          1. Internetxxx.xxx.xxx.90:443 (SSL 128bit owa.xxx.dk)
          2. Points to owa.xxx.dk (ExchangeServer.xxx.local, 10.0.0.5) in Internal Zone

    4. HOST record ("just in case”): 10.0.0.5 owa.xxx.dk
    5. Ping owa.ebs.dk: 10.0.0.5 time<1ms
    6. WWW publishing rule – works OK


      1. Listener: www


        1. Internetxxx.xxx.xxx.90:80
        2. Points to 10.0.1.3 in DMZ

    7. SMTP publishing rules – works OK


      1. From: External and All Protected Networks
      2. Points to 10.0.0.5 in Internal Zone

    IIS
    1. Exchange, Exchweb, Publish


      1. SSL 128 bit owa.xxx.dk
      2. ...
    --- Hypothesis
    OWA works all fine using http - meaning that I probably have a SSL-issue
    But http obviously is NOT best practice and do NOT match our security policies.
    --- Troubleshooting efforts and results
    I have documented some troubleshooting effords:
    Disable http compression
    No cigar
    Publishing Rule: OWA Using http
    OWA works all fine using http
    Using common listener: OWA (80)
    I figured out, that I didn't need dedicated listeners for port 80 and port 443 on the same ip. So I created a new listener OWA (80) by copying the existing WWW-listener.
    Setting up so that both the OWA- and the WWW-publishing rule uses Listener: OWA (80).
    Listener: OWA (80) config
    • http on port 80
    • https on port 443
    • Certificate owa.xxx.dk
    Publishing Rule: OWA config
    • http on port 80
    • https on port 443


      • Certificate owa.xxx.dk
    Check Internal and External access to
    Setting IIS up to use SSL
    1. Exchange, Exchweb, Publish:
      1. SSL 128 bit owa.xxx.dk
      2. Anonymous Access: Disabled
    Check External access to
    Check Internal access to
    Publishing Rule: OWA Using http AND https
    On the Bridging tab:
    ·         Redirect requests to HTTP port: 80
    ·         Redirect requests to SSL port: 443
    ·         Do not check "Use a certificate to authenticate to the SSL Web server”

    Check External access to

    Check Internal access to

    Publishing Rule: SSL between ISA and ExchangeServer
    On the Bridging tab:
  • Redirect requests to HTTP port: 80
  • Redirect requests to SSL port: 443
  • Use a certificate to authenticate to the SSL Web server


    • Select Certificate: <No valid certificates was found on this server>

      This message puzzles me a bit as Certificates (Local Computer)\Personal\Certificates contains 3 certificates – all OK !?
      ---
      according to Tom's answer in another thread today I can discard for this as being part of the SSL-publishing problem ...
      ---

      I sure hope someone are able to help me out - I feel totally stuck with this.

      < Message edited by ErikBo -- 9.Nov.2006 3:28:03 PM >


      _____________________________

      Best regards
      Erik Bo Sørensen
    • Post #: 1
      RE: Unable to publish OWA - following the instructions ... - 31.Oct.2006 8:18:50 PM   
      rjodwyer

       

      Posts: 13
      Joined: 16.Feb.2005
      From: Melbourne, Australia
      Status: offline
      Hi Erik,

      I found that to get OWA to work, i had to disable Forms based authentication on the exchange server, then ISA2006 would authenticate and allow OWA to external users.

      I'm running SBS2003 and a separate ISA2006, sounds like we are both having similar problems.

      HTH,
      Regards,
      Ryan

      (in reply to ErikBo)
      Post #: 2
      RE: Unable to publish OWA - following the instructions ... - 3.Nov.2006 8:27:24 PM   
      ErikBo

       

      Posts: 19
      Joined: 25.Oct.2006
      From: Søborg, Denmark, Europe
      Status: offline
      Hi Ryan
      Thank you for taking time to answer in my need.

      It has been my understanding that Forms authentication MUST be used on the ISA Server which is publishing the OWA-forms:
      "On the Authentication Settings page you have a number of options. However, you’ll always want to select the HTML Form Authentication option from the Select how clients will provide credentials to ISA Server drop down list when publishing OWA sites."

      As for the communication from ISA to the Exchange Server I haven't had the opportunity to configure Forms authentification - so I've configured the recommended Basic authentication. Which I have confirmed on the securuty tab for ExchWeb in IIS Manager.

      Where should I disable Forms authentication on the Exchange Server?

      Thanks again
      Erik Bo

      _____________________________

      Best regards
      Erik Bo Sørensen

      (in reply to rjodwyer)
      Post #: 3

      Page:   [1] << Older Topic    Newer Topic >>
      All Forums >> [ISA 2006 Publishing] >> Exchange Publishing >> Unable to publish OWA - following the instructions to the letter Page: [1]
      Jump to:

      New Messages No New Messages
      Hot Topic w/ New Messages Hot Topic w/o New Messages
      Locked w/ New Messages Locked w/o New Messages
       Post New Thread
       Reply to Message
       Post New Poll
       Submit Vote
       Delete My Own Post
       Delete My Own Thread
       Rate Posts