Discussion for the OWA Publishing Article

Discussion for the OWA Publishing Article - 8.Mar.2004 2:57:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for the OWA Publishing article at http://isaserver.org/articles/2004owapub.html.

HTH,
Tom

[ March 08, 2004, 02:05 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion for the OWA Publishing Article - 9.Mar.2004 11:01:00 AM   
turbomcp

 

Posts: 36
Joined: 13.Nov.2002
Status: offline
hi tom

i have a few questions:

1. are you using a newer build of isa 2004 than the public beta? cause on your recent guide to publishing owa with isa 2004 you have print screens that i don't have in my isa 2004 publishing wizard (talking about print screen number 2 from the top)?

2. when i configure the listener to forms based authentication i never get prompted for a password, i just get to the exchange web access logon page (forms based authentication logon page)

3. this is not a question but still :) if i configured this forms based authentication on the listener and i want to use rpc/http publishing also it doesn't work (it's expected) so i guess whoever wants to use rpc/https needs to have 2 different listeners on two different ips (public)?

appreciate your comment

(in reply to tshinder)
Post #: 2
RE: Discussion for the OWA Publishing Article - 9.Mar.2004 11:22:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Turbo,

1. Yes, it's a slightly later build, but we're only using the OWA functionality in this article, so everything still applies to beta 2.

2. Correct. You should only see the log on page. That's the forms-based authentication page.

3. For RPC/HTTP, you'll need to use a different authentication method, because you don't really want to use the OWA form to log on to the site, since the log on interface isn't exposed to the RPC/HTTP client application. You'll need multiple addresses if you want to use both methods, or use only HTTP and not HTTPS for RPC/HTTP, but that's not a very good security config.

HTH,
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion for the OWA Publishing Article - 9.Mar.2004 11:50:00 AM   
turbomcp

 

Posts: 36
Joined: 13.Nov.2002
Status: offline
thanks for the quick reply

regarding question 2 i thought that forms based authentication on the isa listener will prompt me once (to see who i am) and then if i pass this first logon i will get into the exchange forms based authentication logon of exchange 2003.
(this way the OWA logon page is not visible to unauthenticated users)

(in reply to tshinder)
Post #: 4
RE: Discussion for the OWA Publishing Article - 9.Mar.2004 12:00:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Turbo,

No. The ISA firewall generates the log on page. You disable forms-based auth at the Exchange site. This way, no unauthenticated users ever connect to the Exchange Server. This is a much higher security option, because if you allow unauthenticated users to connect to the Exchange Server to access the form generated by the Exchange Server machine, the unauthenticated user can then potentially hack the machine, even though he has never successfully authenticated. In contrast, when the firewall generates the form, unauthenticated users never touch the Exchange server. Result=much better protection of the Exchange site!

HTH,
Tom

(in reply to tshinder)
Post #: 5
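
The trade-off described in post #5, as an added example that is not part of the original thread and is not ISA Server's own code: a minimal Python model of a front end that either lets the back end serve its own logon form or generates the form itself. The `Backend` and `Gateway` classes, the user table and the cookie format are hypothetical.

```python
import hashlib
import hmac
import secrets

class Backend:
    """Stands in for the published mail server; counts requests that reach it."""
    def __init__(self):
        self.hits = 0

    def handle(self, path, user=None):
        self.hits += 1
        return 200, f"mailbox of {user}" if user else "<form>backend logon</form>"

class Gateway:
    """Hypothetical front end: pass-through, or pre-authenticating when preauth=True."""
    def __init__(self, backend, users, preauth):
        self.backend, self.users, self.preauth = backend, users, preauth
        self.key = secrets.token_bytes(32)  # signs session cookies

    def _mac(self, user):
        return hmac.new(self.key, user.encode(), hashlib.sha256).hexdigest()

    def login(self, user, password):
        """Return a signed session cookie, or None on bad credentials."""
        known = self.users.get(user, "")
        ok = hmac.compare_digest(known.encode(), password.encode())
        return f"{user}:{self._mac(user)}" if known and ok else None

    def session_user(self, cookie):
        user, _, mac = (cookie or "").partition(":")
        valid = hmac.compare_digest(mac.encode(), self._mac(user).encode())
        return user if user and valid else None

    def request(self, path, cookie=None):
        if not self.preauth:
            return self.backend.handle(path)  # back end serves its own form
        user = self.session_user(cookie)
        if user is None:
            return 200, "<form>gateway logon</form>"  # back end never contacted
        return self.backend.handle(path, user)

USERS = {"alice": "constructed-password"}  # constructed sample account

def anonymous_backend_hits(preauth, attempts=5):
    """Send requests with a forged cookie; report how many reached the back end."""
    backend = Backend()
    gateway = Gateway(backend, USERS, preauth)
    for _ in range(attempts):
        gateway.request("/exchange/", cookie="alice:forged")
    return backend.hits
```

With `preauth=True` the forged-cookie requests leave the back-end hit counter at zero; with `preauth=False` every one of them reaches the back end before any credential has been checked.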
RE: Discussion for the OWA Publishing Article - 9.Mar.2004 12:21:00 PM   
turbomcp

 

Posts: 36
Joined: 13.Nov.2002
Status: offline
thanks toms
you answered my question:)
now i understand why things didn't work
it was because i enabled forms based on exchange also:)

thanks again
as always looking forward to your book:)

(in reply to tshinder)
Post #: 6
RE: Discussion for the OWA Publishing Article - 12.Mar.2004 12:37:00 AM   
RandyM

 

Posts: 29
Joined: 14.Mar.2003
Status: offline
I have a couple of problems that I hope someone can shed some light on. I have to leave the "To" tab set up as "requests appear to come from firewall" or it doesn't work behind any devices (even a Linksys router). I also have some users that are behind firewalls at customer sites and they aren't able to connect. They were able to after I first set it up but I had to import a new certificate for a name change and now it fails again. This has been a problem for some time.

Is there a way to make it more friendly for firewalled users even if it means lowering the level of security a notch?

(in reply to tshinder)
Post #: 7
RE: Discussion for the OWA Publishing Article - 12.Mar.2004 12:56:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by turbomcp:
thanks toms
you answered my question:)
now i understand why things didn't work
it was because i enabled forms based on exchange also:)

thanks again
as always looking forward to your book:)

Hi Turbo,

Thanks! We're going to work hard to raise the bar on that book, so I think you'll like it!

Thanks!
Tom

(in reply to tshinder)
Post #: 8
RE: Discussion for the OWA Publishing Article - 12.Mar.2004 12:59:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by RandyM:
I have a couple of problems that I hope someone can shed some light on. I have to leave the "To" tab set up as "requests appear to come from firewall" or it doesn't work behind any devices (even a Linksys router). I also have some users that are behind firewalls at customer sites and they aren't able to connect. They were able to after I first set it up but I had to import a new certificate for a name change and now it fails again. This has been a problem for some time.

Is there a way to make it more friendly for firewalled users even if it means lowering the level of security a notch?

Hi Randy,

If you have the original IP address returned to the server, then the server will be a SecureNAT client. Is the machine a SecureNAT client?

What kind of failures are you seeing when machines behind non-ISA firewalls try to connect? What kind of access rules do they have that are blocking the connection?

Thanks!
Tom

(in reply to tshinder)
Post #: 9
RE: Discussion for the OWA Publishing Article - 25.Mar.2004 4:28:00 AM   
adidell

 

Posts: 7
Joined: 5.Aug.2003
Status: offline
Thanks. This solved my OWA forms-based issue. I had enabled it on the Exchange virtual server within Systems Manager. I removed that setting on HTTP and it works now.

quote:
Originally posted by tshinder:
Hi Turbo,

No. The ISA firewall generates the log on page. You disable forms-based auth at the Exchange site. This way, no unauthenticated users ever connect to the Exchange Server. This is a much higher security option, because if you allow unauthenticated users to connect to the Exchange Server to access the form generated by the Exchange Server machine, the unauthenticated user can then potentially hack the machine, even though he has never successfully authenticated. In contrast, when the firewall generates the form, unauthenticated users never touch the Exchange server. Result=much better protection of the Exchange site!

HTH,
Tom


(in reply to tshinder)
Post #: 10
RE: Discussion for the OWA Publishing Article - 26.Mar.2004 1:54:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Adidell,

Great! Good to hear you got it working and thanks for the follow up!

Tom

(in reply to tshinder)
Post #: 11
RE: Discussion for the OWA Publishing Article - 20.Apr.2004 7:20:00 AM   
tad_braun

 

Posts: 101
Joined: 31.Dec.2003
Status: offline
Hello,

I followed the mix of articles and OWA is up and running over HTTPS only...Yahoo!

But, now some of my E2K3 Public Folders won't respond correctly anymore. I had a Public Folder that was auto-forwarding to a set of external addresses (basically, it was emulating a listserver). Now, that function broke, and when I try to manage the Public Folders in Exchange System Manager, they give me an error that says the HTTP connection wasn't allowed (or something like that).

Any Exchange gurus have ideas on what I can do here? I read on other msexchange.com forums that an IISRESET will do the trick, but I have the feeling that'll waste all of my efforts in getting OWA over SSL only to work.

--Thaddeus

(in reply to tshinder)
Post #: 12
RE: Discussion for the OWA Publishing Article - 20.Apr.2004 10:40:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Thaddeus,

I've tested the Public Folders and they seem to work OK. Did you set SSL and authentication on the folder as outlined in the article?

Thanks!
Tom

(in reply to tshinder)
Post #: 13
RE: Discussion for the OWA Publishing Article - 20.Apr.2004 4:35:00 PM   
tad_braun

 

Posts: 101
Joined: 31.Dec.2003
Status: offline
Hello,

I ran across another post in another bulletin board that said to simply reboot. That fits right in with my "simple stuff first" outlook on life, so I tried it, and it worked. I now have normal control of the folders. I hope this helps someone else. Thanks for the feedback, Big T. This is a great group!

(in reply to tshinder)
Post #: 14
RE: Discussion for the OWA Publishing Article - 23.Apr.2004 12:42:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tad,

You bet!

Thanks!
Tom

(in reply to tshinder)
Post #: 15
RE: Discussion for the OWA Publishing Article - 27.Sep.2004 8:17:00 AM   
robkleinpeter

 

Posts: 3
Joined: 27.Sep.2002
From: Baton Rouge, Louisiana
Status: offline
Hello....I have a custom E2K3 OWA form. I am unable to find where it lives in ISA. Can I use it with ISA 2K4 forms based authentication? Thanks.

(in reply to tshinder)
Post #: 16
RE: Discussion for the OWA Publishing Article - 23.Feb.2005 6:30:00 PM   
brianw

 

Posts: 13
Joined: 4.Nov.2002
From: Phoenix
Status: offline
Hello Tom,

I hope it is not too late to post to this thread.

I have Ex2003EE running behind an ISA 2004 server. The ISA server is a standalone server. I have been publishing my OWA site w/FBA without any problems at all (thx to your tutorials!).

I have followed this article and am having some problems. I can access the following site internally: https://servername.domain.com/exchnage. But, when I try to access https://mail.domain.com/exchange from outside of the office, it will not work. I have gone through this article twice to verify that I have followed your instructions. Do you have any suggestions?

Thanks in advance!
Brian

(in reply to tshinder)
Post #: 17
RE: Discussion for the OWA Publishing Article - 23.Mar.2005 2:03:00 PM   
Guest
Hi guys,

I'm having a problem with the "requests appear to come from the original client" setting:

We are publishing OWA using FBA (published from ISA not exchange)

The server is in single NIC configuration between 2 firewalls - this will take the place of one of the firewalls at a later date.

It's not working - are there other considerations in order to make this work - I note from the online help that the ISA server or the client should use the ISA server as their default gateway

I find nothing of interest from the log files and a 404 error is received after the certificate exchange when "requests appear to come from the original client" is set.

Thanks
Mike

**********************************************
I liked it so much, I bought the book!
**********************************************

(in reply to tshinder)
  Post #: 18
RE: Discussion for the OWA Publishing Article - 7.Sep.2006 5:00:03 PM   
albracco

 

Posts: 10
Joined: 5.Sep.2006
Status: offline
Hello Tom,

Great article and I've referenced some of your other ones as well. I just can't seem to find something specific to my situation, which is placing a uni-homed ISA server in the DMZ of an existing hardware firewall to act as a smart host and also publish OWA & OMA. I'm building a test environment and am stuck at this point:

I have an Exchange 2003 server on the internal network. Have a Watchguard internet firewall and a uni-homed ISA server in the DMZ of the firewall. Have set up the ISA server as an SMTP smart host & relay successfully (mail flows in both directions). Next step is to get OWA access to the Exchange working through the ISA server. I've created the correct HTTP firewall rules on the Watchguard, just as I did for SMTP. The Watchguard firewall log shows the HTTP traffic as being allowed in. (I know I should use SSL - that will be the next step once this works). I have used the mail server publishing wizard on the ISA server and set up the rule and told it to listen for all networks. It appears to me that the ISA server never "hears" the HTTP traffic coming in and it dies right there. I know this because I set the Watchguard to also log HTTP traffic allows from the DMZ to the internal network, and I never see such an allow log entry. I can get to Exchange OWA from the internal and DMZ networks just fine, it just doesn't work from the outside. The ISA firewall logs show my OWA connections when I try it from the ISA server in the DMZ to the internal Exchange server, but there are no entries at all for any incoming HTTP traffic from the outside.

If you can take a moment to offer some guidance, it would be greatly appreciated.

Al 

(in reply to tshinder)
Post #: 19
OWA Browsing - 16.Mar.2007 1:11:16 PM   
njenkins

 

Posts: 18
Joined: 8.Mar.2006
Status: offline
Hi all. Wondering if anyone can help. I have successfully set up the ISA rule to publish the Exchange server as per the document

http://www.isaserver.org/articles/2004owapub.html?printversion

For example the rule is set up to use http://owa.mysite.ie but when I try to log on using that it fails. However when I add http://owa.mysite.ie/exchange I get prompted for the logon screen and can successfully log on.

Is there a way to simply enter http://owa.mysite.ie and get prompted with the logon page? The Paths tab in the OWA ISA rules are all the default

Internal Path = /exchange/*

(in reply to tshinder)
Post #: 20
