Welcome to ISAserver.org

Discussion of Unihomed ISA Caching Only Server Series

Discussion of Unihomed ISA Caching Only Server Series - 25.Apr.2004 11:29:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the Publishing OWA sites with a Unihomed ISA 2004 Web Proxy at http://isaserver.org/articles/2004unihomedowapart1.html.

Thanks!
Tom

[ April 25, 2004, 11:45 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion of Unihomed ISA Caching Only Server Series - 26.Apr.2004 7:20:00 PM   
MooseFruit

 

Posts: 15
Joined: 26.Apr.2004
Status: offline
Nice article Tom.

Question: in a unihomed setup, does ISA 2004 need to be a domain member to act as a proxy for OWA?

Our setup here is similar to what you describe in your article. We have a firewall on the front end w/ port 443 open, we have a firewall on the back end w/ port 443 open, and we have ISA in between.

Thanks,
Joe

(in reply to tshinder)
Post #: 2
RE: Discussion of Unihomed ISA Caching Only Server Series - 26.Apr.2004 7:49:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Moose,

Thanks!

No. The unihomed ISA box does not need to be a domain member. It just forwards the credentials to the OWA box behind the back-end firewall.

Thanks!
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion of Unihomed ISA Caching Only Server Series - 3.Jun.2004 8:18:00 PM   
eric06

 

Posts: 21
Joined: 25.Apr.2003
Status: offline
Hi Tom,

I join the previous post... congratulations on your article!
I tested the following and got a problem [ 500 Internal Server Error - The certificate chain was issued by an authority that is not trusted. (-2146893019) ]
- Frontend Exchange 2003 server on the LAN, set up and working with SSL
- The frontend also runs the CA authority from Windows 2003 in Active Directory, but as standalone.
- OWA is published via ISA 2004 to the public network. The ISA server is in the DMZ with only TCP/80 and TCP/443 open to and from the frontend server. This is like in your doc, a single NIC server.
- I could export the SSL certificate and install it on ISA.
When I try to access the site from outside I get the prompt for the certificate. I click Yes to proceed and then get the error above.
If I stop the SSL bridging at the ISA server and proceed over HTTP it works fine!
Do you have any idea what I am doing wrong?
Thanks a lot,
eric

(in reply to tshinder)
Post #: 4
RE: Discussion of Unihomed ISA Caching Only Server Series - 4.Jun.2004 1:35:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Eric,

Make sure that the name on the certificate you installed for the ISA Web Listener is the same name that the external users use to connect to the ISA box. Also, make sure that you have installed the CA certificate in the ISA firewall's Trusted Root Certification Authorities machine certificate store.

Also, the redirect must contain the same name as the certificate bound to the OWA Web site on the Exchange Server. So, in the Properties of the Web Publishing rule, make sure the name of the server on the Internal network is the same name as the Web site certificate installed on the OWA Web site.

HTH,
Tom

(in reply to tshinder)
Post #: 5
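The three checks Tom lists for an SSL-bridged OWA rule (listener certificate name vs. the external name, OWA site certificate name vs. the rule's internal server name, and the issuing CA present in the ISA firewall's Trusted Root store), as an added example that is not part of the thread or of ISA Server. It assumes certificates in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns and uses constructed sample certificates and hostnames.

```python
# Added example, not from the thread: offline checks for a bridged OWA publishing rule.
# Certificates are dicts in the shape ssl.SSLSocket.getpeercert() returns; samples are constructed.

def _dn(dn):
    """Flatten a DN ((('commonName', 'x'),), ...) into an order-independent tuple."""
    return tuple(sorted(kv for rdn in dn for kv in rdn))

def _name_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; a wildcard may only be the whole
    leftmost label and never spans a dot."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False

def cert_names(cert):
    """Names a client may match: SAN dNSName entries, else the subject CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def cert_matches_host(cert, hostname):
    return any(_name_matches(n, hostname) for n in cert_names(cert))

def issuer_trusted(cert, trusted_root_subjects):
    """True when the certificate's issuer DN equals a subject in the trusted-root store."""
    return _dn(cert.get("issuer", ())) in {_dn(s) for s in trusted_root_subjects}

def check_bridged_rule(external_name, listener_cert, internal_name, owa_cert, trusted_roots):
    """Return findings for the rule; an empty list means the two TLS hops should bridge cleanly."""
    findings = []
    if not cert_matches_host(listener_cert, external_name):
        findings.append(f"listener cert {cert_names(listener_cert)} does not name {external_name}")
    if not cert_matches_host(owa_cert, internal_name):
        findings.append(f"OWA site cert {cert_names(owa_cert)} does not name internal server {internal_name}")
    if not issuer_trusted(owa_cert, trusted_roots):
        findings.append("OWA site cert issuer is not in the ISA firewall's Trusted Root store")
    return findings

# Constructed sample data (hypothetical names and CAs).
INTERNAL_CA = ((("commonName", "Example Internal CA"),),)
LISTENER_CERT = {"subject": ((("commonName", "owa.example.com"),),),
                 "issuer": ((("commonName", "Example Public CA"),),),
                 "subjectAltName": (("DNS", "owa.example.com"),)}
OWA_SITE_CERT = {"subject": ((("commonName", "fe1.corp.example.com"),),), "issuer": INTERNAL_CA}

if __name__ == "__main__":
    print(check_bridged_rule("owa.example.com", LISTENER_CERT, "fe1.corp.example.com", OWA_SITE_CERT, {INTERNAL_CA}))
    # Eric's symptom: the internal CA was never imported on ISA, so the chain is untrusted.
    print(check_bridged_rule("owa.example.com", LISTENER_CERT, "fe1.corp.example.com", OWA_SITE_CERT, set()))
```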
RE: Discussion of Unihomed ISA Caching Only Server Series - 1.Jul.2004 5:19:00 PM   
MooseFruit

 

Posts: 15
Joined: 26.Apr.2004
Status: offline
Tom,

I have our unihomed server setup and running beautifully, thanks for the help.

One more question. What is the best way to redirect users coming in on port 80 http://servername to port 443 https://servername/exchange ?

Mostly just a user convenience thing.

Thanks!
Joe

(in reply to tshinder)
Post #: 6
RE: Discussion of Unihomed ISA Caching Only Server Series - 6.Aug.2004 3:19:00 AM   
batmon

 

Posts: 28
Joined: 21.Feb.2004
Status: offline
Hello,

I am new to ISA, period.. :-p I followed your article to set up the unihomed ISA 2K4 with a Nokia CheckPoint FW in front. I put ISA 2K4 in CP's DMZ, and ISA 2K4 has one interface with an internal DMZ IP address.

Here are the settings:
SYSTEMS:
CP: 3 interfaces: #1-external-12.44.1.1, #2-DMZ-172.1.1.1, #3-internal-10.1.1.1
ISA: in DMZ with IP=172.1.1.5
Exchange Frontend: in internal, IP=10.1.1.5

SETTINGS:
external IP to get to ISA = 12.44.1.5
CP NAT 12.44.1.5 to 172.1.1.5
Internal traffic is all NATed to the CP address
DMZ traffic is all NATed to the CP address

After I followed the articles to set up my environment, I tested the access from outside but can't get through. What I found is:
1) CP log shows traffic gets to 12.44.1.5, routed to 172.1.1.5
2) ISA's logs show traffic comes in destined to 172.1.1.5, incoming source from an outside client IP. ISA logs show this traffic is opened, but not through the OWA or certificate proxy rule. It's actually from my rule #3, which opens/allows all traffic (for testing). Then ISA logs show this traffic is closed, also by rule #3.
3) I checked CP and ISA logs for traffic between ISA and the frontend Exchange. Nothing is shown.
4) I can ping, HTTP, and HTTPS (these are the three ports I opened from CP) from ISA to the Exchange frontend.

Any idea? Please help. Thank you.

(in reply to tshinder)
Post #: 7
RE: Discussion of Unihomed ISA Caching Only Server Series - 6.Aug.2004 2:01:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Batmon,

The traffic forwarded by the ISA firewall to the OWA site does NOT require a rule. The ISA firewall creates dynamic packet filters to allow the forwarded connection to the OWA site. So, the ISA firewall did not use rule #3, it just opened a dynamic packet filter to fulfill the request for redirection. This stateful filtering mechanism is part of the ISA firewall's feature set.

What is the default gateway setting on the ISA firewall?

What is the *exact* config of the OWA Web Publishing rule on the ISA firewall?

Thanks!
Tom

(in reply to tshinder)
Post #: 8
RE: Discussion of Unihomed ISA Caching Only Server Series - 6.Aug.2004 6:38:00 PM   
batmon

 

Posts: 28
Joined: 21.Feb.2004
Status: offline
Hello,

I followed your article to create the following two "rules":

Publish a Mail Server : Publish OWA Web Site (HTTPS)
Publish a Web Server : Publish Web Enrollment Site (HTTP)

I tested the access in the internal LAN; both OWA and certificate access work. I also tested them on ISA2K4 in the DMZ, and it also works. If I try to access it from outside, it won't work.

The DMZ's gateway is my CP FW's DMZ interface, 172.1.1.1. My internal network's gateway is FW's internal interface, 10.1.1.1

Do I need any other kind of "filter" added to see the OWA or web logging?

Thank you.

(in reply to tshinder)
Post #: 9
RE: Discussion of Unihomed ISA Caching Only Server Series - 7.Aug.2004 2:54:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Batmon,

I think the best thing I can do is do a doc on this config that more closely matches your config. Some other people have asked about this config, so there's a need for this info. Notice that your config is a bit different than that covered in my doc, which is more consistent with the ISA firewall in a DMZ between two legacy firewalls.

I'll get the article up this weekend and make it a point to clarify the rationale in the IP address schemes.

HTH,
Tom

(in reply to tshinder)
Post #: 10
RE: Discussion of Unihomed ISA Caching Only Server Series - 9.Aug.2004 11:34:00 PM   
batmon

 

Posts: 28
Joined: 21.Feb.2004
Status: offline
Thank you, thank you. :~D

It would be nice to just use ISA like you said since it is much cheaper. But we just put load-balanced CP on it, just renewed all the licenses, and it IS expensive... If ISA works out well, I will switch next year when the CP contract ends.

:-)

(in reply to tshinder)
Post #: 11
RE: Discussion of Unihomed ISA Caching Only Server Series - 10.Aug.2004 7:59:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Batmon,

Check out the article I published today! I think that will solve your current situation.

HTH,
Tom

(in reply to tshinder)
Post #: 12
RE: Discussion of Unihomed ISA Caching Only Server Series - 10.Aug.2004 9:01:00 PM   
batmon

 

Posts: 28
Joined: 21.Feb.2004
Status: offline
Thank you. I will set it up and let you know how it goes. :-D

(in reply to tshinder)
Post #: 13
RE: Discussion of Unihomed ISA Caching Only Server Series - 10.Aug.2004 10:47:00 PM   
batmon

 

Posts: 28
Joined: 21.Feb.2004
Status: offline
Tom, you did it! Thank you so much for your article; I am able to get OWA through SSL with the CP DMZ settings working!

FYI, a couple of things I found:
1) In your article, you said to add <CP_DMZ_IP> owa.fw.org to the ISA's hosts file. I found it won't work in my case; I have to put the internal FE Exchange server's internal IP to make this work. This is because CP does all the NATing for the FE Exchange and ISA server.
2) On my first try, I got the login form page, but I got

Unknown Request
The request could not be resolved by the server

error message after the login. I read your forum and someone said we need to uncheck the "web form" checkbox in Exchange's Exchange Manager. I did that and then it works.

I will try RPC/HTTP now. Since OWA works, I am sure RPC will work too. :-)

Once again, thank you.

(in reply to tshinder)
Post #: 14
RE: Discussion of Unihomed ISA Caching Only Server Series - 10.Aug.2004 11:06:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Batmon,

Great! Good to hear some things are working.

In the article, the relationship between the Internal and DMZ network is NAT, so you can't directly access hosts on the Internal network using their actual IP address; you have to expose them via an IP address on the DMZ network interface. That's because NAT is a one-way routing relationship.

Very true about the forms-based authentication. You can enable it on the ISA firewall, or enable it on the Exchange Server, but not both.

RPC over HTTP will work too, but be very careful with your naming conventions. This is where your split DNS is absolutely critical.

HTH,
Tom

(in reply to tshinder)
Post #: 15
RE: Discussion of Unihomed ISA Caching Only Server Series - 11.Aug.2004 1:05:00 AM   
batmon

 

Posts: 28
Joined: 21.Feb.2004
Status: offline
I guess because my CP NATs for my internal LAN and also the DMZ, it will take care of the NATing for me by pointing my ISA SSL traffic directly to my internal FE Exchange.

Okay, as far as RPC/HTTPS... I tried many settings and it does not work. The best I can do is to have the RPC traffic get to the FE Exchange, then it stops there. Here are my findings:

- On ISA, all I have to do is modify the existing OWA SSL "publish mail server rule" to include "/rpc/*" in the path. The "RPC over HTTP on Single Server" says that I need to change the "To" "proxy requests to published server" to "Requests appear to come from original client". If I change that, then the incoming traffic will stop at ISA and doesn't go any further. If I keep it at "Requests appear to come from the ISA server computer", then the incoming traffic will pass ISA, go through CP's DMZ, get to my internal FE Exchange, and my FE Exchange's IIS log will have:

RPC_IN_DATA /rpc/rpcproxy.dll
RPC_OUT /rpc/rpcproxy.dll

So it seems like it works... but the traffic doesn't get back out to ISA. Any ideas what I did wrong? I am currently using hosts file settings.

One thing I noticed is that my ISA has the following warning in the event log... would this cause a problem? BTW, OWA works fine...

The Web Proxy filter failed to bind its socket to 172.1.1.5 port 443. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure.

(in reply to tshinder)
Post #: 16
RE: Discussion of Unihomed ISA Caching Only Server Series - 11.Aug.2004 2:00:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Batmon,

Make sure to disable all IIS services on the ISA firewall, that could create some socket contention.

Another thing to consider is that while you can use the same Web listener for OWA and RPC/HTTP, you cannot enable FBA on the ISA firewall because the ISA firewall will present the form to the RPC/HTTP client, which does not know how to deal with the form. In that case, you must use delegation of basic authentication on the ISA firewall.

A better option is to create a second listener for the RPC/HTTP config. That will require a second IP address on the ISA firewall's interface.

Where is the FE Exchange box in relation to BE Exchange box? Aren't they both on the Internal network?

Do you have a network diagram that shows the basic design?

Also, the NAT config seems a bit whack, but CP is whack in general and I wince whenever I see one [Wink]

HTH,
Tom

(in reply to tshinder)
Post #: 17
RE: Discussion of Unihomed ISA Caching Only Server Series - 11.Aug.2004 2:48:00 AM   
batmon

 

Posts: 28
Joined: 21.Feb.2004
Status: offline
>Make sure to disable all IIS services on the ISA firewall

oh... I thought I needed to set up IIS, Default Web with RPC. Okay, I will simply uninstall IIS on ISA. I guess I don't need to run that "http.. -i 172.1.1.5" command... do I need to reverse that and how?

>That will require a second IP address on the ISA firewall's interface.

How do I create a second IP, on the same NIC you mean? I don't know how to do that in MS... not something like "ifconfig", huh?

>Where is the FE Exchange box

Yep, FE and clustered BE are all in the internal LAN. ISA is in CP's DMZ, and the third interface of CP is connected to external.

>the NAT config seems a bit whack

My config is..
- CP NATs ISA's external IP with a proxy ARP setting. So, when ISA goes out to external, it will NAT to its external IP. And the incoming will NAT to ISA's DMZ IP
- CP also NATs DMZ/24 to its CP DMZ gateway IP
- CP also NATs internal/24 to its CP internal gateway IP

(in reply to tshinder)
Post #: 18
RE: Discussion of Unihomed ISA Caching Only Server Series - 11.Aug.2004 3:33:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Batmon,

The RPC proxy runs on the FE Exchange Server.

HTH,
Tom

(in reply to tshinder)
Post #: 19
RE: Discussion of Unihomed ISA Caching Only Server Series - 11.Aug.2004 6:52:00 PM   
batmon

 

Posts: 28
Joined: 21.Feb.2004
Status: offline
Right... I have that on the FE Exchange too. I guess I was reading the ISA Server 2004/Exchange Deployment Kit, ch. 16, and it talks about putting RPC on ISA 2K4...

OK, let me take that out and see how it goes.

Thank you.

(in reply to tshinder)
Post #: 20