RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP

RE: Discussion for article on Supporting Forms-based a... - 12.Dec.2006 1:15:37 AM   
karlf

 

Posts: 14
Joined: 29.Jun.2006
Status: offline
Thanks for the great article. We've had everything published via one DNS name for perhaps a year now. 2006 seems quite different. Glad I came back to this thread and found your note here about 2006 fixing the problem.

Here's what I've noticed:

Importing directly from the 2004 config seems to kind of work, but I get what looks like a basic auth popup screen after the FBA authentication screen.
 
The Forms Based page no longer looks like the English version of the Exchange FBA page. I'm wondering if I can keep/copy the old one over so users don't notice the upgrade.
 
There's a new place for the internal URL in the To section - this is nice so I don't need a bogus HOSTS file any longer.

Any tips on how to unravel the previously necessary complexity into some elegant 2006 rules?

(in reply to tshinder)
Post #: 61
RE: Discussion for article on Supporting Forms-based a... - 12.Dec.2006 6:40:09 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Karl,

You might want to recreate the Web Publishing Rule instead of using the one the upgrade wizard created for you.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to karlf)
Post #: 62
RE: Discussion for article on Supporting Forms-based a... - 13.Dec.2006 3:06:52 PM   
andyhwc

 

Posts: 13
Joined: 23.May2006
Status: offline
I have a stupid question.  Can someone tell me how to configure the ISA so it will apply the OWA FBA rule for https://owa.msfirewall.org/exchange 192.168.1.70, and apply the OMA or Active-Sync rule for https://owa.msfirewall.org/oma or https://owa.msfirewall.org/active-sync 192.168.1.71?    

Should I have owa.msfirewall.org 192.168.1.70 on DNS?


thanks

(in reply to tshinder)
Post #: 63
RE: Discussion for article on Supporting Forms-based a... - 13.Dec.2006 3:55:32 PM   
karlf

 

Posts: 14
Joined: 29.Jun.2006
Status: offline
Thanks, I just tried that. The main reason for chaining listeners appears to still be there. The FBA setting is specific to a listener, not the URL so I can't say for /Exchange only use FBA. I think I'm missing something important here.

(in reply to tshinder)
Post #: 64
RE: Discussion for article on Supporting Forms-based a... - 9.Jan.2007 9:23:01 PM   
tad_braun

 

Posts: 101
Joined: 31.Dec.2003
Status: offline
Hello,

We've grown up a bit. We used to have a DSL line with a single IP, and now we have a T1 with multiple external IPs. What's the best way to convert from Kai's article to use multiple IPs and listeners? What about certificates? New ones needed, maybe? Should the old one stay with the OWA FBA stuff?

Any articles or tips would be appreciated...


---Thaddeus

(in reply to karlf)
Post #: 65
RE: Discussion for article on Supporting Forms-based a... - 10.Jan.2007 5:00:33 PM   
karlf

 

Posts: 14
Joined: 29.Jun.2006
Status: offline
No matter the connection size it's still nice to package all mail related services under the same URL and certificate for users.

Update to the thread: I found out my answer - you can have FBA and RPC/HTTP on one listener but you have to use Basic Authentication for RPC. What this means is that the old listener chaining method still is the only way I know to use NTLM for RPC so that Outlook doesn't challenge users for a password every time they launch it.


(in reply to tad_braun)
Post #: 66
RE: Discussion for article on Supporting Forms-based a... - 23.Jan.2007 4:15:01 PM   
Zabulon

 

Posts: 22
Joined: 23.Jan.2007
Status: offline
I am having the same issue on ISA 2006 with one NIC.  I need to be able to use OWA & ActiveSync but I can't because you can only bind one listener to the adapter.  How do I get around this... I see that people have said ISA 2006 fixes this problem but I am still stuck.

Thank you!

(in reply to karlf)
Post #: 67
RE: Discussion for article on Supporting Forms-based a... - 24.Jan.2007 9:14:47 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hork mode (single NIC) is never a desired configuration. Try a full deployment.

The trick mentioned in this article is not required in 2006 ISA Firewalls.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Zabulon)
Post #: 68
RE: Discussion for article on Supporting Forms-based a... - 24.Jan.2007 9:23:04 AM   
Zabulon

 

Posts: 22
Joined: 23.Jan.2007
Status: offline
Thanks Tom, but I'm a bit confused about what configuration I should use to deploy ActiveSync & OWA via the same certificate, since you can only apply one listener per adapter?

Thanks

(in reply to tshinder)
Post #: 69
RE: Discussion for article on Supporting Forms-based a... - 24.Jan.2007 9:25:59 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
With 2006 ISA Firewalls a single listener supports both OWA and ActiveSync. Check my definitive article on this site.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Zabulon)
Post #: 70
RE: Discussion for article on Supporting Forms-based a... - 24.Jan.2007 10:05:34 AM   
Zabulon

 

Posts: 22
Joined: 23.Jan.2007
Status: offline
Let me explain what I am doing... I was under the impression you could not have ActiveSync working with forms-based authentication.  Our OWA is set up to use FBA/RSA SecurID, so ActiveSync was not able to function. Is there a way to allow ActiveSync to work as well?  I read through your articles but I didn't see this setup.

Thanks!

