I have created the OWA publishing on the ISA 2006 for external and internal use. The listener is configured for the external and the internal IP.
From external -> it works -> OK
From internal without proxy entry in IE -> it works -> OK
From internal with proxy entry in IE -> it doesn't work ??
The error on the ISA says:
Denied Connection
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: [Enterprise] Default rule
Source: Internal (10.xxxxx)
Destination: Local Host (10.xxxx:443)
Request: webaccess.domain.com:443
Filter information: Req ID: 102d6fa5; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: SSL-tunnel
User: anonymous
What is the problem? Must I allow the OWA to localhost...?
Can't we create another web listener with integrated authentication and then do a standard NTLM delegation to authenticate to the CAS? So we can do NTLM authentication securely with Outlook, can't we?
You should understand that:
1. NTLM cannot be "delegated" from NTLM
2. Kerberos cannot function on the Internet without making a DC available there (WS08 RODC)
3. If you use "Integrated" on the web listener, you can *only* delegate using KCD
Maybe possible:
1 web listener for external FBA auth
1 web listener for internal with integrated
The problem with this is that internal users who want to go to the webaccess web page get a popup from the Exchange Server (it was changed from FBA to Basic and Integrated) to publish over the ISA.
I found another problem with Tom's article. Outlook 2007 in the internal network goes over the webaccess URL to find the Autodiscover.xml. But with NTLM on the authentication that degrades to Basic, a popup comes up.... :-(
Thanks for your answer. I know that I must have split DNS. We have split DNS. All the relevant names in the DNS in the internal network point to the internal ISA NLB IP. We are in a test phase for a company (over 2000 users) and we have configured ISA 2006 with NLB on both internal and external... More than one CAS server... Real world..
The problem is that when I start Outlook 2007 a user authentication popup comes up to authenticate the user for the autodiscover.xml (without configuring HTTPS/RPC in the client). Outlook 2007 wants to get the autodiscover.xml file from the ISA publishing, which depends on the ISA publishing role! I see in the Connection tab of Outlook that everything points to the Ex07 without one connection to the Public Folders. After I fill in the popup with username and password a new connection is made to the CAS server for the Public Folder referral. Have you tested with Public Folders? Have you tested opening the Out of Office tab in Outlook 2007 (it depends on autodiscover.xml)? Have you opened the Out of Office tab with HTTP/RPC? Have you tested in a mixed or native 2007 environment?
I think your test works only in a small environment without NLB and more than one CAS server...
I am having an issue with Outlook Anywhere I was hoping you might be able to shed some light on: SharePoint lists that have been connected to Outlook will not work over the HTTPS connection; it brings up 'You do not have permission to view this SharePoint list...HTTP 302'
The web listener is configured to redirect from HTTP to HTTPS. All other settings are as per your guide.
I haven't tested this scenario yet, but if I had to guess, you might have to publish the SharePoint folders separately? This is just a wild guess. Can you identify the folder that the client is connecting to when it tries to reach the SharePoint folders?
The problem seems to have been the https to http redirection.
My SharePoint installation is on an SBS - I could not make the SharePoint site SSL as this would have needed SSL host headers to work alongside OWA, but ISA would only see the first subject name in the SAN.
As a tentative workaround (I am still watching to see how this works out), I created a SAN cert that uses a wildcard as its first entry (3 subject names in total: *.domain.com, host, host.fqdn) and attached this to both sites.
This way I was able to publish both OWA and SPS on the same machine on port 443. Accessing the SPS through HTTPS both internally and externally resolved the HTTP 302 error. Now Outlook Anywhere accesses the SharePoint site in exactly the same way standard Outlook does, and everything seems to be working. Fingers crossed.
Btw, you have probably noticed this yourself since you wrote the article, but to gain access to SharePoint folders through the OWA Documents tab, you need to configure the Remote File Servers settings at the Exchange console > Server Configuration > Client Access > OWA > Properties.
Thanks again for all the superb articles.
Having got everything working as I wanted, I decided to start again and go into production with a fresh install.
However, now I have an issue with an Outlook Anywhere session prompting me for user & password for each SharePoint list in Outlook.
I worked through the article again, as far as I can make out, doing everything as I did the first time, just as described.
Internal SharePoint (2007) communication with ISA is NTLM, with the same OWA FBA listener.
There is no Windows authentication for the system to use because I am connecting externally on a standalone XP install which is not part of the domain.
Previously, I was logging into Outlook Anywhere with one prompt, the default Outlook prompt. SharePoint lists were synchronising themselves after a successful connection to the Exchange server. Since the reinstall the first SharePoint prompt appears behind the Outlook prompt, without even waiting for me to log into Outlook first.
When I am on the internal network, I can get an RPC/HTTP connection just fine; also checking the connection overview of Outlook, all on HTTPS.
But I just tested it on an external line, and then I get the login box back every time. It asks for username/password, but it just keeps on asking and doesn't start Outlook.
Could it be that I need to be able to authenticate to a domain controller also? This because when I see the connection information, it tries to connect to a domain controller of our network..
I'm having the same problem as mentioned by IVANDEN. Dr. Tom, after following your guide and doing everything according to it, I am still facing the same problem with accessing HTTP/RPC externally as mentioned by IVANDEN. Internally it works fine.
When I start a query on logging in the ISA server, while trying to establish an HTTP/RPC session externally, I get the following two errors logged:
Allowed Connection
HQ-SRV-004 5/31/2008 6:02:50 PM
Log type: Web Proxy (Reverse)
Status: 503 Service Unavailable
Rule: Outlook Anywhere
Failed Connection Attempt
HQ-SRV-004 5/31/2008 6:02:50 PM
Log type: Web Proxy (Reverse)
Status: 64 The specified network name is no longer available.
Rule: Outlook Anywhere
I have tried everything, checked the Microsoft knowledge base, read through the forums over here, but I can't find anything. I did find many people in the forums facing the same problem I am having, but no solutions to their problems.
Therefore, if you could help on this and illustrate what can be done.
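The two ISA log excerpts in this thread (the status 12202 forward-proxy denial in the opening post and the 503 / error 64 reverse-proxy pair quoted just above) can be triaged mechanically. This is an added example, not code from the thread or from ISA Server: a parser for ISA web-proxy log entries in either the one-line or the multi-line form, run over constructed samples modelled on those excerpts; the host names, addresses, timestamps and request ID in the samples are placeholders.

```python
import re

# Constructed samples modelled on the two excerpts in this thread (addresses,
# host names, timestamps and request id are placeholders, not values from the thread).
DENIED_FORWARD = (
    "Denied Connection Log type: Web Proxy (Forward) Status: 12202 The ISA Server "
    "denied the specified Uniform Resource Locator (URL). Rule: [Enterprise] Default "
    "rule Source: Internal (10.0.0.25) Destination: Local Host (10.0.0.1:443) "
    "Request: webaccess.example.com:443 Filter information: Req ID: 0000abcd; "
    "Compression: client=No, server=No Protocol: SSL-tunnel User: anonymous"
)
ALLOWED_REVERSE = """Allowed Connection
ISA-01 1/1/2008 12:00:00 PM
Log type: Web Proxy (Reverse)
Status: 503 Service Unavailable
Rule: Outlook Anywhere"""
FAILED_REVERSE = """Failed Connection Attempt
ISA-01 1/1/2008 12:00:00 PM
Log type: Web Proxy (Reverse)
Status: 64 The specified network name is no longer available.
Rule: Outlook Anywhere"""

FIELDS = ("Log type", "Status", "Rule", "Source", "Destination", "Request",
          "Filter information", "Protocol", "User")
# Split before any known "Field:" label; whitespace is collapsed first so the
# same regex handles one-line and multi-line entries.
_SPLIT = re.compile(r"\s+(?=(?:%s):)" % "|".join(re.escape(f) for f in FIELDS))

def parse_entry(text):
    parts = _SPLIT.split(" ".join(text.split()))   # parts[0] is the event header
    fields = {}
    for part in parts[1:]:
        name, _, value = part.partition(":")
        fields[name] = value.strip()
    return parts[0], fields

def triage(text):
    header, f = parse_entry(text)
    status = f.get("Status", "")
    code = int(status.split()[0]) if status[:1].isdigit() else None
    log_type, dest = f.get("Log type", ""), f.get("Destination", "")
    if "Forward" in log_type and code == 12202 and dest.startswith("Local Host"):
        # Internal proxy client reached the ISA's own listener via the forward
        # proxy and fell through to the default deny rule (the opening post).
        verdict = "proxy-loop-to-listener"
    elif "Reverse" in log_type and code in (503, 64):
        # ISA accepted the published request; the connection to the back-end failed.
        verdict = "backend-connection-failed"
    else:
        verdict = "other"
    return {"event": header, "log_type": log_type, "code": code,
            "rule": f.get("Rule"), "verdict": verdict}
```

The verdicts only name what the logged fields show (forward versus reverse proxy, status code, Local Host destination); confirming the cause still means checking the browser proxy exceptions and the publishing rule on the ISA itself.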
Are you guys running Exchange 2007 SP1? From what I hear, things have changed with the authentication, so you might have to update the configuration based on those changes.
I haven't worked with Exchange 2007 since I wrote that article (I refuse to until they mature the UI), so I'm not sure as to what the details might be. I'll check my EBS configuration and see how they did it.