RE: Discussion of Unihomed ISA Caching Only Server Series
RE: Discussion of Unihomed ISA Caching Only Server Series - 27.Jun.2005 7:57:00 PM   
techleet

 

Posts: 9
Joined: 27.Jun.2005
From: Santa Clara, CA
Status: offline
Hi Tom,

I'm having the same issue as Freddyc, except I have a multihomed box.

Here's my setup:

- Dualhomed ISA 2004 sp1 Server running on Win2k3 Sp1
- Single Exchange 2k3 Server, OWA configured and working internally via internal dns hostname (http://exchange.corp.domain.com/exchange)
- Win2k3 Sp1 DC

I have followed 5 or 6 sets of directions, including yours, and all have failed me. (Or more likely, *I* failed THEM!)

Software settings:
-I installed CA on my Win2k3 DC, issued cert to my OWA/Exchange server, installed it in IIS. The CN is "webmail.domain.com". The INTERNAL name of the box is "exchange.corp.domain.com", if that matters.
-I exported the cert to a pfx file and copied it to my ISA server, installed it in Trusted Root Certs.

etc....

If I jump on an outside box and type "http://webmail.domain.com" I get a '403 Forbidden. Server denied URL (12202)' error.

If I type "http://webmail.domain.com/exchange" I get a 403 Forbidden 'must be viewed over SSL (12211)' error.

If I type "https://webmail.domain.com/exchange" it sits there for 45 seconds, pops up a SSL dialog (woohoo!) but then gives me a Error Code 404 Not Found. The requested item could not be located (12028).

Any ideas? I'm running out of coffee. [Frown]

Thank you, you're the MAN!

(in reply to tshinder)
Post #: 41
RE: Discussion of Unihomed ISA Caching Only Server Series - 27.Jun.2005 7:58:00 PM   
techleet

 

Posts: 9
Joined: 27.Jun.2005
From: Santa Clara, CA
Status: offline
Hi Tom,

I'm having the same issue as Freddyc, except I have a multihomed box.

Here's my setup:

- Dualhomed ISA 2004 sp1 Server running on Win2k3 Sp1
- Single Exchange 2k3 Server, OWA configured and working internally via internal dns hostname (http://exchange.corp.domain.com/exchange)
- Win2k3 Sp1 DC

I have followed 5 or 6 sets of directions, including yours, and all have failed me. (Or more likely, *I* failed THEM!)

Software settings:
-I installed CA on my Win2k3 DC, issued cert to my OWA/Exchange server, installed it in IIS. The CN is "webmail.domain.com". The INTERNAL name of the box is "exchange.corp.domain.com", if that matters.
-I exported the cert to a pfx file and copied it to my ISA server, installed it in Trusted Root Certs.

etc....

If I jump on an outside box and type "http://webmail.domain.com" I get a '403 Forbidden. Server denied URL (12202)' error.

If I type "http://webmail.domain.com/exchange" I get a 403 Forbidden 'must be viewed over SSL (12211)' error.

If I type "https://webmail.domain.com/exchange" it sits there for 45 seconds, pops up a SSL dialog (woohoo!) but then gives me a Error Code 404 Not Found. The requested item could not be located (12028).

Any ideas? I'm running out of coffee. [Frown]

Thank you, you're the MAN!

(in reply to tshinder)
Post #: 42
RE: Discussion of Unihomed ISA Caching Only Server Series - 27.Jun.2005 9:21:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tech,

Did you create the HOSTS file entry to resolve the name on the "To" tab to the actual IP address of the OWA site? The HOSTS file entry is created on the ISA firewall.

HTH,
Tom

(in reply to tshinder)
Post #: 43
RE: Discussion of Unihomed ISA Caching Only Server Series - 28.Jun.2005 12:31:00 PM   
techleet

 

Posts: 9
Joined: 27.Jun.2005
From: Santa Clara, CA
Status: offline
quote:
Originally posted by tshinder:
Hi Tech,

Did you create the HOSTS file entry to resolve the name on the "To" tab to the actual IP address of the OWA site? The HOSTS file entry is created on the ISA firewall.

HTH,
Tom

Hi Tom,

Thanks for the reply, and forgive me for the duplicate posts!

Yes, I edited the hosts file @ %windir%\system32\drivers\etc\hosts... added this line:

10.0.0.17 webmail.domain.com

(in reply to tshinder)
Post #: 44
RE: Discussion of Unihomed ISA Caching Only Server Series - 28.Jun.2005 12:39:00 PM   
techleet

 

Posts: 9
Joined: 27.Jun.2005
From: Santa Clara, CA
Status: offline
I'm not sure if this matters, but my South NIC (LAN) is the only one with DNS servers in its TCP/IP properties. When I do an nslookup on "webmail.domain.com" from my ISA box I get the IP of my North NIC (WAN) on my ISA box. I set this up, of course, on my registrar's DNS so I could get to my box!

My concern is that since I added "webmail.domain.com" in my HOSTS file with a different IP, I'm wondering if it is actually resolving to the WAN ip instead of the LAN when trying to publish my OWA. Does that make any sense?

Thanks again!

(in reply to tshinder)
Post #: 45
RE: Discussion of Unihomed ISA Caching Only Server Series - 28.Jun.2005 1:50:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tech,

That's the problem. The ISA firewall must resolve the name to the private address on your internal network.

Configure the internal interface to use a DNS server on the internal network that is able to resolve Internet host names.

If you don't have an internal DNS server, configure a caching-only DNS server on the ISA firewall. That way, there will be no issues with the HOSTS file entry being overridden.

That said, when the machine is rebooted, the HOSTS file entries will be loaded into memory and will be referenced before DNS lookups.

HTH,
Tom

(in reply to tshinder)
Post #: 46
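The name-resolution condition Tom describes can be checked mechanically. The following Python script is an added example, not code from the thread or from ISA Server: it parses a Windows-style HOSTS file as the firewall would read it, and reports for each published name whether the entry points at an RFC 1918 private address (the OWA server), is missing (so DNS decides, and public DNS returns the firewall's own WAN address), or loops back to the firewall's external address. The HOSTS content and the external address 203.0.113.5 are constructed for the example; only the 10.0.0.17 line mirrors the thread.

```python
import ipaddress

# Constructed sample HOSTS file for the ISA firewall; only the webmail line is from the thread.
SAMPLE_HOSTS = """\
# Sample Windows HOSTS file (constructed for this example)
127.0.0.1       localhost
::1             localhost
10.0.0.17       webmail.domain.com      # OWA server's private address, per the thread
"""

# Constructed external (WAN / "North" NIC) address of the firewall. Public DNS hands
# this back for webmail.domain.com, which is exactly what the firewall must not use
# when it forwards the published request inward.
FIREWALL_EXTERNAL_IPS = {"203.0.113.5"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if `ip` is an IPv4 address inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def parse_hosts(text):
    """Return {hostname: ip} from HOSTS-file text, skipping comments and malformed lines.

    The first entry seen for a name is kept; later duplicates are ignored.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])    # first field must be an address
        except ValueError:
            continue
        for name in parts[1:]:
            mapping.setdefault(name.lower(), parts[0])
    return mapping


def classify_resolution(hosts_map, name, firewall_external_ips):
    """Classify how the firewall resolves `name` before DNS is even consulted.

    Returns one of:
      "missing"           -> no HOSTS entry; DNS decides, and public DNS will
                             answer with the firewall's own external address
      "loops-to-firewall" -> entry points at the firewall's external address
      "ok-private"        -> entry points at an RFC 1918 address (the OWA server)
      "public"            -> entry points at some other non-private address
    """
    ip = hosts_map.get(name.lower())
    if ip is None:
        return "missing"
    if ip in firewall_external_ips:
        return "loops-to-firewall"
    if is_rfc1918(ip):
        return "ok-private"
    return "public"


def audit(hosts_text, published_names, firewall_external_ips):
    """Run the check for every published name; returns {name: verdict}."""
    hosts_map = parse_hosts(hosts_text)
    return {n: classify_resolution(hosts_map, n, firewall_external_ips)
            for n in published_names}


if __name__ == "__main__":
    names = ["webmail.domain.com", "owa.example.net"]   # second name is constructed
    for name, verdict in audit(SAMPLE_HOSTS, names, FIREWALL_EXTERNAL_IPS).items():
        print(f"{name}: {verdict}")
```

Run it on the firewall's real HOSTS file by replacing SAMPLE_HOSTS with the contents of %windir%\system32\drivers\etc\hosts; any verdict other than "ok-private" for a published OWA name is the symptom in this thread. The check deliberately compares against the RFC 1918 ranges rather than Python's broader `is_private`, because documentation and test ranges are not what an internal OWA server is expected to use.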
RE: Discussion of Unihomed ISA Caching Only Server Series - 28.Jun.2005 3:40:00 PM   
techleet

 

Posts: 9
Joined: 27.Jun.2005
From: Santa Clara, CA
Status: offline
quote:
Originally posted by tshinder:
Hi Tech,

That's the problem. The ISA firewall must resolve the name to the private address on your internal network.

Configure the internal interface to use a DNS server on the internal network that is able to resolve Internet host names.

If you don't have an internal DNS server, configure a caching-only DNS server on the ISA firewall. That way, there will be no issues with the HOSTS file entry being overridden.

That said, when the machine is rebooted, the HOSTS file entries will be loaded into memory and will be referenced before DNS lookups.

HTH,
Tom

Fantastic, I'll give it a shot!

One question...

Right now I have CORP.DOMAIN.COM for my Win2k3 domain, which is to say that CORP is my main DNS zone.

Should I add the Zone "DOMAIN.COM" and A record for WEBMAIL.DOMAIN.COM and point it to the Internal IP of my OWA?

Thank you for all your help, I know you're a busy guy!

(in reply to tshinder)
Post #: 47
RE: Discussion of Unihomed ISA Caching Only Server Series - 28.Jun.2005 5:19:00 PM   
techleet

 

Posts: 9
Joined: 27.Jun.2005
From: Santa Clara, CA
Status: offline
Never mind regarding adding a Zone to DNS... I simply removed the bad DNS server entries and rebooted... works like a charm!

*kneeling in reverence*

One last tiny question....

Any (easy) way to redirect requests from http://webmail.domain.com to https://webmail.domain.com/exchange?

I can do this easily without ISA in the mix, but with... well... that's another story [Wink]

(in reply to tshinder)
Post #: 48
RE: Discussion of Unihomed ISA Caching Only Server Series - 29.Jun.2005 11:55:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tech,

Great! Good to hear you got it working!

Here's a preview article that might help you:

http://www.msfirewall.org/isa2004/2004redirectowa/2004redirectowa.htm

Remember, this is a draft article, so be nice [Smile]

HTH,
Tom

(in reply to tshinder)
Post #: 49
RE: Discussion of Unihomed ISA Caching Only Server Series - 29.Jun.2005 1:58:00 PM   
Rickymag

 

Posts: 509
Joined: 26.Nov.2003
From: SA
Status: offline
Hello all,

Great Article Tom,

I know some installations need only one NIC.

For much, much more functionality add one more NIC.

Just some thoughts

RM

(in reply to tshinder)
Post #: 50
RE: Discussion of Unihomed ISA Caching Only Server Series - 29.Jun.2005 2:01:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ricky,

That's true, but I'm firmly in the camp of thinking that if I buy a Corvette, I'm going to use all four tires and hit the open road at 120MPH. The unihomed Web proxy is like taking three tires and seven cylinders out of the car [Smile]

Thanks!
Tom

(in reply to tshinder)
Post #: 51
RE: Discussion of Unihomed ISA Caching Only Server Series - 6.Oct.2005 2:12:00 PM   
Guest
Tom,

Quick question. I have an Exchange 2000 FE/BE setup and my company wants to implement OWA for external sales reps. I do not want to do this without FB authentication, so I am looking at ISA2004 to give me this functionality. We have an existing CP front-end/back-end firewall configuration. I want to install ISA2004 in between the CPs in Proxy mode. I have read your article on Single-NIC ISA OWA publishing and I have a question about the "OWA Publishing Rule not being able to forward the actual IP address.." Does that mean that my Exchange FE server is going to respond directly to the requesting OWA client on the Internet? If so, is that anything I need to be concerned about? Also, before I purchase ISA2004, is there any benefit in my proposed configuration to buying the Enterprise edition of ISA?

Thanks for your time.
James

(in reply to tshinder)
  Post #: 52
RE: Discussion of Unihomed ISA Caching Only Server Series - 30.Dec.2005 8:52:08 PM   
arkumar

 

Posts: 2
Joined: 30.Dec.2005
Status: offline
Tom,
I followed your articles Part 1 and 2 to publish websites and Exchange server on uni-homed ISA Server 2004. My configuration is typical. I created additional IP addresses on ISA Server 2004, which is in the DMZ and is not a member of our domain. This ISA Server is used to publish several sites. We have a Cisco PIX as front-end firewall and created static mappings in the firewall from different public IP addresses to different IP addresses of the ISA Server. Everything works fine. Now I tried to publish our mail server thru SSL. I created another listener for SSL and a different IP address for ISA Server, which is mapped to our mail server's public IP (in the Cisco firewall). I used SSL bridging, which never worked. If I use SSL to HTTP, it works fine. I made an entry for the internal mail server in the hosts file of the ISA server.

I am not able to open an SSL session from ISA Server 2004 to the internal mail server. With telnet mailserver_ip 443, the connection fails. I can create this session from any other server in the DMZ to our internal server. It fails only on the ISA server. Is there anything I need to do to open SSL traffic except the publishing rule? I already opened SSL traffic from the ISA Server in the DMZ to the internal mail server in the firewall.

(in reply to tshinder)
Post #: 53
RE: Discussion of Unihomed ISA Caching Only Server Series - 14.Jun.2006 11:46:54 AM   
conroyd

 

Posts: 2
Joined: 18.Jan.2005
From: UK
Status: offline
Tom, I've used this article many many times, so firstly thanks.

I have an issue and I am looking for some clarification. I suspect everything is working as designed, but I basically need somebody to say yes or no once and for all so that I can move on.

I have a customer site with multiple back end servers. If the ISA publishing rule points the users to Server A where the mailbox resides, then I get FBA and a single authentication request.

If the rule points at Server A, and the mailbox is on Server B, the user gets prompted to authenticate twice.

The customer does not want to get prompted twice. They want implicit logon, FBA and a single authentication request. Sounds like a simple request....

I have played with the different permutations here, and can't find a way around.

The classic FE/BE solution without ISA gives me two choices, dual-auth with implicit logon, or pass-thru with explicit logon, so no joy.

My understanding of the problem is that FBA by design will re-authenticate if you close the browser, end the session, or "navigate to a different web-site" and that with E2K3 multiple BE servers implies multiple web-sites.

Am I missing something obvious, or can this not be done?

ISA server 2004, no FE, multiple BE server, implicit logon and one authentication request.

Any help greatly appreciated.

Declan

(in reply to tshinder)
Post #: 54
RE: Discussion of Unihomed ISA Caching Only Server Series - 1.Apr.2007 3:42:05 AM   
Kalotaibi

 

Posts: 2
Joined: 27.Mar.2007
Status: offline
Hi Tom,

Finally, I found the article that I need and I hope I can use it for my own setup, however, I have few questions.

I would like to know if I need to issue and bind a web site certificate to the OWA Web site for BOTH nodes of my Clustered Exchange 2003 Server. Also, do I need to import both certificates to the ISA Server?

One more thing, do I need to use the virtual IP of my Exchange Server to my ISA hosts file?

In case you would like to know my setup:

1. Clustered Exchange 2003 Server (2 nodes), No Front end server.
2. Unihomed ISA 2004 Server located in the DMZ
3. Ports 80 and 443 are open for both ISA and Exchange.

Thanks.

(in reply to conroyd)
Post #: 55