(in reply to tshinder)
Post #: 71
RE: Discussion for article on Supporting Forms-based a... - 24.Jan.2007 12:13:08 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
With the 2006 ISA Firewall, non-browser clients fall back to Basic auth -- so a single listener can be used for FBA and ActiveSync.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Zabulon)
Post #: 72
RE: Discussion for article on Supporting Forms-based a... - 24.Jan.2007 3:10:06 PM   
Zabulon

 

Posts: 22
Joined: 23.Jan.2007
Status: offline
Tom,
I went ahead and set up an ISA 2006 Edge firewall with two NICs and set up 1 listener for OWA/ActiveSync together.  I am now getting the exact same error "denied connection" as I was before.  My smartphone just keeps prompting for a password.  I then set up a rule for just basic authentication for ActiveSync and that worked fine once again. I just can't get OWA & ActiveSync to work at the same time.

Thoughts?

(in reply to tshinder)
Post #: 73
RE: Discussion for article on Supporting Forms-based a... - 25.Jan.2007 9:59:35 AM   
Zabulon

 

Posts: 22
Joined: 23.Jan.2007
Status: offline
You said it would automatically revert back to basic auth (EAS), but I checked my virtual directory on my Exchange box and both Integrated Windows authentication and Basic auth are checked... I don't think this is the issue since the ISA server denies the connection when the listener is set up as FBA.  What am I doing wrong? OWA works awesome but I just can't get EAS to flow with an FBA listener.

(in reply to Zabulon)
Post #: 74
RE: Discussion for article on Supporting Forms-based a... - 27.Jan.2007 12:17:26 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Zab,

Try removing the integrated auth option in the EAS Exchange Directory.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Zabulon)
Post #: 75
RE: Discussion for article on Supporting Forms-based a... - 2.Mar.2007 11:09:40 PM   
jasmine

 

Posts: 2
Joined: 2.Mar.2007
Status: offline
Hi Tom,

I have a server with 1 external NIC.  I actually have OWA configured with SSL the way it's explained in Kai's article due to integration with another application that can only use basic authentication.  It's been working well for us.

We implemented ActiveSync for some users in a little "pilot" to evaluate it on port 80 using a different URL  (e.g., eas.company.com instead of myowaemail.company.com).   Now I need to apply the SSL and when I try to configure the rule to use the new web listener for the new URL, I received the error, "A web listener that listens on similar IP and port is already in use by the rule xxx..."  Is there a way around this without having to use the original owa url?  In addition, the original OWA URL is long and cumbersome to type so we prefer using the short EAS URL.

Any suggestion would be welcome.  Thank you. J

(in reply to tshinder)
Post #: 76
RE: Discussion for article on Supporting Forms-based a... - 22.Apr.2007 5:23:05 PM   
Je@nb

 

Posts: 8
Joined: 8.Mar.2006
Status: offline
Hi,

I now administer an ISA 2004 with an Exchange 2003.

The ex-admin had configured the ISA with a single listener with Basic Auth (for all our sites including OWA, OMA, ActiveSync, RPCoHTTP, etc.; all Exchange-related web publishing is in a single rule).
The form auth is configured on the Exchange.

Is it a mistake? What are the cons, because this way everything works perfectly?

We plan to move to Exchange 2007; will this configuration still work?

(in reply to jasmine)
Post #: 77
RE: Discussion for article on Supporting Forms-based a... - 29.Aug.2007 8:31:38 AM   
unarcher

 

Posts: 5
Joined: 29.Aug.2007
Status: offline
Hi Mr Shinder.

I am actually using ISA 2006, and I am facing the same problem despite the fact that you said it would work without using this trick.

Access to OMA or OWA with IE and a PC is working great with FBA.
But as soon as I use a mobile device, access is denied, and I see this kind of entry in the error logs.
Can I correct the problem without your trick with ISA 2006 by changing a few parameters in the listener? Or is this the only way to succeed?


0.0.0.0 Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Smartphone; 240x320) No Reverse Proxy  mail.mydomain.net TCP GET   - -  - Req ID: 0ba6d9b2; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 
https Denied Connection   12239 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.  anonymous   http://mail.mydomain.net/oma 


Edit: I found that the Custom Form used for OWA/OMA, which was created by another administrator, only contains an HTML directory, and no cHTML and xHTML directory.
Maybe that is my problem, I will check this.

< Message edited by unarcher -- 29.Aug.2007 11:57:51 AM >

(in reply to tshinder)
Post #: 78
RE: Discussion for article on Supporting Forms-based a... - 30.Aug.2007 10:34:31 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Yes, with ISA 2006 you don't have to use this trick, as the 2006 ISA Firewall will fall back to basic authentication for mobile clients. There was a bug with Symbian phones which involved a typo in the client-agents recognized as phone browsers, but there's a fix for that.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to unarcher)
Post #: 79
RE: Discussion for article on Supporting Forms-based a... - 27.Sep.2007 1:50:45 PM   
bonzo

 

Posts: 14
Joined: 12.Mar.2004
Status: offline
Hi,
how about configuring a second listener for forms-based OWA on another port, let's say 8443 and use port 443 for rpc over https and so on? What I don't know is whether or not the same certificate could be used on the ISA. Would that be possible?
I like the solution presented in this paper. However, reading the text under "Warning" makes me wonder if it is a good idea to implement it in a production environment.

Thanks and regards
Ueli Strasser

(in reply to karlf)
Post #: 80
