RE: Discussion about article on Publishing OWA using ISA Firewalls
RE: Discussion about article on Publishing OWA using IS... - 11.Dec.2004 9:30:00 PM
joestern
Posts: 3
Joined: 11.Dec.2004
From: Philadelphia, PA
Status: offline
Got over a stumbling block -
We had been running OWA on Exchange 2003 behind ISA 2000 for some time. Today we upgraded to ISA 2004, and had trouble with OWA. We could see the initial login screen but could get no further. I stepped through every one of Tom's instructions, but could not proceed.
I then checked MS's instructions on enabling OWA in ISA 2004 and remembered that we were using Forms-Based Authentication on Exchange. You can't use forms-based authentication on both Exchange and ISA at the same time! I had to go into my Exchange System Manager and turn it off.
The tradeoff is that I get authentication at the edge of my network now, but have lost the compression that I had before. I will need to evaluate the perceived speed of OWA to decide if I want to go back to the way things were before.
Note that when you make this change, MS recommends some cache rules. Check out http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/owapublishing.mspx for the dirty details.
I hope this helps the upgraders out there.
RE: Discussion about article on Publishing OWA using IS... - 12.Dec.2004 1:16:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Joe,
That's right. You definitely cannot run FBA on both the Exchange Server and the ISA firewall. One or the other.
The cache rules are interesting because I've never implemented them, and never had any problems. YMMV.
HTH, Tom
RE: Discussion about article on Publishing OWA using IS... - 16.Dec.2004 3:55:00 PM
2nd-protocol
Posts: 3
Joined: 16.Feb.2004
From: UK
Status: offline
Good Afternoon Tom,
I am stuck with a puzzling issue after setting up an OWA 2003 box to go through ISA 2004 as per your article. I have ISA 2004 - Exchange 2003 FE - Multiple Exchange 2003 BE
Step 29 reads: In the OWA Web site Properties dialog box, click the To tab. On the To tab, select the "Requests appear to come from the original client" option.
When I set the radio button for this option and apply the change, I can no longer get to my OWA front-end server. It produces an "object not found" error. I don't even get the Authentication page. If I set the option back to "Appear to come from this server", everything is OK again.
Any idea where I should start looking for the cause of this one?
Also, is the note about anonymous permissions on Exchweb of any consequence? It is detailed in the MS document "Outlook Web Access Server Publishing in ISA Server 2004" http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/owapublishing.mspx
Thanks
Clive
RE: Discussion about article on Publishing OWA using IS... - 28.Dec.2004 2:10:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Clive,
I've always wondered about the anonymous permissions issue -- it doesn't sound like a good security posture and I've never required it, so I don't do it. Though YMMV.
If you use the "requests appear to come from original client" option, make sure that any host that responds to these communications is configured as a SecureNAT client.
HTH, Tom
RE: Discussion about article on Publishing OWA using IS... - 16.Feb.2005 5:15:00 PM
johnnynjr
Posts: 2
Joined: 16.Feb.2005
From: Minnesota
Status: offline
In this article you use an internal certificate authority. My OWA server currently has a Thawte certificate bound to it so that it can have trusted access to an outsourced cell phone e-mail provider. Currently, the certificate does not allow export of the public key. I think I can reregister the certificate to allow the export of the public key. Can this certificate be imported to the ISA server? Has anyone done this? I have the proper split DNS setup and the names match.
RE: Discussion about article on Publishing OWA using IS... - 18.Feb.2005 10:24:00 AM
Snowfresh
Posts: 31
Joined: 18.Feb.2005
Status: offline
quote: Originally posted by tshinder: Hi Mike,
Even though you have different domain names, you still must create a split DNS infrastructure to make things work. And the next time you set up a new network, remember NEVER USE the .local domain EVER!
HTH, Tom
Hi Thomas,
Why can't you use .local for your internal network?
regards, Remy
RE: Discussion about article on Publishing OWA using IS... - 18.Feb.2005 5:57:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Snow,
You can, but your life will be more complicated. Better to do it right.
HTH, Tom
RE: Discussion about article on Publishing OWA using IS... - 22.Feb.2005 7:49:00 PM
vastconspiracy
Posts: 2
Joined: 22.Feb.2005
Status: offline
I have OWA on Exchange 2003 published via ISA 2004, and it's working perfectly, except for one issue. It's described in this article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;837865
I'm trying to implement the workaround mentioned here (see steps below), but get stuck at step 4. When I go to the Traffic tab, the Filtering button is greyed out. Any ideas why?
1. Start the ISA Server Management tool.
2. Expand ServerName, where ServerName is the name of your ISA Server computer.
3. Click Firewall Policy, click the Web publishing rule that you created to publish the Exchange Server computer for access by OWA users, and then click Edit Selected Rule.
4. Click the Traffic tab, click Filtering, and then click Configure HTTP.
5. Click to clear the Block high-bit characters check box, and then click OK two times.
6. Click Apply to update the firewall policy, and then click OK.
RE: Discussion about article on Publishing OWA using IS... - 22.Feb.2005 10:24:00 PM
Tuberider
Posts: 1
Joined: 22.Feb.2005
From: Belgium
Status: offline
Excellent article! OWA through ISA2004 is working. Currently using https://owa.company.com/exchange as URL. How can I configure ISA2004 so that https://owa.company.com is working (without /exchange)? Easier URL to remember for end users.
Thanks Hans Peeters
RE: Discussion about article on Publishing OWA using IS... - 23.Feb.2005 3:48:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by vastconspiracy: I have OWA on Exchange 2003 published via ISA 2004, and it's working perfectly, except for one issue. It's described in this article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;837865
I'm trying to implement the workaround mentioned here (see steps below), but get stuck at step 4. When I go to the Traffic tab, the Filtering button is greyed out. Any ideas why?
