
"GET" METHOD using "HTTP" Instead of "HTTPS"

"GET" METHOD using "HTTP" Instead o... - 10.Jan.2008 5:37:16 PM   
charlieit

 

Posts: 108
Joined: 19.Aug.2004
From: US
Status: offline
ISA 2006
Exchange 2003 Front-End/Back End 

I went through all the steps (in Tom's Tutorials) to publish OWA.

When I try to login to OWA (https://owa.mydomain.com) from a client's computer on the LAN the log file on the ISA server says "Denied Connection" for "HTTPS" even though I have HTTPS "Allowed". 

I noticed that the HTTP Method says "GET" and the url says http://owa.mydomain.com.

Shouldn't the "GET" Method say "HTTPS" instead of "HTTP"?  I know I specified SSL in every configuration.

Any Ideas?

Thanks,

Charlie

Post #: 1
RE: "GET" METHOD using "HTTP" Inste... - 14.Jan.2008 9:52:56 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Charlie,

You'll see allows and denies, because there's always a deny before the authentication request is sent.

Is this just a question about funny things in the logs, or is it not working for you?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to charlieit)
Post #: 2
RE: "GET" METHOD using "HTTP" Inste... - 14.Jan.2008 12:34:15 PM   
charlieit

 

Posts: 108
Joined: 19.Aug.2004
From: US
Status: offline
Hi Tom!

I'm really a big fan of yours.  I am implementing ISA 2006 with a Front End Exchange 2003 in an authenticated DMZ with a Back End Exchange 2003 on the LAN.  I have read your books and followed your tutorial (http://www.isaserver.org/tutorials/Creating-Multiple-Security-Perimeters-Multihomed-ISA-Firewall-Part1.html) to the letter (I have uninstalled/reinstalled ISA several times and re-did each step in the tutorial to make sure I followed all the steps properly).

It's not working at all.  I get the ISA forms authentication screen.  But when I type my username and password, the screen says at the top that I do not have permission to login. 

You can see a copy of the log file here:  http://spreadsheets.google.com/pub?key=pVVg22cjtg2gEFpv7CN8KOQ&output=html

I'm not sure if there's any other tool (other than the logs) to help me understand what exactly is failing.  Is the Front End Server trying to communicate with the Back End Server and failing?  Is the ISA Server failing to decrypt, authenticate, and then re-encrypt the certificate?  Is the ISA Server receiving an HTTPS request and then trying to communicate with the Front End Server using HTTP?

I'm persistent, technical, and will read anything twice--but this one's got me banging my head big time!

Thanks, in advance, for any help you might be able to provide!

Charlie

(in reply to tshinder)
Post #: 3
RE: "GET" METHOD using "HTTP" Inste... - 15.Jan.2008 7:19:35 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Charlie,

Thanks for the kind words about my work :)

I ran into a problem like this yesterday, that is to say, a head banger. Took me two hours to figure out that I made a typo in an IP address on the external interface of one of the ISA firewalls, where it should have been .73 instead of .173. Ack!

Check the Event Viewer on the FE Exchange Server. Also, remember the ISA Firewall has to be a domain member so that it can do the pre-authentication and that you should be delegating as basic authentication.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to charlieit)
Post #: 4
RE: "GET" METHOD using "HTTP" Inste... - 15.Jan.2008 10:04:24 AM   
charlieit

 

Posts: 108
Joined: 19.Aug.2004
From: US
Status: offline
Thanks Tom,

I think my problem might be something very basic that is eluding me:

FE                     ISA (Auth)
IP:  192.0.3.2/24      IP:  192.0.3.1/24
DNS: 192.0.2.8         DNS: (n/a)
GW:  192.0.3.1

                       ISA (WAN)
                       IP:  10.20.0.2/16
                       DNS: (n/a)
                       GW:  10.20.0.1

BE                     ISA (LAN)
IP:  192.0.2.12/24     IP:  192.0.2.3
DNS: 192.0.2.8         DNS: 192.0.2.8
GW:  192.0.2.3         GW:  n/a

I'm wondering whether the FE server can communicate with the BE through the ISA.  I don't have any problems pinging the FE from the BE.  I can't ping the BE from the FE (using IP address to take DNS out of the equation).  I can ping the ISA from the FE though.  I have played with System policies and firewall rules, but I just can't seem to ever be able to ping the BE from the FE.  There are no errors and no denies in the ISA log.

I'm just at a loss as to what else to look at.


(in reply to tshinder)
Post #: 5
RE: "GET" METHOD using "HTTP" Inste... - 16.Jan.2008 8:54:36 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Charlie,

Before we go too much forward, I need to make sure that the IP addressing is right. Are you really using 192.0.x.x?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to charlieit)
Post #: 6
RE: "GET" METHOD using "HTTP" Inste... - 16.Jan.2008 9:45:30 AM   
charlieit

 

Posts: 108
Joined: 19.Aug.2004
From: US
Status: offline
Sorry, I was being paranoid about giving out all this info on a public forum and I wasn't thinking when I changed addresses.  Let's say I am using 192.168.x.x.

(in reply to tshinder)
Post #: 7
RE: "GET" METHOD using "HTTP" Inste... - 16.Jan.2008 6:02:09 PM   
charlieit

 

Posts: 108
Joined: 19.Aug.2004
From: US
Status: offline
Tom,

I figured this out!!!  But if you can just explain why it would be a big help:

Currently at this location we have a sonicwall as our front edge firewall.  Naturally, all of our clients currently use that as their gateway.  I am configuring this ISA Server to go in behind the Sonicwall and I will have all of the clients use it as their gateway when it is ready (I know, I know-- the ISA should go in front and behind and we should pitch the Sonicwall--but one step at a time).

I have the FE Exchange server hooked up directly into the Authenticated DMZ adapter on the ISA Server.  I have the LAN adapter on ISA plugged directly into my LAN. 

Here's what happened:  If I change the Gateway on my own computer (on the LAN) from the sonicwall to the ISA Server, I can ping the FE Server in the Authenticated DMZ.  If I ping my own computer (with ISA as the gateway) from the FE Server, I get replies.  But if I change the gateway on my computer to the sonicwall, I cannot ping my computer from the FE Server on the Auth DMZ.

So if I change the gateway on my DC, DNS server, and BE Exchange server, to be the ISA Server, then the OWA site works!

Why would the gateway setting of my computer affect whether I get successful pings from the Authenticated DMZ network?  The gateway is for external communications, no?  Also, is there something I can do so that I can continue to set up and test ISA with computers on my LAN that DO NOT have ISA as their Gateway?  My goal is to set up and test it so that late one night I can put it in place and have everything pre-tested.

Thank you!

Charlie

(in reply to charlieit)
Post #: 8
RE: "GET" METHOD using "HTTP" Inste... - 17.Jan.2008 10:16:12 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Charlie,

The ping works when the ISA Firewall is set as the gateway, since the ICMP ping request must be able to be routed to the destination, and the ICMP reply must be routed back to the machine that issued the request. Since the sonicwall device doesn't know the route to the destination, the ping fails.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to charlieit)
Post #: 9
RE: "GET" METHOD using "HTTP" Inste... - 17.Jan.2008 11:07:50 AM   
charlieit

 

Posts: 108
Joined: 19.Aug.2004
From: US
Status: offline
Thanks Tom. 

So if I make an entry in the Sonicwall to route any requests from the DMZ subnet back to the ISA Server, I should be able to set up and test ISA against my production environment?

(in reply to tshinder)
Post #: 10
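
The return-path problem discussed in posts #8 to #10, as an added example that is not part of the original thread: a small next-hop tracer that follows an echo request from the FE to the BE and the reply back, for each gateway setup described. It models only the LAN and DMZ segments, using the addresses as posted in post #5; the SonicWall LAN address and its upstream hop are assumed placeholders, since the thread does not give them.

```python
import ipaddress

DIRECT = "direct"            # marker for an on-link (connected) route
ISA_LAN = "192.0.2.3"        # ISA LAN adapter, as posted in the thread
SONICWALL_LAN = "192.0.2.1"  # assumed placeholder: not given in the thread
UPSTREAM = "203.0.113.1"     # assumed placeholder for the SonicWall's ISP hop

def net(cidr):
    return ipaddress.ip_network(cidr)

def build(be_gateway, sonicwall_static=()):
    """Model the thread's layout: {device: (own IPs, [(network, next hop)])}."""
    lan, dmz, default = net("192.0.2.0/24"), net("192.0.3.0/24"), net("0.0.0.0/0")
    return {
        "FE": ({"192.0.3.2"}, [(dmz, DIRECT), (default, "192.0.3.1")]),
        "ISA": ({"192.0.3.1", ISA_LAN}, [(dmz, DIRECT), (lan, DIRECT)]),
        "BE": ({"192.0.2.12"}, [(lan, DIRECT), (default, be_gateway)]),
        "SonicWall": ({SONICWALL_LAN}, [(lan, DIRECT), (default, UPSTREAM)]
                      + [(net(n), hop) for n, hop in sonicwall_static]),
    }

def trace(devices, src, dst_ip, max_hops=6):
    """Follow longest-prefix-match next hops from src; return (path, delivered)."""
    owner = {ip: name for name, (ips, _) in devices.items() for ip in ips}
    dst, here, path = ipaddress.ip_address(dst_ip), src, [src]
    for _ in range(max_hops):
        own_ips, table = devices[here]
        if dst_ip in own_ips:
            return path, True
        routes = [(n, hop) for n, hop in table if dst in n]
        if not routes:
            return path, False                     # no route: dropped here
        hop = max(routes, key=lambda r: r[0].prefixlen)[1]
        target = dst_ip if hop == DIRECT else hop  # on-link: deliver to dst itself
        if target not in owner:
            return path + [target], False          # handed to a hop outside the model
        here = owner[target]
        path.append(here)
    return path, False

def echo_round_trip(devices):
    """Echo request FE -> BE, then the echo reply BE -> FE."""
    return trace(devices, "FE", "192.0.2.12"), trace(devices, "BE", "192.0.3.2")

if __name__ == "__main__":
    cases = {"BE gateway = SonicWall": build(SONICWALL_LAN),
             "BE gateway = ISA": build(ISA_LAN),
             "SonicWall + static DMZ route": build(SONICWALL_LAN, [("192.0.3.0/24", ISA_LAN)])}
    for label, devices in cases.items():
        print(label, echo_round_trip(devices))
```

In the third case the reply hairpins through the SonicWall, which only ever sees the return half of each exchange; a route for the DMZ subnet on the LAN servers themselves, pointing at the ISA LAN address, is the alternative that keeps both directions on the ISA firewall.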
RE: "GET" METHOD using "HTTP" Inste... - 17.Jan.2008 1:01:46 PM   
charlieit

 

Posts: 108
Joined: 19.Aug.2004
From: US
Status: offline
It Works!!!!

Thank you Tom!

I am running to the store at lunch to purchase your new book!

Thank you!!!

Charlie

(in reply to tshinder)
Post #: 11
RE: "GET" METHOD using "HTTP" Inste... - 18.Jan.2008 9:34:04 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Charlie,

Great! Good to hear you got it working and thanks for getting the book! :)

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to charlieit)
Post #: 12
