RE: Discussion about article on Publishing OWA using ISA Firewalls
RE: Discussion about article on Publishing OWA using IS... - 15.Apr.2006 7:57:39 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
ORIGINAL: phseven

Dear Tom,

Thank you for your input... I have to say that I am not sure what you mean by "user" certificate authentication in the Listener. Perhaps I should specify that I am using ISA 2004 and not ISA 2006.

To clarify... Without making any changes to the IIS settings or the ISA Rule, but ONLY the listener, I get the following results... I am hoping that these are enough to provide the magic aha! I know what's wrong.

OWA listener, preferences TAB. Enable SSL is ticked and a certificate selected. Under the Authentication window under this tab... Require all users to authenticate is NOT ticked.

If I select Basic .... I get a Login screen via https

If I select SSL Certificate ... I get a select certificate window, but then no login screen, and a 401 error.

If I select Integrated ... I get a Login screen saying "connecting to mail.company.com". I Login with domain\user. After some time a second login appears saying just 'mail.company.com'. I login here with user only (domain not mentioned) and get access !

If I login with OWA forms ... I get the login form, but followed by 403 forbidden error

So hopefully you can make something of the above.

Again, your continual help is greatly appreciated.

Many thanks
pH7

Hi pH7

What I'm not clear about is what type authentication do you want? Basic or user certificate authentication?

Thanks!
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Discussion about article on Publishing OWA using IS... - 15.Apr.2006 7:58:47 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
ORIGINAL: fsaifie

Dear Tom,

At first I would like to thank you for all your effort you have made to help thousands and thousands of people and making an IMPACT in an IT industry. You are the GURU and your book is like a BIBLE for ISA Server.

I have used many of your articles to perform several tasks in my ISA environment and successfully done it except Outlook Web Access publishing... I just don't know what the problem is ... I tried everything step by step from your articles, from books, from Microsoft documentation but I just can't...

If I do the Server Publishing of HTTPS Server and send it to my internal OWA server, it works. But SSL bridging with Mail server publishing does not. I did the Mail Server publishing with SSL bridging in test environment and it works... it is really weird for me.

Here is the summary:

Internal mail Server name: mailsrvr.companyname.com
External Server Name: mail.companyname.com
(internal and external company name are the same but server name is different)

External Name resolved to the ISA server public IP, which is bound to the external interface.

I have installed certificate authority, issued certificate for mail.companyname.com, export and import successfully (with private keys). In ISA machine personal certificate store I have the certificate mail.companyname.com, which I have imported and it is same like the external name (i.e. mail.companyname.com).

In Mail server publishing rule, I have given the same name in public, mail.companyname.com.

In ISA I have added this name to HOSTS file and resolve it to internal IP address. I have tested the resolution by pinging public name (mail.companyname.com) from ISA, it resolves it to internal IP which is 10.10.10.209.

FBA is disabled on Exchange 2003. And enabled in Web listener on ISA 2004.

Now when I try to connect from an external client, it gives me security warning for certificate that this CA is not in trusted. Once I click OK to proceed, it gives me this message...

Error Code 10061: Connection refused
Background: When the gateway or proxy server contacted the upstream (Web) server, the connection was refused. This usually results from trying to connect to a service that is inactive on the upstream server.

I also tried by deselecting FBA and choose basic but result is the same. I just really don't know what is the problem. As far as I am concerned, I am sure that I am doing the right steps in ISA because in test domain it works, but I don't know.

Please help me on this matter. I will really appreciate this. I have read all the messages in this section to see maybe I find the solution, but still I am unable to do so. For the time being I am using server publishing rule to publish my OWA until the problem is solved.

Please reply ASAP and once again thank you for your support.

Faisal

Hi Faisal,

I think you got this fixed. Right?

Thanks!
Tom
RE: Discussion about article on Publishing OWA using IS... - 16.Apr.2006 10:15:05 AM
fsaifie
Posts: 48
Joined: 23.Jul.2004
Status: offline
Yes Dr.... Thanks to you...
RE: Discussion about article on Publishing OWA using IS... - 20.Apr.2006 2:55:47 PM
phseven
Posts: 7
Joined: 15.Sep.2005
Status: offline
Dear Tom,

Sorry if I was not clear enough. Your question to me is...

What I'm not clear about is what type authentication do you want? Basic or user certificate authentication?

The answer... ....two factor authentication. (does that mean both !)

What I am after is the user to be first requested to supply a certificate. Then to sign on using a login screen.

As I understand it.. I have certificate which is not "user" specific, but for site access and encryption. Of course, I would like to create individual certificates per user, but I was not aiming for that at this time.

I hope this helps to clarify.

Many thanks
Ph7
RE: Discussion about article on Publishing OWA using IS... - 24.Apr.2006 5:14:20 AM
GuyE
Posts: 6
Joined: 19.Feb.2004
Status: offline
Hi Tom

Thanks for the article - you do a great job of simplifying complicated setups for the rest of us. I followed your instructions and can now make my setup work if I change a few things ... but I'm not sure that I should.

