I found the article very useful, thanks. One additional question: we have a single Exchange server protected by a dual-homed ISA 2004 server. Is it possible, on the same fixed IP address that OWA FBA is now published on, to publish Exchange for Outlook users via RPC over HTTPS? The problem, as I perceive it, is that there will be 2 listeners needed on port 443 now. Is this possible? Thanks!
Yes, but you won't be able to use FBA if you only have a single IP address, unless you use the Kai Wilke trick we wrote about on this site.
Hello, I have some questions about the 2004owafba tutorial, because all requests are answered with the error code: 403 Forbidden ... (12202), and I think I have a failure on my certificate.
Can you say which names I have to use when the name of the local domain (where the Exchange server is included) is called "company", the Exchange and the CA server name is "exchange", my domain on the Internet is called "example.com" and the name of the ISA server is "isa"?
- local domain: "company"
- exchange and the CA server: "exchange"
- internet domain: "example.com"
- isa server: "isa"
Can you say which common name for the CA, which common name, which web mail server, which public name I have to use? Because I don't know if the name "owa" in the tutorial's example name owa.liran.org is the name of the server or a subdomain. Please help me, I'm a newbie!
Desperately seeking help for small educational charity. ISA 2000 as part of an SBS 2003 Premium setup (donated graciously by Microsoft). 12206 - proxy chain loop nightmare. Have an SSL Certificate and that is when this started. Trying to get to the root of it by reading every article around (host files, cache timing, routing et al), no luck, and the charity is losing donations and/or memberships when people get frustrated with this. Please offer some help and guidance. I'll check here but email@example.com is my address and would be beyond grateful if someone could send me some information.
I followed this article, but it isn't working from external. When I check the monitoring, it is like the rule isn't really listening. I get an error on 443, denied by default rule, although the OWA rule is at the top of the list... From my internal network, as from the ISA, I can access the OWA page without errors on the certificate, it has the same name, etc. When I do a ping from the ISA server to the OWA site, I get the correct internal address... I first tried to add a DNS entry for my internal network which points the OWA site to the correct address, but it doesn't work. I then tried it with the hosts entry -> not working. What am I doing wrong?
Just as a test, I tried and installed a new publishing rule for an HTTPS server, which became my OWA site. It now works... I don't really know what happens... It really seems that the HTTPS isn't listening while used with the mail servers wizard.
After following the tutorial "Step-by-Step: Publishing a Single Exchange 2003 OWA with ISA 2004 Firewall Forms Based Authentication" by Liran Zamir and doing some internal tests:
- accessing the OWA from the ISA server to the Exchange server using SSL
- testing the internal DNS owa.domainxpto.com that connects to the Exchange server
- testing the external DNS owa.domainxpto.com that connects to the ISA server

All worked OK.
But from the internet, after establishing the SSL connection with the ISA Server (accepting the owa.domainxpto.com certificate), the browser displays that "the page cannot be found"; "HTTP 404 - file not found"
From the ISA logs I notice that I only manage to make a SSL connection after applying a security rule that allows SSL connection between the exterior and the ISA server. There are no logs of the OWA Mail server created using the tutorial.
Am I missing something?
Thanks for any help!
ServerA with Exchange 2003
ServerB with ISA2004 Standard as a Single Network Adapter (Web proxy only)
From: Burlingame CA
Hello, hope you can help me re this article: Step-by-Step: Publishing a Single Exchange 2003 OWA with ISA 2004 Firewall Forms Based Authentication (http://www.isaserver.org/tutorials/2004owafba.html). I have followed this article pretty well but not sure where I have gone wrong or even if I have even made any mistakes. Basically I have the SSL working behind my firewall: when going to https://exchangeserver/exchange I get the certificate prompt, then get the form to login. I am able to login, so that is great. Also I can do the same logged in from the ISA Server desktop, so that's cool.
My problem is when using the FQDN logging in from the DMZ. I have a dedicated FQDN for my ISA server IP address. When entering the URL I get the certificate prompt (that is good), then I get the Outlook form to login but cannot login, and I am receiving the following dialog in red on the login form: "You could not be logged on to Outlook Web Access. Make sure your domain\user name and password are correct, and then try again." Needless to say my account credentials are fine, so I know it is not that. Any information on how to troubleshoot my authentication problem would be greatly appreciated.
