Nice article, Tom. Though it would put some extra burden on ISA, since we love FBA I also got myself into it.
Everything is smooth and cool. The only problem is the name resolution for internal users. We have different internal and external domain names (the web site being hosted externally). I cannot add a host record owa.external.com in my internal DNS server; if I do add it, it would be like "owa.external.com.internal.com". It doesn't work for internal users unless we add a host record in the clients' local HOSTS file (I did this part just for testing since it's not practical).
OK, after waiting for three years, at last I have implemented split DNS. Though I already had a different internal domain name, just adding a new forward lookup zone for my registered domain did the job.
OWA FBA is working fine for both internal and external users now. But to properly implement it the following issues need to be solved:
Big issue: If I configure an UPSTREAM SERVER in the web chaining settings, EXTERNAL clients get the error "500 Internal Server Error"... tricky, isn't it? Without any upstream server everything works fine.
Tiny issue: If the internal clients are configured without any proxy settings, all is fine. Once you try to connect to OWA as a Web Proxy client you get the error "502 Proxy Error: ISA Server denied ...". For this it seems we have to configure Direct Access.
Since a lot of people are having the 500 Internal Server Error, I was just wondering: did they check their upstream proxy server settings? Does it work for them?
I followed this crystal clear tutorial to its end and here is what is happening:
When I try to access the server from the web (extranet.mydomain.fr/exchange) I get the nice OWA form. Here I enter the login information (mydomain\myuser & mypassword, or even firstname.lastname@example.org & mypassword) and when I click on the connect (or whatever the translation from French) button, I come back again to the same form with no error message.
I get the same result from the corporate network (split DNS, HOSTS file on ISA server and Direct Access done).
Duh... Nice not to have any errors, but you'll get tired of the same form coming up again and again pretty soon.
Any idea?
Thomas, I may sound like a pretty newbie on ISA 2004 but... uh... how do you view your ISA 2004 log file entries shown the way they are at the end of your tutorial? (Usually I use NetTracker, but here I would like to view it the way you do.)
1 - Windows XP SP2 with no HOSTS and configured to send DNS queries to our internal DNS server:
ping extranet, Firewall Client active -> replies come from the ISA server (fine!)
ping extranet.mydomain.fr, Firewall Client active -> replies come from the ISA server (fine!)
ping extranet.mydomain.fr, Firewall Client inactive -> replies come from the ISA server (fine!)
2 - Windows 2000 SP4 with no HOSTS and configured to send DNS queries to our internal DNS server:
ping extranet, Firewall Client active -> replies come from the ISA server (fine!)
ping extranet.mydomain.fr, Firewall Client active -> replies come from the Exchange server (ARGL!)
ping extranet.mydomain.fr, Firewall Client inactive -> replies come from the ISA server (fine!)
Note that our ISA 2004 uses the latest SP and that all our workstations have been upgraded with new Firewall Client.
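As an added example that is not part of any post in this thread: the split-DNS and HOSTS checks the posts above describe, in Python. It plans the zone to create on the internal DNS server for a public OWA name (the "owa.external.com.internal.com" mistake), parses a HOSTS file the way Windows does (first entry wins), and classifies what an internal client got back for the published name (ISA listener, Exchange directly, or the public address). All IP addresses in the test values are constructed, and the function names are mine.

```python
"""Split-DNS sanity checks for an ISA-published OWA name (added example).

The addresses used with these functions are constructed sample values.
"""
import ipaddress


def plan_split_dns(public_fqdn: str, internal_zone: str) -> dict:
    """Return the zone and host record to create on the internal DNS server.

    Adding the full public name as a host record inside the internal zone
    yields a name like owa.external.com.internal.com, which no client ever
    asks for. The working layout is a separate forward lookup zone named
    after the public domain, holding a short host record.
    """
    host, _, zone = public_fqdn.lower().partition(".")
    return {
        "wrong_record": f"{public_fqdn}.{internal_zone}".lower(),
        "zone_to_create": zone,
        "record_name": host,
    }


def parse_hosts(text: str) -> dict:
    """Parse HOSTS-file text into {name: ip}; the first entry for a name wins."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def classify_answer(resolved_ip: str, isa_internal_ip: str, exchange_ip: str) -> str:
    """Say what an internal client will reach for the OWA name."""
    if resolved_ip == isa_internal_ip:
        return "ok"        # ISA internal listener: FBA is applied
    if resolved_ip == exchange_ip:
        return "bypass"    # straight to Exchange: ISA never sees the request
    if ipaddress.ip_address(resolved_ip).is_global:
        return "external"  # public address: hairpins via the external listener
    return "unknown"


def isa_hosts_ok(hosts_text: str, name: str, exchange_ip: str) -> bool:
    """On the ISA box the published name must map to Exchange, not to ISA itself."""
    return parse_hosts(hosts_text).get(name.lower()) == exchange_ip
```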
Hi, Tom... so, I've switched gears and decided to go back to my SMTP via ISA attempt later on. :) Instead, I decided to publish OWA. And of course, I've run into a problem... which I hope you can help me diagnose.
I followed both this and your 1.1 publishing tutorial to the letter; as a result, my OWA access internally works via the ISA server and shows up with a pop-up authentication dialogue box. I can see the ISA rules being invoked and so forth when I ask for OWA internally - it's very smooth. :)
External access, however, is another thing entirely.
I went to my local library and attempted to access owa.mercerhome.org. The address resolved; the browser warned me that I was connecting to a site with a certificate from an authority I hadn't decided to trust yet. After saying yes, I got the dreaded "url denied" screen.
I went home and started diagnosing what was going on... I used proxify.com's proxy page to generate traffic to owa.mercerhome.org while logging on the ISA server looking for any traffic on my external network. (It's very quiet right now, which makes it easy.)
Sure enough, when I attempted to connect I saw an anonymous attempt to connect via https... to https://owa.mercerhome.org, which is what I expected. For some very strange reason, though, the listener didn't handle the traffic; instead, it was denied by the default denial rule on the firewall.
I rechecked the entire configuration carefully; everything is as required in the tutorial, and obviously my ISP's resolving the address to the proper location. (Site certificate coming up, traffic on the firewall showing, etc.)
I'm not running a split DNS; my ISP is handling external resolution.
First of all I would like to say thanks for the fabulous articles that you wrote, "Enabling ISA Firewall Forms-based-Authentication for OWA connections for Internal and External Clients" and "Supporting ISA Firewall Network Protecting Illegal TLD: You Need a Split DNS!". I've learned a lot from those articles. I've read and re-read them and finally I've managed to set up a tri-homed ISA Firewall test lab for myself with split DNS and an Exchange mail server to publish with the ISA Firewall. However, I'm currently running into some problems that I can't figure out by myself and I need your expert help.
"Network Access Message: The page cannot be displayed
Technical Information (for Support personnel) Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202) IP Address: 192.168.1.253 Date: 2/23/2006 4:30:40 PM Server: isa.vngateways.us Source: proxy"
The error message occurs only when I configure my workstation as a Web Proxy client. When I configure my workstation as a SecureNAT client, I am presented with a popup screen asking for user name and password to log in, but not with the FBA type. External clients work perfectly fine with FBA. I don't know what I did wrong; the only step that I didn't follow was to configure the HOSTS file entry on the ISA Firewall, because I have already implemented the split DNS infrastructure. I don't know if this causes the problem, please help. Thank you.
I was wondering whether you were able to figure out the log-in problem that you posted in the previous message ("Here is the string from the URL: "/CookieAuth.dll?GetLogonWrapper?url=%2F&reason=0""). If you did, I hope that you can share the solution with me. Thank you very much.
Now I'm getting some improvement in that I can get both internal and external FBA to come up; however, when I put in the user name and the password the FBA doesn't let me log in, it just stays there. If you guys have any ideas please help. Thank you very much.
The same is happening with me also. The logon form keeps coming back. Though it works fine if you remove the check mark from "Require All users to Authenticate" in the authentication tab in the Preferences of the Listener. Any idea if we are required to make ISA a member of the domain for FBA? For security reasons I have installed it in a workgroup.
Tom, I would like to do this same procedure to support OMA/ActiveSync for devices connected to PCs on the internal network as well as for OWA... is it a problem to assign several internal IP addresses to the internal NIC for the purpose of creating multiple internal listeners?
For example, I would like to use FBA for OWA for both internal and external clients as described in the article; this needs 1 IP. (The domain name I use is mail.domain.com.)
Then, I have internal clients with Pocket PC devices using the mobile.domain.com address for over-the-air ActiveSync as well as for direct PC sync; this is another internal IP.
I have everything working as described except I cannot get the internal ActiveSync clients to work when connected to their PCs.
Could you update this article for Exchange 2007 and ISA 2006?
I'm not seeing the same dialogs when creating a web listener.
Dialogs:
1. Client connection security - Require SSL?
2. Web listener IP - this is the ISA internal address? Seems to be the only choice. Should I keep compression checked?
3. Seems to allow me to select the same certificate I use on external.
4. Authentication - gives choices of HTTP, HTML form, SSL client cert, no authentication - then basic, digest, integrated.
I followed the inbound and outbound tutorial you posted and I'm struggling with the outbound side of things. I have inbound working fine now and I can see logs in ISA, but this outbound is starting to drain my will to live...
From what I can see the Exchange server is queuing the mail; it just can't send. And I can see denied rules popping up in the real-time query on Exchange with the FWE_SPoofing_packet_Dropped error; there is no rule generating this error.
Is there any way I can actually view some decent logs to tell me where it's failing? The logs I've got from both Exchange and ISA are complete garbage. I can see the mail being sent, but no rejection or delay from Exchange. And I can't even see the mail arriving at the ISA server (2 different physical machines). The only thing I can think is ISA is rejecting outgoing mail.
If anyone has any suggestions, I'm tearing my hair out.
Many thanks, Mike
I managed to get this working by creating a connector in Exchange. Both my servers (ISA and the Exchange server) display the static IP I want to send mail from when using whatismyip.org.
However, when I send emails they come from a dynamic address from British Telecom. There are various blacklisted dynamic ranges and the one I'm on happens to be one of them. Anyone know why mail is arriving from this point?
< Message edited by wintermj -- 3.May2007 6:37:55 AM >
I'm sure I'm missing something, but after you unbind the certificate from IIS on the OWA site and generate a new certificate, do you then bind the original certificate back to the OWA site? Is the external listener on ISA connecting to the FE Exchange OWA page, or is that served by ISA? If it is served by ISA, then is the web page on the FE Exchange really doing anything? Does the certificate that is placed in the internal listener get put onto an OWA website? And is the HOSTS file that you configure supposed to point to the internal FE IP address or to the BE Exchange server? Currently I have an external OWA listener that comes in to ISA and the HOSTS file directs it to the FE internal IP address.
< Message edited by dd71 -- 24.Apr.2008 4:43:57 PM >
I would also like to get clarification on where authentication truly occurs. This article and the ISA Server 2004 book say that authentication occurs on the ISA server, but the "Sites using ISA Firewall Web Publishing Rules" article (steps 21 and 26) says the OWA site handles the authentication. If the ISA firewall does the authentication, then how does this work?