1. I got tripped by my Exchange server not using the ISA server as the default gateway to the internet. It is configured with a different default gateway address that points at another boundary router. If I change "Requests appear to come from the original client" to "Requests appear to come from the ISA Server" things work. As far as I can see the only downside is the Exchange logs always showing the same client details (ISA Server) instead of the true client details. Are there any other problems with this?

2. Forcing HTTPS connections to the Exchange server and allowing only Basic authentication works for both internal and external clients. I want my internal clients to use HTTP and not be prompted to authenticate so have added Windows Integrated to the \Exchange, \ExchWeb and \Public virtual folders (and left Basic there) so clients are "invisibly" authenticated with Windows Integrated. Both internal and external clients now work as I want them to. My thinking is that internal clients will use HTTP/Windows Integrated and the ISA Server will use HTTPS/Basic for external clients. Is this correct and are there any holes in this apart from the insecurity of internal clients using HTTP?

3. I work at a school and we subscribe to an external content filtering service to block unwanted web content. As such the Default Rule in the ISA Server's Web Chaining tab is set to "Redirect requests to a specified upstream server" with the necessary entries for the ISP's filtering server. But having this setting on breaks external OWA functionality. Why is this and how do I get around it?

Cheers
Guy
RE: Discussion about article on Publishing OWA using IS... - 25.Apr.2006 5:45:49 PM
gmatteson
Posts: 12
Joined: 29.Mar.2002
From: RI
Status: offline
Currently I have an Exchange 2003 Frontend that is being published by ISA 2004 with Forms based authentication enabled on ISA 2004. Is there a way to enable RPC over HTTP as well? I have added the /rpc/* path to the list of Exchange paths.

In addition, is there a way for me to redirect users to /exchange? With OWA being published by ISA users have to type in webmail.mydomain.com/exchange, whereas with just the front end, they are redirected to the sub directory.. any ideas?

Thanks,
- Gabe
RE: Discussion about article on Publishing OWA using IS... - 25.Apr.2006 11:51:19 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
ORIGINAL: phseven

Dear Tom,

Sorry if I was not clear enough. Your question to me is...

What I'm not clear about is what type authentication do you want? Basic or user certificate authentication?

The answer... ....two factor authentication. (does that mean both !)

What I am after is the user to be first requested to supply a certificate. Then to sign on using a login screen.

As I understand it.. I have certificate which is not "user" specific, but for site access and encryption. Of course, I would like to create individual certificates per user, but I was not aiming for that at this time.

I hope this helps to clarify.

Many thanks
Ph7

Hi pH7,

You can do this, and use a generic user certificate that all users will use. However, in order to get two factor auth in this scenario, you'll need the second authentication prompt to come from the Web server itself.

HTH,
Tom
RE: Discussion about article on Publishing OWA using IS... - 29.Apr.2006 1:10:39 AM
slim4ever
Posts: 3
Joined: 29.Apr.2006
Status: offline
Hi folks, I'm new here. If anybody can help me in my disaster plzzzzzzzzzzzzzzzzzzzzzzzzzzzz

Now I have front end and back end Exchange, also I have ISA 2004. I am trying to publish the OWA using the article Tom wrote. I made it 4 times but without any solution. The error I have is:

Network Access Message: The page cannot be displayed
Technical Information (for Support personnel)
Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 192.168.1.212
Date: 4/28/2006 10:50:58 PM
Server: nozha.agi.com
Source: proxy

I can connect on the website internally only but externally I can't at all. The reason to have the OWA with SSL is to use the RPC over HTTP. If somebody can help me plz, or if there is a way to use RPC over HTTP without SSL it will be better as I'm starting to die from this subject.

If somebody will answer me about the DNS stuff, what I made is like this: on my external DNS server I have an MX record for mail.hotelsarabia.com and a record that points to my public IP (router IP that makes NAT inside). On my internal DNS I have an A record for mail.hotelsarabia.com that points to the Exchange FE. I even tried this article: http://www.isaserver.org/pages/article_p.asp?id=1248 but with no use. Any help plz?
RE: Discussion about article on Publishing OWA using IS... - 29.Apr.2006 9:25:14 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Slim, If you have FBA enabled on the listener, you can't use RPC/HTTP. You'll need to use basic authentication. HTH, Tom
< Message edited by tshinder -- 30.Apr.2006 5:15:09 PM >
RE: Discussion about article on Publishing OWA using IS... - 30.Apr.2006 4:21:10 PM
slim4ever
Posts: 3
Joined: 29.Apr.2006
Status: offline
Thanks tshinder.

OK, now back to my scenario. I made everything in the document. I arrived to: it's working fine, the OWA from the Exchange front and from the ISA, but from outside when I enter the website it gives me a user name and password after telling me that I must accept the certificate. After that it gives you a page for 403 forbidden error?!

You can check by going to: https://mail.hotelsarabia.com/exchange
The user is test and the pass is test also.

