RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP
RE: Discussion for article on Supporting Forms-based a... - 22.Mar.2005 7:21:00 PM
tubespac
Posts: 11
Joined: 9.Feb.2005
From: Philadelphia, PA
Status: offline
I have followed this article and used this technique successfully with one ISA 2004 SE server; however, when implementing an array in ISA 2004 EE I have discovered it will no longer work. The problem appears to be that the localhost certificate is different for each server in the array, since they each register with our CA.
Have you tried this with ISA 2004 EE? Do you have any suggestions? I don't think there is a way for me to install the same localhost cert on each server in the array since I can't export the cert.
Regards, Christopher
RE: Discussion for article on Supporting Forms-based a... - 22.Mar.2005 11:36:00 PM
Guest
First off I think this is an awesome idea!
However, I've followed this article at a client site to the T. (I did have to install an enterprise CA, which I did, and got it to work and created the localhost cert on my ISA box successfully.) But when I try to connect from an outside client, I get the following error:
Error Code: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted. (-2146893019)
I know that I'm probably missing something simple, but any help on how to fix would be appreciated!
RE: Discussion for article on Supporting Forms-based a... - 24.Mar.2005 6:01:00 PM
martynko
Posts: 3
Joined: 30.Mar.2004
Status: offline
quote: Originally posted by tshinder: This thread is for discussing the article on supporting both FBA and Basic auth when you have only a single IP address on the external interface of the ISA firewall.
HTH, Tom
Hi Tom, I also applied the settings discovered by Kai. Clever trick :) Works great. Anyway, as for fine tuning: I removed anonymous auth. on the mobile and OWA rules to check users' credentials on ISA instead of on the back-end IIS. But mobile devices stopped logging in (they time out instead) even though I see users authenticating on ISA (firewall logs). When I use IE to access https://mail.company.org/oma and put in the user's credentials it works fine. I also put a checkmark on "forward basic auth. cred." on Users in the mobile rule properties, but no luck. Am I doing something wrong?
Thanks in advance
Martin
RE: Discussion for article on Supporting Forms-based a... - 25.Mar.2005 1:02:00 AM
ebrux
Posts: 2
Joined: 23.Mar.2005
From: Spokane, WA
Status: offline
Is this thread being monitored? REALLY good questions above, but no answers....
RE: Discussion for article on Supporting Forms-based a... - 29.Mar.2005 7:25:00 PM
martynko
Posts: 3
Joined: 30.Mar.2004
Status: offline
don't know..
RE: Discussion for article on Supporting Forms-based a... - 6.Apr.2005 1:12:00 PM
awj
Posts: 104
Joined: 26.Feb.2004
From: UK
Status: offline
Another question: if I have 2 Exchange Servers being published through 2 ISA 2004 servers, I assume I then have a problem. I say this as I assume I can't get two certificates for localhost from the same CA which are for different physical ISA 2004 machines?
Am I assuming correctly?
RE: Discussion for article on Supporting Forms-based a... - 6.Apr.2005 3:08:00 PM
tshinder
Posts: 46971
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Al,
You might try using a loopback adapter for this. I haven't tried it, but on paper, it should work.
HTH, Tom
RE: Discussion for article on Supporting Forms-based a... - 27.Apr.2005 8:44:00 PM
rbeck72
Posts: 1
Joined: 9.Mar.2005
From: Denver
Status: offline
First off, thanks for the help, getting RPC over HTTP to work has been driving me crazy, but this article was the solution to get it to work with OWA FBA with one external address....
One issue I'm having is that the logoff page is coming up as https://localhost/exchange/?Cmd=logoff when our main address is https://webmail.mydomain.com/exchange. Is there a way to get the logoff page to resolve to the external address as the main logon page does? Not sure where to look.
RE: Discussion for article on Supporting Forms-based a... - 17.May2005 3:01:00 PM
TimTrace
Posts: 105
Joined: 31.Oct.2001
From: St. Louis MO
Status: offline
quote: On the Welcome to the New Web Listener Wizard page, enter a name for the listener in the Web listener name text box. In this example, we will name the listener Localhost443 (FBA) to denote that the listener is listening on the external interface of the ISA Server 2004 firewall and that it's configured to use Basic authentication. Click Next.
Tom, I found this quoted paragraph in your how-to document. It seems to be a typo, because just one paragraph later, you are instructing the administrator to select only FBA in the listener configuration. Am I correct?
FWIW, I just made my first attempt at getting this to work. No dice. I'll try again later today.
RE: Discussion for article on Supporting Forms-based a... - 17.May2005 5:30:00 PM
tshinder
Posts: 46971
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tim,
You're correct. The Localhost listener should be using FBA.
