External OWA Connection Partially Loads on Default SBS2003 Configuration.
Hi Tom,
I've read through all your steps for publishing OWA and I'm pretty sure I've verified everything. I'm able to log in via https, but when the mailbox loads, IE starts returning errors. Line 14 object expected. Everything works great internally. I can log in using the FQDN and presto. DNS is set up correctly to the extent that my FQDN is accessible internally and externally. The only thing I see different in my default configuration is my certificate is published by publishing.mydomain.com instead of FQDN.mydomain.com.
quote: Originally posted by Luiz H Dirickson:
Great Article. But I get two problems when I implement this:
1. Testing inside my network, some users can't log in to OWA, others can (probably security issues...);
2. Testing outside, I got this message from our ISA server: "12206 - proxy chain loop" right after the user logs in;
Can you help me with this?
Regards, Luiz
Hi Luiz,
These problems indicate that you have not configured a split DNS. Make sure you have configured a split DNS and all will be fine.
I got a workaround courtesy of MS Support. They have told us to terminate SSL at the ISA Server and use standard HTTP to talk to backend server.
Not ideal - but does give us some breathing space.
No idea why the SSL between the FE and BE was timing out...
Cheers,
The SunDude ;-)
Hi SunDude,
SSL from the FE to the BE Exchange Server is not supported.
However, there are no problems with SSL from the client to the ISA firewall's external interface and SSL from the ISA firewall's Internal interface to the FE server.
Thanks for your article. Great stuff. I went through it step by step in order to get my OWA working. The trouble is, I have problems with SSL, message error 440 login time out. Works fine with HTTP. The difference is I have an SBS 2003 Premium Edition, so all servers are on one machine, and this might be some different handling of the SSL tunnel.
Any idea how to get that fixed?
t.nowoitnick@crtpdl.com
Hi Thies,
This config will definitely NOT work when Exchange is installed on the firewall.
Great articles, just what I needed to lead me through the Exchange 2003 OWA and ISA 2000 setup! What would ISA administrators do without you?
I'm almost there with OWA- one remaining problem. When outside users click on the link, SSL shoots right through the ISA server to the Exchange server and starts to load the OWA logon page. The User Name and Password boxes appear, but then everything grinds to a halt. The graphics do not come up and the page never finishes loading. You can see the phenomena at:
If I go to any internal network machine except the ISA server and type in the Exchange server's internal address (and "/exchange"), the logon page comes up just fine. If I try this on the ISA server, I get the same bad logon page load that a request from the outside would get.
So, it seems that it is something with ISA, where it just quits loading the page. I can't come up with the solution, I'm hoping that you can.
Regarding my previous post, I kept picking at the problem and found 'a' solution, don't know if it's the correct solution, but it does work.
In IIS on the Exchange server, the instructions are to set Authentication to Basic Authentication only on the three Exchange folders. As an experiment, I expanded the ExchWeb folder to see the subfolders, such as controls, images, etc. On these subfolders, I changed the authentication to Anonymous Access only. The ExchWeb folder remained at Basic Authentication. Once I restarted the IIS service, I was able to come in from outside the network and get the logon page to display correctly.
I don't believe this will compromise security, but if anyone believes otherwise, please let me know.
I went through the steps and have one issue. Internally OWA works great (however that doesn't deal with ISA of course). However, when I attempt to use it from an external machine I get the following error: "500 Internal Server Error - The target principal name is incorrect. (-2146893022)". I don't know if it's possible, but I would like to allow the user to type in "mail.logos.com" and have it automatically redirect them. However, this is not working. Any ideas?
I am having some difficulty making OWA2k3 available for external use. I am running ISA Server 2000 on a Windows 2000 server, Exchange 2003 is running on a Windows Server 2003 machine. I have followed the steps in the series of articles and internally it works fine. Externally I am receiving a "Page cannot be displayed" error.
I have configured an A record externally, which maps "owa.mydomain.com" to an external IP address on the ISA machine. I do not believe it is a DNS issue because all NSLOOKUPS resolve fine and if I enter "http://owa.mydomain.com/exchange" (not secure) it sends back an error saying that a secure connection is required.
My internal DNS servers are set up to forward external requests to my ISP. I have placed an entry for the FQDN in the Hosts file.
Tom, Thank you for publishing these great articles. I used all five last night to implement my new w2k3 exch2k3 machine behind ISA.
I was trying to add the URL redirection so you don't have to type the "https:", you would get forwarded automatically. I tried the two suggestions on page 1 of this thread thinking it would work, but for some reason it doesn't. I get the following error: 403 Forbidden - The page must be viewed over a secure (that is, Secure Sockets Layer (SSL)) channel. Contact the server administrator. (12211)
I experimented with a few things and then remembered the setting "Redirect HTTP requests as". I decided to change it to SSL requests hoping that ISA would perform the redirection for me, but that didn't work either. Any help would be appreciated.
Hi Tom
Great guide to publishing the OWA, but I can't get it to work!
I followed your guide to the letter, but whenever I try to access my server externally I get a:
HTTP Error 404 - File or directory not found. Internet Information Services (IIS)
My setup is as follows:
ISA server running on Windows 2003 DC
Exchange 2003 running on W2K DC
If I go to my website (no /exchange) I get the under construction page, which is fine.
I have read through some of the replies on this forum and it was suggested to stop the WWW service on the ISA server, which I did, but this makes the entire website unavailable.
Any idea what I have done wrong? I assume it's something to do with the redirect on my ISA server, but can't find anything wrong!
Hello, I've done whatever the article says but I have a problem. In Internet Explorer on the client computers I get the following error: "Cannot find server or DNS Error."
AD domain controller + CA server (Win2003 Srv)
ISA server (Win2000 Srv)
Exchange Server 2003 Ent. Edt. (Win2003 Srv)
Internally everything works OK, meaning that I can see the OWA site. I tried to make an external connection to ISA (via telnet to port 443) and it connects.
Hello! Well, eventually, it was the client PC's problem :) Everything works OK! But may I ask you something? In my old Exchange 5.5 OWA site, I used to give the account credentials twice, that is, the 1st time in order to connect to the ISA ext. interface (right?) and the 2nd one after the Mailbox credentials part. Now I'm only being asked once. Is this right?
I'm having the same problem as murph123 has/had: when I try to access OWA from external networks it loads all the objects from the OWA page but it hangs on "loading..." in every folder of the mailbox. When I do it from the internal network it works just fine.
Do you already know how to solve this problem? I have the Destination Set with the FQDN, not the IP.
Thanks in advance! Yours sincerely, Diogo Botto
The Problem is solved already. We had a Web filter configured on our ISA Server that was blocking this kind of traffic. It's working now!
Thanks anyway!
I too am having this issue. Most of the site comes up but where you should see the folder or message contents you only get "Loading...". Do you know what I am blocking so I can find it? Since I can see most of the site I have assumed that the publishing is working. I must be blocking something somewhere, I'm just not sure what. The system is a complex back-to-back ISA 2000 system.
Outer firewall = ISA 2000 SP1 FP1
Inner firewall = ISA 2000 SP1 (Is FP1 required for this to work? It would be a pain to install on this production system.)
Outer firewall uses Server Publishing and so just passes the SSL traffic into the inner firewall without inspection.
Inner firewall uses Web Publishing with FQDN in the Destination sets. SSL to SSL bridging is in place and working. Again I can see most of the site.
Since I do not have any Web Filters and do not have FP1 installed I do not think it can be a web filter.
Thank you for your site and writings! They have been invaluable to me since ISA 2000's release.
- Mark from Buffalo NY