Plz check and advise me what to do :S I'm so confused!
RE: Discussion about article on Publishing OWA using IS... - 30.Apr.2006 5:16:22 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Slim,

I made a typo in my previous answer. If you have FBA enabled on the listener, then you can't use that listener for RPC/HTTP.

HTH,
Tom
RE: Discussion about article on Publishing OWA using IS... - 12.Jul.2006 7:12:00 AM
wittalee
Posts: 6
Joined: 15.May2006
Status: offline
Hi Tom,

I have set up ISA2004EE with NLB. I have configured mail publishing. After letting the users use OWA and RPC for a while, I've faced a problem and tried to solve this thing out.

A user who is using OWA at the branch office gets 400 Bad request after he/she has been logged on to OWA for a while. He/she has to log out and log in to OWA again to send his/her e-mail. However, the Head office users are using OWA and RPC just fine.

So, do you think this is a problem of ISA2004EE with NLB configured?

Thanks
Witt
RE: Discussion about article on Publishing OWA using IS... - 12.Jul.2006 4:47:49 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
ORIGINAL: wittalee

Hi Tom,

I have set up ISA2004EE with NLB. I have configured mail publishing. After letting the users use OWA and RPC for a while, I've faced a problem and tried to solve this thing out.

A user who is using OWA at the branch office gets 400 Bad request after he/she has been logged on to OWA for a while. He/she has to log out and log in to OWA again to send his/her e-mail. However, the Head office users are using OWA and RPC just fine.

So, do you think this is a problem of ISA2004EE with NLB configured?

Thanks
Witt

Hi Witt,

How is the branch office connected to the main office?

Thanks!
Tom
Discussion about article on Publishing OWA using ISA Fi... - 3.Aug.2006 10:13:20 PM
rd03
Posts: 6
Joined: 3.Mar.2006
Status: offline
Hi Tom,

I have configured OWA Publishing as you have described in the following article: http://www.isaserver.org/articles/2004pubowartm.html

I have the following setup:

All servers run Windows Server 2003 R2.
I have one Exchange 2003 Frontend server and one Exchange 2003 Backend server. Exchange with SP2.
I have one DC with an Enterprise Root CA.
I run ISA 2004 with SP2.
I have configured split DNS (I have also tested HOSTS file).
I have one client on the external network. The client can resolve the OWA address with DNS (I tested also HOSTS file).
I have installed a cert on the Frontend server. I have exported the cert, as you described, and imported it in ISA 2004.
I have configured Forms-Based Authentication.
I access the OWA site with mail.company.com. The cert is configured with mail.company.com.
The public name in the Mail Server Publishing Rule is mail.company.com.
The name of the Web mail server in the Publishing Rule is mail.company.com.
It is possible to resolve the FQDN mail.company.com internally and externally.

If I try to connect from the external client to the OWA site I get the following error:

The page can not be displayed
Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.
Error Code: 404 Not Found. The requested item could not be located. (12028)

After I have removed the entry for mail.company.com from the HOSTS file I got the following error:

Error Code: 500 Internal Server Error. Internet Control Message Protocol (ICMP) network is unreachable. For more information about this event, see ISA Server Help. (10051)

After I have inserted the entry for mail.company.com in the HOSTS file I got the error message with the code 404 again.

The ISA server has no external DNS server configured. Without the entry in the HOSTS file it can ping mail.company.com.

I have also published the web enrollment site and obtained a cert for the client.

Any idea?

Thanx
Hans
RE: Discussion about article on Publishing OWA using IS... - 5.Aug.2006 8:15:06 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Hans, Sounds like a basic IP addressing problem. What is the IP addressing information on the ISA firewall's NICs and the FE Exchange Server? Thanks! Tom
RE: Discussion about article on Publishing OWA using IS... - 7.Aug.2006 3:31:53 PM
rd03
Posts: 6
Joined: 3.Mar.2006
Status: offline
Hi Tom,

first thanks for your answer!

The IP addressing information:

Client NIC: 172.16.1.100/16
ISA NIC Internet: 172.16.1.1/16
ISA NIC Internal: 10.0.0.4/24
Exchange FE NIC: 10.0.0.3/24

If I connect from the client to the OWA site I get the following log entries:

Log entry 1:
Destination IP: 172.16.1.1
Destination Port: 443
Protocol: HTTPS
Action: Initiated Connection
Rule:
Client IP: 172.16.1.100
Client:
Source: External
Destination: Local Host
Url:

Log entry 2:
Destination IP: 10.0.0.3
Destination Port: 443
Protocol: https
Action: Failed Connection
Rule: OWA
Client IP: 172.16.1.100
Client: anonymous
Source: External
Destination:
Url: http://mail.company.com:443/exchange

Log entry 3:
Destination IP: 172.16.1.1
Destination Port: 443
Protocol: HTTPS
Action: Failed Connection
Rule:
Client IP: 172.16.1.100
Client:
Source: External
Destination: Local Host
Url:

Thanks a lot!
Hans