RE: Discussion of OWA FBA Publishing article

RE: Discussion of OWA FBA Publishing article - 1.Oct.2004 7:58:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

You can check out my OWA publishing articles and see if they help.

HTH,
Tom

(in reply to tshinder)
Post #: 21
RE: Discussion of OWA FBA Publishing article - 1.Oct.2004 10:08:00 AM   
Jason Jones

 

Posts: 2154
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
clynn,

What have you entered in the server to publish field? is it an IP or FQDN? Are you bridging to 80 or 443? Is ISA a member of the domain?

JJ

(in reply to tshinder)
Post #: 22
RE: Discussion of OWA FBA Publishing article - 1.Oct.2004 11:52:00 PM   
clynn

 

Posts: 101
Joined: 8.Feb.2001
From: Farmington Hills, MI
Status: offline
ISA is a member of the domain. Did so, so I could RWW to it from home.

I published the server with the same name as the certificate: SERVERNAME.DOMAINNAME.com

FYI...
SBS2003 is my Exchange server, SERVERNAME.DOMAINNAME.local

Published name is SERVERNAME.DOMAINNAME.com

LMHOST on ISA has SERVERNAME.DOMAINNAME.com pointing to the IP of SERVERNAME.DOMAINNAME.local

Got a link to that article, Tom?

[ October 01, 2004, 11:56 PM: Message edited by: clynn ]

(in reply to tshinder)
Post #: 23
RE: Discussion of OWA FBA Publishing article - 2.Oct.2004 8:44:00 PM   
dclapp

 

Posts: 3
Joined: 2.Oct.2004
From: Wisconsin
Status: offline
Myself and my co-workers have been struggling with an interesting problem with ISA 2004 and a front end Exchange 2003 server. We followed the steps outlined in the following document:
Outlook Web Access Server Publishing in ISA Server 2004

ISA 2004 Setup:
-A dual-homed (two network cards).
-Windows 2003 server standard edition
-ISA 2004 Standard

IMPORTANT! The ISA 2004 server is in a workgroup and not joined to the domain.

We have one Windows 2003 domain controller with Exchange 2003 installed on it.

We made sure to always turn off the FBA feature on all installs of Exchange 2003.

Connecting to OWA works great in this single Exchange 2003 server that is also a Windows 2003 domain controller.

However, if we set up a separate front end Exchange 2003 server that is not on a domain controller we start to have problems.

Problem: Open a web browser on an external client PC. Type in the web address, i.e. webmail.miami.com

Click YES to accept the SSL. (Warning because we are using our own MS CA).

ISA presents its forms based authentication web page.

However, before logging in we see some interesting things in the ISA 2004 monitoring log:

We see initiated SSL connections (good!)
Then we see about three denied with two GETs and a POST listed. Each one says the username is anonymous, but we haven't typed any user name in at this point.

When we try to log into OWA we get a red error stating that we entered the password incorrectly.

The IIS server is logging successful status 200.

We are able from the ISA 2004 server to load up its IE and browse the OWA without any problems.

Questions:
Is there something we are missing because the dual homed ISA 2004 is not joined to the domain?

When it presents the Forms Based Authentication web page how does it know what users are good vs. bad?

Does Forms Based Authentication on ISA 2004 require ISA 2004 to be in a domain?

How does a front end / backend Exchange 2003 installation affect OWA Publishing?

I have worked with Microsoft on this problem and they said they don't have any ISA 2004 experts to send out yet. And there aren't any books (I know they will be here in a week or two) and of course there aren't any classes for it as well.

Tom! Help! [Smile]

[ October 02, 2004, 08:50 PM: Message edited by: dclapp ]

(in reply to tshinder)
Post #: 24
RE: Discussion of OWA FBA Publishing article - 3.Oct.2004 9:56:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by dclapp:
Myself and my co-workers have been struggling with an interesting problem with ISA 2004 and a front end Exchange 2003 server. We followed the steps outlined in the following document:
Outlook Web Access Server Publishing in ISA Server 2004

ISA 2004 Setup:
-A dual-homed (two network cards).
-Windows 2003 server standard edition
-ISA 2004 Standard

IMPORTANT! The ISA 2004 server is in a workgroup and not joined to the domain.

We have one Windows 2003 domain controller with Exchange 2003 installed on it.

We made sure to always turn off the FBA feature on all installs of Exchange 2003.

Connecting to OWA works great in this single Exchange 2003 server that is also a Windows 2003 domain controller.

However, if we set up a separate front end Exchange 2003 server that is not on a domain controller we start to have problems.

Problem: Open a web browser on an external client PC. Type in the web address, i.e. webmail.miami.com

Click YES to accept the SSL. (Warning because we are using our own MS CA).

ISA presents its forms based authentication web page.

However, before logging in we see some interesting things in the ISA 2004 monitoring log:

We see initiated SSL connections (good!)
Then we see about three denied with two GETs and a POST listed. Each one says the username is anonymous, but we haven't typed any user name in at this point.

When we try to log into OWA we get a red error stating that we entered the password incorrectly.

The IIS server is logging successful status 200.

We are able from the ISA 2004 server to load up its IE and browse the OWA without any problems.

Questions:
Is there something we are missing because the dual homed ISA 2004 is not joined to the domain?

When it presents the Forms Based Authentication web page how does it know what users are good vs. bad?

Does Forms Based Authentication on ISA 2004 require ISA 2004 to be in a domain?

How does a front end / backend Exchange 2003 installation affect OWA Publishing?

I have worked with Microsoft on this problem and they said they don't have any ISA 2004 experts to send out yet. And there aren't any books (I know they will be here in a week or two) and of course there aren't any classes for it as well.

Tom! Help! [Smile]

Hi David,

Try joining the ISA firewall to the domain. Is there a reason why you haven't? I know that there are concerns about this, but I consider them unfounded. Each time I've queried a "security expert" regarding this, they come up empty. Now I join my ISA firewalls to the domain if they have an interface that is reachable to a DC, i.e. the internal interface is connected to a network where the DC is located.

HTH,
Tom

(in reply to tshinder)
Post #: 25
RE: Discussion of OWA FBA Publishing article - 3.Oct.2004 9:58:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by clynn:
ISA is a member of the domain. Did so so I could RWW to it from home.

I published the server with the same name as the certificate: SERVERNAME.DOMAINNAME.com

FYI...
SBS2003 is my Exchange server, SERVERNAME.DOMAINNAME.local

Published name is SERVERNAME.DOMAINNAME.com

LMHOST on ISA has SERVERNAME.DOMAINNAME.com pointing to the IP of SERVERNAME.DOMAINNAME.local

Got a link to that article, Tom?

Hi C,

But the ISA firewall isn't on the Exchange/DC, right?

Thanks!
Tom

(in reply to tshinder)
Post #: 26
RE: Discussion of OWA FBA Publishing article - 3.Oct.2004 9:59:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by tshinder:
quote:
Originally posted by dclapp:
Myself and my co-workers have been struggling with an interesting problem with ISA 2004 and a front end Exchange 2003 server. We followed the steps outlined in the following document:
Outlook Web Access Server Publishing in ISA Server 2004

ISA 2004 Setup:
-A dual-homed (two network cards).
-Windows 2003 server standard edition
-ISA 2004 Standard

IMPORTANT! The ISA 2004 server is in a workgroup and not joined to the domain.

We have one Windows 2003 domain controller with Exchange 2003 installed on it.

We made sure to always turn off the FBA feature on all installs of Exchange 2003.

Connecting to OWA works great in this single Exchange 2003 server that is also a Windows 2003 domain controller.

However, if we set up a separate front end Exchange 2003 server that is not on a domain controller we start to have problems.

Problem: Open a web browser on an external client PC. Type in the web address, i.e. webmail.miami.com

Click YES to accept the SSL. (Warning because we are using our own MS CA).

ISA presents its forms based authentication web page.

However, before logging in we see some interesting things in the ISA 2004 monitoring log:

We see initiated SSL connections (good!)
Then we see about three denied with two GETs and a POST listed. Each one says the username is anonymous, but we haven't typed any user name in at this point.

When we try to log into OWA we get a red error stating that we entered the password incorrectly.

The IIS server is logging successful status 200.

We are able from the ISA 2004 server to load up its IE and browse the OWA without any problems.

Questions:
Is there something we are missing because the dual homed ISA 2004 is not joined to the domain?

When it presents the Forms Based Authentication web page how does it know what users are good vs. bad?

Does Forms Based Authentication on ISA 2004 require ISA 2004 to be in a domain?

How does a front end / backend Exchange 2003 installation affect OWA Publishing?

I have worked with Microsoft on this problem and they said they don't have any ISA 2004 experts to send out yet. And there aren't any books (I know they will be here in a week or two) and of course there aren't any classes for it as well.

Tom! Help! [Smile]

Hi David,

Try joining the ISA firewall to the domain. Is there a reason why you haven't? I know that there are concerns about this, but I consider them unfounded. Each time I've queried a "security expert" regarding this, they come up empty. Now I join my ISA firewalls to the domain if they have an interface that is reachable to a DC, i.e. the internal interface is connected to a network where the DC is located.

HTH,
Tom

You might also set the listener to always authenticate. I recall a KB article regarding this.

HTH,
Tom

(in reply to tshinder)
Post #: 27
RE: Discussion of OWA FBA Publishing article - 4.Oct.2004 4:34:00 PM   
clynn

 

Posts: 101
Joined: 8.Feb.2001
From: Farmington Hills, MI
Status: offline
quote:
But the ISA firewall isn't on the Exchange/DC, right?

That is correct. ISA is dual-homed on a stand-alone Windows 2003 Std Server. It has a static IP.

I am able to access OWA from the ISA Server, but I get a pop-up for authentication instead of the forms-based page.

(in reply to tshinder)
Post #: 28
RE: Discussion of OWA FBA Publishing article - 5.Oct.2004 12:50:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi C,

OK, did you set the Web listener to use FBA instead of basic auth?

Thanks!
Tom

(in reply to tshinder)
Post #: 29
RE: Discussion of OWA FBA Publishing article - 5.Oct.2004 2:44:00 PM   
dclapp

 

Posts: 3
Joined: 2.Oct.2004
From: Wisconsin
Status: offline
I know they have HUGE concerns over joining it to the domain, because if ISA 2004 was compromised then the Windows networking security could be attacked directly (but, believe me, I am on your side, I have never seen this). So the whole idea of a bastion host should work. I talked to Microsoft about this and they said it is perfectly fine not to have the ISA 2004 joined to the domain; I will test this scenario.

The ISA 2004 is a stand-alone Windows 2003 Standard Server. It is not Exchange 2003 and it is not a Domain Controller (it's a member server in a workgroup).

The always authenticate is interesting. I was thinking of shutting this off (it is on). But, I seem to remember things really failing then.

All this confuses me. ISA 2004 with FBA turned on publishing OWA does not authorize credentials; it simply forwards the credentials to the OWA Front End Exchange server. However, if always authenticate IS ON then I might be confusing ISA 2004.

Hmmm... Any thoughts?

(in reply to tshinder)
Post #: 30
RE: Discussion of OWA FBA Publishing article - 5.Oct.2004 8:29:00 PM   
jsarabia

 

Posts: 1
Joined: 5.Oct.2004
From: CA
Status: offline
Hello. I have OWA running using FBA through ISA over the Internet. I'd like to setup FBA for external and internal users. I know I can't enable FBA on the Exchange Virtual Server since that will break the FBA through ISA. I've tried modifying the Listener to listen on the Internal network, but I am unsure how the name resolution will work since the hostname on the certificate resolves to one IP address (the Exchange Virtual Server) and the hostname for the internal users resolves to another (the ip address of the listener on the internal interface). What should I do to make this work?

(in reply to tshinder)
Post #: 31
RE: Discussion of OWA FBA Publishing article - 5.Oct.2004 10:00:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi J,

Funny you should mention that. When writing chapter 4 of the book yesterday, I realized that there was ONE and only one scenario where you would want to allow looping back through the ISA firewall to access internal sites, and that's when FBA is enabled on the ISA firewall and not on the Exchange Server.

So, I've put that on my list of issues to cover on this web site, or in our next book "Protecting MS Exchange with ISA Firewalls" [Big Grin]

HTH,
Tom

(in reply to tshinder)
Post #: 32
RE: Discussion of OWA FBA Publishing article - 6.Oct.2004 5:06:00 AM   
dclapp

 

Posts: 3
Joined: 2.Oct.2004
From: Wisconsin
Status: offline
Today, I set up a test lab and implemented the "ISA Server 2004/Exchange Server Deployment Kit: Publishing Outlook Web Access using a Unihomed (Single-NIC) ISA Server 2004 Web Proxy" from the "ISA Server 2004/Exchange Server Deployment Kit".

This document is great and very detailed.

I was able to achieve publishing OWA on a Front End Exchange 2003 server using a unihomed ISA 2004 Web Proxy server. The ISA 2004 server was not a part of a domain. And it did a very good job of forwarding the credentials entered on the fake FBA page to the FE Exchange 2003 OWA (IIS).

Now, why would this work when ISA 2004 is installed in web proxy mode, but not when I have it in firewall/proxy mode (dual NICs)?

I will definitely need to do more testing. I know I did not have the ISA 2004 Require Authentication option checked. The document I read stated that ISA 2004 should not participate in authentication of an FBA login; instead it just forwards the credentials entered to the OWA IIS server.

The most interesting thing I learned about is SSL during this whole exercise/lab. Important: If you request an SSL Web Cert for your IIS OWA server and, within that same hour of requesting the SSL Web Cert, install it into IIS and then configure a client to connect to the SSL web site, you will get an invalid SSL web cert. Once I moved the client into the future by a day then the cert was considered valid. There must be a time window where the certificate will become valid. I wish I knew what that interval was between issuing a web server cert and when it will become valid for the client.

(in reply to tshinder)
Post #: 33
RE: Discussion of OWA FBA Publishing article - 6.Oct.2004 4:19:00 PM   
clynn

 

Posts: 101
Joined: 8.Feb.2001
From: Farmington Hills, MI
Status: offline
quote:
Originally posted by tshinder:
Hi C,

OK, did you set the Web listener to use FBA instead of basic auth?

Thanks!
Tom

Yes, Tom, I followed http://www.isaserver.org/tutorials/2004owafba.html to the letter.

Is it possible I need to do something with the Exchange server? Enable FBA?
****Edited****
I checked, and FBA is enabled on E2k3. Compression was set to high, I switched to none.

When I try to log in to OWA I go to this page:
https://SERVERNAME.DOMAINNAME.com/CookieAuth.dll?Logon

With this error:
Unknown Request
The request could not be resolved by the server.

I gotta be missing something minor....

[ October 06, 2004, 04:27 PM: Message edited by: clynn ]

(in reply to tshinder)
Post #: 34
RE: Discussion of OWA FBA Publishing article - 21.Oct.2004 11:45:00 PM   
nshoemaker

 

Posts: 5
Joined: 6.Oct.2004
From: Texas
Status: offline
OK I have set everything up according to the articles. I get a logon page and after entering my credentials, I get the dreaded 500 error. Help please!

(in reply to tshinder)
Post #: 35
RE: Discussion of OWA FBA Publishing article - 21.Oct.2004 11:51:00 PM   
nshoemaker

 

Posts: 5
Joined: 6.Oct.2004
From: Texas
Status: offline
To add more to what I was stating before here is the error I get.

error code: 500 Internal Server Error. The target principal name is incorrect. (-2146893022)

(in reply to tshinder)
Post #: 36
RE: Discussion of OWA FBA Publishing article - 22.Oct.2004 6:09:00 PM   
wdennis

 

Posts: 10
Joined: 21.Oct.2004
From: Moorestown, NJ
Status: offline
Hi all,

I'm having a problem publishing OWA via ISA FBA. Can you all take a look at my post on this forum, and if you have any possible solutions, post a response to it?

Link to my topic:
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=23;t=000237

Thanks!

(in reply to tshinder)
Post #: 37
RE: Discussion of OWA FBA Publishing article - 22.Oct.2004 11:36:00 PM   
wdennis

 

Posts: 10
Joined: 21.Oct.2004
From: Moorestown, NJ
Status: offline
Hey Nick,

I got the same error at some point with my setup. Turns out that I was using a different DNS name in the publishing rule than the one on the cert that was SSL-izing the connection (both are valid DNS names for the OWA server; the one in the cert is a CNAME, but I was using the A-record name in the rule.) Once I changed the publishing rule to have the same name as the cert's, all was well.

HTH,
Will

(in reply to tshinder)
Post #: 38
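Two of the failures in this thread, the "target principal name is incorrect" error that Will traced to a publishing-rule name that did not match the certificate name (posts #36 and #38), and the certificate that David's client rejected until its clock had moved past the issue time (post #33), can both be caught before a client ever connects. The following pre-flight check is an added example, not code from the thread or from ISA Server; the rule and certificate dictionaries, the example.com host names and the timestamps are all constructed, and the clock-skew finding models the common case of a client clock earlier than the certificate's notBefore.

```python
from datetime import datetime, timedelta, timezone

def hostname_matches(published_name, cert_name):
    """RFC 2818 style host comparison: case-insensitive, trailing dot ignored,
    a single '*' accepted only as the left-most label (e.g. *.example.com)."""
    pub = published_name.lower().rstrip(".").split(".")
    crt = cert_name.lower().rstrip(".").split(".")
    if len(pub) != len(crt):
        return False
    if crt[0] == "*":
        return pub[1:] == crt[1:]
    return pub == crt

def check_publishing(rule, cert, client_clock):
    """Return a list of findings for one SSL publishing rule (empty list = consistent).

    rule:         {"to_name": FQDN entered on the rule's "To" tab}
    cert:         {"subject_cn": str, "san": [str], "not_before": datetime, "not_after": datetime}
    client_clock: the connecting client's idea of the current time (aware datetime)
    """
    findings = []
    cert_names = [cert["subject_cn"]] + list(cert.get("san", []))
    if not any(hostname_matches(rule["to_name"], n) for n in cert_names):
        findings.append(
            f"name mismatch: rule publishes {rule['to_name']!r} but the certificate "
            f"names {cert_names}; clients see 'The target principal name is incorrect'")
    if client_clock < cert["not_before"]:
        findings.append(
            f"certificate not yet valid for this client: notBefore "
            f"{cert['not_before']:%Y-%m-%d %H:%M}Z, client clock "
            f"{client_clock:%Y-%m-%d %H:%M}Z (clock skew)")
    if client_clock > cert["not_after"]:
        findings.append("certificate expired")
    return findings

# Constructed sample data modelled on the thread; example.com names, not real hosts.
ISSUED = datetime(2004, 10, 6, 9, 0, tzinfo=timezone.utc)
SAMPLE_CERT = {
    "subject_cn": "owa.example.com",   # the CNAME that the certificate was issued for
    "san": [],
    "not_before": ISSUED,
    "not_after": ISSUED + timedelta(days=365),
}
BROKEN_RULE = {"to_name": "mail01.example.com"}  # the A-record name, not the cert name
FIXED_RULE = {"to_name": "owa.example.com"}
SCENARIOS = {
    "wrong name in rule": (BROKEN_RULE, ISSUED + timedelta(hours=1)),
    "client clock behind issuer": (FIXED_RULE, ISSUED - timedelta(minutes=30)),
    "consistent": (FIXED_RULE, ISSUED + timedelta(days=1)),
}

def run_scenarios():
    """Run every constructed scenario; maps label -> list of findings."""
    return {label: check_publishing(rule, SAMPLE_CERT, clock)
            for label, (rule, clock) in SCENARIOS.items()}

if __name__ == "__main__":
    for label, findings in run_scenarios().items():
        print(f"{label}: {findings or ['OK']}")
```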
RE: Discussion of OWA FBA Publishing article - 21.Nov.2004 2:00:00 PM   
jimmyweston

 

Posts: 11
Joined: 10.Dec.2002
Status: offline
Hi there,

I found the article very useful thanks.
One additional question: we have a single Exchange server protected by a dual-homed ISA 2004 server.
Is it possible, on the same fixed IP address that OWA FBA is now published on, to publish Exchange for Outlook users via RPC over HTTPS?
The problem, as I perceive it, is that there will be 2 listeners needed on port 443 now.
Is this possible?
Thanks!

(in reply to tshinder)
Post #: 39
RE: Discussion of OWA FBA Publishing article - 29.Jan.2005 6:54:00 PM   
come2

 

Posts: 7
Joined: 29.Jan.2005
From: Taiwan
Status: offline
Dear Tom, thanks for your document! And thanks for Hans' sharing! After I added an A record for my website, my OWA with SSL worked!

Thank you all of you very much!

quote:
Originally posted by tshinder:
Hi Hans,

You bet! Yes, the name on the "To" tab has to match the name on the certificate. Otherwise, you see the name mismatching error.

Thanks!
Tom


(in reply to tshinder)
Post #: 40