I'm posting here to mention that there is another alternative to get Exchange up and running through ISA with more flexibility and less hassles.
1) Publish Exchange via the very helpful ISA 2004 wizard.
2) Use WebDirect to funnel requests from HTTP to HTTPS, and to add the /Exchange path if not present.
3) Use FlexAuth to provide seamless, customizable FBA as well as Basic Auth to your OMA/ActiveSync clients (all on the same listener!)
Also, if (for some reason) you cannot put your ISA into the domain, FlexAuth supports LDAP and LDAP-SSL as authenticators (so you can still use Windows groups and users in your access rules).
From: New Zealand
I read your article and have set up our FBA on ISA2004 connecting to our only Exchange server 2003.
From the internet, if I select the 'Basic' logon using FBA, everything works fine, can view everything.
If I select the 'Premium' logon it almost works. The problem here is that the actual messages are linked by our internal Exchange server's name (which is not known to an external client) instead of the internet common name. So the messages can't be viewed.
I have link translation turned on for the ISA publishing rule to translate internal name to external name but it doesn't touch these links.
Any ideas please?
Thanks, Bryce Stenberg Harness Racing New Zealand Inc. IT Department.
RE: Discussion of OWA FBA Publishing article - 11.Jul.2005 5:14:00 AM
Hello. I followed this article to publish my internal EXCH2K3 server as OWA server. The external clients come to the form-based authentication page, but when they enter their credentials, they receive a 403 error. Not authorized. The server refused the URL. There is no problem from the ISA server (except that from it, there is no form-based authentication, but that is natural). Thanks!
RE: Discussion of OWA FBA Publishing article - 11.Jul.2005 5:21:00 AM
More precisions. If I configure my Exchange not to use SSL authentication, and publish the OWA server so that I have no SSL between the Exchange and the ISA, everything is fine. So I think I did it wrong between the ISA and the Exchange?
Hi guys, I followed the steps, but I have already generated a certificate with IIS 6 Resource Kit Tools - SelfSSL. And the place of the certificate is in the personal place. Then I exported it and I imported it in the ISA 2004. And when I reached the New Listener wizard and checked SSL and then Select certificate, it says that I must install at least one identical certificate on each member machine. Why is that?... I have an identical certificate on both machines!
I've followed the instructions but it does not work for me. I can access the form-based page from the outside, but when I try to log on I get the following message: "You could not be logged on to Outlook Web Access. Make sure your domain\user name and password are correct, and then try again."
Solved, but since I haven't been able to find this (although it may be because of my bad English, because I'm French and I wasn't a good student :-) ) I will explain my case...
I followed that great tutorial and then when I tried to authenticate... it came back to my authentication form without any error message. And it does this when I type correct information as well as when I type incorrect information...
I've looked everywhere on the Internet without finding my answer... I've tried undoing all my configuration (which led me to errors in my AD about certificates which I haven't solved totally, for example my second DC seems to be unable to enroll a certificate).
It was really simple... It was only the checkbox saying (from French to English) "demands seem to come from ISA server" which was checked in the rule. After moving it to "demands seem to come from the original client" it started working fine...
That was my previous version of my post... It doesn't work anymore!!!
It loops again on the form authentication page. I've checked everything. Remade my rule.
(I work with an SBS 2003 SP1 with Exchange OWA form and my certification authority, and another server 2003 SP1 Standard with ISA 2004 SP2 on it)
< Message edited by cyrcocq -- 5.Jun.2006 6:20:38 PM >
Our configuration is:
- Cluster Windows Server 2003 and Exchange 2003 BE
- Windows 2003 Server as FE
- ISA 2004 SP2

I also want to use HTTP and HTTPS for the OWA external users, and I want to use the FBA of ISA. With HTTP, all works. On HTTPS, I receive the certificate, then I arrive at the FBA for the login and I insert my username and my password, but I receive this error:
Error Code: 500 Internal Server Error. The network logon failed. (1790)
I can't understand where the problem is.