HTH, Tom
RE: Discussion for article on Supporting Forms-based a... - 24.May2005 5:50:00 AM
gijsbert
Posts: 24
Joined: 5.Nov.2004
Status: offline
Hi Tom,
Recently I posted a message on publishing both SecurID and non-SecurID web sites on the same external IP address of an ISA server in the ISA 2004 Exchange Publishing message board. Only after that did I read your article "Supporting Both Basic and Forms-based Authentication with a Single External IP Address and Web Listener", based on Kai Wilke's suggestion, and notice the many similarities in the approaches. In both cases multiple authentication methods are required using the same IP address and protocol, and in both cases it is solved by using chained web publishing rules (what I called the triple-jump approach). The difference is that you bridge to and listen on the localhost "network interface", while I bridge to and listen on a non-standard port number (on the internal interface). The advantage of using a non-standard port number is that you can use as many authentication methods (or other listener settings) as you like. You will also not run into port conflicts when the same port is used on multiple interfaces.
For more details see http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=23;t=000545
Greetings,
Gijsbert van der Linden
RE: Discussion for article on Supporting Forms-based a... - 2.Jun.2005 5:58:00 AM
schorsch
Posts: 1
Joined: 2.Jun.2005
From: Germany
Status: offline
Hi,
unfortunately I can only connect successfully to the /cookieauth.dll link. All the rest results in a 403 error, as does entering an authorized account in the form-based login. I didn't touch my Exchange while I configured ISA according to this article, and it used to work before when configured according to http://www.isaserver.org/tutorials/2004owafba.html. Any help will be highly appreciated.
Thanks in advance
George
RE: Discussion for article on Supporting Forms-based a... - 21.Jun.2005 4:44:00 PM
ferrix
Posts: 355
Joined: 16.Mar.2005
Status: offline
Since this thread is dealing with Exchange, ActiveSync, OWA, and single IP configurations, I thought the following might be appropriate:
Our company's authentication filter, FlexAuth (at http://www.collectivesoftware.com) makes a lot of tasks around publishing Exchange much easier.
It provides seamless, customizable FBA to your OWA users, and Basic Auth to your ActiveSync users (all on the same listener).
Also, if (for some reason) you cannot put your ISA into the domain, FlexAuth supports LDAP and LDAP-SSL as authenticators (so you can still use Windows groups and users in your access rules).
Sorry for the shameless plug, but I hope that this information could help solve the problem of someone who reads this thread.
RE: Discussion for article on Supporting Forms-based a... - 29.Jun.2005 2:18:00 PM
pwaldeier
Posts: 36
Joined: 18.Feb.2004
From: Pennsauken NJ
Status: offline
I have read the article several times and I am puzzled. A listener is for a combination of an IP address and a port. Why is it not possible to use port 443 for OWA and another port (say 4000) for OMA? The entry to get OMA would then be https://owa.contoso.com/oma:4000.
A follow-up question, if this works, is: "Can only one certificate be used?" (which in the example is owa.contoso.com).
RE: Discussion for article on Supporting Forms-based a... - 29.Jun.2005 4:51:00 PM
tshinder
Posts: 46971
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi CP,
OMA publishing isn't supported on an alternate port, so we need to use 443.
The name on the certificate can be whatever you like, as long as you avoid name mismatch errors.
HTH, Tom
RE: Discussion for article on Supporting Forms-based a... - 30.Jun.2005 8:45:00 AM
pwaldeier
Posts: 36
Joined: 18.Feb.2004
From: Pennsauken NJ
Status: offline
Tom
Thanks for the quick reply. Is it possible to do the reverse and publish OWA on an alternate port such as 4000?
PaulW
RE: Discussion for article on Supporting Forms-based a... - 25.Aug.2005 9:01:00 AM
brandy
Posts: 4
Joined: 25.Aug.2005
Status: offline
I've got ISA 2004 Enterprise Edition in an array with a single NIC. I tried to follow the article, but when I should create the listener for localhost, ISA cannot see the certificate. I only see the certificate for the external listener. I have imported a certificate with the name "localhost" into the personal store.
Any comments?
Regards, Brandy
RE: Discussion for article on Supporting Forms-based a... - 27.Aug.2005 12:19:00 PM
tarner
Posts: 8
Joined: 26.Aug.2005
From: MD/DC
Status: offline
ALL, I am trying to perform a similar setup using one-armed ISA 04. Trying to set up a reverse proxy on ISA 04 to pass through requests (no filter, I assume) to the RSA WebID agent 5.3 on an OWA LAN server. I thought I might use the dumbed-down example below as a starting point. Looking for a little direction. Thanks!
Any suggestions would be appreciated. Configuring all allow outbound (reversed) seems like the place to start. I posted this here (below) before; the Exchange part of the forum seems more correct. http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=24;t=000462