I'm not sure if there's any other tool (other than the logs) to help me understand what exactly is failing. Is the Front End Server trying to communicate with the Back End Server and failing? Is the ISA Server failing to decrypt, authenticate, and then re-encrypt the certificate? Is the ISA Server receiving an HTTPS request and then trying to communicate with the Front End Server using HTTP?
I'm persistent, technical, and will read anything twice--but this one's got me banging my head big time!
Thanks, in advance, for any help you might be able to provide!
I ran into a problem like this yesterday, that is to say, a head banger. Took me two hours to figure out that I made a typo in an IP address on the external interface of one of the ISA firewalls, where it should have been .73 instead of .173. Ack!
Check the Event Viewer on the FE Exchange Server. Also, remember the ISA Firewall has to be a domain member so that it can do the pre-authentication and that you should be delegating as basic authentication.
I think my problem might be something very basic that is eluding me:
FE ISA (Auth) IP: 22.214.171.124/24 IP: 126.96.36.199/24 DNS: 192.0.2.8 DNS: (n/a) GW: 188.8.131.52
ISA (WAN) IP: 10.20.0.2/16 DNS: (n/a) GW: 10.20.0.1
BE ISA (LAN) IP: 192.0.2.12/24 IP: 192.0.2.3 DNS: 192.0.2.8 DNS: 192.0.2.8 GW: 192.0.2.3 GW: n/a
I'm wondering whether the FE server can communicate with the BE through the ISA. I don't have any problems pinging the FE from the BE. I can't ping the BE from the FE (using IP address to take DNS out of the equation). I can ping the ISA from the FE though. I have played with System policies and firewall rules, but I just can't seem to ever be able to ping the BE from the FE. There are no errors and no denies in the ISA log.
I figured this out!!! But if you can just explain why it would be a big help:
Currently at this location we have a sonicwall as our front edge firewall. Naturally, all of our clients currently use that as their gateway. I am configuring this ISA Server to go in behind the Sonicwall and I will have all of the clients use it as their gateway when it is ready (I know, I know-- the ISA should go in front and behind and we should pitch the Sonicwall--but one step at a time).
I have the FE Exchange server hooked up directly into the Authenticated DMZ adapter on the ISA Server. I have the LAN adapter on ISA plugged directly into my LAN.
Here's what happened: If I change the Gateway on my own computer (on the LAN) from the sonicwall to the ISA Server, I can ping the FE Server in the Authenticated DMZ. If I ping my own computer (with ISA as the gateway) from the FE Server, I get replies. But if I change the gateway on my computer to the sonicwall, I cannot ping my computer from the FE Server on the Auth DMZ.
So if I change the gateway on my DC, DNS server, and BE Exchange server, to be the ISA Server, then the OWA site works!
Why would the gateway setting of my computer effect whether I get successful pings from the Authenticated DMZ network? The gateway is for external communications, no? Also, is there something I can do so that I can continue to setup and test ISA with computers on my LAN that DO NOT have ISA as their Gateway? My goal is to setup and test it so that late one night I can put it in place and have everything pre-tested.
The ping works when the ISA Firewall is set at the gateway, since the ICMP ping request must be able to be routed to the destination, and the ICMP reply must be routed back to the machine that issued the request. Since the sonicwall device doesn't know the route to the destination, the ping fails.