RE: Discussion of Unihomed ISA Caching Only Server Series
RE: Discussion of Unihomed ISA Caching Only Server Series - 12.Aug.2004 2:33:00 AM
|
|
|
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Batmon,
Check out the FE/BE Exchange article.
HTH, Tom
|
|
|
|
RE: Discussion of Unihomed ISA Caching Only Server Series - 13.Aug.2004 12:23:00 AM
|
|
|
batmon
Posts: 28
Joined: 21.Feb.2004
Status: offline
|
Hi Tom,
Thanks for all your help, now both OWA and RPC/HTTP are working~ :-)
I found ISA's web form authentication still works with RPC/HTTP. So, I just put them under the same rule, just add "/rpc/*" to the path. The reason it didn't work before is that I point it to FE Exchange on the client Outlook side. I have to point it to the BE Exchange server.
Thanks. :-)
|
|
|
|
RE: Discussion of Unihomed ISA Caching Only Server Series - 27.Dec.2004 4:41:00 PM
|
|
|
isaerik
Posts: 1
Joined: 27.Dec.2004
Status: offline
|
Tom,
Is there a way to customize the FBA page? I would like to add our company's disclaimer to it.
Is it better to have a separate IP for each published site?
thanks
|
|
|
|
RE: Discussion of Unihomed ISA Caching Only Server Series - 28.Dec.2004 1:57:00 PM
|
|
|
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
quote: Originally posted by batmon: Hi Tom,
Thanks for all your help, now both OWA and RPC/HTTP are working~ :-)
I found ISA's web form authentication still works with RPC/HTTP. So, I just put them under the same rule, just add "/rpc/*" to the path. The reason it didn't work before is that I point it to FE Exchange on the client Outlook side. I have to point it to the BE Exchange server.
Thanks. :-)
Hi Batmon,
No, if the listener the Outlook client uses to access the site has the FBA auth enabled, then the connection will fail. So, the Outlook RPC/HTTP connection is taking place over some other mechanism, but it is definitely *not* taking place over the listener that has FBA enabled.
HTH, Tom
|
|
|
|
RE: Discussion of Unihomed ISA Caching Only Server Series - 29.Dec.2004 9:07:00 PM
|
|
|
mcmillch
Posts: 1
Joined: 29.Dec.2004
Status: offline
|
Hi Tom,
I have an ISA 2004 server set up as a unihomed server, and I only want to use it to publish an Exchange OWA server, as we have a hardware firewall already in place. I am trying to enable FBA on the front-end for internal users, and use RSA securid on the ISA server listener for internet users. When testing this, the securid portion completes and forwards me to the FBA logon page, but it won't let me log on, and no errors are generated. If I switch the front-end to basic auth only, everything works fine, but I would like to use the FBA internally if possible. The ISA server is not a member of the domain. Any thoughts?
|
|
|
|
RE: Discussion of Unihomed ISA Caching Only Server Series - 30.Dec.2004 4:53:00 PM
|
|
|
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Mc,
I don't think that FBA and SecurID are supported on the same listener. So, you'll need to use SSL/Basic Auth/SecurID.
HTH, Tom
|
|
|
|
RE: Discussion of Unihomed ISA Caching Only Server Series - 3.Feb.2005 6:39:00 PM
|
|
|
CJames
Posts: 1
Joined: 3.Feb.2005
Status: offline
|
Hopefully someone will be able to grant some insights for me on this one, as I'm at wits end.
I have an existing firewall/DMZ setup and a single Exchange 2003 server on Windows 2003. I placed a newly minted ISA server in the DMZ and configured it as shown in the article posted by Tom.
One issue I ran into was - I don't get the option to generate a certificate immediately on my Exchange/OWA server.. it only allows me to enter one at a later time. We have generated a certificate from Verisign to use in a trial capacity and that is the one that I installed on the IIS (Exchange) portion and exported to ISA.
No matter what I do - I get the: 500 Internal Server Error - The certificate chain was issued by an authority that is not trusted. (-2146893019)
..message when I attempt to connect from outside. Going directly to the server internally using HTTPS works fine, however.
Any insights or other information I can provide to help? [ February 04, 2005, 06:33 PM: Message edited by: CJames ]
|
|
|
|
RE: Discussion of Unihomed ISA Caching Only Server Series - 3.Mar.2005 4:50:00 PM
|
|
|
frecar
Posts: 15
Joined: 3.Mar.2005
Status: offline
|
A couple more things...
If I change the to "Requests appear to come from the original client" under the "To" tab I'll get the following error message.
Error Code: 404 Not Found. The requested item could not be located. (12028)
When I monitor the traffic in the ISA server I'll get "Failed connection attempt" when the ISA server is trying to connect to the internal OWA server.
If I make a rule in the ISA server that says from local host to OWA server I can use 443 then https://owa.mydomain.com will work.
Thanks a lot for a really great site!
/F
|
|
|
|
RE: Discussion of Unihomed ISA Caching Only Server Series - 4.Mar.2005 2:55:00 PM
|
|
|
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
quote: Originally posted by CJames: Hopefully someone will be able to grant some insights for me on this one, as I'm at wits end.
I have an existing firewall/DMZ setup and a single Exchange 2003 server on Windows 2003. I placed a newly minted ISA server in the DMZ and configured it as shown in the article posted by Tom.
One issue I ran into was - I don't get the option to generate a certificate immediately on my Exchange/OWA server.. it only allows me to enter one at a later time. We have generated a certificate from Verisign to use in a trial capacity and that is the one that I installed on the IIS (Exchange) portion and exported to ISA.
No matter what I do - I get the: 500 Internal Server Error - The certificate chain was issued by an authority that is not trusted. (-2146893019)
..message when I attempt to connect from outside. Going directly to the server internally using HTTPS works fine, however.
Any insights or other information I can provide to help?
Hi CJ,
The common/subject name on the certificate has to match the FQDN the user uses to access the site. In addition, this name must be the same as the certificate bound to the Web site behind the ISA firewall.
Finally, the ISA firewall needs to resolve the name on the certificate to the IP address of the OWA sites on the ISA firewall Protected Network.
HTH, Tom
|
|
|
|
RE: Discussion of Unihomed ISA Caching Only Server Series - 4.Mar.2005 3:00:00 PM
|
|
|
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
quote: Originally posted by FreddieC: A couple more things...
If I change the to "Requests appear to come from the original client" under the "To" tab I'll get the following error message.
Error Code: 404 Not Found. The requested item could not be located. (12028)
When I monitor the traffic in the ISA server I'll get "Failed connection attempt" when the ISA server is trying to connect to the internal OWA server.
If I make a rule in the ISA server that says from local host to OWA server I can use 443 then https://owa.mydomain.com will work.
Thanks a lot for a really great site!
/F
Hi Freddie,
That often indicates that the ISA firewall doesn't have the same name on the "To" tab as the name on the certificate at the Web site, or the Web site isn't operational, or the ISA firewall doesn't have the correct IP address for the Internal site.
What is the DNS addressing on the internal and external interfaces of the ISA firewall?
Thanks! Tom
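Tom's replies to CJames and to Freddie above name the same consistency conditions: the listener certificate matches the FQDN users type, the "To" tab name matches the certificate on the Web site, and the firewall resolves that name to the internal site's address. The following Python check of those conditions is an added example, not part of the original thread; the function names, host names, addresses and the use of a HOSTS file for resolution are assumptions for illustration.

```python
def parse_hosts(text):
    """Return {lower-case host name: IP} from HOSTS-file text; '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])  # first entry wins
    return table


def norm(name):
    """Host names compare case-insensitively; a trailing root dot is ignored."""
    return name.strip().lower().rstrip(".")


def check_publishing(public_fqdn, listener_cn, to_tab_name, site_cn, hosts_text, site_ip):
    """Return (code, explanation) findings; an empty list means the names line up."""
    findings = []
    if norm(listener_cn) != norm(public_fqdn):
        findings.append(("LISTENER_NAME",
                         f"listener certificate is for {listener_cn!r}, users type {public_fqdn!r}"))
    if norm(site_cn) != norm(to_tab_name):
        findings.append(("TO_TAB_NAME",
                         f"'To' tab says {to_tab_name!r}, Web site certificate is for {site_cn!r}"))
    resolved = parse_hosts(hosts_text).get(norm(to_tab_name))
    if resolved is None:
        findings.append(("NO_HOSTS_ENTRY", f"firewall cannot resolve {to_tab_name!r}"))
    elif resolved != site_ip:
        findings.append(("WRONG_IP",
                         f"{to_tab_name!r} resolves to {resolved}, site listens on {site_ip}"))
    return findings


# Constructed sample HOSTS file for the firewall (not from a real deployment).
SAMPLE_HOSTS = """\
127.0.0.1      localhost
192.168.1.28   owa.example.com   # published OWA site
"""

if __name__ == "__main__":
    # Constructed misconfiguration: internal machine name typed on the "To" tab.
    for code, text in check_publishing("owa.example.com", "owa.example.com",
                                       "exchange.corp.example.com", "owa.example.com",
                                       SAMPLE_HOSTS, "192.168.1.28"):
        print(code, "-", text)
```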
|
|
|
|
RE: Discussion of Unihomed ISA Caching Only Server Series - 4.Mar.2005 3:23:00 PM
|
|
|
frecar
Posts: 15
Joined: 3.Mar.2005
Status: offline
|
Hi Tom!
Thanks for your answer!
I only use one NIC on my ISA server. The IP address for that NIC is 192.168.3.12 and resides on my DMZ. My OWA server has 192.168.1.28 and resides on my LAN.
I route traffic between my LAN and DMZ.
The hosts file on my ISA server has the following record: 192.168.1.28 owa.mydomain.com
Under the "To" tab I have the name owa.mydomain.com. The external users type https://owa.mydomain.com to access the owa. The CN at my certificate has owa.mydomain.com.
I use the same certificate on my OWA server as I do on my ISA server.
What about this message? When I monitor the traffic in the ISA server I'll get "Failed connection attempt" when the ISA server is trying to connect to the internal OWA server.
Best regards Freddie
|
|
|
|
RE: Discussion of Unihomed ISA Caching Only Server Series - 13.Mar.2005 5:32:00 PM
|
|
|
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Freddie,
Great! Good to hear you got it working and thanks for the follow up!
Tom
|
|
|
|
RE: Discussion of Unihomed ISA Caching Only Server Series - 13.May2005 3:53:00 PM
|
|
|
Guest
|
I am using ISA 2004 to publish OWA for Exchange 2003. I followed your steps to create an internal certificate and installed the certificate on the ISA server.
Whenever I use the certificate in the Web Listener to secure the connection, I get the following error when applying the changes:
"The configuration changes were saved to storage, but at least one service failed to load these changes. The event log may include additional information on possible reasons for the failure."
There are no entries in the event logs. If I change it so that I am not using a certificate (no SSL) it saves fine and works normally.
Any suggestions? -Brad
|
|
|
|
RE: Discussion of Unihomed ISA Caching Only Server Series - 27.May2005 6:54:00 PM
|
|
|
gregh_fpc
Posts: 3
Joined: 26.May2005
Status: offline
|
I just finished implementing a unihomed ISA setup for OWA access, everything works great! Thanks for the article.
The question I have is: Is there an anti-virus product that I can install on the ISA box that will check OWA e-mail attachments so potentially infected files don't make it to my front-end server? I'm using SSL all the way through and didn't know if anti-virus software could check https traffic or not. Any help will be appreciated. Thanks...
|
|
|
|
RE: Discussion of Unihomed ISA Caching Only Server Series - 27.Jun.2005 7:55:00 PM
|
|
|
techleet
Posts: 9
Joined: 27.Jun.2005
From: Santa Clara, CA
Status: offline
|
Hi Tom,
I'm having the same issue as Freddyc, except I have a multihomed box.
Here's my setup:
- Dualhomed ISA 2004 sp1 Server running on Win2k3 Sp1
- Single Exchange 2k3 Server, OWA configured and working internally via internal dns hostname (http://exchange.corp.domain.com/exchange)
- Win2k3 Sp1 DC
I have followed 5 or 6 sets of directions, including yours, and all have failed me. (Or more likely, *I* failed THEM!)
Software settings:
- I installed CA on my Win2k3 DC, issued cert to my OWA/Exchange server, installed it in IIS. The CN is "webmail.domain.com". The INTERNAL name of the box is "exchange.corp.domain.com", if that matters.
- I exported the cert to a pfx file and copied it to my ISA server, installed it in Trusted Root Certs.
etc....
If I jump on an outside box and type "http://webmail.domain.com" I get a '403 Forbidden. Server denied URL (12202)' error.
If I type "http://webmail.domain.com/exchange" I get a 403 Forbidden 'must be viewed over SSL (12211)' error.
If I type "https://webmail.domain.com/exchange" it sits there for 45 seconds, pops up an SSL dialog (woohoo!) but then gives me an Error Code 404 Not Found. The requested item could not be located (12028).
Any ideas? I'm running out of coffee.
Thank you, you're the MAN!
|
|
|
|