1. Start the ISA Server Management tool.
2. Expand ServerName, where ServerName is the name of your ISA Server computer.
3. Click Firewall Policy, click the Web publishing rule that you created to publish the Exchange Server computer for access by OWA users, and then click Edit Selected Rule.
4. Click the Traffic tab, click Filtering, and then click Configure HTTP.
5. Click to clear the Block high-bit characters check box, and then click OK two times.
6. Click Apply to update the firewall policy, and then click OK.
Hi Vast,
Right click the rule and click "configure HTTP" and fix it there.
HTH, Tom
RE: Discussion about article on Publishing OWA using IS... - 28.Feb.2005 3:44:00 PM
vastconspiracy
Posts: 2
Joined: 22.Feb.2005
Status: offline
I don't have that option when right-clicking the rule. Maybe it's different from ISA 2000 to ISA 2004? I can click "Properties," then go to the Traffic tab, but the Filtering button is still greyed out.
RE: Discussion about article on Publishing OWA using IS... - 1.Mar.2005 1:57:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Vast,
We're only talking about the new ISA firewall here.
HTH, Tom
RE: Discussion about article on Publishing OWA using IS... - 6.May2005 8:15:00 PM
PCC
Posts: 185
Joined: 13.Nov.2001
From: Michigan
Status: offline
I'm having a similar problem as the first post in this thread but can't seem to resolve it. I'm running Exchange 2003 SP1 on a Win 2K3 box and ISA 2004 SP1 on a Win 2K3 SP1 box.
I'm using an edited hosts file instead of a split DNS because we don't control our external name space. I can access the OWA site just fine from the ISA server itself. But not from a client. From a client I'm getting an error page that says:
Network Access Message: The page cannot be displayed
Technical Information (for Support personnel)
Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 192.168.1.1
Date: 5/6/2005 5:16:01 PM
Server: isa.company.internal
Source: proxy
I have tried it with and without FBA and get the same results. I have also tried setting everything to anonymous access and also get the same results. Any suggestions would be appreciated.
Pete
RE: Discussion about article on Publishing OWA using IS... - 7.May2005 5:40:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Pete,
It sounds like the name on the Public tab in the OWA Web Publishing Rule is incorrect.
HTH, Tom
RE: Discussion about article on Publishing OWA using IS... - 10.May2005 12:28:00 AM
PCC
Posts: 185
Joined: 13.Nov.2001
From: Michigan
Status: offline
Hi Tom, Thanks for the reply.
Let me elaborate on this a little more. I can access the site from the ISA server itself or from an external client. But I can't get to it from an internal client. It's like the ISA server isn't reading the hosts file when an internal client requests the site or something.
I have a similar situation with a published web site. I can get to it from the ISA Server itself but not from any clients, internal or external. I get the same error I mentioned above.
Any ideas?
Thanks, Pete [ May 10, 2005, 05:49 PM: Message edited by: PCC ]
RE: Discussion about article on Publishing OWA using IS... - 10.May2005 1:16:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Pete,
You should use Direct Access for internal sites. Check out the two part series I did on this site on Direct Access for details. The key is that protected clients should not loop back through the ISA firewall for internal resources.
HTH, Tom
RE: Discussion about article on Publishing OWA using IS... - 12.May2005 2:13:00 PM
PCC
Posts: 185
Joined: 13.Nov.2001
From: Michigan
Status: offline
I am set up for direct access. And I have read the articles. I'll have to read them again though just to refresh my memory.
I do have a question regarding a split DNS if that is ok since it is related to this problem?
Our internal domain name is "company.internal"; our external domain name is "company.com" and is controlled by our ISP. I'm currently using a hosts file on our ISA server, but is it possible to just set up a DNS forward lookup zone for our "company.com" domain on our internal DNS server? And if this is possible, do I need to add all DNS records or just the ones that I want to control for internal access?
Thanks for all the help. Pete [ May 13, 2005, 08:30 PM: Message edited by: PCC ]
RE: Discussion about article on Publishing OWA using IS... - 5.Jul.2005 12:56:00 PM
Rock-HOG
Posts: 2
Joined: 5.Jul.2005
From: Tucson
Status: offline
Dear Tom, I have recently deployed ISA 2004 and with the help of your book and the articles on the Internet you have helped me a great deal. I would like to say thank you for the time and effort that you put in to help others learn ISA Server. That being said, I have one last issue with ISA that seems to be a thorn in my side. I followed your article as well as Microsoft's to the "T" and I still cannot get OWA to work through the proxy. I can get the logon page and I enter my logon and receive a "403 forbidden" after the logon page goes away. On the Proxy under logging I see the connection and when I enter my user name and password I see my user name in the log but it puts me in the default enterprise rule. In the log it says that I get a "12210 the isa server denied the specified URL". Not sure what I am doing wrong but would appreciate the help. Thanks again.
RE: Discussion about article on Publishing OWA using IS... - 7.Oct.2005 10:17:00 PM
aje
Posts: 8
Joined: 13.Jan.2005
Status: offline
quote: NEVER USE the .local domain EVER!
Why should you never use the .local domain? I have read a few MS KBs that suggest it.
Thanks, Adam
RE: Discussion about article on Publishing OWA using IS... - 26.Dec.2005 1:25:38 PM
yba
Posts: 12
Joined: 24.May2005
Status: offline
Sorry, a mistake
< Message edited by yba -- 26.Dec.2005 2:42:17 PM >