Publishing Exchange 2007 OWA and Outlook Anywhere through ISA 2006

Publishing Exchange 2007 OWA and Outlook Anywhere throu... - 9.Nov.2009 4:01:04 PM   
rorthner

 

Posts: 2
Joined: 9.Nov.2009
Status: offline
Hi All,

Please Help!

We have just moved from Exchange 2003 to 2007 with no difficulty. I have previously published OWA and RPC/HTTPS successfully from Exchange 2003, and need to do the same in the new environment. OWA is giving no problem, but I am unable to get a working Outlook Anywhere connection on the internet (it works internally using Outlook 2003/2007, Windows XP SP3/Vista SP1/Windows 2003 TS).

Our environment is simple:

Internet Client (Outlook, IE) -->
ISA 2006 Std (domain member) running on Windows 2003 Std R2 -->
--> Exchange 2007 Std SP1 MB/CAS on Windows 2008 Ent SP1
--> DC / GC / DNS on Windows 2008 Ent R2

A SAN certificate has been created from an internal CA and installed on the Exchange 2007 server, and imported to the ISA 2006 server. The listener has been configured with that certificate, and the CA root certificate has been imported into the test client's Local Computer Trusted Root Certificates store.

Other information:
In the Exchange Management Console,
- OWA uses Integrated and Basic authentication
- RPCProxy HAS been installed
- Outlook Anywhere is enabled with Basic authentication

In IIS 7 on the Exchange server,
- The certificate is installed
- All virtual directories set to require SSL
- All virtual directories have Basic authentication enabled

On the ISA server:
- 1 listener created
- SSL connections enabled on port 443; HTTP connections disabled
- Certificate is installed (single certificate for this web listener)
- Authentication is HTML Form Authentication validating against AD

- Outlook Anywhere rule created
- TO tab shows INTERNAL fqdn
- Requests appear to come from the original client
- PUBLIC NAME tab shows EXTERNAL fqdn
- PATHS are unchanged from default
- Authentication Delegation is Basic Authentication
- Bridging: Redirect requests to SSL port (443)
- Users: Authenticated Users

When Test Rule is clicked, all paths are green.

On the external (internet) client,
- Windows XP SP3 / Windows Vista SP1
- Outlook 2007
- Outlook Anywhere profile has:
- in Microsoft Exchange Settings, server name is INTERNAL fqdn
In Exchange Proxy Settings,
- URL is EXTERNAL fqdn
- Only connect to proxy servers that have this principal name in their certificate is checked
- SPN is msstd:<EXTERNAL fqdn>
- Connect using HTTP first is selected for both Fast and Slow networks
- Authentication type is Basic Authentication

When connecting internally, OWA and Outlook using RPC/HTTP work. OWA works externally, but connections using Outlook Anywhere cannot be completed. Several packet captures show the SSL handshaking is completed successfully, both between the client and the ISA server, and between the ISA and Exchange servers.

I sense that I'm missing some ridiculously simple setting, but at the moment what I need most is another set of eyes to help me find out where.

Thanks
-ron
Post #: 1
RE: Publishing Exchange 2007 OWA and Outlook Anywhere t... - 9.Nov.2009 4:51:18 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

Check these articles:
http://technet.microsoft.com/en-gb/library/bb794751.aspx
http://blog.msfirewall.org.uk/2008/07/publishing-exchange-2007-services-with.html

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to rorthner)
Post #: 2
RE: Publishing Exchange 2007 OWA and Outlook Anywhere t... - 9.Nov.2009 8:23:54 PM   
rorthner

 

Posts: 2
Joined: 9.Nov.2009
Status: offline
Hi Paulo,

Many thanks for these pointers. I've looked through both of them in the past day or two while struggling with this, but they remain excellent references for fine-tuning the system.

I did, however, stumble across the solution from the most unexpected direction: I made a slight modification on the Exchange server this afternoon as suggested in http://technet.microsoft.com/en-us/library/cc671176.aspx and tested it tonight - it worked!

Briefly, although IPv6 was disabled on the server's NICs, the hosts file still had an IPv6 reference for localhost. Because the CAS and MB roles are on one server, they use this address to communicate. However, the RPCProxy does not recognize the IPv6 stack, so communication fails.

Thanks again for your excellent suggestions.

-ron

(in reply to paulo.oliveira)
Post #: 3
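
The hosts-file condition described in post #3 can be checked with a short script. This is an added example, not part of the original thread or the linked TechNet article; the function name `Get-HostsIPv6Entry` is hypothetical and the sample hosts content is constructed for illustration.

```powershell
# Added example: report active (uncommented) IPv6 entries in a hosts file.
# Get-HostsIPv6Entry is a hypothetical helper, not a Windows or Exchange cmdlet.
function Get-HostsIPv6Entry {
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts"
    )
    $lineNo = 0
    foreach ($line in Get-Content -Path $Path) {
        $lineNo++
        # Drop trailing comments; fully commented lines become empty.
        $active = ($line -split '#', 2)[0].Trim()
        if (-not $active) { continue }

        # First token is the address, the remaining tokens are host names.
        $tokens = $active -split '\s+'
        if ($tokens.Count -lt 2) { continue }

        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($tokens[0], [ref]$ip)) { continue }
        if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) { continue }

        New-Object PSObject -Property @{
            Line       = $lineNo
            Address    = $ip.ToString()
            Names      = ($tokens[1..($tokens.Count - 1)] -join ', ')
            IsLoopback = [System.Net.IPAddress]::IsLoopback($ip)
        } | Select-Object Line, Address, Names, IsLoopback
    }
}

# Constructed sample hosts content (host names and addresses are placeholders).
$sample = @"
127.0.0.1    localhost
::1          localhost
# ::1        localhost   (already commented out, ignored)
192.0.2.10   mail01 mail01.example.test
"@
$tmp = Join-Path $env:TEMP 'hosts-sample.txt'
Set-Content -Path $tmp -Value $sample

# Run against the sample; omit -Path to inspect the server's real hosts file.
Get-HostsIPv6Entry -Path $tmp | Format-Table -AutoSize
Remove-Item $tmp
```

Run it on the combined CAS/Mailbox server; any row it returns is an IPv6 mapping still active in the hosts file even though IPv6 is disabled on the NICs.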
RE: Publishing Exchange 2007 OWA and Outlook Anywhere t... - 10.Nov.2009 1:57:34 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Rather than disabling IPv6, you may want to apply Exchange Update Rollup 4 as this resolves the problem too...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to rorthner)
Post #: 4
