RE: Discussion about article on Publishing OWA using ISA Firewalls
RE: Discussion about article on Publishing OWA using IS... - 9.Aug.2006 3:38:16 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Hans, OK, that wasn't too helpful. What I need to know now are the REAL names on the "To" and "Public Name" tabs. Thanks! Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Discussion about article on Publishing OWA using IS... - 10.Aug.2006 7:46:31 PM
rd03
Posts: 6
Joined: 3.Mar.2006
Status: offline
Hi Tom, Sorry. The names on the "To" and "Public Name" tabs are the same. In my case mail.company.com. Thanks! Hans
RE: Discussion about article on Publishing OWA using IS... - 17.Aug.2006 5:06:10 PM
filou
Posts: 2
Joined: 17.Aug.2006
Status: offline
Hi Tom,

first of all I'd like to thank you for your great effort ;) I've studied your whole conversation with ph7 because I'm experiencing the same problem, but I hope I can express myself better than he could :).

So again: I have published OWA through an ISA 2004 (now 2006 but still having the same problems). The ISA is placed in a DMZ behind another (HW-) Firewall. HTTPS Port is closed (but I have opened another one for that). In the Publishing Rule I've defined a Listener that listens on Port 443. The Authentication Method is SSL Certificates (only). The other configuration works well (I tested Port Redirection etc.). In the Internal Network is the Exchange Server and an Enterprise Root CA from which I get my Certificates. I've installed all the Certificates on the ISA.

...the Plan
When I browse the ISA Server I should be asked for a certificate. After specifying the right certificate I should get the OWA FBA (provided by the IIS itself and NOT by the ISA Server).

...the Problem
When I browse the ISA Server IE asks me for a Client Certificate (a valid) and then returns me a 401 Message [Error Code: 401 Unauthorized. The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. (12209)]. If I set Users to "All users" it works, as well as if I change the Authentication Method. That's really strange because it seems as if I did everything right. Very few users are experiencing the same problem. Do you know what I could do?

Thanks a lot for your help!
Filou
RE: Discussion about article on Publishing OWA using IS... - 21.Aug.2006 5:01:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Filou, Before trying to get user certificate authentication to work, try something easier like forms-based authentication. Once you get that working you can tackle the user certificate method of authentication. HTH, Tom
RE: Discussion about article on Publishing OWA using IS... - 25.Aug.2006 2:43:06 AM
tech_dnk
Posts: 11
Joined: 14.Aug.2006
Status: offline
Hi Tom,

I removed the non-secure OWA Web Publishing Rule, but it still doesn't work and I get the same message "The page can not be displayed… Error code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)" when I use https://outlook.xxxxxx.com to connect to the OWA server from outside of my office; but I can see the (SSL Secured Lock) appear in the bottom right hand side corner.

I started the query and checked the logging; one of those log entries is as follows:

Log Time: 8/21/2006 2:41:24PM
Destination IP: 65.243.1.6
Destination Port: 443
Protocol: https
Action: Denied Connection
Rule: Default
Client User Name: Amonymous
Source Network: External
HTTP Methord: GET
URL: HTTP://outlook.xxxxxx.com/

--------------------------------------------

I don't know, if I use ISA 2004 to publish the OWA, do I need to remove the certificate from the Exchange Front-end Server, or do I need to restart IIS on the Front-end server? The certificate in the ISA 2004 is exported from the Exchange Front-end Server. It means both servers use the same certificate right now.

ISA 2004 contains only one OWA Secure Publishing Rule and two Web Publishing Rules. These two Web Publishing Rules are working fine; I can access our company website from outside of my office. The only problem is that the OWA Publishing Rule still does not work.

=====================================================================

In my old ISA Server 2000, I did not import any certificate on it; the certificate just remained on the Exchange Front-end Server; but I can connect to OWA through ISA Server 2000 using either http://outlook.xxxxxx.com or https://outlook.xxxxxx.com. It means nothing is wrong with the Exchange Front-end server.

========================================================================

So, I keep only the OWA Publishing Rule in ISA 2000 temporarily; but I have to move it to the new ISA Server 2004, the same as the Web Publishing.

Please help!!! Please help!!!

Thank you so much, Alan
RE: Discussion about article on Publishing OWA using IS... - 28.Aug.2006 10:13:03 AM
filou
Posts: 2
Joined: 17.Aug.2006
Status: offline
Hi Tom, Well, I've implemented it now in a different way. It works pretty well with the ISA as a second Firewall (Bypassing the other) on being a Domain Member. I just did it based on another great HowTo of yours :D Thanks a lot for everything, Filou
RE: Discussion about article on Publishing OWA using IS... - 28.Aug.2006 3:24:26 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tech, I don't think you were using a secure configuration in your ISA 2000 config if you didn't use SSL to SSL bridging. With ISA 2004, bind the Web site certificate to the Web listener used to publish the OWA Web site. HTH, Tom
RE: Discussion about article on Publishing OWA using IS... - 30.Aug.2006 1:57:49 AM
tech_dnk
Posts: 11
Joined: 14.Aug.2006
Status: offline
Hi Tom,

I appreciate that you keep replying; however, the problem is still there. Let me clarify the existing configuration.

ISA Server 2004 Standard edition, which is running on W2K3 with two NICs

Internal
IP: 10.168.0.X
Subnet Mask: 255.255.0.0
Default Gateway: (Blank)
DNS: (Blank)
---------------
External
IP: 65.243.1.X
Subnet Mask: 255.255.255.X
Default Gateway: 65.243.1.X
DNS: 198.6.1.195
Additional External IP: 65.243.1.x (this IP has been registered with the ISP and can be resolved to outlook.xxx.com)
----------------------
Exchange 2000 Front-end Server, which is running on W2K
IP address: 10.168.0.X
Subnet Mask: 255.255.0.0
Default Gateway: 10.168.0.X
DNS: 10.168.0.X
---------------------------------------
I do have a separate Domain Controller that acts as DNS server and DHCP server.
------------------------------------
The VeriSign certificate has been installed on the Exchange Front-end Server. I exported the certificate from the Exchange Front-end server and imported the certificate to ISA 2004. It means both servers have the same certificate right now.

I followed the "Publishing OWA Site using ISA Firewall Web Publishing Rules (2004)" Version 1.1 documentation, which is downloaded from ISAserver.org. The configuration is as follows:

Action: Allow
From: Anywhere
To: outlook.xxxxxx.com
Traffic: HTTPS
Listener Properties:
  External IP: 65.243.1.x
  Certificate: outlook.xxxxxx.com
  Authentication Methods: OWA Form-Based
  Port(HTTPS): 443
  Port(HTTP): Disable
Bridging: Redirect request to SSL Port 443 (Web Server Check Mark is already checked)
Public Name: outlook.xxxxxx.com
Paths: /exchange/* /exchweb/* /public/*
-----------------------------------------
Right now, when I use https://outlook.xxxxxx.com to access OWA from external (outside of my office), I get the error message as follows:

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

In this error page, I can see the SSL Secured (128 bit) lock icon in the bottom right hand side corner.

This problem drives me crazy. I have tried different ways, but it still doesn't work. I appreciate further assistance, or anyone who can help.

Thanks a lot, Alan
< Message edited by tech_dnk -- 1.Sep.2006 8:55:11 PM >
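Added example, not part of any post in this thread and not ISA Server code: a simplified model of how a Web publishing rule selects requests by public name and path, run against the rule values and the denied log entry posted above, plus the To / Public Name / certificate name comparison Tom asks for. The matching logic (case-insensitive host match, `*` wildcard paths, fall-through to the Default rule), the function names and the internal name `exch-fe` are assumptions made for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Rule values as posted in the thread (host name redacted there as well).
OWA_RULE = {
    "name": "OWA Secure Publishing Rule",
    "public_names": ["outlook.xxxxxx.com"],
    "paths": ["/exchange/*", "/exchweb/*", "/public/*"],
}

def matching_rule(url, rules):
    """Name of the first rule whose public name and path both match the
    request, else "Default rule" (deny). Simplified model, an assumption."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = (parts.path or "/").lower()
    for rule in rules:
        if host not in [n.lower() for n in rule["public_names"]]:
            continue
        if any(fnmatchcase(path, p.lower()) for p in rule["paths"]):
            return rule["name"]
    return "Default rule"

def names_differing_from_cert(to_name, public_name, cert_subject):
    """The three-name check asked for in the thread: with the same
    certificate on both servers, To and Public Name should equal its subject."""
    want = cert_subject.strip().lower()
    tabs = {"To": to_name, "Public Name": public_name}
    return sorted(t for t, v in tabs.items() if v.strip().lower() != want)

if __name__ == "__main__":
    # URL from the denied log entry, then a path the rule does publish.
    for url in ("HTTP://outlook.xxxxxx.com/",
                "https://outlook.xxxxxx.com/exchange/"):
        print(url, "->", matching_rule(url, [OWA_RULE]))
    # "exch-fe" is a made-up internal name, to show a mismatch being reported.
    print(names_differing_from_cert("exch-fe", "outlook.xxxxxx.com",
                                    "outlook.xxxxxx.com"))
```

In this model the logged URL has the path `/`, which none of the three published paths cover, so it lands on the Default rule, as the log entry records.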
RE: Discussion about article on Publishing OWA using IS... - 31.Aug.2006 8:40:17 PM
tech_dnk
Posts: 11
Joined: 14.Aug.2006
Status: offline
Hi Tom,

I installed the certificate in the Default Web Site on the Exchange Front-end using the IIS Manager console, then exported the OWA web site certificate to a file, including the private key, then imported the certificate to ISA 2004 using the MMC console. Is there anything wrong in the certificate installation? All those procedures follow your Blog instructions.

On the Exchange 2000 Front-end server, I configured the three OWA Web site directories as follows:

/Exchange
  : selected Basic authentication in Authentication Methods
  : selected Require secure channel (SSL) in Secure Communication
  : did not select Require 128-bit encryption in Secure Communication
/Exchweb
  : selected Anonymous access and Integrated Windows authentication in Authentication Methods
  : did not select Require secure channel (SSL) in Secure Communication
/Public
  : selected Basic authentication in Authentication Methods
  : did not select Require secure channel (SSL) in Secure Communication

Is anything wrong in the above configuration? I did not change anything on the Exchange 2000 Front-end Server because it could be published over ISA 2000 before; however, it cannot be published over ISA 2004 right now. Please let me know if anything is wrong and give me detailed instructions.

Thank you so much, Alan

One more thing I should update. I have never restarted the Exchange Front-end Server and ISA Server 2004. Is this the problem?
< Message edited by tech_dnk -- 1.Sep.2006 1:18:18 AM >
RE: Discussion about article on Publishing OWA using IS... - 1.Sep.2006 1:21:52 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Alan, OK, now it's time to get the real information and check for typos.
What is the ACTUAL name used on the TO tab?
What is the ACTUAL name used on the Public Name tab?
What is the ACTUAL common/subject name on the certificate?
Tom
RE: Discussion about article on Publishing OWA using IS... - 1.Sep.2006 8:48:15 PM
tech_dnk
Posts: 11
Joined: 14.Aug.2006
Status: offline
Hi Tom, I already emailed you that information. Thank you so much, and I appreciate your help, Alan
RE: Discussion about article on Publishing OWA using IS... - 2.Sep.2006 4:36:41 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Alan, OK, got your message. All that stuff looks like. What happens when you're at the ISA Firewall device and you ping the IP address of the name on the TO tab. What address do you see? Thanks! Tom
RE: Discussion about article on Publishing OWA using IS... - 3.Sep.2006 9:25:49 AM
tech_dnk
Posts: 11
Joined: 14.Aug.2006
Status: offline
Hi Tom, Thanks for your reply. I have emailed you the updated info. Thanks again, and I appreciate your time, Alan
RE: Discussion about article on Publishing OWA using IS... - 3.Sep.2006 4:54:17 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Alan, You've got me beat. It's at this point where I recommend that a consultant go on site to look for the non-ISA related things that could be causing this problem. Tom
RE: Discussion about article on Publishing OWA using IS... - 5.Sep.2006 6:55:50 PM
tech_dnk
Posts: 11
Joined: 14.Aug.2006
Status: offline
Hi Tom, Thanks for your professional advice. It means nothing is wrong in the ISA 2004 Server configuration. I still do not understand how come OWA 2000 can be published through the existing ISA 2000, but does not work through ISA 2004. Thank you so much, much appreciated, Alan
RE: Discussion about article on Publishing OWA using IS... - 7.Sep.2006 3:29:54 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Alan, Sorry about it. From here it seems that everything has been done right. If you or someone else figures out what the problem is, please let us know so that we can get the experience of troubleshooting these kinds of problems. Thanks! Tom
RE: Discussion about article on Publishing OWA using IS... - 26.Oct.2006 1:18:07 PM
sporter
Posts: 7
Joined: 26.Oct.2006
Status: offline
Tom,

My company is currently using the OWA 5.5/ISA2000fp1 SSL bridge to the outside world and it is working great. We are now upgrading to Exchange 2003 and a decision was made to NLB (network load balance) the EXCH2003 OWA servers for performance.

Will I be able to direct outside traffic to the new OWA servers using the ISA server as an SSL bridge when the target servers are using NLB? I do not think so, because the OWA/SSL Bridge design calls for the importing of the OWA server's private key for the bridge to work properly (and in our NLB there are two servers) and ISA2000 will only allow ONE SSL to be imported in this fashion. ISA2004 and/or ISA2006 may have better options for me.

I can speculate all day on this one, but do not have the equipment to test it out. I was wondering if you knew this answer already, but I could not find a post on this topic.