This thread is for discussing the article on supporting both FBA and Basic auth when you have only a single IP address on the external interface of the ISA firewall.
I have an Exchange Server 2003 and ISA Server 2004 on one self-contained box in a colocation environment. We want to use it for Exchange hosting. We have two IPs assigned to the box and my question is how to configure the Exchange Server in conjunction with ISA Server so we can get RPC over HTTP for our clients. Thanks for your help!
Any way to get the Exchange Server off the firewall? That would greatly simplify the config and significantly improve the level of security provided by the firewall.
Hi,
You have a screen shot in this article that shows a check box for Exchange ActiveSync. I don't have that on my Beta copy but I read on another post that you are now using the release candidate. Is it possible to post the settings that this check box sets up please, as I can't persuade ActiveSync to go through ISA at all despite a lot of trying.
I followed the instructions to set up this chained routing of FBA requests, however I keep on getting "Error Code 64: Host not available" when I try to reach OWA from the internet. Any clues? From the logs it seems like the first rule (External -> localhost) fails. I also checked that localhost doesn't translate on the ISA machine itself... might this be the problem?
Figured it out meanwhile... The problem was that I had set both rules (ext -> loc, loc -> exch) to show the originating host in the source. It seems that this trick only works if you set "originate from ISA" on both rules. However it is a bit suspicious to me that this only lies in some name resolving issue.
This is definitely an off-label config and not something regression tested by MS or by us. We know it works, but like all hacks, there are bound to be some limitations.
This article shows an illustration of the firewall policy, with the configured rules. My question is how did you configure the Last Default Rule to deny all Protocols in both directions, as the default is to deny all traffic. Also, all publishing rules also appear to show protocols in both directions?
I have the option to bind a second IP address to my ISA Servers external interface but I don't understand how DNS is supposed to resolve the correct IP address for Forms or Basic authentication. Any ideas?
Tom, thanks for a nice article. I ran into the problem you describe when I tried to configure OWA, OMA, ActiveSync on an ISA 2004 with one NIC. I don't understand how this works but it does: configure the mail rules for OWA + a FBA listener; configure a second mail rule for OMA + ActiveSync, using the same listener.
With this configuration it works. If you add OMA + ActiveSync to the same rule it does not work.
Do you have any idea why? If you are interested I can send you a configuration file!
I am becoming a bigger fan of ISA 2004 every day, but like so many I've discovered the new way ISA uses the listeners for authentication.
You guys have made a great solution for using FBA and basic at the same time, so I thought let's try this also for SecurID and basic.
I failed. I tried adding webId.dll to the paths in the (External to Localhost) rule (next to cookieauth.dll) but this does not help either.
All I get is a broken start page where the SecurID banner is gone but I can see the rest. I type my username/password and then I get:
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
Did anyone try to have both OWA and RPC over HTTPS/OMA/ActiveSync working on the same IP? It worked with ISA 2000 but I think I'll have to use a new IP for my OWA with RSA SecurID authentication.
Why is cookieauth.dll required actually? Can you explain this to me?
I tried implementing the rules as per the article and my external clients are unable to get access to CookieAuth.dll. When I look at the log files it seems that it's having problems when it tries to redirect it internally, however the rule says it's going to 127.0.0.1. Any thoughts on troubleshooting CookieAuth.dll?
I found this article fantastic and used it for two of my customers without a problem at all. My most recent attempt has had another result and I cannot figure out what is different. All services are working, but I am not getting FBA for OWA. It is as if ISA is not inserting the cookieauth form that it should. It looks as if the entire session is passed to Exchange for Integrated auth. Is it possible that if FBA fails for some reason this happens? My rule "local to exchange" listener only has FBA set. I must be overlooking something.
Have I found a non-wanted feature?
OK, everything seems to work. If we go to mail.contoso.com/OMA and log in using Basic Auth. Nice. We surf to an external web site (e.g. www.astalavista.com) without closing IE. Type in mail.contoso.com/exchange. Now we are running OWA on Basic Auth.
Any idea how to not get this "feature"? - PatrickM -