Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Discussion for article on Supporting Forms-based auth and Basic Auth with one IP

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 General ] >> Exchange Publishing >> Discussion for article on Supporting Forms-based auth and Basic Auth with one IP Page: [1] 2 3 4 5   next >   >>
Login
Message << Older Topic   Newer Topic >>
Discussion for article on Supporting Forms-based auth ... - 11.Mar.2004 3:12:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline 		This thread is for discussing the article on supporting both FBA and Basic auth when you have only a single IP address on the external interface of the ISA firewall.

HTH,
Tom
Post #: 1
RE: Discussion for article on Supporting Forms-based a... - 13.Mar.2004 7:35:00 AM   
tyronet

 

Posts: 2
Joined: 13.Mar.2004
Status: offline 		I have a Exchange Server 2003 and ISA Server 2004 on one self-contained box in a colocation environment. We want to use it for Exchange hosting. We have two IPs assigned to the box and my question is how to configure the Exchange Server in conjunction with ISA Server so we can get RPC over HTTP for our clients. Thanks for your help!

Tyrone

(in reply to tshinder)
Post #: 2
RE: Discussion for article on Supporting Forms-based a... - 14.Mar.2004 8:04:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Tyrone,

Any way to get the Exchange Server off the firewall? That would greatly simplify the config and significantly improve the level of security provided by the firewall.

HTH,
Tom

[ March 14, 2004, 08:06 PM: Message edited by: tshinder ]

(in reply to tshinder)
Post #: 3
RE: Discussion for article on Supporting Forms-based a... - 17.Mar.2004 10:54:00 AM   
turbomcp

 

Posts: 36
Joined: 13.Nov.2002
Status: offline 		great article
great idea
exactly my problem/question from 2 weeks ago:)

(in reply to tshinder)
Post #: 4
RE: Discussion for article on Supporting Forms-based a... - 17.Mar.2004 1:17:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Turbo,

Exactly! We're lucky that Kai sent me a note about this showing the solution!

Thanks!
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion for article on Supporting Forms-based a... - 5.Apr.2004 1:16:00 PM   
AndyD

 

Posts: 3
Joined: 22.Jun.2001
From: London, UK
Status: offline 		Hi,

You have a screen shot in thisarticle that shows a check box for Exchange ActiveSync. I don't have that on my Beta copy but I read on another post that you are now using the release candidate. Is it possible to post the settings that this check box sets up please as I can't persuade active sync to go through ISA at all despite a lot of trying.

Thanks

Andy

(in reply to tshinder)
Post #: 6
RE: Discussion for article on Supporting Forms-based a... - 6.Apr.2004 8:47:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Andy,

Unfortunately, its a big more complex than enabling the ActiveSync option [Frown]

Part of the solution is the one in the article by Kai Wilke and myself, which was posted to this site a couple of weeks ago.

We'll be working on this issue when we update the ISA 2000/Exchange Deployment Kit to ISA 2004 in the next few weeks.

HTH,
Tom

(in reply to tshinder)
Post #: 7
RE: Discussion for article on Supporting Forms-based a... - 29.Oct.2004 2:38:00 AM   
mcfly9

 

Posts: 19
Joined: 10.Apr.2004
Status: offline 		Hello,

I followed the instructions to set up this chained routing of FBA requests, however i keep on getting "Error Code 64: Host not available" when i try to reach OWA from the internet. Any clues? From the logs it seems like the first rule (External -> localhost) fails. I also checked that localhost doesn't translate on the ISA machine itself... might this be the problem?

(in reply to tshinder)
Post #: 8
RE: Discussion for article on Supporting Forms-based a... - 29.Oct.2004 3:17:00 AM   
mcfly9

 

Posts: 19
Joined: 10.Apr.2004
Status: offline 		Figured out meanwhile... The problem was that I have set both rules (ext -> loc, loc -> exch) to show the originating host in the source. It seems that this trick only works if you set originate from isa on both rules. However it is a bit suspicious to me that this only lies on some name resolving issue.

(in reply to tshinder)
Post #: 9
RE: Discussion for article on Supporting Forms-based a... - 29.Oct.2004 8:02:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi McFly,

This is definitely an off-label config and not something regression tested by MS or by us. We know it works, but like all hacks, there are bound to be some limitations.

HTH,
Tom

(in reply to tshinder)
Post #: 10
RE: Discussion for article on Supporting Forms-based a... - 3.Nov.2004 10:50:00 AM   
JDSFIAD

 

Posts: 7
Joined: 28.Oct.2004
From: England
Status: offline 		This article shows an illustration of the filewall policy, with the configured rules. My question is how did you configure the Last Default Rule to deny all Protocols in both directions, as they default is to deny all traffic. Also all publishing rules also appear to show protocols in both directions????

(in reply to tshinder)
Post #: 11
RE: Discussion for article on Supporting Forms-based a... - 6.Nov.2004 11:18:00 AM   
sdsmtss

 

Posts: 45
Joined: 5.Nov.2003
Status: offline 		Tom,
I noticed in the article that you said...
quote:
One solution to this problem is to bind a second IP address to the external interface of the ISA Server 2004 firewall machine.
http://www.isaserver.org/tutorials/2004pubowamobile.html

I have the option to bind a second IP address to my ISA Servers external interface but I don't understand how DNS is supposed to resolve the correct IP address for Forms or Basic authentication. Any ideas?

