From: Philadelphia, PA
I have followed this article and used this technique successfully with one ISA 2004 SE server; however, in implemented an array in ISA 2004 EE I have discovered it will no longer work. The problem appears to be that the localhost certificate is different for each server in the array since they each register with our CA.
Have you tried this with ISA 2004 EE? Do you have any suggestions? I don't think there is a way for me to install the same localhost cert on each server in the array since I can't export the cert.
RE: Discussion for article on Supporting Forms-based a... - 22.Mar.2005 11:36:00 PM
First off I think this is an awesome idea!
However, I've followed this article at a client site to the T. (I did have to install an enterprize CA which I did and got it to work and created the localhost cert on my isa box successfully. But when I try to connect from an outside client, I get the following error:
Error Code: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted. (-2146893019)
I know that I'm probably missing something simple, but any help on how to fix would be appreciated!
quote:Originally posted by tshinder: This thread is for discussing the article on supporting both FBA and Basic auth when you have only a single IP address on the external interface of the ISA firewall.
Hi Tom, I also applied settings discovered by Kai. Clever trick:) Works great. Anyway as for fine tunning. I removed anonymous auth. on mobile and owa rules to check user's credentials on ISA instead on backEnd IIS. But mobile devices stopped logging (they are timeOuted istead) even I see users authenticating on ISA (fw logs). When I use IE to access https:mail.comapany.org/oma and put user's cred. it works fine. I also put checkmark on "forward basic auth. cred." on Users of mobile rule properties but no way.. Do I make something wrong?
Another question, if i have 2 Exchange Server being published though 2 ISA 2004 servers i assume i then have a problem. I say this as I assume I can't get two certificates for localhost from the same CA which are for different physical ISA 2004 machines?
From: St. Louis MO
quote:On the Welcome to the New Web Listener Wizard page, enter a name for the listener in the Web listener name text box. In this example, we will name the listener Localhost443 (FBA) to denote that the listener is listening on the external interface of the ISA Server 2004 firewall and that its configured to use Basic authentication. Click Next.
Tom, I found this quoted paragraph in your how-to document. It seems to be a typo, because just one paragraph later, you are instructing the administrator to select only FBA in the listener configuration. Am I correct?
FWIW, I just made my first attempt at getting this to work. No dice. I'll try again later today.
Recently I posted a message on publishing both SecurID and non-SecurID web sites on the same external IP address of an ISA server in the ISA 2004 Exchange Publishing message board. Only after that I was reading your article "Supporting Both Basic and Forms-based Authentication with a Single External IP Address and Web Listener" based on Kai WilkeÆs suggestion and noticed the many similarities in the approaches. In both cases multiple authentication methods are required using the same IP address and protocol and in both cases it is solved by using chained web publishing rules (what I called the triple-jump approach). The difference is that you bridge to and listen on the localhost "network interface", while I bridge to and listen on a non-standard port number (on the internal interface). The advantage of using a non-standard port number is that you can use as many authentication methods (or other listener settings) as you like. You will also not run into port conflicts when the same port is used on multiple interfaces.
unfortunately I can exclusively connect successfully to the /cookieauth.dll link. All the rest will result in 403 error. So does the entering of an authorized account in the form-based login. Didn't touch my exchange while I confirured ISA according to this article and it used to work before according to http://www.isaserver.org/tutorials/2004owafba.html. Any help will be highly appreciated.
I have read the article several times and I am puzzled. A listener is for a combination of an IP address and a port. Why is it not possible to use port 443 for OWA and another port (say 4000) for OMA? The entry to get OMA would then be https://owa.contoso.com/oma:4000.
A follow up question if this works is, "Can only one certificate be used?" which in the example, owa.contoso.com.
I`ve ISA 2004 Enterprise Edt in a Array with a single NIC. I tried to follow the article, but when I shuold create Listener for Localhost, tha ISA cannot see the certificate. I only see the certificate for the external listerner. I have imported a certificate with name "localhost" in the personal store.
ALL, I am trying perform a similar setup using one armed ISA 04. Trying to set up reverse proxy on ISA 04 to pass through requests (no filter I assume) to RSA WebID agent 5.3 on an OWA LAN server. I thought I might use the dumbing down example below as a starting point. Looking for a little direction. Thanks!