and OWA work fine, but with Outlook Anywhere, if I set the authentication type to NTLM in the Outlook client configuration I can't connect, while if I set the authentication type to Basic I can connect, but I have to type my username and password. Do you know where the problem might be? Note: I'm using a machine with a local account, not logging in with a domain account. Would that affect NTLM authentication?
Hi je@nb, I agree with your opinion, but the problem is that if you try to create another web listener it won't accept it if you use the same port and IP address, and that's silly. For NTLM authentication I can't get it to work with the Outlook client, but Basic authentication works fine if I type the username and password, and that's silly for sure. Is there another way to get NTLM authentication done? Another thing: why did we add the rule OWA (NTLM)? I didn't understand why we created it, since with the first rule OWA (Basic) everything works fine for OWA. Thanks.
That's normal. You can't use NTLM authentication to the ISA Firewall because the ISA Firewall doesn't do NTLM to NTLM delegation.
Read the article again -- I said that there were supposed to be "special features" that were only supported by NTLM -- I didn't say I knew what they were because no one has said anything other than "special features".
As for NTLM auth, as I said, you can't do NTLM auth with the ISA Firewall and then delegate as NTLM. Not supported.
Thanks Tom, so you suggest that I keep on entering my username and password every time I try to open Outlook Anywhere? Isn't there an easier way for it to pick up my login username and password to authenticate? It is so irritating to keep on entering the username and password. Thanks again.
If you configure your ISA Firewall to use KCD and configure the /rpc folder to use Integrated, and configure the ISA Firewall to use Integrated authentication with KCD, then it should work.
I am setting up a net new hosting environment. Normally I'd set up Exchange 2003, but with Exchange 2007 out I feel like I should be deploying the latest so it's less work later (and less change management, as upgrading and changing the firewall for 2007 looks like it could be an uptime killer).
That said, I get a little nervous finding that Tom doesn't have a production-ready document ready, as he can't even figure it out. It doesn't give me great confidence in my ability to get a correctly set up environment running without deploying just like the lab, because I am under a time constraint.
So... have others gotten a production-ready environment running with ISA 2006 in a proper configuration, or are we all using Tom's "Lab" whitepaper?
Technically, with the publishing, users never actually hit the OWA website; they hit the ISA server, which checks each request and then makes the request to OWA on behalf of the user.
You can blacklist any IP you want by creating an access rule at the very top and making it a deny rule for specific IPs.
What I mean by blacklisting is from the perspective of the application, not the IP stack. ISA will create a blacklist by creating a URL list that can only connect to each OWA listener. What about the whitelisting functionality? How does it verify or attempt to prevent harmful unknown code from hacking into the connection?
I've never used any blacklisting or whitelisting capabilities for ISA to block from connecting to OWA so I'm not sure.
In reality it doesn't need whitelists or blacklists to stop hacks. It actually inspects the code to see if it's a valid request for the website type. If the code is attempting to create a buffer overflow (which is 99% of all attacks), it will just drop the connection.
For instance, if I am trying to attack a site by using an application that hides within an SSL packet, the server decrypts the SSL packet, inspects the request, sees that it's not a valid website request and drops it.
Unless of course you just use ssl tunneling and then you've turned isa into a pix,asa, home router, and at that point its a whole 'nother ball game...
Hi Rumple,
It can be done securely, and Jason Jones has demonstrated this to me. My problem is that I'm hamstrung by Exchange 2007 because my 32-bit version timed out and I don't have a lab machine that will run my VMs in 64bit mode (I missed a Pentium D VT enabled processor by about two months).
I'll be doing a hardware refresh in December and I'll work with Jason to come up with a definitive set of guides on how to publish Exchange 2007 services using ISA 2006. Right now, as you pointed out, there really isn't anything definitive out there and you pretty much have to feel your way through the Exchange Team's muck and mire and put the pieces together yourself -- although my article should get you close to where you want to be.
I set up my ISA 2006 like your article. All works fine, except the Outlook Anywhere rule, which I first created with NTLM authentication (same as you). I tried with an Outlook 2007 client with Basic or NTLM authentication. Nothing works... I changed the Outlook Anywhere rule on the ISA from NTLM to Basic authentication. Now everything works fine.
How can I set up the Outlook Anywhere rule with NTLM?
My config that works:
Client: Basic
ISA Outlook Anywhere rule: Basic
CAS Outlook Anywhere auth.: NTLM
The trick is that you set NTLM authentication on the /rpc folder on the CAS server, but you need to enable the Web listener for FBA. Then you configure the Outlook client to use Basic.
quote:
ORIGINAL: Rumple
I am setting up a net new hosting environment. Normally I'd set up Exchange 2003, but with Exchange 2007 out I feel like I should be deploying the latest so it's less work later (and less change management, as upgrading and changing the firewall for 2007 looks like it could be an uptime killer).
That said, I get a little nervous finding that Tom doesn't have a production-ready document ready, as he can't even figure it out. It doesn't give me great confidence in my ability to get a correctly set up environment running without deploying just like the lab, because I am under a time constraint.
So... have others gotten a production-ready environment running with ISA 2006 in a proper configuration, or are we all using Tom's "Lab" whitepaper?
Yep, we are using it in production and also deploying production systems based around Exch2k7 and ISA2k6 for customers. The key is to use Kerberos Constrained Delegation (KCD) in combination with a dedicated web listener that is configured to use Integrated authentication.
As Tom suggested, I am more than happy to work on an article with him to flesh out the exact specifics...
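The Exchange and Active Directory side of the KCD setup that Tom and Jason describe above (Integrated authentication on /rpc, a listener that authenticates the user itself, and the ISA computer account delegating Kerberos to the CAS), as an added example that is not from any poster in this thread. Server names, the domain DN and the path to adsutil.vbs are assumptions; the ISA rule and listener settings are only noted in comments because they are configured in the ISA MMC, not in this script.

```powershell
# Added example, not from the thread. Assumed names: CAS01 / cas01.corp.example
# is the Exchange 2007 Client Access server, ISA01 is the ISA 2006 computer
# account, DC=corp,DC=example is the domain. Run from the Exchange Management
# Shell on a box that also has setspn.exe and the IIS 6 AdminScripts.

$casName = "CAS01"
$casFqdn = "cas01.corp.example"
$isaDn   = "LDAP://CN=ISA01,CN=Computers,DC=corp,DC=example"
$rpcVdir = "$casName\Rpc (Default Web Site)"

# 1. Put the /rpc virtual directory on Integrated Windows authentication.
#    In Exchange 2007, ClientAuthenticationMethod Ntlm sets IIS /rpc to
#    Integrated; Basic here would force ISA to delegate Basic instead.
Set-OutlookAnywhere -Identity $rpcVdir -ClientAuthenticationMethod Ntlm
Get-OutlookAnywhere -Identity $rpcVdir |
    Format-List ServerName, ExternalHostname, ClientAuthenticationMethod

# 2. Confirm what IIS 6 actually enforces on /rpc. AuthFlags is a bitmask:
#    1 = Anonymous, 2 = Basic, 4 = Integrated (NTLM/Negotiate).
#    Expect 4; a value of 6 means Basic is still enabled alongside Integrated.
cscript //nologo C:\Inetpub\AdminScripts\adsutil.vbs GET W3SVC/1/ROOT/Rpc/AuthFlags
#    KCD hands the CAS a Kerberos ticket, so Negotiate must be offered, not
#    only NTLM: the default "Negotiate,NTLM" is what you want to see here.
cscript //nologo C:\Inetpub\AdminScripts\adsutil.vbs GET W3SVC/1/ROOT/Rpc/NTAuthenticationProviders

# 3. The SPN the ISA rule will request a ticket for. With the default
#    application pool identity (Network Service) the HOST/ SPN of CAS01$
#    already covers http/, so this is a check rather than a change.
setspn -L $casName
#    Only if the app pool runs under a service account would you add:
#    setspn -A http/$casFqdn corp\svc-exchange

# 4. Let the ISA computer account delegate to that one SPN using protocol
#    transition: ISA authenticates the user with FBA or Basic, then obtains a
#    Kerberos service ticket on the user's behalf. This is what "Use any
#    authentication protocol" on the ADUC Delegation tab sets.
$isa = [ADSI]$isaDn
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # userAccountControl bit
$uac = [int]$isa.Get("userAccountControl")
if (($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -eq 0) {
    $isa.Put("userAccountControl", ($uac -bor $TRUSTED_TO_AUTH_FOR_DELEGATION))
}
$isa.PutEx(3, "msDS-AllowedToDelegateTo", @("http/$casFqdn"))  # 3 = ADS_PROPERTY_APPEND
$isa.SetInfo()
# Keep this list to exactly the SPNs ISA needs: an account trusted for
# protocol transition can impersonate any user to every service listed here.
$isa.GetEx("msDS-AllowedToDelegateTo")

# 5. ISA 2006 side (MMC):
#    - Web listener: HTML Form or Integrated authentication, validated
#      against Active Directory; ISA must be a member of the same forest.
#    - Outlook Anywhere publishing rule: Authentication Delegation =
#      "Kerberos constrained delegation", SPN = http/cas01.corp.example.
#    - Outlook client: Basic over SSL. ISA still needs the user's password
#      once to authenticate them; the Kerberos leg to the CAS is ISA's.
```

Steps 2 and 4 are the checks worth keeping: if AuthFlags still includes Basic, or msDS-AllowedToDelegateTo has grown beyond the CAS SPN, the delegation path is either not being exercised or is broader than the published service needs.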
Jason, in your scenario is the CAS in a perimeter network or on the same network as the Mailbox server? I am concerned about Microsoft stating they won't support the CAS in a perimeter network.
quote:
ORIGINAL: tmurfet
Jason, in your scenario is the CAS in a perimeter network or on the same network as the Mailbox server? I am concerned about Microsoft stating they won't support the CAS in a perimeter network.
Cheers, Tony Murfet.
Hi Tony,
Although most of my Exchange 2003 designs place the FE in an authenticated access DMZ using ISA (to follow a least privilege approach), Microsoft do not currently support this topology for Exchange 2007, even if ISA is used as the firewall. From what I understand this isn't just about whether it can be done, but more about what has been tested and subsequently documented.
At this point in time MS do not support placing the CAS in a perimeter network, so as an MS partner we have to be seen to follow the current support restrictions. Consequently we have used this model for our own production network.
I have several customers who are not worried about support, however, so once they go to Exchange 2007 I will be able to test the exact configuration to make the CAS work in an ISA perimeter network. I would imagine it isn't that hard in practice, especially as MS have now published their security document for Exchange which details all of the protocols that are used between different Exchange server roles. You can find it here: http://technet.microsoft.com/en-us/library/bb691338.aspx# under a section called Protecting Exchange Data Paths.
Cheers
JJ
< Message edited by Jason Jones -- 23.Oct.2007 6:36:16 PM >