
Undoubtedly stupid ISA+Exchange auth question

Undoubtedly stupid ISA+Exchange auth question - 3.Dec.2004 5:14:00 PM   
paulrobichaux

 

Posts: 5
Joined: 3.Dec.2004
Status: offline
I'm probably missing something very simple but darned if I know what. Since upgrading my ISA 2000 server to ISA 2004, I've had an odd problem, and I am just now getting around to trying to fix it.

Environment:
  • ISA 2004 on Windows 2003 (isa01; not in a domain)
  • Exchange 2003 front-end/Windows 2003 (superman)
  • Exchange 2003 back-end/Windows 2003 (batman)
  • external DNS record for exchange.robichaux.net that points to public IP of ISA box
ISA 2004 config:
  • separate publishing rules for POP3S, IMAP, POP, SMTP, IMAPS. These all work fine.
  • publishing rule from outside to superman.robichaux.net for OWA, OMA, EAS
  • HOSTS file entry resolving superman.robichaux.net to correct internal IP
  • form-based authentication enabled for Exchange
Problem: external users cannot log on to OWA, OMA, or Exchange ActiveSync. They're prompted for login credentials; after 3 attempts (for OMA and EAS) or 1 (for FBA), they get a 401 Unauthorized response.
Interesting facts:
1. Internal users can log on to OWA and OMA on the FE or BE, with or without SSL. This tells me that Exchange's authentication is configured right and that the certs are properly installed.
2. There are no errors in the FE or BE event logs.
3. I can't figure out where to check the ISA box for authentication results from the FBA request.

Supposition: for some reason, the credentials requested from the user are making it to the ISA box, but auth between the ISA and FE is failing.

Question: how the heck do I troubleshoot and fix this? It's really bugging me, even though it's not impacting my operations any.

I welcome all constructive suggestions.
Post #: 1
RE: Undoubtedly stupid ISA+Exchange auth question - 4.Dec.2004 12:35:00 AM   
TitusHoc

 

Posts: 114
Joined: 17.Nov.2004
From: Canada - Toronto
Status: offline
Hey Paul,

The Answer is in your question:
"form-based authentication enabled for Exchange"

Disable that - ISA 2004 firewall form-based authentication allows the firewall to generate the form, instead of the Exchange 2003 Web Site. Firewall-generated form-based authentication extends the security provided by the delegation of basic authentication to protect the OWA Web site from attacks by unauthenticated users.

Titus

(in reply to paulrobichaux)
Post #: 2
RE: Undoubtedly stupid ISA+Exchange auth question - 4.Dec.2004 1:37:00 PM   
paulrobichaux

 

Posts: 5
Joined: 3.Dec.2004
Status: offline
I turned off FBA on the ISA box and enabled basic. Same problem: attempts to load the page fail after three separate credential popups.

(in reply to paulrobichaux)
Post #: 3
RE: Undoubtedly stupid ISA+Exchange auth question - 4.Dec.2004 2:16:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Paul,

Solution:

Join the ISA firewall to the domain. [Smile]

I won't bore you with all the triviality, but there is no problem joining the ISA firewall to the domain.

I've run into so many wonks and security 'wankers' who tell me in stentorian tones "corporate security officers say not to join the firewall to the domain" and when I press them, I get a govt-oid "fop" look from them as they wrestle with a cogent answer to this question (they might as well be trying to come up with an answer to the meaning of life) :K

However, if you don't want to do that because your sec officer won't let you [Smile] then you can use RADIUS auth with FBA (you'll need to call PSS to get that fix), or you can use plain SSL/Basic auth.

Make sure you're using SSL to SSL bridging too.

Let me know how it works out for you. Send me a note when you post to this thread again.

Thanks!
Tom

(in reply to paulrobichaux)
Post #: 4
RE: Undoubtedly stupid ISA+Exchange auth question - 6.Dec.2004 11:22:00 AM   
paulrobichaux

 

Posts: 5
Joined: 3.Dec.2004
Status: offline
quote:
Originally posted by tshinder:
Hi Paul,

Solution:

Join the ISA firewall to the domain. [Smile]

I won't bore you with all the triviality, but there is no problem joining the ISA firewall to the domain.

I've run into so many wonks and security 'wankers' who tell me in stentorian tones "corporate security officers say not to join the firewall to the domain" and when I press them, I get a govt-oid "fop" look from them as they wrestle with a cogent answer to this question (they might as well be trying to come up with an answer to the meaning of life) :K

Well, in my environment, I am the security officer, so I have some latitude [Smile] However, I've kept the ISA box out of the domain for a simple reason: to an attacker, it's more valuable to compromise a domain joined box than a standalone box because the domain member a) has more information about the domain and b) presents a better springboard for compromising other, higher-value hosts in the domain. In my threat model, that's not a big concern, but I like the (small) degree of extra protection.

However, I'm willing to compromise if it'll make things work [Smile]

quote:

However, if you don't want to do that because your sec officer won't let you [Smile] then you can use RADIUS auth with FBA (you'll need to call PSS to get that fix), or you can use plain SSL/Basic auth.



I am using SSL/basic, and even that isn't working.

(in reply to paulrobichaux)
Post #: 5
RE: Undoubtedly stupid ISA+Exchange auth question - 6.Dec.2004 12:55:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Paul,

I realize the theoretical concerns re: domain members being better targets and perhaps they are able to leverage the machine's domain membership if attacked, but the fact is no one has ever been able to actually demonstrate a compromise of an attacked firewall that can take advantage of these conceptual issues. It sounds good, and I even promoted that party line at one time, until something hit me along the side of the head with a "put out or get out" scenario, and I wasn't able to put out [Smile] Fact is that it's like worrying about pieces from passing airplanes falling on your head. Once you get to that point of paranoia, there are probably better treatments.

Are you using FBA on the Exchange Server too? If so, that can create a problem, because you can use FBA on the ISA firewall, or on the Exchange Server, but not both.

If disabling FBA on the Exchange Server doesn't work, send me your backup file and I'll replicate your config in my lab and see if we can come up with a quick solution.

HTH,
Tom

(in reply to paulrobichaux)
Post #: 6
RE: Undoubtedly stupid ISA+Exchange auth question - 6.Dec.2004 8:59:00 PM   
paulrobichaux

 

Posts: 5
Joined: 3.Dec.2004
Status: offline
quote:
Originally posted by tshinder:
Hi Paul,

I realize the theoretical concerns re: domain members being better targets and perhaps they are able to leverage the machine's domain membership if attacked, but the fact is no one has ever been able to actually demonstrate a compromise of an attacked firewall that can take advantage of these conceptual issues. It sounds good, and I even promoted that party line at one time, until something hit me along the side of the head with a "put out or get out" scenario, and I wasn't able to put out [Smile] Fact is that it's like worrying about pieces from passing airplanes falling on your head. Once you get to that point of paranoia, there are probably better treatments.

I'm not disagreeing; most of the places I go, there are so many more egregious problems that need fixin' that having a domain-joined ISA server is way down on the list (like the time I went to a huge law firm and found a blank admin password... but I digress [Smile])
quote:

Are you using FBA on the Exchange Server too? If so, that can create a problem, because you can use FBA on the ISA firewall, or on the Exchange Server, but not both.

I had FBA enabled when I was using ISA 2000. I never disabled it after upgrading to ISA 2004, but I didn't use it either, so I didn't notice it was broken. Now that I do notice it, I turned it off and enabled FBA only on ISA. Still no joy.

quote:

If disabling FBA on the Exchange Server doesn't work, send me your backup file and I'll replicate your config in my lab and see if we can come up with a quick solution.

You've got mail [Smile]

(in reply to paulrobichaux)
Post #: 7
RE: Undoubtedly stupid ISA+Exchange auth question - 8.Dec.2004 12:35:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Paul,

I reviewed your config and it looks like you're forcing basic auth on the Web listener. That is fine if the ISA firewall is a member of the domain, but breaks things unless you want to auth users against the local user database on the ISA firewall machine itself.

You've got mail too! [Smile]

HTH,
Tom

(in reply to paulrobichaux)
Post #: 8
RE: Undoubtedly stupid ISA+Exchange auth question - 21.Jun.2005 10:34:00 PM   
ferrix

 

Posts: 547
Joined: 16.Mar.2005
Status: offline
As a postscript to this thread, I'd like to offer up our authentication filter, FlexAuth (at http://www.collectivesoftware.com) as a potential solution to some of these issues.

For example, FlexAuth supports LDAP as an authenticator, so even if you can't put your ISA into a domain, you can still use Windows groups and users in your rules. We also provide customizable forms based auth, and automatically use Basic for clients that don't support forms (such as ActiveSync, etc).

As in the posts above, it is important to configure your target Exchange server to turn off its FBA. Otherwise things get very confusing =)

Hope this helps someone in the future!

(in reply to paulrobichaux)
Post #: 9
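A small triage helper, added here as an example and not code from anyone in this thread, that turns the symptoms discussed above into a diagnosis: a redirect to Exchange's own logon page means Exchange FBA is still on (the "not both" rule), while repeated 401s after credentials were supplied means the hop doing Basic delegation cannot validate them (a non-domain ISA with no RADIUS, as in post #8). The `Response` class and sample headers are constructed for the example; the Exchange 2003 `owalogon.asp` path is the real one.

```python
from dataclasses import dataclass, field

# Exchange 2003's own forms-based logon page. Seeing a redirect to it from
# behind ISA means Exchange is still generating the form itself.
EXCHANGE_FBA_LOGON = "/exchweb/bin/auth/owalogon.asp"


@dataclass
class Response:
    """Minimal constructed stand-in for an HTTP response (status + headers)."""
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name: str) -> str:
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")


def diagnose(exchange: list) -> str:
    """Classify a client's OWA/OMA/EAS logon attempt.

    exchange: list of (credentials_sent: bool, Response), oldest first,
    i.e. the sequence of replies the client saw while being prompted.
    """
    if not exchange:
        return "no-data"
    creds_sent, last = exchange[-1]
    # Exchange FBA still enabled behind an ISA that also does FBA/Basic.
    if last.status in (301, 302, 303, 307) and EXCHANGE_FBA_LOGON in last.header("Location").lower():
        return "exchange-fba-active"
    if last.status == 401:
        scheme = last.header("WWW-Authenticate").split(" ")[0].lower() or "none"
        if creds_sent:
            # Credentials were offered and rejected: whoever validated them
            # (ISA delegating Basic, or the listener's local account store)
            # could not do so. The thread's fix: domain-join ISA or use RADIUS.
            return f"credential-validation-failure:{scheme}"
        return f"challenge:{scheme}"
    if 200 <= last.status < 300:
        return "authenticated"
    return f"unexpected:{last.status}"


def thread_scenario() -> str:
    """Constructed replay of the original post: prompt, then 3 rejected tries."""
    basic = {"WWW-Authenticate": 'Basic realm="exchange.example.test"'}
    seq = [(False, Response(401, basic))] + [(True, Response(401, basic))] * 3
    return diagnose(seq)
```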
