Discussion on Part 2 of the FBA article

Discussion on Part 2 of the FBA article - 28.Sep.2005 6:51:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing part two of the FBA article at http://www.isaserver.org/tutorials/Enabling-ISA-Firewall-Forms-based-Authentication-FBA-OWA-Connections-Internal-External-Clients-Part2.html

Thanks!
Tom

[ September 28, 2005, 06:53 AM: Message edited by: tshinder ]
Post #: 1
RE: Discussion on Part 2 of the FBA article - 3.Oct.2005 5:27:00 PM   
bassque

 

Posts: 33
Joined: 21.Aug.2001
From: St. Louis
Status: offline
Hey all. After I do the required steps, I get the FBA. However, after filling out the required information, I receive a

"Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)"

I've tried monkeying with it with little results. Thoughts?

(in reply to tshinder)
Post #: 2
RE: Discussion on Part 2 of the FBA article - 3.Oct.2005 5:32:00 PM   
bassque

 

Posts: 33
Joined: 21.Aug.2001
From: St. Louis
Status: offline
Here is the string from the URL:

"/CookieAuth.dll?GetLogonWrapper?url=%2F&reason=0"

(in reply to tshinder)
Post #: 3
RE: Discussion on Part 2 of the FBA article - 5.Oct.2005 8:43:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bassque,

Sounds like a name resolution problem.

HTH,
Tom

(in reply to tshinder)
Post #: 4
RE: Discussion on Part 2 of the FBA article - 13.Oct.2005 2:50:00 AM   
adnan&ISA

 

Posts: 53
Joined: 8.Jan.2004
Status: offline
Hi all,

Nice article Tom, though it would put some extra burden on ISA but since we love FBA, I also got myself into it.

Everything is smooth n cool. The only problem is the name resolution for internal users. We have different internal and external domain names (the Web site is hosted externally). I cannot add a host record owa.external.com in my internal DNS server; if I do add it, it would be like "owa.external.com.internal.com". It doesn't work for internal users unless we add a host record in the client's local hosts file (I did this part just for testing since it's not practical).

Any suggestions you got?

Thanks.

(in reply to tshinder)
Post #: 5
RE: Discussion on Part 2 of the FBA article - 13.Oct.2005 5:56:00 PM   
treikov

 

Posts: 3
Joined: 11.Oct.2005
Status: offline
I have the same problem:

When I attempt to authenticate in OWA from the external network (Internet), I receive the error:

"Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)."

More information in:

403 Forbidden Error in OWA Publishing
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=23;t=000801

Greetings,

(in reply to tshinder)
Post #: 6
RE: Discussion on Part 2 of the FBA article - 15.Oct.2005 4:29:00 AM   
adnan&ISA

 

Posts: 53
Joined: 8.Jan.2004
Status: offline
Hi All,

Ok, after waiting for three years, at last I have implemented split DNS [Big Grin]. Though I already had a different internal domain name, just adding a new forward lookup zone for my registered domain did the job.

OWA FBA is working fine for both internal and external users now. But to properly implement it, the following issues need to be solved:

Big Issue: If I configure an UPSTREAM SERVER in the web chaining settings, EXTERNAL clients get the error "500 internal server error" ... tricky, isn't it? Without any upstream server everything works fine.

Tiny Issue: If the internal clients are configured without any proxy settings, all is fine. Once you try to connect to OWA using a Web Proxy client you get the error "502 Proxy Error: ISA Server denied ...". For this it seems we have to configure Direct Access.

Since a lot of people are having the 500 internal server error, I was just wondering whether they checked their upstream proxy server settings; does it work for them?

Thanx

[ October 15, 2005, 04:32 AM: Message edited by: adnan&ISA ]

(in reply to tshinder)
Post #: 7
RE: Discussion on Part 2 of the FBA article - 3.Nov.2005 11:41:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Adnan,

Yes, you'll need to configure the Web proxy clients for Direct Access. Did I forget to mention that? (arg!)

Tom

(in reply to tshinder)
Post #: 8
I get no error but... - 20.Dec.2005 9:20:42 AM   
drobert

 

Posts: 2
Joined: 20.Dec.2005
Status: offline
I followed this crystal clear tutorial to its end and here is what is happening:

When I try to access the server from the web (extranet.mydomain.fr/exchange) I have the nice OWA form. Here I enter the login information (mydomain\myuser & mypassword or even myuser@mydomain.fr & mypassword) and when I click on the connect (or whatever the translation from French is) button, I come back again to the same form with no error message.

I get the same result from the corporate network (split DNS, HOSTS file on ISA server and Direct Access done).

Duh... Nice not to have any errors but you'll get tired of the same form coming up again and again pretty soon

Any idea ?

Thomas, I may sound like a pretty newbie on ISA 2004 but... uh... how do you view your ISA 2004 log file entries shown the way they are at the end of your tutorial? (usually I use NetTracker but here I would like to view it the way you do)

_____________________________

David Robert

(in reply to tshinder)
Post #: 9
RE: I get no error but... - 20.Dec.2005 10:09:30 AM   
drobert

 

Posts: 2
Joined: 20.Dec.2005
Status: offline
More weird stuff:

from my corporate network I did this test:

1 - Windows XP SP2 with no hosts and configured to send DNS queries to our internal DNS server :
ping extranet & Firewall client is active -> replies come from the ISA server (fine!)
ping extranet.mydomain.fr & Firewall client is active -> replies come from the ISA server (fine!)
ping extranet.mydomain.fr & Firewall client is inactive -> replies come from the ISA server (fine!)

2 - Windows 2000 SP4 with no hosts and configured to send DNS queries to our internal DNS server :
ping extranet & Firewall client is active -> replies come from the ISA server (fine!)
ping extranet.mydomain.fr & Firewall client is active -> replies come from the Exchange Server (ARGL!)
ping extranet.mydomain.fr & Firewall client is inactive -> replies come from the ISA server (fine!)

Note that our ISA 2004 uses the latest SP and that all our workstations have been upgraded with new Firewall Client.


(in reply to drobert)
Post #: 10
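As an added example (not code from this thread or from ISA Server), the toy resolver below shows why adnan&ISA's host record ended up as owa.external.com.internal.com until a separate forward lookup zone for the registered domain was added, and classifies where a given DNS answer actually sends an internal client, which is the distinction behind drobert's ping results (ISA server vs. Exchange server). Zone names and IP addresses are constructed for illustration.

```python
# Added example: toy split-DNS checker. Zone names and addresses are constructed.
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str                                    # zone apex, e.g. "internal.com"
    records: dict = field(default_factory=dict)  # host label(s) -> IPv4 address

def lookup(zones, fqdn):
    """Resolve fqdn as an authoritative server does: choose the zone with the
    longest matching suffix, then look up the remaining labels in that zone."""
    name = fqdn.rstrip(".").lower()
    best = None
    for zone in zones:
        if name == zone.name or name.endswith("." + zone.name):
            if best is None or len(zone.name) > len(best.name):
                best = zone
    if best is None:
        return None                              # no zone is authoritative for this name
    host = name[: -len(best.name) - 1] or "@"    # "@" marks the zone apex itself
    return best.records.get(host)

def classify(ip, isa_internal_ip, exchange_ip, public_ip):
    """Report where a client that received this answer will actually connect."""
    if ip is None:
        return "unresolved"                      # name does not resolve at all
    if ip == isa_internal_ip:
        return "isa-internal-listener"           # FBA form served by the ISA internal listener
    if ip == exchange_ip:
        return "direct-to-exchange"              # bypasses the ISA listener and its FBA policy
    if ip == public_ip:
        return "public-ip"                       # internal client hairpins via the external interface
    return "unknown"

def check(zones, fqdn, isa_internal_ip, exchange_ip, public_ip):
    return classify(lookup(zones, fqdn), isa_internal_ip, exchange_ip, public_ip)

# Constructed sample addresses and zones (not from the thread).
ISA_INT, EXCH, PUBLIC = "10.0.0.1", "10.0.0.10", "203.0.113.5"
# Before the fix: only the internal zone exists, so the record lands under internal.com.
BEFORE = [Zone("internal.com", {"owa.external.com": ISA_INT, "mail": EXCH})]
# After the fix: a separate forward lookup zone for the registered external domain.
AFTER = BEFORE + [Zone("external.com", {"owa": ISA_INT})]

if __name__ == "__main__":
    for zones, label in ((BEFORE, "before"), (AFTER, "after")):
        print(label, check(zones, "owa.external.com", ISA_INT, EXCH, PUBLIC))
```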
RE: Discussion on Part 2 of the FBA article - 13.Feb.2006 11:23:19 PM   
jmercer54

 

Posts: 85
Joined: 25.Oct.2004
From: NY
Status: offline
Hi, Tom... so, I've switched gears and decided to go back to my SMTP via ISA attempt later on. :)  Instead, I decided to publish OWA.  And of course, I've run into a problem... which I hope you can help me diagnose.

I followed both this and your 1.1 publishing tutorial to the letter; as a result, my OWA access internally works via the ISA server and shows up with a pop-up authentication dialogue box.  I can see the ISA rules being invoked and so forth when I ask for OWA internally - it's very smooth. :)

External access, however, is another thing entirely.

I went to my local library and attempted to access owa.mercerhome.org.  The address resolved; the browser warned me that I was connecting to a site with a certification from an authority I hadn't decided to trust yet.  After saying yes, I got the dreaded "url denied" screen.

I went home and started diagnosing what was going on... I used proxify.com's proxy page to generate traffic to owa.mercerhome.org while logging on the ISA server looking for any traffic on my external network. (It's very quiet right now, which makes it easy.)

Sure enough, when I attempted to connect I saw an anonymous attempt to connect via https... to https://owa.mercerhome.org, which is what I expected.  For some very strange reason, though, the listener didn't handle the traffic; instead, it was denied by the default denial rule on the firewall.

I rechecked the entire configuration carefully; everything is as required in the tutorial, and obviously my ISP's resolving the address to the proper location. (Site certificate coming up, traffic on the firewall showing, etc.)

I'm not running a split DNS; my ISP is handling external resolution.

Any thoughts? Frankly, I'm stumped.

(in reply to tshinder)
Post #: 11
RE: Discussion on Part 2 of the FBA article - 23.Feb.2006 7:18:45 PM   
jle2005

 

Posts: 37
Joined: 19.Jan.2006
Status: offline
Hi Tom,

First of all I would like to say thanks for the fabulous articles that you wrote, "Enabling ISA Firewall Forms-based-Authentication for OWA connections for Internal and External Clients" and "Supporting ISA Firewall Network Protecting Illegal TLD: You Need a Split DNS!". I've learned a lot from those articles that you wrote. I've read and re-read those articles and finally I've managed to set up a tri-homed ISA Firewall test lab for myself with split DNS and an Exchange mail server to publish it with ISA Firewall. However, I'm currently running into some problems that I can't figure out by myself and I need your expert help.

Here is my problem. When I try to connect to my Exchange mail server internally at https://owa.vngateways.us/exchange, I got the error message
 
" Network Access Message: The page cannot be displayed

Technical Information (for Support personnel)
Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 192.168.1.253
Date: 2/23/2006 4:30:40 PM
Server: isa.vngateways.us
Source: proxy"


The error message occurs only when I configure my workstation as a Web proxy client. When I configure my workstation as a SecureNAT client, I am presented with a popup screen asking for user name and password to log in, but not with the FBA type. External clients work perfectly fine with FBA. I don't know what I did wrong; the only step that I didn't follow was to configure the HOSTS file entry on the ISA Firewall because I have already implemented the split DNS infrastructure. I don't know if this causes the problem, please help. Thank you

(in reply to tshinder)
Post #: 12
RE: Discussion on Part 2 of the FBA article - 24.Feb.2006 2:24:10 AM   
jle2005

 

Posts: 37
Joined: 19.Jan.2006
Status: offline
Hi bassque,
 
I was wondering whether you were able to figure out the log-in problem that you posted in the previous message ("Here is the string from the URL: /CookieAuth.dll?GetLogonWrapper?url=%2F&reason=0"). If you did, I hope that you can share the solution with me. Thank you very much.

(in reply to bassque)
Post #: 13
RE: Discussion on Part 2 of the FBA article - 24.Feb.2006 2:59:40 AM   
jle2005

 

Posts: 37
Joined: 19.Jan.2006
Status: offline
Hello All,

Now I'm getting some improvement in that I can get both the internal and external FBA to come up; however, when I put in the user name and the password the FBA doesn't let me log in, it just stays there. If you guys have any ideas please help. Thank you very much

(in reply to jle2005)
Post #: 14
RE: I get no error but... - 1.May2006 11:08:34 AM   
shajid

 

Posts: 1
Joined: 1.May2006
Status: offline
The same is happening with me also. The logon form keeps coming back. Though it works fine if you remove the check mark from "Require All users to Authenticate" in the authentication tab in Preferences of the Listener. Any idea if we are required to make ISA a member of the Domain for FBA? For security reasons I have installed it in a workgroup.

Regards,
M S Ali

(in reply to drobert)
Post #: 15
RE: Discussion on Part 2 of the FBA article - 4.May2006 10:30:37 PM   
dglasgow

 

Posts: 21
Joined: 9.Jun.2003
Status: offline
Tom, I would like to do this same procedure to support OMA/ActiveSync for devices connected to PCs on the internal network as well as for OWA... is it a problem to assign several internal IP addresses to the internal NIC for the purpose of creating multiple internal listeners?

For example, I would like to use FBA for OWA for both internal and external clients as described in the article - this needs 1 IP. (the domain name I use is mail.domain.com)

Then, I have internal clients with Pocket PC devices use the mobile.domain.com address for over-the-air ActiveSync as well as for direct PC sync - this is another internal IP.

I have everything working as described except I cannot get the internal ActiveSync clients to work when connected to their PCs.

Thanks for your advice
Doug

(in reply to tshinder)
Post #: 16
RE: Discussion on Part 2 of the FBA article - 25.Apr.2007 1:37:55 PM   
jsalow

 

Posts: 16
Joined: 19.Feb.2002
From: orange county, ca
Status: offline
Tom,

Could you update this article for Exchange 2007 and ISA 2006?

I'm not seeing the same dialogs when creating a web listener.

Dialogs:
1. Client connection security - Require SSL?
2. Web listener IP - this is the ISA internal address? Seems to be the only choice. Should I keep compression checked?
3. Seems to allow me to select the same certificate I use on external
4. Authentication - gives choices of http, html form, ssl client cert, no authentication - then basic, digest, integrated-

thanks


(in reply to tshinder)
Post #: 17
RE: Discussion on Part 2 of the FBA article - 3.May2007 3:35:35 AM   
wintermj

 

Posts: 3
Joined: 3.May2007
Status: offline
Hi Tom,

I followed the inbound and outbound tutorial you posted and I'm struggling with the outbound side of things. I have inbound working fine now and I can see logs in ISA, but this outbound is starting to drain my will to live...

From what I can see the Exchange server is queuing the mail; it just can't send. And I can see denied rules popping up in the realtime query on Exchange with the FWE_SPoofing_packet_Dropped error; there is no rule generating this error.

Is there any way I can actually view some decent logs to tell me where it's failing? The logs I've got from both Exchange and ISA are complete garbage. I can see the mail being sent, but no rejection or delay from Exchange. And I can't even see the mail arriving at the ISA server (2 different physical machines). The only thing I can think is ISA is rejecting outgoing mail.

If anyone has any suggestions, I'm tearing my hair out.

Many thanks
Mike

I managed to get this working by creating a connector in Exchange. Both my servers (ISA and the Exchange server) display the static IP I want to send mails from, when using whatismyip.org.

However when I send emails they come from a dynamic address from British Telecom. There are various blacklisted dynamic ranges and the one I'm on happens to be one. Anyone know why mail is arriving from this point?

< Message edited by wintermj -- 3.May2007 6:37:55 AM >

(in reply to jsalow)
Post #: 18
RE: Discussion on Part 2 of the FBA article - 24.Apr.2008 4:41:55 PM   
dd71

 

Posts: 54
Joined: 24.Mar.2005
Status: offline
I'm sure I'm missing something, but after you unbind the certificate from IIS to the OWA site and generate a new certificate, do you then bind the original certificate back to the OWA site? Is the external listener on ISA connecting to the FE Exchange OWA page, or is that served by ISA? If it is served by ISA, then is the web page on the FE Exchange really doing anything? Does the certificate that is placed in the internal listener get put onto an OWA website? And is the hosts file that you configure supposed to point to the internal FE IP address or to the BE Exchange server? Currently I have an external OWA listener that comes in to ISA and the hosts file directs it to the FE internal IP address.

< Message edited by dd71 -- 24.Apr.2008 4:43:57 PM >

(in reply to tshinder)
Post #: 19
RE: Discussion on Part 2 of the FBA article - 24.Apr.2008 4:58:17 PM   
dd71

 

Posts: 54
Joined: 24.Mar.2005
Status: offline
I would also like to get clarification on where authentication truly occurs. This article and the ISA Server 2004 book say that authentication occurs on the ISA server but the "Sites using ISA Firewall Web Publishing Rules" article (step 21 and 26) say the OWA site handles the authentication. If the ISA firewall does the authentication then how does this work?

(in reply to tshinder)
Post #: 20
