I'm setting up OWA using Exchange 2003 and ISA 2006. We have a single Exchange server in our domain, but it is not a DC. The ISA server is set up in the DMZ and is not a domain member. We can get to our OWA page externally, but when we try to log in it says the page cannot be displayed.
I set up the LDAP pre-authentication according to Tom Shinder's documentation. The certificate is installed on the Exchange and ISA servers, but I didn't do it the way Tom instructed since I'm only working with these two servers. His instructions were for distributing amongst several servers. I created a user group in my AD for users I want to have OWA access, and set up that group in the ISA server.
I'm not very familiar with ISA, but I figured out one problem was that I needed to create a rule in ISA to allow the server to send LDAP communication to the Exchange server. What am I missing? Do I need to do anything on the individual user profiles? Open any other ports?
I deleted everything I set up for OWA and then followed Thomas Shinder's instructions for "LDAP Pre-authentication with ISA 2006 Firewalls: Using LDAP to Pre-authenticate OWA Access" parts 1 - 4. I was able to log in ONCE off-site. I called our finance officer who was away at a meeting and told her how to log in. She entered her domain\username and password and the screen sat there and did nothing. I went off-site and tried again. The page sits there and does nothing. I don't see that anything is blocked by our PIX firewall.
This morning I tried logging in with the redirected URL, and adding /exchange to the URL.
In the ISA log I saw these two denied entries: 12239 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
I've tested LDAP with ldap.exe to my DCs. It connects. (I added DCs to the LDAP server list on the ISA server.)
Does anybody have a suggestion of what I need to check? It could be something obvious that I omitted.
I've tested to make sure my certificates were correct. They are. I've tested LDAPS to make sure it authenticates; it does. I've even tested logging in with a user account that does not have OWA permission; it doesn't let them in. I've tried logging in with an account that has permission, but used the wrong password. It lets me know the password is incorrect. I assume it's a rule problem?
I only have a few rules in the ISA server: the OWA rule, done according to Shinder's instructions; a rule allowing that server to surf the Internet; and a rule allowing LDAPS connections between the ISA server and a DC and the Exchange server.
What would cause the server to authenticate, but never show the email page? It just sits on the login screen and doesn't advance.
I've checked my firewall logs. I see traffic from outside to my ISA server on port 443. I see traffic from my ISA server to the specified DC on port 636. There is no other related traffic. I don't have anything coming from my ISA server to my Exchange server on port 443. It's not even trying to connect.
That should help me diagnose my problem, but I don't know where to look. Does that spark any ideas for anybody else?
I figured out what the problem was. It was the forward path I had in the OWA rule properties, Paths tab. I had the / external path forwarding to /Exchange. I tried /Exchange\ as instructed for ISA 2004, but of course, that erred. So I took the last \ off. It forwarded the page correctly, but after logging in, it never showed the email page. I removed that entry from the paths tab, and created a new rule to "Redirect to Forward Root Directory Connections to the /Exchange Path" according to the instructions in http://www.isaserver.org/tutorials/ISA-Firewall-Publishing-OWA-RPC-HTTP-Single-IP-Address-Part5.html. Thanks Tom!