Discussion on Part 2 of the FBA article (Full Version)

tshinder -> Discussion on Part 2 of the FBA article (28.Sep.2005 6:51:00 AM)

This thread is for discussing part two of the FBA article at http://www.isaserver.org/tutorials/Enabling-ISA-Firewall-Forms-based-Authentication-FBA-OWA-Connections-Internal-External-Clients-Part2.html

Thanks!
Tom

[ September 28, 2005, 06:53 AM: Message edited by: tshinder ]




bassque -> RE: Discussion on Part 2 of the FBA article (3.Oct.2005 5:27:00 PM)

Hey all. After I do the required steps, I get the FBA. However, after filling out the required information, I receive a

"Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)"

I've tried monkeying with it with little results. Thoughts?




bassque -> RE: Discussion on Part 2 of the FBA article (3.Oct.2005 5:32:00 PM)

Here is the string from the URL:

"/CookieAuth.dll?GetLogonWrapper?url=%2F&reason=0"




tshinder -> RE: Discussion on Part 2 of the FBA article (5.Oct.2005 8:43:00 PM)

Hi Bassque,

Sounds like a name resolution problem.

HTH,
Tom




adnan&ISA -> RE: Discussion on Part 2 of the FBA article (13.Oct.2005 2:50:00 AM)

Hi all,

Nice article, Tom. Though it would put some extra burden on ISA, since we love FBA I also got myself into it.

Everything is smooth and cool. The only problem is the name resolution for internal users. We have different internal and external domain names (the web site is hosted externally). I cannot add a host record for owa.external.com in my internal DNS server; if I do add it, it would be like "owa.external.com.internal.com". It doesn't work for internal users unless we add a host record in the clients' local HOSTS file (I did this part just for testing, since it's not practical).

Do you have any suggestions?

Thanks.




treikov -> RE: Discussion on Part 2 of the FBA article (13.Oct.2005 5:56:00 PM)

I have the same problem:

When I attempt to authenticate to OWA from the external network (Internet), I receive the error:

"Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)."

More information in:

403 Forbidden Error in OWA Publishing
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=23;t=000801

Greetings,




adnan&ISA -> RE: Discussion on Part 2 of the FBA article (15.Oct.2005 4:29:00 AM)

Hi All,

OK, after waiting for three years, at last I have implemented split DNS [Big Grin]. Though I already had a different internal domain name, just adding a new forward lookup zone for my registered domain did the job.

OWA FBA is working fine for both internal and external users now. But to properly implement it, the following issues need to be solved:

Big issue: If I configure an UPSTREAM SERVER in the web chaining settings, EXTERNAL clients get the error "500 Internal Server Error"... tricky, isn't it? Without any upstream server everything works fine.

Tiny issue: If the internal clients are configured without any proxy settings, all is fine. Once you try to connect to OWA as a Web Proxy client, you get the error "502 Proxy Error: ISA Server denied ...". For this it seems we have to configure Direct Access.

Since a lot of people are having the 500 Internal Server Error, I was just wondering: did they check their upstream proxy server settings? Does it work for them?

Thanks

[ October 15, 2005, 04:32 AM: Message edited by: adnan&ISA ]




tshinder -> RE: Discussion on Part 2 of the FBA article (3.Nov.2005 11:41:00 AM)

Hi Adnan,

Yes, you'll need to configure the Web proxy clients for Direct Access. Did I forget to mention that? (arg!)

Tom

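Tom's point above is that a Web proxy client must reach the published OWA name directly rather than through the ISA Web proxy. As an added illustration (not code from the thread, and not the script ISA generates itself), here is a hand-written proxy auto-config (PAC) function that mimics only the Direct Access bypass decision; the hostnames, the proxy name and port are placeholders constructed for this example.

```javascript
// Added example (not from the thread or from ISA Server itself): a minimal
// PAC-style function mimicking what ISA's "Direct Access" list does for Web
// proxy clients. Hosts on the bypass list go DIRECT (so the request reaches the
// internal FBA listener); everything else is sent through the ISA Web proxy.
// Hostnames, proxy name and port below are placeholders constructed for this example.

const ISA_PROXY = "PROXY isa.internal.example:8080";

// Direct Access destinations: the published OWA FQDN (exact match) and the
// internal domain suffix (wildcard). In ISA these are entered on the
// Web Browser tab of the internal network's properties.
const DIRECT_ACCESS = ["owa.external.example", "*.internal.example"];

// Stand-in for the shExpMatch() helper that browsers provide to PAC scripts:
// a shell-style glob where "*" matches any run of characters, case-insensitive.
function shExpMatch(str, pattern) {
  const escaped = pattern
    .split("*")
    .map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + escaped + "$", "i").test(str);
}

// Stand-in for isPlainHostName(): a single-label name has no dots.
function isPlainHostName(host) {
  return !host.includes(".");
}

function FindProxyForURL(url, host) {
  // Single-label names and loopback never leave the local segment.
  if (isPlainHostName(host) || host === "localhost") return "DIRECT";
  for (const pattern of DIRECT_ACCESS) {
    if (shExpMatch(host, pattern)) return "DIRECT";
  }
  return ISA_PROXY;
}

// Reproduces the thread's failure mode: with the OWA name missing from the
// Direct Access list, the Web proxy client sends the request through the
// proxy, which is where the "502 Proxy Error" comes from instead of the
// internal FBA listener. Temporarily empties the list, then restores it.
function withoutDirectAccess(host) {
  const saved = DIRECT_ACCESS.splice(0);
  const result = FindProxyForURL("https://" + host + "/exchange", host);
  DIRECT_ACCESS.push(...saved);
  return result;
}
```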



drobert -> I get no error but... (20.Dec.2005 9:20:42 AM)

I followed this crystal-clear tutorial to its end and here is what is happening:

When I try to access the server from the web (extranet.mydomain.fr/exchange) I get the nice OWA form. Here I enter the login information (mydomain\myuser & mypassword, or even myuser@mydomain.fr & mypassword) and when I click on the connect (or whatever the translation from French is) button, I come back again to the same form with no error message.

I get the same result from the corporate network (split DNS, HOSTS file on ISA server and Direct Access done).

Duh... Nice not to have any errors but you'll get tired of the same form coming up again and again pretty soon [:(]

Any idea?

Thomas, I may sound like a pretty newbie on ISA 2004 but... uh... how do you view your ISA 2004 log file entries the way they are shown at the end of your tutorial? (Usually I use NetTracker, but here I would like to view them the way you do.) [:)]




drobert -> RE: I get no error but... (20.Dec.2005 10:09:30 AM)

More weird stuff:

From my corporate network I did this test:

1 - Windows XP SP2 with no HOSTS entries and configured to send DNS queries to our internal DNS server:
ping extranet & Firewall Client is active -> replies come from the ISA server (fine!)
ping extranet.mydomain.fr & Firewall Client is active -> replies come from the ISA server (fine!)
ping extranet.mydomain.fr & Firewall Client is inactive -> replies come from the ISA server (fine!)

2 - Windows 2000 SP4 with no HOSTS entries and configured to send DNS queries to our internal DNS server:
ping extranet & Firewall Client is active -> replies come from the ISA server (fine!)
ping extranet.mydomain.fr & Firewall Client is active -> replies come from the Exchange server (ARGL!)
ping extranet.mydomain.fr & Firewall Client is inactive -> replies come from the ISA server (fine!)

Note that our ISA 2004 uses the latest SP and that all our workstations have been upgraded with the new Firewall Client.





jmercer54 -> RE: Discussion on Part 2 of the FBA article (13.Feb.2006 11:23:19 PM)

Hi, Tom... so, I've switched gears and decided to go back to my SMTP via ISA attempt later on. :)  Instead, I decided to publish OWA.  And of course, I've run into a problem... which I hope you can help me diagnose.

I followed both this and your 1.1 publishing tutorial to the letter; as a result, my OWA access internally works via the ISA server and shows up with a pop-up authentication dialogue box.  I can see the ISA rules being invoked and so forth when I ask for OWA internally - it's very smooth. :)

External access, however, is another thing entirely.

I went to my local library and attempted to access owa.mercerhome.org.  The address resolved; the browser warned me that I was connecting to a site with a certification from an authority I hadn't decided to trust yet.  After saying yes, I got the dreaded "url denied" screen.

I went home and started diagnosing what was going on... I used proxify.com's proxy page to generate traffic to owa.mercerhome.org while logging on the ISA server looking for any traffic on my external network. (It's very quiet right now, which makes it easy.)

Sure enough, when I attempted to connect I saw an anonymous attempt to connect via https... to https://owa.mercerhome.org, which is what I expected.  For some very strange reason, though, the listener didn't handle the traffic; instead, it was denied by the default denial rule on the firewall.

I rechecked the entire configuration carefully; everything is as required in the tutorial, and obviously my ISP is resolving the address to the proper location. (Site certificate coming up, traffic on the firewall showing, etc.)

I'm not running a split DNS; my ISP is handling external resolution.

Any thoughts? Frankly, I'm stumped.




jle2005 -> RE: Discussion on Part 2 of the FBA article (23.Feb.2006 7:18:45 PM)

Hi Tom,

First of all I would like to say thanks for the fabulous articles that you wrote, "Enabling ISA Firewall Forms-based-Authentication for OWA connections for Internal and External Clients" and "Supporting ISA Firewall Network Protecting Illegal TLD: You Need a Split DNS!". I've learned a lot from those articles. I've read and re-read them and finally I've managed to set up a tri-homed ISA Firewall test lab for myself with split DNS and an Exchange mail server to publish with the ISA Firewall. However, I'm currently running into some problems that I can't figure out by myself and I need your expert help.

Here is my problem. When I try to connect to my Exchange mail server internally at https://owa.vngateways.us/exchange, I got the error message
 
" Network Access Message: The page cannot be displayed

Technical Information (for Support personnel)
Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 192.168.1.253
Date: 2/23/2006 4:30:40 PM
Server: isa.vngateways.us
Source: proxy"


The error message occurs only when I configure my workstation as a Web proxy client. When I configure my workstation as a SecureNAT client, I am presented with a popup screen asking for a user name and password to log in, but not with the FBA type. External clients work perfectly fine with FBA. I don't know what I did wrong; the only step that I didn't follow was to configure the HOSTS file entry on the ISA Firewall, because I have already implemented the split DNS infrastructure. I don't know if this causes the problem. Please help. Thank you




jle2005 -> RE: Discussion on Part 2 of the FBA article (24.Feb.2006 2:24:10 AM)

Hi bassque,
 
I was wondering whether you were able to figure out the log-in problem that you posted in the previous message ("Here is the string from the URL: /CookieAuth.dll?GetLogonWrapper?url=%2F&reason=0"). If you did, I hope that you can share the solution with me. Thank you very much.




jle2005 -> RE: Discussion on Part 2 of the FBA article (24.Feb.2006 2:59:40 AM)

Hello All,

Now I'm getting some improvement: I can get both the internal and external FBA to come up. However, when I put in the user name and the password, the FBA doesn't let me log in; it just stays there. If you guys have any ideas, please help. Thank you very much




shajid -> RE: I get no error but... (1.May2006 11:08:34 AM)

The same is happening with me also. The logon form keeps coming back, though it works fine if you remove the check mark from "Require All users to Authenticate" in the Authentication tab in the Preferences of the Listener. Any idea if we are required to make ISA a member of the domain for FBA? For security reasons I have installed it in a workgroup.

Regards,
M S Ali




dglasgow -> RE: Discussion on Part 2 of the FBA article (4.May2006 10:30:37 PM)

Tom, I would like to do this same procedure to support OMA/ActiveSync for devices connected to PCs on the internal network as well as for OWA. Is it a problem to assign several internal IP addresses to the internal NIC for the purpose of creating multiple internal listeners?

For example, I would like to use FBA for OWA for both internal and external clients as described in the article - this needs 1 IP (the domain name I use is mail.domain.com).

Then I have internal clients with Pocket PC devices use the mobile.domain.com address for over-the-air ActiveSync as well as for direct PC sync - this is another internal IP.

I have everything working as described except I cannot get the internal ActiveSync clients to work when connected to their PCs.

Thanks for your advice
Doug




jsalow -> RE: Discussion on Part 2 of the FBA article (25.Apr.2007 1:37:55 PM)

Tom,

Could you update this article for Exchange 2007 and ISA 2006?

I'm not seeing the same dialogs when creating a web listener.

Dialogs:
1. Client connection security - Require SSL?
2. Web listener IP - this is the ISA internal address? Seems to be the only choice. Should I keep compression checked?
3. Seems to allow me to select the same certificate I use on the external listener
4. Authentication - gives choices of HTTP, HTML form, SSL client cert, no authentication - then Basic, Digest, Integrated

Thanks





wintermj -> RE: Discussion on Part 2 of the FBA article (3.May2007 3:35:35 AM)

Hi Tom,

I followed the inbound and outbound tutorial you posted and I'm struggling with the outbound side of things. I have inbound working fine now and I can see logs in ISA, but this outbound is starting to drain my will to live...

From what I can see the Exchange server is queuing the mail; it just can't send. And I can see denied rules popping up in the real-time query on Exchange with the FWE_SPoofing_packet_Dropped error; there is no rule generating this error.

Is there any way I can actually view some decent logs to tell me where it's failing? The logs I've got from both Exchange and ISA are complete garbage. I can see the mail being sent, but no rejection or delay from Exchange. And I can't even see the mail arriving at the ISA server (2 different physical machines). The only thing I can think is that ISA is rejecting outgoing mail.

If anyone has any suggestions, I'm tearing my hair out.

Many thanks
Mike

I managed to get this working by creating a connector in Exchange. Both my servers (ISA and the Exchange server) display the static IP I want to send mails from when using whatismyip.org.

However, when I send emails they come from a dynamic address from British Telecom. There are various blacklisted dynamic ranges and the one I'm on happens to be one of them. Anyone know why mail is arriving from this point?




dd71 -> RE: Discussion on Part 2 of the FBA article (24.Apr.2008 4:41:55 PM)

I'm sure I'm missing something, but after you unbind the certificate from the OWA site in IIS and generate a new certificate, do you then bind the original certificate back to the OWA site? Is the external listener on ISA connecting to the FE Exchange OWA page, or is that served by ISA? If it is served by ISA, then is the web page on the FE Exchange really doing anything? Does the certificate that is placed in the internal listener get put onto an OWA website? And is the HOSTS file that you configure supposed to point to the internal FE IP address or to the BE Exchange server? Currently I have an external OWA listener that comes in to ISA, and the HOSTS file directs it to the FE internal IP address.




dd71 -> RE: Discussion on Part 2 of the FBA article (24.Apr.2008 4:58:17 PM)

I would also like to get clarification on where authentication truly occurs. This article and the ISA Server 2004 book say that authentication occurs on the ISA server, but the "Sites using ISA Firewall Web Publishing Rules" article (steps 21 and 26) says the OWA site handles the authentication. If the ISA firewall does the authentication, then how does this work?



