If you want some excellent security and configuration advice re: the ISA firewall:
BAG THE UNIHOMED ISA FIREWALL CONFIG
Remember, the ISA firewall is a firewall first, second and last.
You BREAK the ISA firewall's core design when you caponize it with a single NIC config.
If your network dolts tell you that it's not a firewall, you can send them here for some education and enlightenment. They may also want to get their resumes ready.
Has anyone gotten this to work for both FBA OWA, Active-Sync, OMA, and RPC over HTTP?
In my configuration, all but the RPC over HTTP seem to work. I've noticed a lot of conflicting information from the various documents I've read from Microsoft, so I'm not sure if there is a configuration error or what.
Which of the 3 rules should I add the path for RPC? Is it the "Exchange mobile services"?
quote:Originally posted by Marc Meltzer: Has anyone gotten this to work for both FBA OWA, Active-Sync, OMA, and RPC over HTTP?
In my configuration, all but the RPC over HTTP seem to work. I've noticed a lot of conflicting information from the various documents I've read from Microsoft, so I'm not sure if there is a configuration error or what.
Which of the 3 rules should I add the path for RPC? Is it the "Exchange mobile services"?
RE: Discussion for article on Supporting Forms-based a... - 30.Sep.2005 11:51:00 AM
Guest
quote:Originally posted by <jrrygrrd>: First off I think this is an awesome idea!
However, I've followed this article at a client site to the T. (I did have to install an enterprise CA, which I did and got to work, and created the localhost cert on my ISA box successfully.) But when I try to connect from an outside client, I get the following error:
Error Code: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted. (-2146893019)
I know that I'm probably missing something simple, but any help on how to fix would be appreciated!
I am also receiving this error message, any luck in resolving the issue?
You can get the FBA, OWA, ActiveSync, and RPC via HTTPS all working, yes (we have that in production here), but you will need to create separate web publishing rules using separate listeners, one for the OWA site and one for ActiveSync/RPC via HTTPS, because you need to set up Outlook using FBA (I assume you do, at least), while the RPC via HTTPS and ActiveSync use basic auth (but over HTTPS).
As to how to publish them, they are just specific URLs, namely /Microsoft-Server-Activesync/* for the ActiveSync and /rpc/* for the RPC via HTTPS.
Also, for the guy getting the certificate error, that's usually when you have the destination server in your rule set up with its local name rather than the name on the cert. Try creating a local entry in the ISA hosts table mapping the "external" name to the internal IP, or if you have split DNS, make a record for the external name mapping.
I can't even begin to tell you how stoked I am right now. Kai's article was EXACTLY what I needed to get my new E2K3 Server OWA and OMA/ActiveSync flowing on a single IP with security.
I want to thank Tom for the great site, and Kai for the great article. It's good to think out of the box like this...
I have implemented as per the directions in the article. We have a test environment set up like this: internet-->linksys-->dmz to isa2004, and all works fine internal to the Linksys. Even when I point to https://fqdn/exchange it appears I go to the public IP and come in the ISA server, and I can get to the OWA form.
From anywhere outside the Linksys I get "cannot establish a connection" and I never see the OWA form. I see in ISA monitoring the HTTPS connect, but it appears to time out. I notice internally it is slow to get the OWA form up; once I authenticate, OWA runs fine. Is this some sort of timeout issue externally? Any ideas where I can look to troubleshoot?
Thanks for all of the hard work you do in this arena. My question is:
"When you use Kai Wilke's approach for using FBA and Basic on a single external IP can you also force your users from the internal network to use ISAs FBA as stated in your article Enabling ISA Firewall Forms-based Authentication (FBA) for OWA Connections for both Internal and External Clients?
I would like to use FBA for both external and internal users and be able to support the ActiveSync process. I have the FBA and ActiveSync working with Kai's approach, but when I try and implement the internal listener I get an error: "a web listener on similar IP and port is already in use by rule "OWA FBA(External to Localhost)". Web listener IP addresses and ports used by different rules cannot overlap".
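As an added illustration (not code from the thread, from ISA, or from Kai's article), the following model captures the two rules described in the earlier reply (an FBA listener for the OWA paths, a Basic listener for /Microsoft-Server-ActiveSync/* and /rpc/*) and checks for the two errors discussed: a rule whose "to" name does not match the backend certificate's CN, and two listeners bound to the same IP:port, which is what the overlap error quoted above reports. All host names, addresses and rule names are constructed placeholders.

```python
# Added example, not code from the thread or from ISA itself: a small model of
# Web publishing rules that catches two of the misconfigurations discussed above.
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Listener:
    name: str
    ip: str      # external IP the listener is bound to (constructed)
    port: int
    auth: str    # "FBA" for the OWA site, "Basic" for ActiveSync / RPC over HTTPS

@dataclass
class PublishingRule:
    name: str
    listener: Listener
    paths: list   # ISA-style path patterns, e.g. "/rpc/*"
    to_name: str  # name ISA uses to reach the backend (must match the cert)
    cert_cn: str  # CN on the certificate the backend presents (constructed)

def overlapping_listeners(rules):
    """Pairs of distinct listeners bound to the same IP:port (ISA rejects this)."""
    seen, clashes = {}, []
    for r in rules:
        first = seen.setdefault((r.listener.ip, r.listener.port), r.listener)
        if first is not r.listener:
            clashes.append((first.name, r.listener.name))
    return clashes

def name_mismatches(rules):
    """Rules whose 'to' name differs from the backend cert CN (the cert error above)."""
    return [r.name for r in rules if r.to_name.lower() != r.cert_cn.lower()]

def route(rules, path):
    """First rule whose path set matches the request path, or None (case-insensitive)."""
    for r in rules:
        if any(fnmatchcase(path.lower(), p.lower()) for p in r.paths):
            return r
    return None

owa_listener = Listener("OWA FBA listener", "192.0.2.10", 443, "FBA")
# A second listener on the same IP:port reproduces the overlap error quoted above.
mobile_listener = Listener("Mobile Basic listener", "192.0.2.10", 443, "Basic")
RULES = [
    PublishingRule("OWA FBA", owa_listener, ["/exchange/*", "/exchweb/*", "/public/*"],
                   "owa.example.com", "owa.example.com"),
    PublishingRule("Exchange mobile services", mobile_listener,
                   ["/Microsoft-Server-ActiveSync/*", "/rpc/*"],
                   "exchsrv01", "owa.example.com"),  # local name instead of cert name
]
```

Running `overlapping_listeners(RULES)` and `name_mismatches(RULES)` reports both problems before the rules are applied; `route(RULES, path)` shows which listener, and therefore which authentication method, a given request path ends up on.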
Tom, maybe a dumb question (maybe!). But if you do this option then whilst the DNS pointers will work fine, if you are going back to the same backend server then isn't your certificate implementation going to go screwy? By standard install the site would have a cert for owa.msfirewall.org, but not the other two.
Great article and solution to a single IP issue. I do have several customers where I can bind a second IP to the external NIC as mentioned in the beginning of your article. I have searched for an article explaining what needs to be done to create the rule and how the web publishing rule uses the second IP for the basic authentication for the Exchange mobile services. Does a second web listener need to be created and bound to the second IP? Does the rule use owa.name.com, or do A records (host) need to be set up for OMA, ActiveSync, and RPC? Any help would be appreciated. Again, great article and web site.
If you have additional addresses, then you can create a second Web listener and bind a second certificate for the OWA/ActiveSync site. You won't be able to use the same certificate, so you'll need to create a second certificate with a different common/subject name on it.
Today I followed your great "tutorial" to get OWA and RPC over HTTP running together. I created both listeners and configured them as described in the tutorial. I did not configure access for RPC over HTTP until now because I have problems accessing OWA. When I try to connect to OWA from external I get the form. When I enter my user name and password and submit, the website again shows the form. I used the logging function of the ISA. There I can see that the incoming connection from external is forwarded to the localhost. And then I wonder if it's correct that the local listener is trying to connect again to 127.0.0.1. So both source IP and destination IP are the same. If I change the local listener to forward to the internal IP address, connecting to OWA fails. If I change the local listener to forward to the internal DNS name of the Exchange server, the connection also fails, because of the wrong CN in the certificate. So could somebody help me?
Thanks for the article. We have ISA 2004 on our DMZ and Exchange clustered servers on our internal network. We are trying to configure OWA as you have in your article. One question: by default, our Exchange virtual HTTP server is not configured for SSL. If we configure this so we can have an SSL-SSL tunnel between our ISA and Exchange servers, which certificate can we use? I have 2 certificates on my ISA that I use: one is for our external access, owa.company.com, and the other is companyca.com, which is the internal localhost certificate.
I have to chime in here too. I'd like to thank Tom and Kai for this great article. It works perfectly for me.
I also have to say this site is an invaluable resource. Just about every question I've had about the ISA server has been answered either in the articles or the forums.