I join the previous post... congratulations on your article! I tested the following and I got a problem [ 500 Internal Server Error - The certificate chain was issued by an authority that is not trusted. (-2146893019) ]
- Frontend server Exchange 2003 on the LAN, set up and working with SSL.
- The frontend also runs the CA authority from Windows 2003 in Active Directory, but as standalone.
- OWA is published via ISA 2004 to the public network. The ISA server is in the DMZ with only TCP/80 and TCP/443 open to and from the frontend server. This is like in your doc, a single-NIC server.
- I could export the SSL certificate and install it on ISA.
When I try to access the site from outside I get the prompt for the certificate. I click Yes to proceed and then get the error above. If I stop the SSL bridging at the ISA server and then proceed per HTTP it works fine! Do you have any idea what I am doing wrong? Thanks a lot, eric
Make sure that the name on the certificate you installed for the ISA Web Listener is the same name that the external users use to connect to the ISA box. Also, make sure that you have installed the CA certificate in the ISA firewall's Trusted Root Certification Authorities machine certificate store.
Also, the redirect must contain the same name as the certificate bound to the OWA Web site on the Exchange Server. So, in the Properties of the Web Publishing rule, make sure the name of the server on the Internal network is the same name as the Web site certificate installed on the OWA Web site.
I am new to ISA, period.. :-p I followed your article to set up the unihomed ISA 2K4 with a Nokia CheckPoint FW in front. I put ISA 2K4 in CP's DMZ and ISA 2K4 has one interface with an internal DMZ IP address.
Here are the settings:
SYSTEMS:
CP: 3 interfaces: #1 external 220.127.116.11, #2 DMZ 18.104.22.168, #3 internal 10.1.1.1
ISA: in DMZ with IP=22.214.171.124
Exchange Frontend: in internal, IP=10.1.1.5
SETTINGS:
External IP to get to ISA = 126.96.36.199
CP NATs 188.8.131.52 to 184.108.40.206
Internal traffic is all NATed to the CP address
DMZ traffic is all NATed to the CP address
After I followed the articles to set up my environment, I tested the access from outside but can't get through. What I found is:
1) CP log shows traffic gets to 220.127.116.11, routed to 18.104.22.168
2) ISA's logs show traffic comes in and is dest. to 22.214.171.124, incoming source from an outside client IP. ISA logs show this traffic is opened, but not through the OWA or certificate proxy rule. It's actually from my rule #3, which opens/allows all traffic (for testing). Then ISA logs show this traffic is closed, also by rule #3.
3) I checked CP and ISA logs for the traffic between ISA and frontend Exchange. Nothing is shown.
4) I can ping, HTTP, and HTTPS (these are the three ports I open from CP) from ISA to the Exchange frontend.
The traffic forwarded by the ISA firewall to the OWA site does NOT require a rule. The ISA firewall creates dynamic packet filters to allow the forwarded connection to the OWA site. So, the ISA firewall did not use rule #3, it just opened a dynamic packet filter to fulfill the request for redirection. This stateful filtering mechanism is part of the ISA firewall's feature set.
What is the default gateway setting on the ISA firewall?
What is the *exact* config of the OWA Web Publishing rule on the ISA firewall?
I think the best thing I can do is do a doc on this config that more closely matches your config. Some other people have asked about this config, so there's a need for this info. Notice that your config is a bit different than that covered in my doc, which is more consistent with the ISA firewall in a DMZ between two legacy firewalls.
I'll get the article up this weekend and make it a point to clarify the rationale in the IP address schemes.
It would be nice to just use ISA like you said since it is much cheaper. But we just put a load-balanced CP on it, just renewed all the licenses, and it IS expensive... If ISA works out well, I will switch to it next year when the CP contract ends.
Tom, you did it! Thank you so much for your article, I am able to let OWA through SSL with CP DMZ settings working!
FYI, a couple of things I found:
1) In your article, you said to add <CP_DMZ_IP> owa.fw.org to the ISA's hosts file. I found it won't work in my case; I have to put the internal FE Exchange server's internal IP to make this work. This is because CP does all the NATing for FE Exchange and the ISA server.
2) On my first try, I got the login form page, but I get
Unknown Request The request could not be resolved by the server
error message after the login. I read your forum and someone said we need to take out the "web form" checkbox in Exchange's Exchange Manager. I did that and then it works.
I will try RPC/HTTP now. Since OWA works, I am sure RPC will work too. :-)
In the article, the relationship between the Internal and DMZ network is NAT, so you can't directly access hosts on the Internal network using their actual IP address; you have to expose them via an IP address on the DMZ network interface. That's because NAT is a one-way routing relationship.
Very true about the forms-based authentication. You can enable it on the ISA firewall, or enable it on the Exchange Server, but not both.
RPC over HTTP will work too, but be very careful with your naming conventions. This is where your split DNS is absolutely critical.
I guess it's because my CP NATs both my internal LAN and the DMZ, so it takes care of the NATing for me by pointing my ISA SSL traffic direct to my internal FE Exchange.
Okay, as far as RPC/HTTPS... I tried many settings and it does not work. The best I can do is to have the RPC traffic get to FE Exchange, then it stops there. Here are my findings:
- On ISA, all I have to do is modify the existing OWA SSL "publish mail server rule" to include "/rpc/*" in the path. The "RPC over HTTP on Single Server" article says that I need to change the "To" "proxy requests to published server" to "Requests appear to come from original client". If I change that, then the incoming traffic will stop at ISA and doesn't go any further. If I keep it at "Requests appear to come from the ISA server computer", then the incoming traffic will pass ISA, go through CP's DMZ, get to my internal FE Exchange, and my FE Exchange's IIS log will have:
So it seems like it works... but the traffic doesn't get back out to ISA. Any ideas what I did wrong? I am currently using hosts file settings.
One thing I noticed is that my ISA has the following warning in the event log... would this cause a problem? BTW, OWA works fine...
The Web Proxy filter failed to bind its socket to 126.96.36.199 port 443. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure.
Make sure to disable all IIS services on the ISA firewall, that could create some socket contention.
Another thing to consider is that while you can use the same Web listener for OWA and RPC/HTTP, you cannot enable FBA on the ISA firewall because the ISA firewall will present the form to the RPC/HTTP client, which does not know how to deal with the form. In that case, you must use delegation of basic authentication on the ISA firewall.
A better option is to create a second listener for the RPC/HTTP config. That will require a second IP address on the ISA firewall's interface.
Where is the FE Exchange box in relation to BE Exchange box? Aren't they both on the Internal network?
Do you have a network diagram that shows the basic design?
Also, the NAT config seems a bit whack, but CP is whack in general and I wince whenever I see one
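The bind failure in the event log above ("The Web Proxy filter failed to bind its socket to ... port 443") is most often port contention. The following is an added example, not code from either poster or from Microsoft's ISA documentation: it shows how to find out which process holds TCP 443 on a Windows Server 2003 box, and how to release it if it turns out to be IIS or the http.sys listen list, before restarting the Microsoft Firewall service. The PID value is a placeholder, and the httpcfg step assumes the Windows Support Tools are installed.

```batch
@echo off
rem Added example (not from the thread): find who owns TCP 443 on Windows Server 2003.

rem -a all sockets, -n numeric, -o owning PID (available on XP/2003 and later).
rem Any LISTENING line on :443 that is not the firewall service is the conflict.
netstat -ano | findstr /R /C:":443 .*LISTENING"

rem Map the PID from the netstat output to an image name.
rem 1234 is a placeholder; substitute the PID netstat printed.
tasklist /FI "PID eq 1234"

rem If the PID is 4 (System), the port is held by the kernel HTTP listener (http.sys)
rem on behalf of IIS or another http.sys consumer. Show which addresses http.sys
rem has been told to listen on (requires the Windows Support Tools).
httpcfg query iplisten

rem If IIS is the owner: stop the World Wide Web Publishing Service and keep it
rem from starting at boot (note the space after "start=" is required by sc).
net stop w3svc
sc config w3svc start= disabled

rem Restart the firewall service by its display name so the Web Proxy filter can rebind.
net stop "Microsoft Firewall"
net start "Microsoft Firewall"

rem Confirm the listener now belongs to the firewall service.
netstat -ano | findstr /R /C:":443 .*LISTENING"
```

Run this from an elevated command prompt on the ISA box itself; if the first `netstat` shows nothing on :443 at all, the warning was transient (for example the firewall service starting before the NIC was up) rather than a contention problem.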
>Make sure to disable all IIS services on the ISA firewall
Oh... I thought I needed to set up IIS, Default Web with RPC. Okay, I will simply uninstall IIS on ISA. I guess I don't need to run that "http.. -i 188.8.131.52" command... do I need to reverse that and how?
>That will require a second IP address on the ISA firewall's interface.
How do I create a second IP, on the same NIC you mean? I don't know how to do that in MS... not something like "ifconfig", huh?
>Where is the FE Exchange box
Yep, FE and clustered BE are all in the Internal LAN. ISA is in CP's DMZ, and then the third interface of CP is connected to external.
>the NAT config seems a bit whack
My config is..
- CP NATs ISA's external IP with a proxy ARP setting. So, when ISA goes out to external, it will NAT to its external IP. And the incoming will NAT to ISA's DMZ IP.
- CP also NATs DMZ/24 to its CP DMZ gateway IP.
- CP also NATs internal/24 to its CP internal gateway IP.
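To answer the "how do I create a second IP on the same NIC" question above: on Windows Server 2003 this is done with netsh (or through the Advanced TCP/IP settings dialog), and the extra address is what a second ISA Web listener can then be bound to. The block below is an added example, not from either poster; the connection name is the Windows default and the addresses are constructed placeholders on a made-up DMZ subnet, so substitute your own.

```batch
@echo off
rem Added example (not from the thread): give the single DMZ-facing NIC a second address
rem so that OWA (FBA listener) and RPC/HTTP (basic auth listener) can use separate listeners.

rem 1. Find the exact connection name and the address it already has.
netsh interface ip show address

rem 2. Add a second address. The primary address and default gateway are unchanged.
rem    Syntax: netsh interface ip add address <connection name> <ip> <mask>
rem    "Local Area Connection" is the Windows default name; 10.0.100.11 is a placeholder.
netsh interface ip add address "Local Area Connection" 10.0.100.11 255.255.255.0

rem 3. Confirm both addresses are now bound to the adapter.
ipconfig /all

rem To undo, remove just the secondary address (the primary is left alone):
rem netsh interface ip delete address "Local Area Connection" 10.0.100.11
```

After adding the address, the new listener must be told to bind only to the secondary IP (not "all IP addresses") so it does not collide with the OWA listener on the primary one, and the CheckPoint NAT rule and public DNS name for RPC/HTTP need to point at whichever public address maps to that secondary IP.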