Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (Full Version)






tshinder -> Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (11.Mar.2004 3:12:00 AM)

This thread is for discussing the article on supporting both FBA and Basic auth when you have only a single IP address on the external interface of the ISA firewall.

HTH,
Tom




tyronet -> RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (13.Mar.2004 7:35:00 AM)

I have an Exchange Server 2003 and ISA Server 2004 on one self-contained box in a colocation environment. We want to use it for Exchange hosting. We have two IPs assigned to the box and my question is how to configure the Exchange Server in conjunction with ISA Server so we can get RPC over HTTP for our clients. Thanks for your help!

Tyrone




tshinder -> RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (14.Mar.2004 8:04:00 PM)

Hi Tyrone,

Any way to get the Exchange Server off the firewall? That would greatly simplify the config and significantly improve the level of security provided by the firewall.

HTH,
Tom

[ March 14, 2004, 08:06 PM: Message edited by: tshinder ]




turbomcp -> RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (17.Mar.2004 10:54:00 AM)

great article
great idea
exactly my problem/question from 2 weeks ago:)




tshinder -> RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (17.Mar.2004 1:17:00 PM)

Hi Turbo,

Exactly! We're lucky that Kai sent me a note about this showing the solution!

Thanks!
Tom




AndyD -> RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (5.Apr.2004 1:16:00 PM)

Hi,

You have a screen shot in this article that shows a check box for Exchange ActiveSync. I don't have that on my Beta copy but I read on another post that you are now using the release candidate. Is it possible to post the settings that this check box sets up please, as I can't persuade ActiveSync to go through ISA at all despite a lot of trying.

Thanks

Andy




tshinder -> RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (6.Apr.2004 8:47:00 AM)

Hi Andy,

Unfortunately, it's a bit more complex than enabling the ActiveSync option [Frown]

Part of the solution is the one in the article by Kai Wilke and myself, which was posted to this site a couple of weeks ago.

We'll be working on this issue when we update the ISA 2000/Exchange Deployment Kit to ISA 2004 in the next few weeks.

HTH,
Tom




mcfly9 -> RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (29.Oct.2004 2:38:00 AM)

Hello,

I followed the instructions to set up this chained routing of FBA requests, however I keep on getting "Error Code 64: Host not available" when I try to reach OWA from the internet. Any clues? From the logs it seems like the first rule (External -> localhost) fails. I also checked that localhost doesn't translate on the ISA machine itself... might this be the problem?




mcfly9 -> RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (29.Oct.2004 3:17:00 AM)

Figured out meanwhile... The problem was that I have set both rules (ext -> loc, loc -> exch) to show the originating host in the source. It seems that this trick only works if you set originate from isa on both rules. However it is a bit suspicious to me that this only lies on some name resolving issue.




tshinder -> RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (29.Oct.2004 8:02:00 AM)

Hi McFly,

This is definitely an off-label config and not something regression tested by MS or by us. We know it works, but like all hacks, there are bound to be some limitations.

HTH,
Tom




JDSFIAD -> RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (3.Nov.2004 10:50:00 AM)

This article shows an illustration of the firewall policy, with the configured rules. My question is how did you configure the Last Default Rule to deny all Protocols in both directions, as the default is to deny all traffic. Also all publishing rules also appear to show protocols in both directions????




sdsmtss -> RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (6.Nov.2004 11:18:00 AM)

Tom,
I noticed in the article that you said...
quote:
One solution to this problem is to bind a second IP address to the external interface of the ISA Server 2004 firewall machine.
http://www.isaserver.org/tutorials/2004pubowamobile.html

I have the option to bind a second IP address to my ISA Servers external interface but I don't understand how DNS is supposed to resolve the correct IP address for Forms or Basic authentication. Any ideas?

Thanks,
Stephen




tshinder -> RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (7.Nov.2004 3:33:00 PM)

Hi Slacker,

You create separate DNS entries for OWA and OMA/RPC over HTTP sites.

For example, separate entries for:

owa.msfirewall.org
outlook.msfirewall.org
oma.msfirewall.org

HTH,
Tom




bjorn.axell@advisec.com -> RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (8.Nov.2004 1:26:00 PM)

Tom,
Thanks for a nice article. I ran into the problem you describe when I tried to configure OWA, OMA, ActiveSync on an ISA2004 with one NIC.
I don't understand how this works but it does:
Configure the mail rules for OWA + a FBA listener
Configure a second mail rule for OMA + Activesync, use the same listener

With this configuration it works. If you add OMA+ Activesync to the same rule it does not work.

Do you have any idea why? If you are interested I can send you a configuration file!

Thanks!

Björn




Jeroen_317 -> RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (24.Nov.2004 12:05:00 PM)

Hi Tom,

I am getting a bigger fan of ISA 2004 every day, but like so many I've discovered the new way ISA uses the listeners for authentication.

You guys have made a great solution for using FBA and basic at the same time, so I thought let's try this also for SecurID and basic.

I failed.. [Frown]
I tried adding webId.dll to the paths in the (External to Localhost) rule (next to cookieauth.dll) but this does not help either.

All I get is a broken startpage where the SecurID banner is gone but I can see the rest. I type my username/password and then I get :

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

Did anyone try to have both OWA and RPCoverHTTPS/OMA/ActiveSynch working at the same IP? It worked with ISA 2000 but I think I'll have to use a new IP for my OWA with RSA SecurID authentication.

Why is cookieauth.dll required actually? Can you explain this to me?

Thanks for any answer,
kind regards,
Jay




colinbo -> RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (31.Dec.2004 6:13:00 PM)

Hi,

I tried implementing the rules as per the article and my external clients are unable to get access to CookieAuth.dll. When I look at the log files it seems that it's having problems when it tries to send redirect it internally, however the rule says it's going to 127.0.0.1. Any thoughts on troubleshooting CookieAuth.dll?

Thanks,
Colin




colinbo -> RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (2.Jan.2005 12:57:00 AM)

Figured out my problem. I didn't disable FBA on Exchange.




jeffthomes -> RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (5.Jan.2005 8:01:00 PM)

I found this article fantastic and used it for two of my customers without a problem at all. My most recent attempt has had another result and I cannot figure out what is different. All services are working, but I am not getting FBA for OWA. It is as if ISA is not inserting the cookieauth form that it should. It looks as if the entire session is passed to Exchange for Integrated auth. Is it possible that if FBA fails for some reason this happens? My rule "local to exchange" listener only has FBA set. I must be overlooking something.




Leathal -> RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (9.Feb.2005 10:54:00 PM)

Question,

How does this tutorial apply to RPC over HTTP? I see that you are publishing OWA, OMA, and ActiveSync but I don't see any mention of publishing RPC.

Leathal




PatrickM -> RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP (15.Feb.2005 4:53:00 PM)

Have I found a non-wanted Feature?

Ok, everything seems to work.
If we go to mail.contoso.com/OMA
And login using Basic Auth.
Nice.
We surf to an external Web (ex. [Big Grin] www.astalavista.com) not closing IE.
type in mail.contoso.com/exchange
Now we are running OWA on Basic Auth.

Any idea how to not get this "Feature" ??
[Cool]
- PatrickM -

[ February 16, 2005, 08:35 AM: Message edited by: PatrickM ]