Thanks,
Stephen

(in reply to tshinder)
Post #: 12
RE: Discussion for article on Supporting Forms-based a... - 7.Nov.2004 3:33:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Slacker,

You create separate DNS entries for OWA and OMA/RPC over HTTP sites.

For example, separate entries for:

owa.msfirewall.org
outlook.msfirewall.org
oma.msfirewall.org

HTH,
Tom

(in reply to tshinder)
Post #: 13
RE: Discussion for article on Supporting Forms-based a... - 8.Nov.2004 1:26:00 PM   
bjorn.axell@advisec.com

 

Posts: 1
Joined: 8.Nov.2004
From: Sweden
Status: offline 		Tom,
Thanks for a nice article. I run into the problem you describe when I tried to configure OWA, OMA, Activesync on a ISA2004 with one NIC.
I donÆt understand how this work but it does:
Configure the mail rules for OWA + a FBA listener
Configure a second mail rule for OMA + Activesync, use the same listener

With this configuration it works. If you add OMA+ Activesync to the same rule it does not work.

Do you have any idTe why? If you are interested I can send you a configuration file!

Thanks!

Bj÷rn

(in reply to tshinder)
Post #: 14
RE: Discussion for article on Supporting Forms-based a... - 24.Nov.2004 12:05:00 PM   
Jeroen_317

 

Posts: 73
Joined: 18.Dec.2002
From: Belgium
Status: offline 		Hi Tom,

I am getting a bigger fan of ISA 2004 every day, but like so many I've discovered the new way ISA uses the listeners for authentication.

You guys have made a great solution for using FBA and basic at the same time, so I thought let's try this also for SecurID and basic.

I failed.. [Frown]
I tried adding webId.dll to the paths in the (External to Localhost) rule (next to cookieauth.dll) but this does not help either.

All I get is a broken startpage where the SecurID banner is gone but I can see the rest. I type my username/password and then I get :

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

Did anyone try to have both OWA and RPCoverHTTPS/OMA/ActiveSynch working at the same IP? It worked with ISA 2000 but I think I'll have to use a new IP for my OWA with RSA SecurID authentication.

Why is cookieauth.dll required actually? Can you explain this to me?

Thanks for any answer,
kind regards,
Jay

(in reply to tshinder)
Post #: 15
RE: Discussion for article on Supporting Forms-based a... - 31.Dec.2004 6:13:00 PM   
colinbo

 

Posts: 11
Joined: 30.Dec.2004
Status: offline 		Hi,

I tried implementing the rules as per the article and my external clients are unable to get access to CookieAuth.dll. When I look at the log files it seems that it's having problems when it tries to send redirect it internally, however the rule says it's going to 127.0.0.1. Any thoughts on troubleshooting CookieAuth.dll?

Thanks,
Colin

(in reply to tshinder)
Post #: 16
RE: Discussion for article on Supporting Forms-based a... - 2.Jan.2005 12:57:00 AM   
colinbo

 

Posts: 11
Joined: 30.Dec.2004
Status: offline 		Figured out my problem. I didn't disable FBA on Exchange.

(in reply to tshinder)
Post #: 17
RE: Discussion for article on Supporting Forms-based a... - 5.Jan.2005 8:01:00 PM   
jeffthomes

 

Posts: 1
Joined: 5.Jan.2005
Status: offline 		I fouund this article fantastic and used it for two of my customers without a problem at all. My most recent attempt has had another result and I cannot figure out what is different. ALl services are working, but I am not getting FBA for OWA. It is as if ISA is not inserting the cookieauth form that it should. It looks as if the entire session is passed to exchange for Integrated auth. Is it possible that if FBA fails for some reason this happens? My rule "local to exchange" listener only has FBA set. I must be overlooking something.

(in reply to tshinder)
Post #: 18
RE: Discussion for article on Supporting Forms-based a... - 9.Feb.2005 10:54:00 PM   
Leathal

 

Posts: 36
Joined: 10.Nov.2004
Status: offline 		Question,

How does this tutorial apply to RPC over HTTP? I see that you are publishing OWA, OMA, and ActiveSync but I don't see any mention of publishing RPC.

Leathal

(in reply to tshinder)
Post #: 19
RE: Discussion for article on Supporting Forms-based a... - 15.Feb.2005 4:53:00 PM   
PatrickM

 

Posts: 70
Joined: 23.May2001
From: Sweden
Status: offline 		Have I found a non-wanted Feature?

Ok, everything seems to work.
If we go to mail.contoso.com/OMA
And login using Basic Auth.
Nice.
We surf to an external Web (ex. [Big Grin] www.astalavista.com) not closing IE.
type in mail.contoso.com/exchange
Now we are running OWA on Basic Auth.

Any idea how to not get this "Feature" ??
[Cool]
- PatrickM -

[ February 16, 2005, 08:35 AM: Message edited by: PatrickM ]

(in reply to tshinder)
Post #: 20

Page:   [1] 2 3 4 5   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 General ] >> Exchange Publishing >> Discussion for article on Supporting Forms-based auth and Basic Auth with one IP Page: [1] 2 3 4 5   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts