Welcome to ISAserver.org
RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP
RE: Discussion for article on Supporting Forms-based a... - 23.Sep.2005 3:32:00 PM
|
|
|
mmeltzer
Posts: 28
Joined: 17.Nov.2003
Status: offline
|
Has anyone gotten this to work for both FBA OWA, Active-Sync, OMA, and RPC over HTTP?
In my configuration, all but the RPC over HTTP seem to work. I've noticed a lot of conflicting information from the various documents I've read from Microsoft, so I'm not sure if there is a configuration error or what.
Which of the 3 rules should I add the path for RPC? Is it the "Exchange mobile services"?
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 26.Sep.2005 6:05:00 PM
|
|
|
Jason Jones
Posts: 1982
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
|
quote: Originally posted by Marc Meltzer: Has anyone gotten this to work for both FBA OWA, Active-Sync, OMA, and RPC over HTTP?
In my configuration, all but the RPC over HTTP seem to work. I've noticed a lot of conflicting information from the various documents I've read from Microsoft, so I'm not sure if there is a configuration error or what.
Which of the 3 rules should I add the path for RPC? Is it the "Exchange mobile services"?
Latest and probs best guide to date: http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/firewall-exchange2003.mspx
Also check out my observations here:
JJ
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 30.Sep.2005 11:51:00 AM
|
|
|
Guest
|
quote: Originally posted by <jrrygrrd>: First off I think this is an awesome idea!
However, I've followed this article at a client site to the T. (I did have to install an enterprise CA which I did and got it to work and created the localhost cert on my isa box successfully.) But when I try to connect from an outside client, I get the following error:
Error Code: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted. (-2146893019)
I know that I'm probably missing something simple, but any help on how to fix would be appreciated!
I am also receiving this error message, any luck in resolving the issue?
Andy Friar
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 30.Sep.2005 1:34:00 PM
|
|
|
pantherfan
Posts: 45
Joined: 7.Jun.2001
Status: offline
|
You can get the fba, owa, activesync, and rpc via https all working yes (we have that in production here), but you will need to create separate web publishing rules using separate listeners, one for the OWA site, and one for activesync/rpc via https because you need to setup outlook using FBA (assume you do at least), while the rpc via https and activesync use basic auth (but over https).
As to how to publish them, they are just specific urls, namely /Microsoft-Server-Activesync/* for the activesync and /rpc/* for the rpc via https.
Also, for the guy getting the certificate error, that's usually when you have the destination server in your rule setup with its local name rather than the name on the cert. Try creating a local entry in the ISA host table mapping the "external" name to the internal IP, or if you have split dns make a record for the external name mapping.
|
|
|
|
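As an added example (not part of the original thread and not ISA Server tooling), the Python below audits a constructed publishing plan for the three problems raised in this discussion: FBA and Basic rules sharing one listener, a To-tab name that is not on the published server's certificate, and two listeners bound to the same IP and port. The dictionary layout, listener names, IP addresses and the `exch-fe01` host name are assumptions made for illustration.

```python
# Added example: constructed data, not an export from a real ISA Server.

def cert_matches(name, cert_names):
    """True if `name` is covered by one of the certificate's names."""
    name = name.lower()
    for pattern in (p.lower() for p in cert_names):
        if pattern == name:
            return True
        # A wildcard covers exactly one left-most label.
        if pattern.startswith("*.") and "." in name \
                and name.split(".", 1)[1] == pattern[2:]:
            return True
    return False

def audit(listeners, rules, backend_cert_names):
    """Return (finding, subject, detail) tuples for a publishing plan."""
    findings = []
    bound = {}
    for lname, lst in listeners.items():
        key = (lst["ip"], lst["port"])
        if key in bound:  # two listeners on one IP:port cannot coexist
            findings.append(("listener-overlap", lname, bound[key]))
        bound.setdefault(key, lname)
    for rule in rules:
        # Modelled assumption: one auth method per listener (FBA or Basic).
        if rule["auth"] != listeners[rule["listener"]]["auth"]:
            findings.append(("auth-mismatch", rule["name"], rule["listener"]))
        # The To-tab name must be a name on the published server's certificate.
        if not cert_matches(rule["to_name"], backend_cert_names):
            findings.append(("to-name-not-on-cert", rule["name"], rule["to_name"]))
    return findings

LISTENERS = {  # constructed sample
    "owa-fba": {"ip": "192.0.2.10", "port": 443, "auth": "FBA"},
    "mobile-basic": {"ip": "192.0.2.11", "port": 443, "auth": "Basic"},
}
RULES = [  # constructed sample; paths are the ones named in the thread
    {"name": "OWA", "listener": "owa-fba", "auth": "FBA",
     "path": "/exchange/*", "to_name": "owa.msfirewall.org"},
    {"name": "ActiveSync", "listener": "owa-fba", "auth": "Basic",
     "path": "/Microsoft-Server-Activesync/*", "to_name": "owa.msfirewall.org"},
    {"name": "RPC over HTTPS", "listener": "mobile-basic", "auth": "Basic",
     "path": "/rpc/*", "to_name": "exch-fe01"},
]
BACKEND_CERT_NAMES = ["owa.msfirewall.org"]

if __name__ == "__main__":
    for finding in audit(LISTENERS, RULES, BACKEND_CERT_NAMES):
        print(finding)
```
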
RE: Discussion for article on Supporting Forms-based a... - 14.Oct.2005 10:33:00 AM
|
|
|
mmeltzer
Posts: 28
Joined: 17.Nov.2003
Status: offline
|
The question now is how do I configure the clients to access RPC, OMA, or ActiveSync?
For OWA, I was able to easily redirect requests for http://owa.msfirewall.org to https://owa.msfirewall.org/exchange just by modifying the default.asp on the FE server.
Is there a way to do that for RPC or OMA, or do the clients have to fully type out https://oma.msfirewall.org/oma etc.?
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 15.Oct.2005 1:10:00 AM
|
|
|
tad_braun
Posts: 94
Joined: 31.Dec.2003
Status: offline
|
Hello,
I can't even begin to tell you how stoked I am right now. Kai's article was EXACTLY what I needed to get my new E2K3 Server OWA and OMA/ActiveSync flowing on a single IP with security.
I want to thank Tom for the great site, and Kai for the great article. It's good to think out of the box like this...
---Thaddeus B.
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 14.Mar.2006 1:41:40 AM
|
|
|
WebHouse
Posts: 6
Joined: 14.Mar.2006
Status: offline
|
I have implemented as per the directions in the article. We have a test environment setup like this: internet-->linksys-->dmz to isa2004 and all works fine internal to the linksys. Even when I point to the https://fqdn/exchange it appears I go to the public ip and come in the ISAS server and I can get to the OWA form. From anywhere outside the linksys I get "cannot establish a connection" and I never see the OWA form. I see in ISA monitoring the https connect but it appears to timeout. I notice internally it is slow to get the OWA form up, once I authenticate OWA runs fine. Is this some sort of timeout issue externally? Any ideas where I can look to troubleshoot? Thanks for any help! Dan
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 22.Mar.2006 8:58:30 PM
|
|
|
rtandres
Posts: 1
Joined: 22.Mar.2006
Status: offline
|
Tom. Thanks for all of the hard work you do in this arena. My question is: "When you use Kai Wilke's approach for using FBA and Basic on a single external IP can you also force your users from the internal network to use ISA's FBA as stated in your article Enabling ISA Firewall Forms-based Authentication (FBA) for OWA Connections for both Internal and External Clients?" I would like to use FBA for both external and internal users and be able to support the Active sync process. I have the FBA and Active sync working with Kai's approach, but when I try and implement the internal listener I get an error "a web listener on similar IP and port is already in use by rule "OWA FBA(External to Localhost)". Web listener IP addresses and ports used by different rules cannot overlap". I do have a split DNS infrastructure in place. I appreciate any help anyone can provide. Thanks, --Robert
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 23.Mar.2006 4:22:09 PM
|
|
|
moorbygp
Posts: 1
Joined: 11.Mar.2006
Status: offline
|
This is a super article that solves my problem exactly
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 16.May.2006 1:27:35 PM
|
|
|
peter_bryant
Posts: 6
Joined: 9.Aug.2004
Status: offline
|
quote: Originally posted by tshinder: You create separate DNS entries for OWA and OMA/RPC over HTTP sites. For example, separate entries for: owa.msfirewall.org, outlook.msfirewall.org, oma.msfirewall.org
Tom, maybe a dumb question (maybe!). But if you do this option then whilst the DNS pointers will work fine, if you are going back to the same backend server then isn't your certificate implementation going to go screwy? By standard install the site would have a cert for owa.msfirewall.org, but not the other two. So what have I missed?
Cheers, Peter
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 20.May.2006 6:41:13 PM
|
|
|
tshinder
Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Peter, You can use the same name on the To tab for all the publishing rules. You don't have to use the same name from end to end. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 3.Jul.2006 9:55:27 PM
|
|
|
dlees
Posts: 1
Joined: 3.Jul.2006
Status: offline
|
Great article and solution to a single IP issue. I do have several customers that I can bind a second IP to the external NIC as mentioned in the beginning of your article. I have searched for an article explaining what needs to be done to create the rule and how the web publishing rule uses the second IP for the basic authentication for the Exchange mobile services. Does a second web listener need to be created and bound to the second IP? Does the rule use owa.name.com or do A records (host) need to be set up for oma, active-sync, and rpc? Any help would be appreciated. Again, great article and web site.
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 4.Jul.2006 3:51:07 PM
|
|
|
tshinder
Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi D, If you have additional addresses, then you can create a second Web listener and bind a second certificate for the OWA/ActiveSync site. You won't be able to use the same certificate, so you'll need to create a second certificate with a different common/subject name on it. HTH, Tom
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 10.Jul.2006 6:29:23 PM
|
|
|
vuvur
Posts: 11
Joined: 3.Feb.2006
From: Germany
Status: offline
|
Hi, has somebody succeeded with RSA for OWA + basic for Activesync on a single IP? I've seen some attempts were made... And how it SHOULD BE done right? What's the difference with FBA? Regards, Sergey
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 21.Jul.2006 10:07:06 PM
|
|
|
bwagrocki
Posts: 1
Joined: 21.Jul.2006
Status: offline
|
Hello tshinder, today I followed your great "tutorial" to get owa and rpc over http running together. I created both listeners and configured them as described in the tutorial. I did not configure access for RPC over HTTP until now because I have problems accessing OWA. When I try to connect to OWA from external I get the form. When I enter my user name and password and submit, the website again shows the form. I used the logging function of the ISA. There I can see that the incoming connection from external is forwarded to the localhost. And then I wonder if it's correct that the local listener is trying to connect again to 127.0.0.1. So both source IP and destination IP are the same. If I change the local listener to forward to the internal ip address, connecting to owa fails. If I change the local listener to forward to the internal DNS name of the exchange server the connection also fails, because of the wrong cn in the certificate. So could somebody help me? Best regards, -Benjamin Wagrocki-
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 28.Jul.2006 5:06:08 AM
|
|
|
RodolfoG29
Posts: 1
Joined: 28.Jul.2006
Status: offline
|
Hi Tom, Thanks for the article. We have ISA 2004 on our DMZ and Exchange Clustered Servers on our internal network. We are trying to configure OWA as you have in your article. One question: by default, our Exchange Virtual http server is not configured for SSL. If we configure this so we can have SSL-SSL tunnel between our ISA and Exchange servers, which certificate can we use? I have 2 certificates on my ISA that I use...one is for our external access...owa.company.com and the other is companyca.com which is the internal localhost certificate. Thanks for your assistance.
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 28.Jul.2006 3:16:16 PM
|
|
|
tshinder
Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hey guys, As you know, Microsoft does not support this method and we use it at our own risk. The good news is that if you use ISA 2006, it fixes the problem. HTH, Tom
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 4.Dec.2006 2:27:19 PM
|
|
|
joebubba
Posts: 2
Joined: 4.Dec.2006
Status: offline
|
I have to chime in here too. I'd like to thank Tom and Kai for this great article. It works perfectly for me. I also have to say this site is an invaluable resource. Just about every question I've had about the ISA server has been answered either in the articles or the forums. Cheers Tom! --Joe
|
|
|
|