
OWA don’t work over https in Exchange Server on DC and ISA2006 as domain member in 3-leg perimeter

OWA don’t work over https in Exchange Server on DC and ... - 1.Dec.2006 2:49:58 AM   
ErikBo

 

Posts: 19
Joined: 25.Oct.2006
From: Søborg, Denmark, Europe
Status: offline
Hi,
Does anybody have any kind of advice to share, that could point me in the right direction of what I have got wrong or how to troubleshoot my problem?
OWA works all fine using http - meaning that I probably have an SSL issue.
But http obviously is NOT best practice and does NOT match our security policies.
 
Configuration

  1. ISA2006 (domain member in a 3-leg perimeter setup) and MS Virtual Server on a dedicated server with 2 NICs (1 housing 2 ip’s: DMZ & Internal)

  2. Win2k3 DC with Exchange Server in the Internal zone (10.0.0.5)

  3. a published (MOSS2007) WebServer in the DMZ (10.0.1.3 virtual machine on the ISA-machine - works OK)

I believe I have followed the instructions in http://www.isaserver.org/tutorials/Using-2006-ISA-Firewall-RC-Publish-OWA-Sites-Part1.html to the letter (except for SSL auth between ISA and Exchange, where the listener refused to recognize any of the installed certificates).

OWA works in Internal Zone calling Exchange-server directly
https://ExchangeServer/exchange:
    Warning: Name on certificate (owa.xxx.dk) …
    OWA opens

OWA doesn’t WORK calling via ISA-server from any Zone
https://owa.xxx.dk/exchange:

Error: Server not found: Page not available …
3 ISA log entries like:
    From client: internal or external
    Destination xxx.xxx.xxx.90:443
    Denied connection
    Default rule

ISA 2006 - setup

  1. NIC1 (2 addresses):
    Internal 10.0.0.2
    DMZ 10.0.1.2

  2. NIC2 (1 address):
    Internet xxx.xxx.xxx.90

The OWA publishing rule – which I can't get to work:

As in the above mentioned article

I don’t use SSL between ISA and Exchange
Listener: OWA

Internet xxx.xxx.xxx.90:443 (SSL 128bit owa.xxx.dk)
Points to owa.xxx.dk (ExchangeServer.xxx.local, 10.0.0.5) in Internal Zone

HOST record ("just in case"): 10.0.0.5 owa.xxx.dk
Ping owa.ebs.dk: 10.0.0.5 time<1ms
A WWW publishing rule that works OK:

Listener: www

Internet xxx.xxx.xxx.90:80
Points to 10.0.1.3 in DMZ
An SMTP publishing rule that works OK:

From: External and All Protected Networks
Points to 10.0.0.5 in Internal Zone

IIS - setup

Exchange, Exchweb, Publish:

SSL 128 bit owa.xxx.dk
...
Hope anybody can help out
Best regards
Erik Bo

_____________________________

Best regards
Erik Bo Sørensen
Post #: 1
RE: OWA don’t work over https in Exchange Server on DC ... - 7.Dec.2006 7:36:52 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Erik,

A single NIC can't have IP addresses from two network IDs bound to it.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ErikBo)
Post #: 2
RE: OWA don’t work over https in Exchange Server on DC ... - 8.Dec.2006 3:41:22 AM   
ErikBo

 

Hi Tom,
Thanx,

I just have to bother with yet another question:
How do I identify all services using a specific ip and port?

Inspired by your answer I tried one more time following your great article about OWA and RPC/HTTP. Troubleshooting this installation in the application event log on the ISA Server, I think I've stumbled over the cause of all evil:
Event Type:            Warning
Event Source:         Microsoft ISA Server Web Proxy
Event Category:     None
Event ID:                14148
Date:                       08-12-2006
Time:                       11:46:55
User:                       N/A
Computer:               SRV03
Description:
The Web Proxy filter failed to bind its socket to <external ip> port 443. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: 1d 27 07 80…
Manually checking the services, listeners … on the ISA Server hasn’t revealed any other service using <external ip> port 443. (I’m considering just using port 444 – would that be a problem?).


I'll go out and buy one more NIC ... I've been hesitating doing that as I’m planning to move my ISA Server to a dedicated (appliance?) server.

(The 2-ip configuration works all right for publishing my (Microsoft Office SharePoint Server) placed in DMZ on the web and for publishing my Exchange Server placed in Internal zone - apart from some error events and ISA routing warnings, though)

(Maybe my configuration works because my machines in the DMZ are virtual machines that use the virtual network connections to communicate with the ISA Server that runs on the Virtual Server host).

< Message edited by ErikBo -- 8.Dec.2006 7:11:22 AM >


_____________________________

Best regards
Erik Bo Sørensen

(in reply to tshinder)
Post #: 3
RE: OWA don’t work over https in Exchange Server on DC ... - 8.Dec.2006 8:51:14 AM   
tshinder

 

Hi Erik,

Try netstat -nab

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ErikBo)
Post #: 4
Thanx! That solved my OWA-trouble - 8.Dec.2006 12:20:59 PM   
ErikBo

 

Thanks a lot Tom!
My OWA now works again - thanks to your assistance!
(I've now got an issue with RPC/HTTP, but I don't really need that at the moment, so I'll get my priorities straight and leave that for the time being - maybe I'll look into it, when I get the missing NIC)
Netstat -nab on the ISA Server showed only one service listening on port 443:
Proto  Local Address Foreign Address  State      PID
TCP    0.0.0.0:443   0.0.0.0:0        LISTENING  2236
W3SVC [svchost.exe]
In IIS Manager on the ISA Server the default web site was using port 443 – on the Internal IP of my double-IP (yes! I know!) NIC.
  • Getting rid of the default web site's use of port 443
  • iisreset
  • restart firewall
  • checking application event log: No 14148 events
  • checking netstat -nab:
    Proto  Local Address  Foreign Address  State      PID
    TCP    <ip>:443       0.0.0.0:0        LISTENING  5360
    [wspsrv.exe]

Testing RPC/HTTP:
Failed connection.

Testing OWA: OK!
ISA log:
1st
denied connection GET http://owa.<domain>.dk/exchange
2nd
Allowed connection GET https://owa.<domain>.dk/CookieAuth.dll?GetLogon?curl?Z2Fexchange&...

< Message edited by ErikBo -- 10.Dec.2006 3:42:04 PM >


_____________________________

Best regards
Erik Bo Sørensen

(in reply to tshinder)
Post #: 5
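
The port-ownership check from the `netstat -nab` exchange above, as an added example that is not part of the original posts: it parses saved `netstat -nab` output and reports any listener other than the expected process that overlaps a given IP and port, which is the condition behind event 14148 in this thread. The function names, the 192.0.2.90 documentation address standing in for the external IP, and the port 8080 row are assumptions made for the sample.

```python
import re

CONN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)\s+(\d+)\s*$")
EXE = re.compile(r"\[([^\]]+)\]")
# Constructed samples modelled on the listings in the thread; 192.0.2.90 is a
# documentation address standing in for the external IP, port 8080 is made up.
BEFORE = """\
  Proto  Local Address    Foreign Address  State      PID
  TCP    0.0.0.0:443      0.0.0.0:0        LISTENING  2236
  W3SVC
  [svchost.exe]
  TCP    10.0.0.2:8080    0.0.0.0:0        LISTENING  5360
  [wspsrv.exe]
"""
AFTER = """\
  TCP    192.0.2.90:443   0.0.0.0:0        LISTENING  5360
  [wspsrv.exe]
"""

def parse_listeners(text):
    """Return one dict per TCP LISTENING socket with its owner lines attached."""
    rows, current = [], None
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            addr, port, state, pid = m.groups()
            current = None  # owner lines of non-listening rows are skipped
            if state == "LISTENING":
                current = {"addr": addr, "port": int(port), "pid": int(pid),
                           "exe": None, "component": None}
                rows.append(current)
        elif current is not None and line.strip():
            exe = EXE.search(line)
            if exe:
                current["exe"] = exe.group(1).lower()
            rest = EXE.sub("", line).strip()  # e.g. the service name W3SVC
            if rest and current["component"] is None:
                current["component"] = rest
    return rows

def blockers(rows, ip, port, expected_exe):
    """Listeners not owned by expected_exe that overlap ip:port (0.0.0.0 overlaps all IPv4)."""
    return [r for r in rows
            if r["port"] == port and r["addr"] in (ip, "0.0.0.0")
            and r["exe"] != expected_exe.lower()]

if __name__ == "__main__":
    for r in blockers(parse_listeners(BEFORE), "192.0.2.90", 443, "wspsrv.exe"):
        print("port 443 held by", r["component"], r["exe"], "PID", r["pid"])
```

The parser accepts the owner on one line (`W3SVC [svchost.exe]`, as pasted in the post) or split across two lines.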
RE: Thanx! That solved my OWA-trouble - 10.Dec.2006 3:03:10 PM   
tshinder

 

Hi Erik,

ACK!!! You need to remove ALL IIS services from the ISA Firewall. Once you do that, everything will work as expected.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ErikBo)
Post #: 6
RE: Thanx! That solved my OWA-trouble - 10.Dec.2006 3:39:52 PM   
ErikBo

 

Hi

I'll follow your advice as soon as possible (need a dedicated machine for the ISA server) ...

Thanx again.

_____________________________

Best regards
Erik Bo Sørensen

(in reply to tshinder)
Post #: 7
