I have been trying to figure this out for a while now, but without success... :(
I have a win2k3 sp1 server running IIS and also isa2k6 on the same box. I have a virtual directory on IIS (let's call it /dir1) which is configured for certificate-based authentication (integrated auth only, require ssl, require 128, require user cert, enable cert mapping). All works fine when I am trying to access the server locally (through LAN). Cert popup, I choose the cert and then I get access to dir1.
I have created a web publishing rule in ISA for this directory, and am publishing it on the external interface of the ISA as mydomain.com/dir1. The listener is on HTTPS, but no authentication is required ("require all users to authenticate" is not checked, users tab: all users). On the Authentication tab of the listener I chose "No Authentication", on the Authentication Delegation tab: "no delegation but allow client to authenticate directly".
If I try to access mydomain.com/dir1 from outside, I don't get the certificate popup, but get a standard IIS 403.7 Client certificate required error. The ISA logs are clean, the ISA allows through the connection as expected and closes it gracefully after some time (I guess when the TCP connection is closed).
UPDATE: In the IIS logs I only see one 403 attempt, and nothing else... while for the successful attempts (from the LAN) I see one 403, one 302 (redirect from .../dir1 to .../dir1/) and then the 200 OK.
Any ideas what might be the problem here? Why does it not work from outside when it works from inside and ISA just reverse NATs it though?
< Message edited by mcfly9 -- 17.Dec.2006 6:20:09 PM >