RE: Discussion about article on Outlook Access from Anywhere
RE: Discussion about article on Outlook Access from Any... - 26.Nov.2005 9:25:03 PM
dabella
Posts: 3
Joined: 26.Nov.2005
Status: offline
Hi Tom,

Firstly, let me tell you that you're doing a very good job here :)

I read the reference article because I'm looking to do exactly that! But I have a couple of questions, as our scenario is a little different. The difference is that we have a back-to-back configuration. The back firewall is the ISA one and the front is a Linksys. The Linksys is the endpoint of our internet connection and of 3 VPN tunnels that connect remote offices. So, we have:

LAN --- ISA --- DMZ --- LINKSYS --- INTERNET --- REMOTE VPN NETWORKS

The ISA addition is pretty new (a few hours ago). In the past we had only the Linksys. We have coworkers who are on the road, and they used to connect from the remote VPN sites to Exchange through Outlook 2003. This was fine with only the Linksys, as we had a fully routed net. Now that we have put in the ISA server, we are investigating how to enable our remote users to open their Outlook through ISA.

Because the endpoint of the VPN is the Linksys, I assume that clients in the remote site have full access to our HQ DMZ. Assuming this, I suppose that if they can reach the ISA's external IP, I will be in the same situation as the one described in your article, with the difference that instead of being on the public internet I'm in the DMZ through a VPN connection. Does this make sense or am I just crazy? lol ;)

And another thing I was just thinking of... If I use the HOSTS file to add the external ISA IP as the Exchange IP, what will happen when the same laptop is in the main office's LAN? Will it ask the DNS for the local IP, or will it try to reach the external IP that is listed in the HOSTS file? I think it will be the latter, and this will be a problem when in the LAN.

Thanks in advance for your comments, Tom
_____________________________
Best Regards, Daniel.-

RE: Discussion about article on Outlook Access from Any... - 27.Nov.2005 4:44:09 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Daniel,

Not sure exactly what the request/response path is here. Let me see if I have this right:

1. Site to site VPN between non-ISA firewalls
2. ISA firewall behind a non-ISA firewall in a back to back configuration
3. Remote sites want to connect to Exchange Servers through site to site VPN connection
4. You want to configure the ISA firewall to allow access to the remote sites

Is this right? If so, this is possible, but there are name resolution issues at the remote sites, and it also matters what IP addresses are being presented to the ISA firewall for the incoming connection requests.

HTH,
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

RE: Discussion about article on Outlook Access from Any... - 27.Nov.2005 4:55:44 PM
dabella
Posts: 3
Joined: 26.Nov.2005
Status: offline
Tom, thanks for your reply.

Yes, that is what we want to do, you are right :) I think the remote VPN clients are presented to the ISA Server with a DMZ IP.

About the name resolution issue, will it be OK if we use the HOSTS file on the laptops? But if we do that, I come back to my question about HOSTS vs DNS:

"If I use the HOSTS file to add the external ISA IP as the Exchange IP, what will happen when the same laptop is in the main office's LAN? Will it ask the DNS for the local IP, or will it try to reach the external IP that is listed in the HOSTS file?"

Thanks for your help!!
_____________________________
Best Regards, Daniel.-

RE: Discussion about article on Outlook Access from Any... - 27.Nov.2005 8:21:55 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Daniel, OK, now I'm getting confused again. You're referring to VPN clients. Where did the VPN clients come from? Thanks! Tom

RE: Discussion about article on Outlook Access from Any... - 28.Nov.2005 3:25:19 PM
dabella
Posts: 3
Joined: 26.Nov.2005
Status: offline
Ok, let me explain.

I'm at the Main Office. Here we have a LAN (192.168.10.0) with all our servers and services (Exchange, file servers, DCs, DNS, etc.).

After the LAN we have an ISA Server 2004 with 2 NICs: one connected to the LAN, the other connected to a DMZ (10.0.0.0).

After the DMZ we have a Linksys router. The internal interface of this router is connected to the DMZ and the public one to the internet.

We have 3 remote sites. These sites have an identical Linksys router that is configured with a persistent VPN connection to the Main Office's Linksys router.

When I talk about VPN clients, I mean a Main Office employee who travels with his notebook to a remote site and connects it to the LAN there (for example 192.168.1.0). This guy is sitting at the remote site, but because of the VPN and the Linksys basic routing he can "see" my Main Office's DMZ.

Now I need to connect his Outlook 2003 to the Main Office's Exchange server, and I'm a little confused because I don't know what modifications I need to make to the instructions in your article to make this work in this scenario, specifically with the HOSTS vs DNS issue I mentioned before.

Sorry for making this so long ;) and thanks for your help!
_____________________________
Best Regards, Daniel.-
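
The HOSTS-versus-DNS question raised in the posts above, as an added example that is not part of the original thread: this Python sketch models a resolver that consults the HOSTS file before DNS, as the Windows resolver does, and lists the names a HOSTS entry pins to a different address than the office LAN's DNS returns. The host name `exchange.corp.example` and the host addresses are assumptions; only the LAN (192.168.10.0) and DMZ (10.0.0.0) networks come from the thread.

```python
import ipaddress

# Constructed sample data. The host names and host addresses are assumptions;
# only the LAN (192.168.10.0) and DMZ (10.0.0.0) networks come from the thread.
HOSTS_TEXT = """\
# laptop HOSTS file, edited for use at the remote sites
127.0.0.1      localhost
10.0.0.2       exchange.corp.example   exchange   # ISA external (DMZ) address
"""
LAN_DNS = {"exchange.corp.example": "192.168.10.5",
           "dc1.corp.example": "192.168.10.2"}


def parse_hosts(text):
    """Return {lowercased name: IP string}; this model keeps the first entry per name."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                             # blank line or address with no names
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # malformed address: skip the line
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)
    return table


def resolve(name, hosts_text, dns_records):
    """Model the lookup order: HOSTS entry first, DNS only if HOSTS has none."""
    name = name.lower()
    hosts = parse_hosts(hosts_text)
    if name in hosts:
        return hosts[name], "hosts"
    if name in dns_records:
        return dns_records[name], "dns"
    return None, "unresolved"


def shadowed_names(hosts_text, dns_records):
    """Names whose HOSTS address differs from what the current network's DNS returns."""
    hosts = parse_hosts(hosts_text)
    return {n: (ip, dns_records[n]) for n, ip in hosts.items()
            if n in dns_records and dns_records[n] != ip}


if __name__ == "__main__":
    print(resolve("exchange.corp.example", HOSTS_TEXT, LAN_DNS))
    print(shadowed_names(HOSTS_TEXT, LAN_DNS))
```

Run against a laptop's real HOSTS file and the records the office DNS serves, `shadowed_names` shows which entries would keep sending the client to the ISA external address while it sits on the LAN.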

RE: Discussion about article on Outlook Access from Any... - 28.Nov.2005 3:56:27 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Daniel,

OK, that's where I lost it. The term "VPN client" usually means a computer that is directly connected to a VPN server. The machines on the remote side of a site to site VPN aren't VPN clients, because they don't have a VPN connection to any VPN server (at least in this scenario).

So, the main issues here are:

- DNS name resolution
- Configuring an ISA firewall Network from the network ID representing the segment between the ISA firewall's external interface and the front-end firewall's LAN interface

I've put this scenario into the article list. I'll try to get it done before Christmas.

Thanks!
Tom

RE: Discussion about article on Outlook Access from Any... - 14.Dec.2005 2:33:12 AM
tedoff
Posts: 2
Joined: 17.Oct.2005
From: Westchester County, NY
Status: offline
Hi Dr. Shinder,

Back in Feb I believe BOBW wrote:

"Having an internal A record and an external A record with the same host name. Using this method as described will work fine. BUT if the user connects via the VPN, the name lookup issue gets weird . . . "

I have some clients (not all, so I know the setup is OK) who try to connect to a Secure RPC Pub Rule for Exchange, but for whatever reason can't seem to get traffic through to port 135. I've told them to connect to the VPN which is also set up on our ISA 2004 server, and then try to connect, and it then works, but everything goes really slow. Also, when trying to set up a new MAPI profile, the process times out before the first authentication request.

What I've found is that even with a VPN connection my client PCs are using their physical adapter's DNS server, and pulling the external IP address of our Exchange box. Is there a way to force VPN clients to not use the physical adapter's DNS and only use the DNS servers assigned from the internal network's DHCP?

BTW, I know the DNS settings are passing through, since name resolution works for VPN clients when they query internal hosts, but I talked with MS, and they said in a split DNS a VPN client will accept name resolution from the physical adapter's DNS server first (since it will be "successful") and try to connect to that incorrect host's services from there.

I hope I represented the problem clearly, thanks for listening, and if there's any more info you'd like please let me know.

Regards,
Jesse Tedoff

RE: Discussion about article on Outlook Access from Any... - 14.Dec.2005 3:40:58 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jesse,

Yes, there is a way to move the RAS adapter to the top of the interface list. I'm hoping that Microsoft will make this bug fix a priority, because it significantly reduces the value of their VPN client.

Check this out:

Cannot Change the Binding Order for Remote Access Connections: http://support.microsoft.com/default.aspx?scid=kb;en-us;311218&Product=winxp

When you talk to PSS again, let them know they need to make this a priority DCR (design change request) to be included with the Vista VPN client.

HTH,
Tom

RE: Discussion about article on Outlook Access from Any... - 14.Dec.2005 5:45:00 PM
tedoff
Posts: 2
Joined: 17.Oct.2005
From: Westchester County, NY
Status: offline
Hi Tom, Wow! The fix in that article worked perfectly, it's exactly what we needed. Thank you so much for your expert help, including the original article for setting up Outlook to work anywhere. I'm in your debt. In fact, I ought to send you the $245 Microsoft wants to charge me! Grateful, Jesse

RE: Discussion about article on Outlook Access from Any... - 15.Dec.2005 3:35:17 PM
lolson
Posts: 43
Joined: 23.Nov.2005
Status: offline
quote:
ORIGINAL: tshinder
Hi George,
RPC over HTTP is nice, but there are two major issues:
1. It requires both Outlook 2003 and Exchange 2003, so if you aren't using both, you're out of luck.
2. You have to allow uninspected SSL tunnels outbound through your network to allow users to use it. That's a security risk.
In contrast, my ISA firewall inspects outbound RPC, so I'm secure on my outbound and inbound RPC.
Thanks!
Tom

Hi Tom,

Why are uninspected outbound SSL tunnels a security risk and why do you have to allow them? Can you start a discussion on RPC over HTTP?

RE: Discussion about article on Outlook Access from Any... - 10.Jan.2006 6:34:32 PM
engine101
Posts: 3
Joined: 10.Jan.2006
Status: offline
Tom,

I couldn't have accomplished half of the stuff I've done lately without articles like this one that you've written. So thank you very much.

Now, my problem: I started off trying to implement RPC over HTTPS and went through all the steps in http://www.msexchange.org/tutorials/Outlook_2003_Connect_Exchange_2003.html, but then I decided I should probably just go with Secure RPC instead.

TWO QUESTIONS:

Since I did finish all the configurations in the RPC over HTTPS article, do you know if any of those configs are going to affect implementing Secure RPC Publishing? Do I need to reverse any of those configs?

Also, since I set my Exchange server up as a Global Catalogue server (per the previous article), do I still need to configure the No RFR key in the registry? Wouldn't my Exchange server be able to handle authentication?

RE: Discussion about article on Outlook Access from Any... - 11.Jan.2006 4:38:30 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Engine,

1. The RPC/HTTP settings should have no effect on secure Exchange RPC publishing
2. Since the Exchange Server is a GC, you shouldn't need to use the No RFR. Try it out and if it doesn't work, let us know here.

BTW -- While I continue to love using secure Exchange RPC publishing and take advantage of it at every opportunity, you do need to be careful about password policy. Unlike RPC/HTTP, where the username and password are sent after the SSL encrypted tunnel is established, that's not the case for secure Exchange RPC publishing. The NTLM hash is sent in the clear. While this is secure in general, you have to remember that Rainbow crack/tables are getting better and better.

I might be too paranoid, but because of this, I require complex passwords and password lengths of at least 21 characters. It's actually pretty easy to come up with complex passwords, since you can use birthdates, email addresses, home addresses, phone numbers, obscure sports figures' names, anything! Just chain them together and put a period or @ between the elements :)

HTH,
Tom

RE: Discussion about article on Outlook Access from Any... - 1.Mar.2006 11:02:42 AM
RArmstrong
Posts: 1
Joined: 1.Mar.2006
Status: offline
Hi Tom,

I found this guide extremely useful when implementing RPC over HTTPS, many thanks. I have three queries rather than issues that I hope you can assist with. Btw, setup is completed and appears to be functioning.

1) Two users reported that they did not have to reconfigure their OL2003 clients in order to get connectivity - i.e. Exchange over RPC URL was not added!! Does this sound possible? I have configured an identical A record to match the internal NetBIOS name of the Exchange server.

2) Is it likely that users will experience any firewall issues at client sites with connectivity for RPC over HTTPS? i.e. as long as outbound HTTPS / HTTP is available there should be no issues with access?

3) When configuring remote users who are currently using POP3 to access mail, is it possible to configure the initial client settings using VPN and then add RPC configuration (if needed at all!)?

Many thanks in advance,

Regards
Russell

RE: Discussion about article on Outlook Access from Any... - 5.Mar.2006 5:52:32 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Russell,

1) Two users reported that they did not have to reconfigure their OL2003 clients in order to get connectivity - i.e. Exchange over RPC URL was not added!! Does this sound possible? I have configured an identical A record to match the internal NetBIOS name of the Exchange server.

TOM: Sure, if you have created a secure Exchange RPC server publishing rule

2) Is it likely that users will experience any firewall issues at client sites with connectivity for RPC over HTTPS? i.e. as long as outbound HTTPS / HTTP is available there should be no issues with access?

TOM: As long as the remote site allows HTTPS TCP 443, you're good.

3) When configuring remote users who are currently using POP3 to access mail, is it possible to configure the initial client settings using VPN and then add RPC configuration (if needed at all!)?

TOM: Not sure why you would want to use VPN

HTH,
Tom

RE: Discussion about article on Outlook Access from Any... - 24.Jun.2006 8:58:33 PM
blhartsell
Posts: 2
Joined: 24.Jun.2006
Status: offline
Tom,

I have had Outlook anywhere working for a very long time thanks to your articles. Recently we changed our internet service and thus our IP address. I am now getting the following error from the remote Outlook 2003 client:

"Unable to open your default e-mail folders. The Microsoft Exchange Server computer is not available. Either there are network problems or the Microsoft Exchange Serve computer is down for maintenance."

This is of course not the case. The exposed server's URL is resolving to the new IP, so the only thing I can think is that the client, when it initially connected with the URL, also writes the URL's IP address somewhere. So now that the IP has changed, something is wrong even though the URL is valid and working, the server is up and running, and all the local connections never missed a beat.

Please advise,
Brandon

RE: Discussion about article on Outlook Access from Any... - 24.Jun.2006 10:13:05 PM
blhartsell
Posts: 2
Joined: 24.Jun.2006
Status: offline
Ok, I figured it out. The external listener had the old IP address.

RE: Discussion about article on Outlook Access from Any... - 17.Aug.2006 1:44:51 AM
jeffrozar
Posts: 18
Joined: 18.Apr.2006
Status: offline
My network has:

ADSL Router w/static IP (exch.domain.com 1.2.3.4)
|
| (TCP 135 is sent to external ISA 2k4 NIC)
|
External NIC (192.168.1.8)
|
ISA Server (stand-alone, not joined to the domain)
|
Internal NIC (10.0.0.8)
|
| (DC2k3.internal.domain.com 10.0.0.2; Exc2k3.internal.domain.com 10.0.0.5)

Ok, so I read the articles, and I understand the Outlook 2k3 client should connect to the Exchange RPC Server rule, but in setting up Outlook in a hotel, how does the client resolve or "get to" the address of the static IP? I mean, the hosts file on the client should contain the 192.168.1.8 address for Exc2k3.internal.domain.com, but how is Outlook configured to get to the 1.2.3.4 address? I must be missing something simple.