Welcome to ISAserver.org
RE: Discussion about article on Publishing OWA using ISA Firewalls
RE: Discussion about article on Publishing OWA using IS... - 22.Feb.2006 11:29:29 PM
jmercer54
Posts: 85
Joined: 25.Oct.2004
From: NY
Status: offline
Hi, Tom - I still can't get this to work, but I have (at least) gotten some rather mysterious logging transactions off the ISA server for people to look at... if you could please check them out at http://forums.isaserver.org/fb.aspx?m=2002008539 and share any insights into what's happening, I'd appreciate it very much. Thanks!
RE: Discussion about article on Publishing OWA using IS... - 27.Feb.2006 8:18:55 PM
avitelli
Posts: 8
Joined: 27.Feb.2006
Status: offline
Hi Tom, I have 2 ISA 2004 servers in an NL configuration, in front of my Exchange front ends (also 2 in an NLB config). To implement SSL on this configuration, how many certs would I need? One for each front end or just one? Thanks! Anthony
RE: Discussion about article on Publishing OWA using IS... - 14.Mar.2006 9:21:12 PM
BlakeD
Posts: 22
Joined: 8.Mar.2004
From: Okmulgee, OK
Status: offline
Tom- I'm attempting to follow along this article (and will eventually make use of several of your related articles to this) but seem to have run into a problem. I'm at the point of forcing SSL connections on the directories OWA users will access through the ISA server. Step 2 says: "Click the Directory Security tab in the Exchange Properties dialog box. Click the Edit button in Secure communications frame"; however, all the options for Secure Communications are greyed out. I generated the certificate, and exported it per the article directions to the root of C:, and have copied that file to the root of C: on the ISA server. Also, I was wondering if it would be detrimental to enable both Integrated and Basic on the /Exchange, /Exchweb, and /Public subdirectories. The article recommends Basic since the authentication will still be encrypted by SSL, but I was wondering if it would break it to actually use both. Thanks in advance, Blake D.

RESOLVED: - You really do have to do it from the Exchange server itself. I was connecting with my IIS-MMC on my workstation to the Exchange server and it was greying out the Secure Communications options. When I logged on at the console - Bingo! Secure Communications options weren't greyed out. --Blake D.
< Message edited by BlakeD -- 14.Mar.2006 9:53:39 PM >
RE: Discussion about article on Publishing OWA using IS... - 21.Mar.2006 3:02:25 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Marvin, What is the exact configuration of your Web Publishing Rule? On what machine did you make the configuration changes to the HOSTS file? Thanks! Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Discussion about article on Publishing OWA using IS... - 21.Mar.2006 4:12:58 PM
marvinc
Posts: 20
Joined: 7.Oct.2004
From: Atlanta, GA
Status: offline
Tom, I managed to finally get it working after making some DNS changes. The only issue I'm having now is figuring out how to resolve the following alert that appears on my cert: The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. On a side note I'd also like to know if you know of any articles that discuss configuring the Treo or any other PDA device using Active Sync on ISA2K4 and Exchange 2k3? Thanks again for the reply.
RE: Discussion about article on Publishing OWA using IS... - 26.Mar.2006 6:50:37 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Marvin, I've configured a couple of dozen ISA firewalls to support OMA/ActiveSync, including the one in my own office. Pretty easy from the ISA firewall side, and the instructions are in the book. You need to make sure you get the CA certificate installed on the Windows Mobile 2003 client. Haven't worked with WM 5.0 -- been hearing a lot of bad scary things about it, but those might just be rumors. Tom
RE: Discussion about article on Publishing OWA using IS... - 31.Mar.2006 5:53:55 PM
phseven
Posts: 7
Joined: 15.Sep.2005
Status: offline
Dear Tom, I have gained a lot of knowledge from your articles. Thank you. This particular article has got me to the point where I can log in with a secure ssl connection, and authenticate with a username and password. However, I am unable to get two factor authentication to work in this scenario. I was hoping to have the client be requested to present a previously provided certificate as authentication one, and username / password as authentication two. If I insist on Require a certificate from the iis server then internal clients get asked for a certificate, but external clients on the outside of the isa box stop working. Can you advise. Many thanks.
RE: Discussion about article on Publishing OWA using IS... - 1.Apr.2006 8:53:37 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Neutral pH, The ISA firewall will not pass the certificate to the Web site. Best way to go is to configure the ISA firewall to require a user certificate and then configure the Web site to use another form of authentication. ISA 2006 supports Kerberos constrained delegation, which will fix the double auth issue. HTH, Tom
RE: Discussion about article on Publishing OWA using IS... - 3.Apr.2006 2:36:40 PM
phseven
Posts: 7
Joined: 15.Sep.2005
Status: offline
Dear Tom, Thank you for your reply. As the certificate is not forwarded by ISA, I see why it could not work. However I am experiencing a difficulty in getting your suggestion to work. If you have an idea of where I might be going wrong, it would be greatly appreciated. I have set the ISA listener Authentication to SSL Certificate. The issue is the "Require all users to Authenticate" option.

UNticked, I get an SSL connection, and an authentication request. The ISA log shows the allowed connection.

TICKED, I get an authentication request to supply a Client certificate. I select the client certificate, and then get a 401 Unauthorised error. While this may be technically correct, I am not given an authentication page to complete. The ISA log shows a denied connection.

How do I get the Authentication request to appear? Many thanks for any input. regards pH7
RE: Discussion about article on Publishing OWA using IS... - 4.Apr.2006 3:24:01 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi pH7, You don't need to select the authenticate checkbox. Just make sure the rule is configured for authenticated users (All Users is anonymous, which you don't want). HTH, Tom
RE: Discussion about article on Publishing OWA using IS... - 4.Apr.2006 6:26:46 PM
phseven
Posts: 7
Joined: 15.Sep.2005
Status: offline
Dear Tom, Your help is getting me closer... I have now deselected the Authenticate box. If as you say "All users" is selected in the Users tab, then anonymous authentication takes place. No request to supply a certificate is given, and no login screen is displayed. Straight into the web page. If I remove the "All Users" then... I DO get a request to supply a certificate, BUT still NO login screen is displayed, and a 401 error. I have created a New User Group called OWA users, and associated it with a Domain User Group. (I did have a Radius group setup, but I believe we are bypassing that option here.) Still I get no login screen. As always your help and input is greatly appreciated. regards pH7
RE: Discussion about article on Publishing OWA using IS... - 5.Apr.2006 6:27:41 PM
phseven
Posts: 7
Joined: 15.Sep.2005
Status: offline
Dear Tom, Thank you for your input... I have to say that I am not sure what you mean by "user" certificate authentication in the Listener. Perhaps I should specify that I am using ISA 2004 and not ISA 2006. To clarify... Without making any changes to the IIS settings or the ISA Rule, but ONLY the listener, I get the following results... I am hoping that these are enough to provide the magic aha! I know what's wrong.

OWA listener, preferences TAB. Enable SSL is ticked and a certificate selected. Under the Authentication window under this tab... Require all users to authenticate is NOT ticked.

If I select Basic ... I get a Login screen via https.
If I select SSL Certificate ... I get a select certificate window, but then no login screen, and a 401 error.
If I select Integrated ... I get a Login screen saying "connecting to mail.company.com". I login with domain\user. After some time a second login appears saying just 'mail.company.com'. I login here with user only (domain not mentioned) and get access!
If I login with OWA forms ... I get the login form, but followed by a 403 forbidden error.

So hopefully you can make something of the above. Again, your continual help is greatly appreciated. Many thanks pH7
RE: Discussion about article on Publishing OWA using IS... - 9.Apr.2006 5:47:40 PM
fsaifie
Posts: 48
Joined: 23.Jul.2004
Status: offline
Dear Tom, At first I would like to thank you for all the effort you have made to help thousands and thousands of people and making an IMPACT in the IT industry. You are the GURU and your book is like a BIBLE for ISA Server. I have used many of your articles to perform several tasks in my ISA environment and successfully done it, except Outlook Web Access publishing... I just don't know what the problem is... I tried everything step by step from your articles, from books, from Microsoft documentation, but I just can't... If I do the Server Publishing of HTTPS Server and send it to my internal OWA server, it works. But SSL bridging with Mail server publishing does not. I did the Mail Server publishing with SSL bridging in a test environment and it works... it is really weird for me.

Here is the summary:
Internal mail server name: mailsrvr.companyname.com
External server name: mail.companyname.com (internal and external company name are the same but server name is different)
External name resolved to the ISA server public IP, which is bound to the external interface.

I have installed a certificate authority, issued a certificate for mail.companyname.com, and exported and imported it successfully (with private keys). In the ISA machine personal certificate store I have the certificate mail.companyname.com, which I have imported, and it is the same as the external name (i.e. mail.companyname.com). In the Mail server publishing rule, I have given the same name in public, mail.companyname.com. In ISA I have added this name to the HOSTS file and resolve it to the internal IP address. I have tested the resolution by pinging the public name (mail.companyname.com) from ISA; it resolves it to the internal IP, which is 10.10.10.209. FBA is disabled on Exchange 2003, and enabled in the Web listener on ISA 2004. Now when I try to connect from an external client, it gives me a security warning for the certificate that this CA is not trusted. Once I click OK to proceed, it gives me this message...

Error Code 10061: Connection refused
Background: When the gateway or proxy server contacted the upstream (Web) server, the connection was refused. This usually results from trying to connect to a service that is inactive on the upstream server.

I also tried by deselecting FBA and choosing Basic, but the result is the same. I just really don't know what the problem is. As far as I am concerned, I am sure that I am doing the right steps in ISA because in the test domain it works, but I don't know. Please help me on this matter. I will really appreciate this. I have read all the messages in this section to see if maybe I could find the solution, but still I am unable to do so. For the time being I am using a server publishing rule to publish my OWA until the problem is solved. Please reply ASAP and once again thank you for your support. Faisal
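Added example, not part of any post in this thread: a ping shows only that a name resolves and the host answers ICMP, while error 10061 is a refused TCP connection, so this Python sketch probes the published name the way a bridging proxy reaches it (name resolution including the HOSTS file, TCP connect, TLS handshake with name checking). The function name `check_upstream`, its parameters and the status strings are hypothetical; the host name and IP in the usage lines are the ones quoted in the post above.

```python
import socket
import ssl

def check_upstream(name, port=443, expected_ip=None, cafile=None, tls=True, timeout=3.0):
    """Probe a published server the way an SSL-bridging proxy would reach it."""
    result = {"name": name, "port": port}
    try:
        ip = socket.gethostbyname(name)  # uses the system resolver, HOSTS file included
    except socket.gaierror as exc:
        result.update(status="dns_failure", detail=str(exc))
        return result
    result["ip"] = ip
    # False here means the proxy is bridging to a different address than intended
    result["ip_matches"] = expected_ip is None or ip == expected_ip
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except ConnectionRefusedError:
        # Same condition as Winsock error 10061: nothing is listening on ip:port
        result["status"] = "refused"
        return result
    except OSError as exc:  # timeouts, no route, filtered port
        result.update(status="unreachable", detail=str(exc))
        return result
    with sock:
        if not tls:
            result["status"] = "open"
            return result
        # cafile: PEM file of the private CA that issued the server certificate
        ctx = ssl.create_default_context(cafile=cafile)
        try:
            with ctx.wrap_socket(sock, server_hostname=name) as tls_sock:
                result.update(status="tls_ok", tls_version=tls_sock.version())
        except ssl.SSLCertVerificationError as exc:
            # Untrusted issuer, expired certificate, or name not in the certificate
            result.update(status="cert_rejected", detail=exc.verify_message)
        except (ssl.SSLError, OSError) as exc:
            result.update(status="tls_failure", detail=str(exc))
    return result

if __name__ == "__main__":
    # Values quoted in the post above; "internal-ca.pem" is a placeholder path
    print(check_upstream("mail.companyname.com", 443,
                         expected_ip="10.10.10.209", cafile="internal-ca.pem"))
```

Run it on the proxy itself, since that is the machine whose HOSTS file and routing decide where the bridged connection goes.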