Changing IP Address
Changing IP Address - 30.Jun.2008 5:59:44 AM
teejayuu
Posts: 34
Joined: 7.May2008
Status: offline

Hi

I currently have OWA working through a Linux/ADSL server into an Exchange 2003 backend server (no frontend). mail.domain.org.uk - IP 88.xxx.xxx.xxx

I can access this by typing https://88.xxx.xxx.xxx/exchange and https://mail.domain.org.uk/exchange

I also have ISA Server 2006 with a leased line - IP address 81.xxx.xxx.xxx. Before I change mail.domain.org.uk to the new IP address I am wanting to test it through the leased line. I have installed the mail.domain certificate on the ISA Server and disabled FBA on Exchange.

However if I go to https://81.xxx.xxx.xxx/exchange I get the security warning, but if I click "Continue to this website (not recommended)" I get

quote:
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL).

Have I overlooked something obvious? I want to use the IP address as a backup way of getting in, should the change of IP address not go smoothly.

Thanks
TJ

RE: Changing IP Address - 30.Jun.2008 6:33:25 AM
teejayuu
Posts: 34
Joined: 7.May2008
Status: offline

Hi

Have made progress, added the new public IP address to the public name tab and have got rid of the 403 error. I now have

quote:
Error Code: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted. (-2146893019)

Does the certificate on ISA have to be the same as what the user enters, i.e. the current certificate is for mail.domain.org.uk, but the user enters http://81.xxx.xxx.xxx/exchange?

TJ

RE: Changing IP Address - 30.Jun.2008 9:01:48 AM
paulo.oliveira
Posts: 792
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline

Hi TJ, below are the answers.

quote:
Error Code: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted. (-2146893019)

You have to add the certificate in the local computer store of the ISA machine. To do this follow these steps: open the MMC of certificates and choose computer account. Import the certificate with the private key (do not choose the option to mark it as exportable) to Trusted root Certificate Authority.

quote:
Does the certificate on ISA have to be the same as what the user enters, i.e. the current certificate is for mail.domain.org.uk, but the user enters http://81.xxx.xxx.xxx/exchange?

It must be the same as the Public Name tab.

Regards, Paulo Oliveira.

RE: Changing IP Address - 30.Jun.2008 9:06:44 AM
teejayuu
Posts: 34
Joined: 7.May2008
Status: offline

Hi Paulo

Thanks for coming back to me - I have imported certificates for both mail.domain.org.uk and 81.xxx.xxx.xxx and also have both in the Public Name. Removing one or the other (certificates and in Public Name tab) makes no difference - I still get the same error. Any other ideas?

TJ

RE: Changing IP Address - 30.Jun.2008 9:18:38 AM
paulo.oliveira
Posts: 792
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline

Hi TJ, are you using HTTPS bridging? Regards, Paulo Oliveira.

RE: Changing IP Address - 30.Jun.2008 9:28:24 AM
teejayuu
Posts: 34
Joined: 7.May2008
Status: offline

Not that I'm aware of - I've seen the tab but haven't done anything with it. I'm quite new to ISAServer and using ISAServer 2006 Unleashed as my guide - and of course the good people at isaserver.org

TJ

RE: Changing IP Address - 30.Jun.2008 10:12:10 AM
paulo.oliveira
Posts: 792
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline

Hi TJ, in the bridging tab check what type of connection is marked for the web server. Another question: what's the certificate used for the IIS of your Exchange server? Is it only allowing HTTPS connections?

Regards, Paulo Oliveira.

RE: Changing IP Address - 30.Jun.2008 10:19:41 AM
teejayuu
Posts: 34
Joined: 7.May2008
Status: offline

The Bridging tab is ticked for Redirect requests to SSL port 443. Yes certificate is only used for IIS of Exchange - not sure if it is just for HTTPS. How would I check?

TJ

RE: Changing IP Address - 30.Jun.2008 10:35:38 AM
paulo.oliveira
Posts: 792
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline

Hi,

quote:
The Bridging tab is ticked for Redirect requests to SSL port 443.

Good! You're using HTTPS bridging. You have to import the certificate that the Exchange server is using in IIS into the Trusted root Certificate Authority as I posted before.

quote:
Yes certificate is only used for IIS of Exchange - not sure if it is just for HTTPS. How would I check?

Open the IIS snap-in manager - expand your_server_name - expand Default website - right click on Exchange - properties - Security Directory tab - click the edit button and see if the checkmark is placed in Require secure channel (SSL). If it is, the only way for your users to connect to OWA is via HTTPS.

Regards, Paulo Oliveira.

RE: Changing IP Address - 30.Jun.2008 10:38:52 AM
teejayuu
Posts: 34
Joined: 7.May2008
Status: offline

Hi Paulo

All that is in place - IIS shows as using SSL on Exchange and the certificate has been imported into ISA.

Thanks
TJ

RE: Changing IP Address - 30.Jun.2008 11:00:22 AM
teejayuu
Posts: 34
Joined: 7.May2008
Status: offline

Hi Paulo

quote:
hummmm... you have to keep in mind that when you are using https bridging you have to use two certificates, one for the web listener and the other for the communication between ISA and the exchange server.

2 certificates or the same certificate in 2 places? I only have 1 active certificate - mail.domain.org.uk (88.xxx.xxx.xxx). I have tried a 2nd that points to our leased line public IP 81.xxx.xxx.xxx as I want to test the route before changing the MX records to this IP

TJ

RE: Changing IP Address - 30.Jun.2008 11:59:11 AM
paulo.oliveira
Posts: 792
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline

Hi TJ, it depends on your DNS configuration. If you use a split DNS infrastructure, then 1 certificate is fine for you, else, you have to use two, one for internal communication (ISA <--> Exchange) and the other for external (Internet <--> ISA web listener).

Regards, Paulo Oliveira.
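
Added example (not part of any post in this thread, and not ISA Server's own logic): a small Python model of the two checks discussed above, name match and trusted issuer, applied to both legs of HTTPS bridging. The address 203.0.113.81 is a constructed stand-in for the masked 81.xxx.xxx.xxx, and the certificate record and trust stores are assumptions made for illustration.

```python
import ipaddress

SEC_E_UNTRUSTED_ROOT = 0x80090325  # Windows status for an untrusted certificate chain

def to_hresult(signed_code):
    """Turn the signed decimal from the ISA error page into an unsigned 32-bit code."""
    return signed_code & 0xFFFFFFFF

def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def name_matches(host, cert):
    """True if the requested host is one of the names the certificate was issued to."""
    ip = _as_ip(host)
    if ip is not None:
        # An IP literal never matches a DNS name or a wildcard, only the same address.
        return any(_as_ip(n) == ip for n in cert["names"])
    host = host.lower().rstrip(".")
    for name in (n.lower() for n in cert["names"]):
        if name == host:
            return True
        # "*.example" covers exactly one extra left-most label
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False

def check_leg(leg, requested_host, cert, trusted_roots):
    """Problems the TLS client on this leg would report for the server certificate."""
    problems = []
    if not name_matches(requested_host, cert):
        problems.append(f"{leg}: certificate not issued to {requested_host}")
    if cert["issuer"] not in trusted_roots:
        problems.append(f"{leg}: untrusted root 0x{SEC_E_UNTRUSTED_ROOT:08X}")
    return problems

# Constructed sample data: one self-signed certificate used on both the web
# listener and the Exchange IIS site, as described in the thread.
CERT = {"names": ["mail.domain.org.uk"], "issuer": "mail.domain.org.uk"}
PUBLIC_IP = "203.0.113.81"  # stand-in for the masked 81.xxx.xxx.xxx

def diagnose(typed_host, backend_host, browser_roots, isa_roots):
    """Check browser -> ISA listener, then ISA -> Exchange (HTTPS bridging)."""
    return (check_leg("browser->ISA", typed_host, CERT, browser_roots)
            + check_leg("ISA->Exchange", backend_host, CERT, isa_roots))
```

`to_hresult(-2146893019)` gives 0x80090325, the untrusted-root status, so in this model the 500 error belongs to the trust check on the ISA to Exchange leg, while typing the IP address fails the name check on the browser to ISA leg.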

RE: Changing IP Address - 1.Jul.2008 2:56:54 AM
teejayuu
Posts: 34
Joined: 7.May2008
Status: offline

Hi Paulo

Not sure what you mean by split DNS. If you mean domain.local (internal) domain.org.uk (public) then we don't, we use domain.org.uk internally and publicly. Internally, if we use OWA, we access via https://server/exchange and externally https://mail.domain.org.uk/exchange.

We have only ever used a mail.domain.org.uk certificate. This is installed on Exchange server IIS and the web listener. If I need 2 certificates, what do they need to contain? I use SelfSSL to create my certificates

TJ
< Message edited by teejayuu -- 1.Jul.2008 2:59:03 AM >

RE: Changing IP Address - 2.Jul.2008 8:54:01 AM
teejayuu
Posts: 34
Joined: 7.May2008
Status: offline

Hi Paulo

quote:
It must not be the name of original owa (mail.domain.org.uk).

so maybe owa.domain.org.uk or 81.xxx.xxx.xxx?

Thanks
TJ

RE: Changing IP Address - 3.Jul.2008 3:23:38 AM
teejayuu
Posts: 34
Joined: 7.May2008
Status: offline

Thanks Paulo

Will try that. Am on annual leave for a week now so I will let you know when I get back

TJ