I have set up publishing of OWA to the point where I can see the logon page and put in login details. However, we use webchaining to an external proxy and once login has been clicked the page waits a while and comes back with a page from the external proxy which says: (actual IPs and identifying entries changed by me in this post)

============================================
This page has been blocked by your Proventia Web Filter ...
...because it belongs to the categories: PRoxies and is matching the following rules: OUR_RULE
Details:
Request: 26:11:2008:14:21:49,750
IP: (OUR ROUTER EXTERNAL IP)
User:
URL: OUR OWA EXCHANGE URL
URL Categories: Anonymous Proxies
======================================

If I look in the ISA logs for our OWA rule I get

======================================
Failed Connection Attempt
OUR-ISA 1/12/2008 10:07:55
Log type: Web Proxy (Reverse)
Status: 10061 No connection could be made because the target machine actively refused it.
Rule: OUR OWA PUB
Source: External (EXTERNAL CLIENT IP)
Destination: - (WEB CHAINED PROXY IP on PORT 8080)
Request: GET OUR OWA EXCHANGE URL
Filter information: Req ID: 0b097af6; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=yes, valid=yes, updated=no, logged off=no, client type=public, user activity=yes
Protocol: https
User: CLIENT LOGIN CREDS
Additional information
Client agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:22.214.171.124) Gecko/2008102920 Firefox/3.0.4
Object source: Upstream (Object was returned from an upstream proxy cache.)
Cache info: 0x0
Processing time: 66516 ms
MIME type: -

Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0...
Object source: Upstream (Object was returned from an upstream proxy cache.)
Cache info: 0x41840000 (Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header. Response includes the LAST-MODIFIED header. Response includes the EXPIRES header. Response should not be cached.)
Processing time: 93297 ms
MIME type: -
=====================================================

I spoke to the ISP who provide our external proxy which we webchain to, and they seem to think it is to do with our ISA using the external proxy, which effectively sends the OWA response back to the external client via that proxy, generating the web filter page.

If I make the OWA server an exception in the WebChaining Rule the OWA server can no longer reach the internet as it has the ISA server internal IP as its gateway.

Can anyone give me pointers on getting the OWA working without the interference of the Proventia External Web Proxy? Our normal exchange mail goes through ISA no problem. If you need more information let me know and I'll do my best to provide it.
How many NICs do you have in your ISA Server? Why do you have the internal IP as your ISA Server's gateway? How is the ISP's web proxy set up?
I am not sure about the web filter you are using because I haven't worked on Proventia Web Filter before.
I have made a test setup at my end as below and tested:
Internal ==> ISA Server ==> ISP Proxy Server ==> Internet
I hope I am correct in my setup as per what you have there in your environment...

1. I created a web chaining rule from my downstream ISA to my ISP Proxy Server.
2. Since I don't have any other proxy server, I used the ISA server to act as an upstream ISA. On the upstream proxy server I have done server publishing for the downstream ISA Server to route the traffic. In your case I am not sure how you are forwarding the requests to the downstream ISA Server. But make sure your request for https://mail.yourdomain.com goes to the downstream ISA server.
3. Created OWA publishing rule on downstream ISA.
4. Make sure you have the same Root certificates on your proxy server which you are using for OWA publishing on the downstream ISA server.
5. Your ISA Server's external Gateway should point to either your upstream proxy server or your external router.

During my setup and working on this scenario I learnt that web chaining will be used by the downstream ISA to send internet requests from internal to external network. When someone from external network accesses your OWA it actually/should point(s) directly to the External Interface of your downstream ISA server. One more thing which is important is the Name Resolution. Your ISA server should be able to resolve the public name which you are using in your web listener either through internal/DMZ DNS or through Host file.
Traces on ISA Server will help you understand what exactly the problem is.
< Message edited by inderjeet -- 1.Dec.2008 11:12:46 AM >
It's ok. I sorted it. DNS issue meant OWA traffic was going back out via the external proxy to the external OWA client. I also fell victim to having FBA enabled on the Exchange Virtual Server and in the ISA publishing rule. Once I unchecked it on EVS then all worked.
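
Added example, not written by any poster in this thread: a Python check that scans ISA log entries for the symptom described above, a publishing ("Web Proxy (Reverse)") request whose object source is the upstream proxy, meaning published OWA traffic was web-chained instead of going to the internal server. The field labels are the ones in the log quoted in the first post; the sample entries, host names, rule names and addresses are constructed for illustration.

```python
import re

# Field labels as they appear in the ISA log entry quoted in the thread.
LABELS = ["Log type", "Status", "Rule", "Source", "Destination", "Request",
          "Protocol", "User", "Client agent", "Object source",
          "Cache info", "Processing time", "MIME type"]
_SPLIT = re.compile(r"\b(" + "|".join(map(re.escape, LABELS)) + r"):")

def parse_entry(text):
    """Split one flattened 'Label: value Label: value' entry into a dict."""
    parts = _SPLIT.split(text)  # [preamble, label, value, label, value, ...]
    return {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}

def chained_published_requests(entries):
    """Return (rule, destination, status code) for each reverse-proxy
    (publishing) entry whose object came from the upstream proxy."""
    hits = []
    for raw in entries:
        e = parse_entry(raw)
        if ("Reverse" in e.get("Log type", "")
                and e.get("Object source", "").startswith("Upstream")):
            status = (e.get("Status") or "?").split()[0]
            hits.append((e.get("Rule"), e.get("Destination"), status))
    return hits

# Constructed sample entries (documentation addresses, hypothetical names).
SAMPLE = [
    # Published OWA request sent to the web-chained proxy: the fault.
    "Failed Connection Attempt ISA01 1/12/2008 10:07:55 "
    "Log type: Web Proxy (Reverse) Status: 10061 No connection could be made "
    "because the target machine actively refused it. Rule: OWA PUB "
    "Source: External (198.51.100.7) Destination: - (192.0.2.10:8080) "
    "Request: GET https://mail.example.com/exchange/ Protocol: https "
    "Object source: Upstream (Object was returned from an upstream proxy cache.)",
    # Published request that reached the internal server: not flagged.
    "Allowed Connection ISA01 1/12/2008 10:09:12 "
    "Log type: Web Proxy (Reverse) Status: 200 OK. Rule: OWA PUB "
    "Source: External (198.51.100.7) Destination: Internal (10.0.0.5:443) "
    "Request: GET https://mail.example.com/exchange/ Protocol: https "
    "Object source: Internet",
    # Outbound browsing through the chain: expected behaviour, not flagged.
    "Allowed Connection ISA01 1/12/2008 10:10:03 "
    "Log type: Web Proxy (Forward) Status: 200 OK. Rule: Web Access "
    "Source: Internal (10.0.0.23) Destination: External (192.0.2.10:8080) "
    "Request: GET http://www.example.org/ Protocol: http Object source: Upstream",
]

if __name__ == "__main__":
    for rule, dest, status in chained_published_requests(SAMPLE):
        print(f"rule {rule!r} was chained upstream to {dest} (status {status})")
```

A hit on a publishing rule points at name resolution on the ISA server: the public name in the web listener is resolving to an external address rather than the internal OWA server.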