Thanks for the great article. We've had everything published via one DNS name for perhaps a year now. 2006 seems quite different. Glad I came back to this thread and found your note here about 2006 fixing the problem.
Here's what I've noticed:
Importing directly from the 2004 config seems to kind of work, but I get what looks like a basic auth popup screen after the FBA authentication screen.
The Forms Based page no longer looks like the English version of the Exchange FBA page. I'm wondering if I can keep/copy the old one over so users don't notice the upgrade.
There's a new place for the internal URL in the To section - this is nice so I don't need a bogus HOSTS file any longer.
Any tips on how to unravel the previously necessary complexity into some elegant 2006 rules?
Thanks, I just tried that. The main reason for chaining listeners appears to still be there. The FBA setting is specific to a listener, not the URL so I can't say for /Exchange only use FBA. I think I'm missing something important here.
We've grown up a bit. We used to have a DSL line with a single IP, and now we have a T1 with multiple external IPs. What's the best way to convert from Kai's article to use multiple IPs and listeners? What about certificates? New ones needed, maybe? Should the old one stay with the OWA FBA stuff?
No matter the connection size it's still nice to package all mail related services under the same URL and certificate for users.
Update to the thread: I found out my answer - you can have FBA and RPC/HTTP on one listener but you have to use Basic Authentication for RPC. What this means is that the old listener chaining method still is the only way I know to use NTLM for RPC so that Outlook doesn't challenge users for a password every time they launch it.
I am having the same issue on ISA 2006 with one NIC. I need to be able to use OWA & ActiveSync but I can't, because you can only bind one listener to the adapter. How do I get around this? I see that people have said ISA 2006 fixes this problem, but I am still stuck.
Let me explain what I am doing. It was my impression that you could not have ActiveSync working with forms-based authentication. Our OWA is set up to use FBA/RSA SecurID, so ActiveSync was not able to function. Is there a way to allow ActiveSync to work as well? I read through your articles but I didn't see this setup.
Tom, I went ahead and set up an ISA 2006 Edge firewall with two NICs and set up one listener for OWA/ActiveSync together. I am now getting the exact same "denied connection" error as I was before. My smartphone just keeps prompting for a password. I then set up a rule with just basic authentication for ActiveSync, and that worked fine once again. I just can't get OWA & ActiveSync to work at the same time.
You said it would automatically revert back to basic auth (EAS), but I checked my virtual directory on my Exchange box and both Integrated Windows authentication and Basic auth are checked. I don't think this is the issue, since the ISA server denies the connection when the listener is set up as FBA. What am I doing wrong? OWA works awesome, but I just can't get EAS to flow with an FBA listener.
I have a server with 1 external NIC. I actually have OWA configured with SSL the way it's explained in Kai's article due to integration with another application that can only use basic authentication. It's been working well for us.
We implemented ActiveSync for some users in a little "pilot" to evaluate it on port 80 using a different URL (e.g., eas.company.com instead of myowaemail.company.com). Now I need to apply the SSL and when I try to configure the rule to use the new web listener for the new URL, I received the error, "A web listener that listens on similar IP and port is already in use by the rule xxx..." Is there a way around this without having to use the original owa url? In addition, the original OWA URL is long and cumbersome to type so we prefer using the short EAS URL.
I now administer an ISA 2004 with an Exchange 2003.
The previous admin had configured the ISA with a single listener with Basic Auth (for all our sites, including OWA, OMA, ActiveSync, RPCoHTTP, etc.; all Exchange-related web publishing is in a single rule). The forms auth is configured on the Exchange.
Is it a mistake? What are the cons, given that this way everything works perfectly?
We plan to move to Exchange 2007; will this configuration still work?
Actually, using ISA 2006, I am facing the same problem despite the fact that you said it would work without using this trick.
Access to OMA or OWA with IE on a PC works great with FBA, but as soon as I use a mobile device access is denied, and I see this kind of entry in the error logs. Can I fix the problem without your trick on ISA 2006 by changing a few parameters in the listener? Or is this the only way to succeed?
0.0.0.0 Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Smartphone; 240x320) No Reverse Proxy mail.mydomain.net TCP GET - - - Req ID: 0ba6d9b2; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - https Denied Connection 12239 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. anonymous http://mail.mydomain.net/oma
Edit: I found that the Custom Form used for OWA/OMA, which was created by another administrator, only contains an HTML directory and no cHTML or xHTML directories. Maybe that is my problem; I will check this.
< Message edited by unarcher -- 29.Aug.2007 11:57:51 AM >
Yes, with ISA 2006 you don't have to use this trick, as the 2006 ISA Firewall will fall back to basic authentication for mobile clients. There was a bug with Symbian phones which involved a typo in the client agents recognized as phone browsers, but there's a fix for that.
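The log entry quoted a few posts up is exactly the case the fallback covers: a phone browser arriving with no FBA cookie and being denied. As an added example (not from this thread and not part of ISA), here is a small Python parser for lines of that shape that reports mobile-client denials where the FBA cookie is absent, so they can be spotted in a log export. The first sample line is the one posted above; the second is a constructed "allowed" PC-browser line for contrast, and both its "Allowed Connection" wording and the user-agent markers are assumptions.

```python
import re

# Sample input: the poster's line verbatim, plus one constructed line for a PC
# browser that was let through (the "Allowed Connection" text is an assumption).
SAMPLE_LOG = [
    "0.0.0.0 Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Smartphone; 240x320) "
    "No Reverse Proxy mail.mydomain.net TCP GET - - - Req ID: 0ba6d9b2; "
    "FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, "
    "user activity=yes - - - https Denied Connection 12239 The server requires "
    "authorization to fulfill the request. Access to the Web server is denied. "
    "Contact the server administrator. anonymous http://mail.mydomain.net/oma",
    "0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) "
    "No Reverse Proxy mail.mydomain.net TCP GET - - - Req ID: 1a2b3c4d; "
    "FBA cookie: exists=yes, valid=yes, updated=no, logged off=no, client type=public, "
    "user activity=yes - - - https Allowed Connection 0 - "
    "DOMAIN\\user http://mail.mydomain.net/exchange/",
]

# Heuristic markers taken from the quoted agent string; extend for other phones.
MOBILE_UA_MARKERS = ("Windows CE", "Smartphone")


def parse_isa_line(line):
    """Extract the fields this thread cares about from one log line, or None."""
    m_head = re.match(r"^(?P<ip>\S+) (?P<ua>.+?) \S+ Reverse Proxy ", line)
    m_fba = re.search(r"FBA cookie: ((?:[\w ]+=\w+(?:, )?)+)", line)
    m_res = re.search(r"(Denied|Allowed) Connection (\d+)", line)
    m_url = re.search(r"(https?://\S+)$", line)
    if not (m_head and m_fba and m_res and m_url):
        return None
    # "exists=no, valid=no, ..." -> {"exists": "no", "valid": "no", ...}
    fba = dict(kv.split("=", 1) for kv in m_fba.group(1).split(", "))
    ua = m_head.group("ua")
    return {
        "ip": m_head.group("ip"),
        "user_agent": ua,
        "mobile": any(marker in ua for marker in MOBILE_UA_MARKERS),
        "fba_cookie": fba,
        "result": m_res.group(1),
        "code": int(m_res.group(2)),
        "url": m_url.group(1),
    }


def mobile_fba_denials(lines):
    """Return (ip, url, code) for mobile requests denied without an FBA cookie."""
    hits = []
    for line in lines:
        rec = parse_isa_line(line)
        if rec and rec["mobile"] and rec["result"] == "Denied" \
                and rec["fba_cookie"].get("exists") == "no":
            hits.append((rec["ip"], rec["url"], rec["code"]))
    return hits
```

A run over a real export that keeps flagging such lines after the move to 2006 points at the listener still challenging phones with the form rather than falling back.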
Hi, how about configuring a second listener for forms-based OWA on another port, let's say 8443, and using port 443 for RPC over HTTPS and so on? What I don't know is whether or not the same certificate could be used on the ISA. Would that be possible? I like the solution presented in this paper. However, reading the text under "Warning" makes me wonder if it is a good idea to implement it in a production environment.