RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP
RE: Discussion for article on Supporting Forms-based a... - 12.Dec.2006 1:15:37 AM
|
|
|
karlf
Posts: 6
Joined: 29.Jun.2006
Status: offline
|
Thanks for the great article. We've had everything published via one DNS name for perhaps a year now. 2006 seems quite different. Glad I came back to this thread and found your note here about 2006 fixing the problem. Here's what I've noticed: Importing directly from the 2004 config seems to kind of work, but I get what looks like a basic auth popup screen after the FBA authentication screen. The Forms Based page no longer looks like the English version of the Exchange FBA page. I'm wondering if I can keep/copy the old one over so users don't notice the upgrade. There's a new place for the internal URL in the To section - this is nice so I don't need a bogus HOSTS file any longer. Any tips on how to unravel the previously necessary complexity into some elegant 2006 rules?
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 12.Dec.2006 6:40:09 AM
|
|
|
tshinder
Posts: 47154
Joined: 10.Jan.2001
From: Texas
Status: online
|
Hi Karl, You might want to recreate the Web Publishing Rule instead of using the one the upgrade wizard created for you. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 13.Dec.2006 3:55:32 PM
|
|
|
karlf
Posts: 6
Joined: 29.Jun.2006
Status: offline
|
Thanks, I just tried that. The main reason for chaining listeners appears to still be there. The FBA setting is specific to a listener, not the URL so I can't say for /Exchange only use FBA. I think I'm missing something important here.
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 9.Jan.2007 9:23:01 PM
|
|
|
tad_braun
Posts: 94
Joined: 31.Dec.2003
Status: offline
|
Hello, We've grown up a bit. We used to have a DSL line with a single IP, and now we have a T1 with multiple external IPs. What's the best way to convert from Kai's article to use multiple IPs and listeners? What about certificates? New ones needed, maybe? Should the old one stay with the OWA FBA stuff? Any articles or tips would be appreciated... ---Thaddeus
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 10.Jan.2007 5:00:33 PM
|
|
|
karlf
Posts: 6
Joined: 29.Jun.2006
Status: offline
|
No matter the connection size it's still nice to package all mail related services under the same URL and certificate for users. Update to the thread: I found out my answer - you can have FBA and RPC/HTTP on one listener but you have to use Basic Authentication for RPC. What this means is that the old listener chaining method still is the only way I know to use NTLM for RPC so that Outlook doesn't challenge users for a password every time they launch it.
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 23.Jan.2007 4:15:01 PM
|
|
|
Zabulon
Posts: 22
Joined: 23.Jan.2007
Status: offline
|
I am having the same issue on ISA 2006 with one NIC. I need to be able to use OWA & ActiveSync but I can't because you can only bind one listener to the adapter. How do I get around this... I see that people have said ISA 2006 fixes this problem but I am still stuck. Thank you!
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 24.Jan.2007 9:14:47 AM
|
|
|
tshinder
Posts: 47154
Joined: 10.Jan.2001
From: Texas
Status: online
|
Hork mode (single NIC) is never a desired configuration. Try a full deployment. The trick mentioned in this article is not required in 2006 ISA Firewalls. HTH, Tom
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 24.Jan.2007 9:23:04 AM
|
|
|
Zabulon
Posts: 22
Joined: 23.Jan.2007
Status: offline
|
Thanks Tom, but I'm a bit confused about what configuration I should use to deploy ActiveSync & OWA via the same certificate, since you can only apply one listener per adapter? Thanks
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 24.Jan.2007 9:25:59 AM
|
|
|
tshinder
Posts: 47154
Joined: 10.Jan.2001
From: Texas
Status: online
|
With 2006 ISA Firewalls a single listener supports both OWA and ActiveSync. Check my definitive article on this site. Tom
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 24.Jan.2007 10:05:34 AM
|
|
|
Zabulon
Posts: 22
Joined: 23.Jan.2007
Status: offline
|
Let me explain what I am doing... I was under the impression you could not have ActiveSync working with forms-based authentication. Our OWA is set up to use FBA/RSA SecurID, so ActiveSync was not able to function. Is there a way to allow ActiveSync to work as well? I read through your articles but I didn't see this setup. Thanks!
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 24.Jan.2007 12:13:08 PM
|
|
|
tshinder
Posts: 47154
Joined: 10.Jan.2001
From: Texas
Status: online
|
With the 2006 ISA Firewall, non-browser clients fall back to Basic auth -- so a single listener can be used for FBA and ActiveSync. HTH, Tom
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 24.Jan.2007 3:10:06 PM
|
|
|
Zabulon
Posts: 22
Joined: 23.Jan.2007
Status: offline
|
Tom, I went ahead and set up an ISA 2006 Edge firewall with two NICs and set up 1 listener for OWA/ActiveSync together. I am now getting the exact same error "denied connection" as I was before. My smartphone just keeps prompting for a password. I then set up a rule for just basic authentication for ActiveSync and that worked fine once again. I just can't get OWA & ActiveSync to work at the same time. Thoughts?
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 25.Jan.2007 9:59:35 AM
|
|
|
Zabulon
Posts: 22
Joined: 23.Jan.2007
Status: offline
|
You said it would automatically revert back to basic auth (EAS), but I checked my virtual directory on my Exchange box and both Integrated Windows authentication and Basic auth are checked... I don't think this is the issue, since the ISA server denies the connection when the listener is set up as FBA. What am I doing wrong? OWA works awesome but I just can't get EAS to flow with an FBA listener.
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 2.Mar.2007 11:09:40 PM
|
|
|
jasmine
Posts: 2
Joined: 2.Mar.2007
Status: offline
|
Hi Tom, I have a server with 1 external NIC. I actually have OWA configured with SSL the way it's explained in Kai's article due to integration with another application that can only use basic authentication. It's been working well for us. We implemented ActiveSync for some users in a little "pilot" to evaluate it on port 80 using a different URL (e.g., eas.company.com instead of myowaemail.company.com). Now I need to apply the SSL and when I try to configure the rule to use the new web listener for the new URL, I received the error, "A web listener that listens on similar IP and port is already in use by the rule xxx..." Is there a way around this without having to use the original owa url? In addition, the original OWA URL is long and cumbersome to type so we prefer using the short EAS URL. Any suggestion would be welcome. Thank you. J
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 22.Apr.2007 5:23:05 PM
|
|
|
Je@nb
Posts: 8
Joined: 8.Mar.2006
Status: offline
|
Hi, I now administer an ISA 2004 with an Exchange 2003. The previous admin had configured the ISA with a single listener with Basic Auth (for all our sites including OWA, OMA, ActiveSync, RPCoHTTP, etc.; all Exchange-related web publishing is in a single rule). The forms auth is configured on the Exchange. Is this a mistake? What are the cons, given that everything works perfectly this way? We plan to move to Exchange 2007; will this configuration still work?
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 29.Aug.2007 8:31:38 AM
|
|
|
unarcher
Posts: 4
Joined: 29.Aug.2007
Status: offline
|
Hi Mr Shinder. Actually, using ISA 2006, I am facing the same problem despite the fact that you said it would work without using this trick. Access to OMA or OWA with IE on a PC is working great with FBA, but as soon as I use a mobile device, access is denied, and I see this kind of entry in the error logs. Can I correct the problem without your trick with ISA 2006 by changing a few parameters in the listener? Or is this the only way to succeed?

0.0.0.0 Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Smartphone; 240x320) No Reverse Proxy mail.mydomain.net TCP GET - - - Req ID: 0ba6d9b2; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - https Denied Connection 12239 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. anonymous http://mail.mydomain.net/oma

Edit: I found that the Custom Form used for OWA/OMA, which was created by another administrator, only contains an HTML directory, and no cHTML and xHTML directory. Maybe that is my problem, I will check this.
< Message edited by unarcher -- 29.Aug.2007 11:57:51 AM >
|
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 30.Aug.2007 10:34:31 AM
|
|
|
tshinder
Posts: 47154
Joined: 10.Jan.2001
From: Texas
Status: online
|
Yes, with ISA 2006 you don't have to use this trick, as the 2006 ISA Firewall will fall back to basic authentication for mobile clients. There was a bug with Symbian phones which involved a typo in the client-agents recognized as phone browsers, but there's a fix for that. HTH, Tom
|
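A triage helper for the denial quoted in unarcher's post, added here as an example and not part of any post in this thread: it extracts the request ID, User-Agent and FBA cookie fields from flattened log text and lists requests denied with 12239 that carried no FBA cookie and were logged with client type=unknown. The field layout is assumed from that one quoted line; the second sample entry and all function names are constructed.

```python
import re

# Constructed sample input. Entry 1 repeats the line quoted in the post;
# entry 2 is a made-up allowed browser request for contrast.
SAMPLE_LOG = [
    "0.0.0.0 Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Smartphone; 240x320) "
    "No Reverse Proxy mail.mydomain.net TCP GET - - - Req ID: 0ba6d9b2; "
    "FBA cookie: exists=no, valid=no, updated=no, logged off=no, "
    "client type=unknown, user activity=yes - - - https Denied Connection 12239 "
    "The server requires authorization to fulfill the request. "
    "anonymous http://mail.mydomain.net/oma",
    "0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) "
    "No Reverse Proxy mail.mydomain.net TCP GET - - - Req ID: 00000001; "
    "FBA cookie: exists=yes, valid=yes, updated=yes, logged off=no, "
    "client type=public, user activity=yes - - - https Allowed Connection 200 "
    "user1 http://mail.mydomain.net/exchange",
]

# Assumption: flattened field order as in the quoted line.
REQ_RE = re.compile(r"Req ID: (?P<req>[0-9a-fA-F]+); FBA cookie: (?P<kv>.*?) - - -")
DENY_RE = re.compile(r"Denied Connection (?P<code>\d+)")
UA_RE = re.compile(r"^\S+ (?P<ua>.+?) (?:No|Yes) Reverse Proxy")

def parse_entry(line):
    """Return request ID, User-Agent, FBA cookie fields and denial code, or None."""
    m = REQ_RE.search(line)
    if not m:
        return None
    fba = dict(pair.split("=", 1) for pair in m.group("kv").split(", "))
    ua = UA_RE.match(line)
    deny = DENY_RE.search(line)
    return {
        "req_id": m.group("req"),
        "user_agent": ua.group("ua") if ua else None,
        "fba": fba,
        "denied_code": int(deny.group("code")) if deny else None,
    }

def unclassified_denials(lines):
    """Entries denied with 12239, no FBA cookie sent, client type logged as unknown."""
    hits = []
    for line in lines:
        e = parse_entry(line)
        if (e and e["denied_code"] == 12239
                and e["fba"].get("exists") == "no"
                and e["fba"].get("client type") == "unknown"):
            hits.append(e)
    return hits
```

Grouping the returned entries by `user_agent` shows which device strings are being denied on the FBA listener, which is the value to compare against the listener's form set and client mappings.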
|
|
|
RE: Discussion for article on Supporting Forms-based a... - 27.Sep.2007 1:50:45 PM
|
|
|
bonzo
Posts: 14
Joined: 12.Mar.2004
Status: offline
|
Hi, how about configuring a second listener for forms-based OWA on another port, let's say 8443 and use port 443 for rpc over https and so on? What I don't know is whether or not the same certificate could be used on the ISA. Would that be possible? I like the solution presented in this paper. However, reading the text under "Warning" makes me wonder if it is a good idea to implement it in a production environment. Thanks and regards Ueli Strasser