Hi, I used this guide to set up Exchange 07 with ISA 06: http://www.microsoft.com/technet/isa/2006/deployment/exchange.mspx Everything works fine except Outlook Anywhere authentication. When I use NTLM, the Outlook client always prompts for a password and doesn't connect to the Exchange server (Basic auth works fine). Any solutions?
So you mean I should use another web listener for RPC/HTTP with the option to use integrated authentication? In that case, should I use Basic authentication for the access rule for RPC/HTTP, or what?
You can also use the same FBA web listener when you create a 2nd web publishing rule for Anywhere over the OWA rule
and set the Authentication Delegation option to "no authentication but client can authenticate directly". I know then he goes directly to Exchange, but this way NTLM will work in the Outlook client on the same listener, single IP :)
When you can deal with the option to allow RPC in a company, I think you can also deal with this.
Yes, actually this is working for E2k7 and ISA 2006. I use one rule for OWA and ActiveSync with NTLM delegation and an FBA-enabled listener, and I created a 2nd rule over the OWA rule with only the RPC virtual directory.
This rule I configured to use delegation: "no delegation but client can directly authenticate", and it's working with the same FBA-enabled listener (single IP publishing).
The RPC client (Outlook 2003 & 2007) will still work with Basic & NTLM settings...
I tested only in a single E2k7 scenario, but I think it's also working with a separate CAS because it changes nothing in the idea.
I have more feedback on the scenario with MSRPC and NTLM.
So I had an interesting conversation with some experts about why this is working with a single FBA listener.
Because the MSRPC user agent ignores FBA by default. You can check this by using a script to read the actual user agent configs with FBA.
So when I use authentication delegation "no delegation but client can directly authenticate" on my upper rule, I can use NTLM, but he also goes directly to Exchange, so the security isn't really strong.
I think when you use HTTPS/SSL to publish this scenario, which is the best practice, it makes no real difference whether you use only Basic or also NTLM auth with MSRPC (from the security side).
I will need to get a new computer to test this. I tried to work with the 32-bit trial version of Exchange 2007, but the SMTP "service" failed to work correctly and there were other problems. I have a Pentium D series 820 dual-core machine, but it's not VT enabled, so I can't run 64-bit guests. So I'm likely going to have to wait a few months before I can test Exchange 2007 scenarios.
Tom
< Message edited by tshinder -- 22.May2007 8:53:20 AM >
"You can also use the same FBA web listener when you create a 2nd web publishing rule for Anywhere over the OWA rule
and set the Authentication Delegation option to "no authentication but client can authenticate directly". I know then he goes directly to Exchange, but this way NTLM will work in the Outlook client on the same listener, single IP :)
When you can deal with the option to allow RPC in a company, I think you can also deal with this."
Uzimmermann,
Can you post some more detail on the rules you use to get NTLM to work externally? I've tried a 2nd rule for the same listener, but can't get NTLM to work through ISA 2006. Basic works fine internally and externally, or NTLM will work internally. I can't get NTLM to work externally.
Phew... finally got mine to work. What I did was to recreate the certificate from the Exchange server to also include the hostname of the ISA server, using an alternative domain name, which allows multiple domain names in 1 certificate.
After that, Outlook configured with NTLM works internally from the LAN and also when outside of the LAN.
How did you recreate the certificate? One gotcha I found when using the dreaded PowerHell to request the certificate is that you cannot export the certificate from the CAS with its private key, so I had to create a new certificate using the web enrollment site for the ISA firewall to get OWA and ActiveSync to work. I still don't have Outlook 2007 RPC/HTTP working yet. The Microsoft doc on how to publish Exchange 2007 is not much help in this area.
I found that the only way to get Outlook Anywhere to work with NTLM while using an FBA listener is like uz described. Here are some more details as requested:
Use a separate web publishing rule for the /rpc path. Allow it for "All users" (not "All authenticated users") and make sure to uncheck "Require all users to authenticate". Together these effectively prevent ISA from doing any authentication, so also not the fallback Basic auth challenge of the FBA listener. Finally, set authentication delegation to "no delegation but client can directly authenticate" and enable integrated auth on the rpc directory on the Exchange server.
Note: using this method, the RPC users are NOT authenticated by ISA, but only and directly on the Exchange server, as they pass anonymously through the FBA listener and this rpc rule.
< Message edited by adenhaan -- 10.Jun.2007 12:28:33 AM >
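A check for the rule described above, added here as an example and not posted by anyone in this thread: it sends the unauthenticated request Outlook Anywhere starts with (user agent MSRPC, method RPC_IN_DATA) to the published /rpc path and reports whether the answer was an NTLM challenge from Exchange, a Basic-only challenge (the listener's fallback), or an FBA redirect that would make Outlook keep prompting. The hostname, path and sample responses are assumptions, not values from the thread.

```python
import http.client
import ssl

# Constructed sample 401 headers (not captured from a real server): what the
# /rpc virtual directory answers when Exchange, not ISA, does the authentication.
SAMPLE_HEADERS_NTLM = [
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Basic realm="mail.example.com"'),
]
# Constructed sample: the ISA listener answered with its Basic fallback only.
SAMPLE_HEADERS_BASIC = [("WWW-Authenticate", 'Basic realm="mail.example.com"')]


def classify_challenge(status, headers, location=None):
    """Classify the first response to an unauthenticated /rpc request.

    headers: list of (name, value) pairs as returned by http.client.
    Returns one of: fba-form, ntlm-offered, basic-only, no-challenge, other.
    """
    # A redirect to the FBA logon page means the listener intercepted the
    # request; Outlook cannot fill in a form, so it prompts for ever.
    if status in (301, 302) and location and "cookieauth.dll" in location.lower():
        return "fba-form"
    schemes = set()
    for name, value in headers:
        if name.lower() == "www-authenticate" and value.split():
            schemes.add(value.split()[0].lower())
    if status != 401 or not schemes:
        return "no-challenge"
    if "ntlm" in schemes or "negotiate" in schemes:
        return "ntlm-offered"   # integrated auth reached the client end to end
    if "basic" in schemes:
        return "basic-only"     # only the Basic challenge survived the path
    return "other"


def probe_rpc(host, path="/rpc/rpcproxy.dll", timeout=10):
    """Send the request Outlook Anywhere begins with and classify the reply.

    host is an assumed value; point it at your own published Exchange name.
    """
    conn = http.client.HTTPSConnection(host, timeout=timeout,
                                       context=ssl.create_default_context())
    conn.request("RPC_IN_DATA", path, headers={"User-Agent": "MSRPC", "Host": host})
    resp = conn.getresponse()
    result = classify_challenge(resp.status, resp.getheaders(), resp.getheader("Location"))
    conn.close()
    return result
```

Run probe_rpc once from inside the LAN and once from outside; the two results should both be "ntlm-offered" when the /rpc rule is passing the client straight to Exchange as described.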