Well, I finally got Outlook Anywhere to work for both internal and external clients. However, I do require pre-authentication at the ISA Firewall, otherwise we allow anonymous connections to the /rpc directory, which is not something I really want to do for security reasons.
I'll write the paper up next week showing the procedures from start to finish. I'll tell you PowerHell really earned its moniker!
I have a situation where I am installing Exchange 2007 to my network. We are moving from Communigate Pro and this has been a mission. If anyone needs some pointers on moving from Communigate to Exchange, let me know. This has been quite the learning experience.
My problems...
I cannot get Outlook Anywhere to work correctly. Because of ActiveSync, I don't think I will be able to use SSO with Exchange and SharePoint. (This problem will be tackled later, but if someone has some advice, let me know.) Also, because ActiveSync requires basic authentication, I don't think I can use forms-based authentication with OWA. Anyone have those two working together?
The paper is 90% done and is about 200 pages (I screenshot each step and included Exchange Server configuration, that's what makes it so long).
It will be done this weekend and will be published probably in four parts. If you need the entire doc ASAP, send me a note to tshinder@isaserver.org and I'll forward you my "pre-release" version.
Ok... The article did give me some good stuff, but I still couldn't get Outlook Anywhere to work until this weekend. The only problem is that I can't seem to get the ISA to pass NTLM authentication. It works fine with basic, and watching ISA logging I can see the HTTPS traffic. When I switch to NTLM, nothing is sent to the internal IP of my Exchange Server. Any tips would be great.
One thing I noticed. When you enable Outlook Anywhere on the Exchange box, you have to select whether you will be using NTLM or basic. Mine has been set at NTLM the whole time, but has worked with basic authentication. I guess it just disregards that.
Question about forms-based authentication. If my listener is set up for forms-based, I know it will drop down to basic if necessary. Does it only do FBA or basic? Might my listener be the problem? I tried switching my listener, but it didn't help much.
Wow. I just re-read this whole thread and answered most of my questions. I still would like to have a more secure option than bypassing the ISA. Anyone who has that working should shout it out with pride!
When FBA is installed on the listener, it will automatically fall back to basic for RPC/HTTP clients. You can then delegate that as NTLM to the RPC/HTTP site.
I too am using NTLM via straight pass through (method described in earlier posts) to the Exchange server.
Also, we make extensive use of SharePoint lists in Outlook, and Microsoft, by design apparently, requires a separate login for each list. To prevent users having to log in a dozen or so times, we have also had to remove FBA for the SharePoint rule and use the same passthrough authentication.
Given the precedence MS gives to reminding us of the fact that ISA is the best way to publish Outlook and SharePoint, it would be great if they could find some way of allowing us to benefit from these features without the unworkable scenario of several logins each time Outlook Anywhere with SharePoint lists is fired up.
I am a big fan of ISA and would love to be able to take full advantage. I will wait and hope for a flexible FBA fallback configuration, if this is in any way possible.
Hi All,
As Tom knows, I am still trying to write some of this stuff up on my blog, as I have a lot of this working in my own production network and for some customers...
My plan was to explain a lot of the concepts behind the scenes (like certs and the necessary Exchange setup to prepare for correct ISA publishing), but this is just taking too long and is quite difficult! Hence I may just release a few blog posts that cover the "key" elements that you need in place for publishing Exchange 2007 advanced features, with nice-to-haves like NTLM auth for Outlook Anywhere and full OWA document access with NTLM.
My original plan was to produce blog entries for the following:
· Publishing Exchange 2007 Services with ISA Server 2006 – Part 1: Things You Need to Know about Exchange 2007
· Publishing Exchange 2007 Services with ISA Server 2006 – Part 2: Things You Need to Know about Certificates
· Publishing Exchange 2007 Services with ISA Server 2006 – Part 3: Preparing the Exchange 2007 Environment
· Publishing Exchange 2007 Services with ISA Server 2006 – Part 4: Creating the Publishing Rules for OWA with the Document Access Feature
· Publishing Exchange 2007 Services with ISA Server 2006 – Part 5: Creating the Publishing Rules for ActiveSync
· Publishing Exchange 2007 Services with ISA Server 2006 – Part 6: Creating the Publishing Rules for Outlook Anywhere with Transparent Windows Authentication
· Publishing Exchange 2007 Services with ISA Server 2006 – Part 7: Creating the Publishing Rules for Exchange 2003/2007 Coexistence
However, I am thinking of just skipping to parts 4-7 to get something out there... but I am not sure how well it will hang together without the introduction parts.
I've done most of the screen captures, but just need to wrap the text around them which, as ever, is taking the time... I also have a life too!
If you can get the blog posts up, I could piece them together and include the 4-7 information and create a BIG article for ISAserver.org that ties them all together and includes all the step by steps, even for the simple stuff that you don't need to waste time on when writing it up on your blog.
I am pretty much in the same situation as itadmin is in this thread:
"The only problem is that I can't seem to get the ISA to pass NTLM authentication. It works fine with basic, and watching ISA logging I can see the HTTPS traffic. When I switch to NTLM, nothing is sent to the internal IP of my Exchange Server. Any tips would be great.
One thing I noticed. When you enable Outlook Anywhere on the Exchange box, you have to select whether you will be using NTLM or basic. Mine has been set at NTLM the whole time, but has worked with basic authentication. I guess it just disregards that.
Question about forms-based authentication. If my listener is set up for forms-based, I know it will drop down to basic if necessary. Does it only do FBA or basic? Might my listener be the problem?"
I am not sure if you have updated your blog, but if you can point me to the solution for this problem that would be great! And as a future reference I would really love to have a look at the 200-page document that has been created. I am kind of held up with getting NTLM to work.
An FBA listener can only fall back to basic; hence you will need to use two web listeners for the best user experience...
Cheers
JJ
Jason
I appreciate your prompt and quick response.
Just wondering if you ever got a chance to finish the document about configuring ISA as mentioned in http://forums.isaserver.org/m_2002041377/mpage_2/tm.htm, and if you are done I would really appreciate it if you could forward me the doc, as I am having a problem configuring Outlook Anywhere to communicate over ISA using NTLM. The current setting is:
1. Exchange is set to use NTLM and IIS (the RPC virtual directory is set to Integrated Windows Authentication)
2. ISA web listener is set to HTTP Integrated and the publishing rule is set to use NTLM
3. The Outlook client is set to use NTLM
I have no clue why it's not working, but with the exact same settings, if I change the Outlook client to Basic everything works fine (provided I type in the username and password). Please advise what I am doing incorrectly; any help is highly appreciated. Thanks
That article covers most of what you need from the ISA/TMG end, but I never got time to expand the series...
What is the article missing?
Cheers
JJ
Hi JJ
None of the articles are missing, but I thought you might have a PDF version of the same article. Can you tell me what is going wrong in the way everything is set up on my end? I have created two web listeners (one for OWA and the other for Outlook Anywhere) and OWA works fine, but I wanted Outlook Anywhere to work with NTLM authentication.
I am having a problem configuring Outlook Anywhere to communicate over ISA using NTLM. The current setting is:
1. Exchange is set to use NTLM and IIS (the RPC virtual directory is set to Integrated Windows Authentication)
2. ISA web listener is set to HTTP Integrated and the publishing rule is set to use NTLM
3. The Outlook client is set to use NTLM
I have no clue why it's not working, but with the exact same settings, if I change the Outlook client to Basic everything works fine (provided I type in the username and password).
I have read your entire article and it's pretty informative, and I tried to do KCD instead of NTLM, but your article says:
" Active Directory will need to be running at Windows 2003 native functional level (or greater) in order to see the Delegation tab. Also, both computer objects will need to be in the same Active Directory domain for KCD to function (even with ISA Server 2006 SP1)."
In the setup that I have, these two objects (ISA and CAS) are in two different domains and I am not sure how I would deal with this situation. Let me know if you have any thoughts.
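Added example, not code from any poster in this thread: a PowerShell check script for the three settings listed in the posts above (Outlook Anywhere client authentication method, IIS authentication on the /Rpc virtual directory, and the KCD prerequisites quoted from JJ's article: same domain for the ISA and CAS computer objects, plus the http/<CAS FQDN> SPN and delegation entry). It assumes it is run in the Exchange Management Shell on the CAS itself under PowerShell 2.0, that the IIS 6 metabase WMI provider (root\MicrosoftIISv2) is present, and that /Rpc lives under the Default Web Site (W3SVC/1). The server names CAS01 and ISA01 are hypothetical placeholders.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the
# CAS. Assumed: PowerShell 2.0, IIS 6 WMI provider available, /Rpc on Default Web Site.
param(
    [string]$CasServer = "CAS01",   # Client Access Server publishing /Rpc (hypothetical name)
    [string]$IsaServer = "ISA01"    # ISA Server computer account (hypothetical name)
)

# --- 1. Outlook Anywhere on the CAS ---------------------------------------------
# ClientAuthenticationMethod is what Outlook is told to use (Basic or Ntlm). An Outlook
# profile set to NTLM while the CAS advertises Basic (or the reverse) is the mismatch
# several posters above ran into.
$oa = Get-OutlookAnywhere -Server $CasServer
"Outlook Anywhere {0}: ExternalHostname={1} ClientAuthenticationMethod={2}" -f `
    $oa.Identity, $oa.ExternalHostname, $oa.ClientAuthenticationMethod
if ($oa.ClientAuthenticationMethod -ne "Ntlm") {
    Write-Warning "CAS advertises $($oa.ClientAuthenticationMethod); NTLM-only Outlook profiles will not match."
}

# --- 2. IIS authentication on /Rpc -----------------------------------------------
# ISA delegates NTLM to /Rpc, so IIS must accept Integrated Windows auth there, and
# anonymous access must be off (the exposure the first post mentions).
$rpc = Get-WmiObject -Namespace "root\MicrosoftIISv2" -Class IIsWebVirtualDirSetting |
    Where-Object { $_.Name -eq "W3SVC/1/ROOT/Rpc" }
if ($rpc -eq $null) {
    Write-Warning "W3SVC/1/ROOT/Rpc not found in the IIS metabase on this host."
} else {
    "/Rpc IIS auth: Anonymous={0} Basic={1} Integrated(NTLM)={2}" -f `
        $rpc.AuthAnonymous, $rpc.AuthBasic, $rpc.AuthNTLM
    if ($rpc.AuthAnonymous) { Write-Warning "/Rpc allows anonymous access; turn it off." }
    if (-not $rpc.AuthNTLM)  { Write-Warning "/Rpc does not accept Integrated Windows auth; NTLM delegation from ISA cannot succeed." }
}

# --- 3. KCD prerequisites (only if you move from NTLM delegation to KCD) ---------
function Get-ComputerDN([string]$Name) {
    # Search the global catalog so a computer in another domain of the forest is found too.
    $root = [ADSI]"LDAP://RootDSE"
    $gc   = New-Object DirectoryServices.DirectoryEntry("GC://" + $root.rootDomainNamingContext)
    $s    = New-Object DirectoryServices.DirectorySearcher($gc)
    $s.Filter = "(&(objectCategory=computer)(cn=$Name))"
    $r = $s.FindOne()
    if ($r -eq $null) { return $null }
    return [string]$r.Properties["distinguishedname"][0]
}
function Get-DomainOfDN([string]$Dn) {
    # "CN=ISA01,OU=Servers,DC=corp,DC=example,DC=com" -> "corp.example.com"
    $parts = $Dn.Split(",") | Where-Object { $_ -like "DC=*" } | ForEach-Object { $_.Substring(3) }
    return [string]::Join(".", $parts)
}

$casDn = Get-ComputerDN $CasServer
$isaDn = Get-ComputerDN $IsaServer
if (-not $casDn -or -not $isaDn) {
    Write-Warning "Could not find both computer objects in the global catalog."
} else {
    $casDomain = Get-DomainOfDN $casDn
    $isaDomain = Get-DomainOfDN $isaDn
    if ($casDomain -ne $isaDomain) {
        # The constraint quoted from JJ's article above: KCD needs both objects in one domain.
        Write-Warning "ISA is in $isaDomain and CAS in $casDomain; KCD is not an option, keep NTLM delegation."
    } else {
        $cas = [ADSI]"LDAP://$casDn"
        $isa = [ADSI]"LDAP://$isaDn"
        $casSpn = "http/" + [string]$cas.dNSHostName
        $spns   = @($cas.servicePrincipalName | ForEach-Object { "$_" })
        $delegs = @($isa.'msDS-AllowedToDelegateTo' | ForEach-Object { "$_" })
        "CAS SPNs: " + [string]::Join(" ", $spns)
        "ISA may delegate to: " + [string]::Join(" ", $delegs)
        if ($spns -notcontains $casSpn)   { Write-Warning "CAS lacks SPN $casSpn." }
        if ($delegs -notcontains $casSpn) { Write-Warning "ISA computer object does not list $casSpn under msDS-AllowedToDelegateTo." }
    }
}
```

Each section only reports and warns; it changes nothing, so it is safe to run against production before touching the ISA rule or the Exchange settings. If section 3 reports different domains, the KCD path is closed for the reason the quoted article gives and NTLM delegation (sections 1 and 2) is what has to be made to work.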