RE: Discussion about article on Publishing OWA using ISA Firewalls
RE: pls help i'm facing a difficult problem - 24.Jan.2006 3:32:05 PM

tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Assmaa,

1. What is the EXACT configuration of your Web publishing rule?
2. What is the EXACT common/subject name on the Web site certificate used for the Web listener?
3. What is the EXACT common/subject name on the Web site certificate bound to the OWA Web site?

Thanks!
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Discussion about article on Publishing OWA using IS... - 25.Jan.2006 9:26:56 AM

assmaa
Posts: 2
Joined: 24.Jan.2006
Status: offline

Hi Mr. tshinder,

Thanks for your prompt email and your very useful article. As I said yesterday, assume the real IPs of my company were 192.168.0.2 and 192.168.0.3. There were two rules in ISA Server, one for excsrv and the other for excsrv2; the external network card on ISA has IP address 192.168.0.1 (real IP). The rule for excsrv accepts all incoming requests from anywhere to external IP 192.168.0.2, and the certificate was excsrv.mydomainname.local (that is in the listener). That was working when anyone accessed it from external as https://192.168.0.2/exchange, but when the IPs changed it doesn't work at all, even when I change the rule and make it work with http only. Likewise, there was a rule for excsrv2; the certificate was excsrv2.mydomainname.local and the external IP address for it was 192.168.0.3. The problem occurred when I changed the external IP addresses and the configuration of the DSL modem. What do you advise me? Thanks for your kindness.

Assmaa Kenawy
RE: Discussion about article on Publishing OWA using IS... - 25.Jan.2006 2:29:50 PM

pdsavard
Posts: 56
Joined: 16.Sep.2003
Status: offline

quote:
ORIGINAL: tshinder
Hi Mike, Even though you have different domain names, you still must create a split DNS infrastructure to make things work. And the next time you set up a new network, remember NEVER USE the .local domain EVER! HTH, Tom

Question out of subject: Do not use .local for the internal domain name? Why? I see many internal networks with this kind of internal domain name. What kind of name must we use?
RE: Discussion about article on Publishing OWA using IS... - 25.Jan.2006 8:12:47 PM

jle2005
Posts: 33
Joined: 19.Jan.2006
Status: offline

Hello Tom, Thank you for pointing me to your split DNS articles. However, I was wondering whether you have written any detailed tutorial about how to set up a split DNS infrastructure.
RE: Discussion about article on Publishing OWA using IS... - 25.Jan.2006 8:44:47 PM

tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

quote:
ORIGINAL: assmaa
Hi Mr. tshinder, Thanks for your prompt email and your very useful article. As I said yesterday, assume the real IPs of my company were 192.168.0.2 and 192.168.0.3. There were two rules in ISA Server, one for excsrv and the other for excsrv2; the external network card on ISA has IP address 192.168.0.1 (real IP). The rule for excsrv accepts all incoming requests from anywhere to external IP 192.168.0.2, and the certificate was excsrv.mydomainname.local (that is in the listener). That was working when anyone accessed it from external as https://192.168.0.2/exchange, but when the IPs changed it doesn't work at all, even when I change the rule and make it work with http only. Likewise, there was a rule for excsrv2; the certificate was excsrv2.mydomainname.local and the external IP address for it was 192.168.0.3. The problem occurred when I changed the external IP addresses and the configuration of the DSL modem. What do you advise me? Thanks for your kindness. Assmaa Kenawy

Hi Assmaa,
OK, but I really need to understand the exact configuration of your Web publishing rules, and the common/subject names on the certificates.
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Discussion about article on Publishing OWA using IS... - 25.Jan.2006 8:46:40 PM

tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

quote:
ORIGINAL: pdsavard
quote:
ORIGINAL: tshinder
Hi Mike, Even though you have different domain names, you still must create a split DNS infrastructure to make things work. And the next time you set up a new network, remember NEVER USE the .local domain EVER! HTH, Tom

Question out of subject: Do not use .local for the internal domain name? Why? I see many internal networks with this kind of internal domain name. What kind of name must we use?

Hi PD,
Of course you can use .local, but it creates many problems for administrators and users who host their own Web, Mail, FTP and other Internet accessible resources. I've completely stopped using .local and my life is easier, my users' lives are easier, and everybody is much more happy with the solutions.
HTH,
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Discussion about article on Publishing OWA using IS... - 6.Feb.2006 8:12:30 PM

jle2005
Posts: 33
Joined: 19.Jan.2006
Status: offline

Hello Tom, I'm trying to set up the split DNS infrastructure to publish OWA with ISA2004, so my internal and external users can access OWA regardless of their location. I've set up an Active Directory with DNS and installed Exchange 2003 on it, and joined the ISA2004 server to the domain. According to your "Getting Started Right with ISA2004" article, your recommendation was to point the DNS of the ISA2004 to the internal DNS server with internet access. I would like to know: do I need to set up another DNS server with internet access and point the ISA2004 DNS to this DNS server, or configure internet access for the Active Directory that I mentioned above and point the ISA2004 DNS to Active Directory for DNS queries? So, in order for me to implement the split DNS infrastructure successfully, I need to set up three DNS servers. Please let me know if this is right. Thanks Tom
RE: Discussion about article on Publishing OWA using IS... - 6.Feb.2006 10:35:42 PM

tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Jle,
You only need two DNS servers for a split DNS: one for your internal users and one that external users use. You can host the external DNS server at your ISP, or you can create a DNS server on a DMZ and put your external zone there. You can even put the external DNS server on the ISA firewall, but there are some tricks to making that work.
HTH,
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Discussion about article on Publishing OWA using IS... - 7.Feb.2006 5:15:24 PM

jle2005
Posts: 33
Joined: 19.Jan.2006
Status: offline

Hello Tom, I understand that I only need two DNS servers for a split DNS; however, I'm wondering where I should point my ISA2004 server for http DNS queries. My understanding is that I should not configure the DNS server on Active Directory to have direct access to the internet, but only to forward http requests to another internal DNS server with internet access configured. So, with this setting I believe that I need a DNS server on Active Directory for internal users, a DNS server for external users, and another internal DNS server with internet access configured so I can point my ISA2004 server DNS to this server. Please clarify whether this is the correct setting, Tom, and thank you very much.
RE: Discussion about article on Publishing OWA using IS... - 7.Feb.2006 5:55:15 PM

tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Jle,
OH! OK, I got it. Yes, that is best practice: your DNS resolver (for Internet connections) should not be the DC. What you can do here is create a caching-only DNS server on the ISA firewall itself and configure the DC DNS server to use that DNS server as a forwarder. That way, you prevent the AD DNS server from directly contacting Internet DNS servers and protect yourself against cache poisoning attacks. Then configure the internal interface of the ISA firewall to use the DC DNS server as its DNS server.
HTH,
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Discussion about article on Publishing OWA using IS... - 7.Feb.2006 9:26:50 PM

jle2005
Posts: 33
Joined: 19.Jan.2006
Status: offline

quote:
ORIGINAL: tshinder
Hi Jle, OH! OK, I got it. Yes, that is best practice: your DNS resolver (for Internet connections) should not be the DC. What you can do here is create a caching-only DNS server on the ISA firewall itself and configure the DC DNS server to use that DNS server as a forwarder. That way, you prevent the AD DNS server from directly contacting Internet DNS servers and protect yourself against cache poisoning attacks. Then configure the internal interface of the ISA firewall to use the DC DNS server as its DNS server. HTH, Tom

Tom, I'm sorry to keep bugging you about this, but I'm very confused about your suggestion above (create a cache-only DNS server on the ISA firewall), since the ISA firewall is not configured for a direct internet connection, because its Internal Network Interface and External Network Interface are not fully configured.

Internal NIC:
------------
IP: 192.168.0.x
Sub: 255.255.255.0
Default gateway: No
DNS: Use internal DNS Server

External NIC:
------------
IP: 63.252.x.x
Sub: 255.255.x.x
Default gateway: 63.252.x.x
DNS: No

So, what's the point of creating a cache-only DNS server on the ISA firewall when it cannot serve internet requests for my DC?
RE: Discussion about article on Publishing OWA using IS... - 8.Feb.2006 7:44:10 PM

tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Jle,
The DC doesn't need access to the Internet, it just needs access to the DNS listener on the ISA firewall. This allows the ISA firewall's caching only DNS server to perform recursion on behalf of the DNS server on the DC, and therefore allows the DC to resolve both internal and external names without requiring the DC to communicate with Internet DNS servers, and avoids risks related to DNS cache poisoning.
HTH,
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
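The DC-side configuration that Tom's two replies above describe (split DNS zone for internal users, plus forwarding to the caching-only DNS on the ISA firewall instead of contacting Internet DNS servers directly), as an added example that is not from the thread or from any ISAserver.org article. It uses the Windows Server 2003 dnscmd tool; the domain name example-corp.com and the addresses 192.168.0.1 and 192.168.0.10 are constructed placeholders.

```cmd
@echo off
REM Run on the internal DNS server (the DC). Constructed values:
REM   example-corp.com = the public domain name used for OWA (placeholder)
REM   192.168.0.10     = internal address of the Exchange/OWA server (constructed)
REM   192.168.0.1      = internal interface of the ISA firewall, where the
REM                      caching-only DNS server listens (constructed)

REM --- Split DNS: host an internal copy of the PUBLIC zone on the DC, so
REM --- internal clients resolve the OWA name to the private address.
REM --- External clients resolve the same name on the external DNS server
REM --- (at the ISP or in a DMZ) to the ISA firewall's public address.
REM --- Every public host (www, mail, ...) must also get a record here,
REM --- because internal clients will no longer see the public zone.
dnscmd /ZoneAdd example-corp.com /DsPrimary
dnscmd /RecordAdd example-corp.com owa A 192.168.0.10

REM --- Weak setting: no forwarders, so the DC resolves Internet names itself
REM --- via root hints and talks to arbitrary Internet DNS servers.
REM dnscmd /ResetForwarders

REM --- Corrected setting: forward every non-authoritative query to the
REM --- caching-only DNS on the ISA firewall and do NOT fall back to root
REM --- hints (/Slave = forward-only). The DC never contacts Internet DNS
REM --- servers, which is the cache-poisoning exposure Tom is removing.
dnscmd /ResetForwarders 192.168.0.1 /Slave

REM --- Drop answer records for names outside the queried domain
REM --- (the "secure cache against pollution" option).
dnscmd /Config /SecureResponses 1

REM --- Verify: forwarders, IsSlave and zone list are shown in the output.
dnscmd /Info
dnscmd /EnumZones
```

The internal interface of the ISA firewall is then pointed at the DC's DNS server, as the thread says, so the firewall's own name resolution for internal hosts goes through the DC while Internet recursion happens only in the firewall's caching-only server.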
RE: Discussion about article on Publishing OWA using IS... - 8.Feb.2006 8:50:53 PM

jle2005
Posts: 33
Joined: 19.Jan.2006
Status: offline

So, the ISA Firewall itself needs to have an internet connection, right?
RE: Discussion about article on Publishing OWA using IS... - 12.Feb.2006 7:24:45 PM

tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Jle,
That's why you need to configure the internal network DNS to use the caching-only forwarder as its forwarder for Internet based queries.
HTH,
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8