Hi Tom, great article. I set it up, and it's working well; however, I want to be able to use SSL in the web publishing rule, but when I select "redirect HTTP requests as SSL", check "require secure channel for SSL", and "require 128-bit encryption", then I cannot get to the site. IE tells me that I will be viewing pages over a secure connection, but after that it fails and gives me a DNS error. I do not have any certificates configured on ISA or the OWA server. Is this what I'm missing?
You need to install the certificates on the ISA Server and the Web server. Run out during your lunch break and get the ISA Server and Beyond book. If you're there in Redondo Beach, there's a bookstore real close. I grew up in Santa Monica, so I know the area well.
Already got the book; have had it for a couple of weeks now. Unfortunately I haven't had time to read it, but I will have to make the time. Yes, Santa Monica is a great town, especially if you're single. I bet you miss it.
Just curious as to why an internal client trying to reach OWA that is on an internal machine would be asked for authentication from ISA? I have set the web proxy clients for direct access, and I have configured the LDT and LAT for only internal IPs and domain.
I just set the incoming web request listener back to integrated, unchecked "allow delegation of authentication" on the web publishing rule, set the authentication in IIS back to basic, and restarted all the services, but when I browse my OWA site ISA thinks that it must still authenticate on the incoming web listener, and if I enter my credentials it passes them to the OWA server, and I authenticate to this and it lets me in. However, users did not want to authenticate twice, so I had to tell the incoming web listener to stop asking for authentication, but it still wants to.
What the hell. I have NO idea why ISA wants to try and authenticate any request for any published website on my internal network. My OWA site is set to Basic in IIS, ISA's incoming web listener is set to integrated, and the web publishing rule is set to allow any request. I don't get it. Is this an FP1 issue? Hello MS, what the #@$@#%.
REMOVE the integrated auth setting. Read the heads-up at the end of the article again and see what I have to say about mixing 'em up. Read the beginning of the article to see what happens with double authentication.
OK, I will re-read the article. I guess the part I'm not understanding is this. Before I installed FP1 I had the incoming web request listener set to integrated, and OWA was set to basic, and when a user typed in mail.domainname.com\exchange they only got authenticated at the IIS server hosting OWA. Now, after installing FP1, if I set the internal web request listener to integrated and OWA to basic, I then get prompted by ISA for authentication; if I switch the listener to basic, then only IIS authenticates. So I guess my question is: did installing FP1 change how ISA authenticates internal web requests?
OK, I looked at the article again, and after doing several tests, I now have a better understanding of what is going on. It is interesting indeed. This is what I can gather so far with all of this.
#1 If the internal website is set to basic, and the internal web listener is set to basic as well, and in the web publishing rule you control access by users and groups, then if you are one of the users who is allowed access by the web publishing rule, you will only be authenticated once by ISA, and ISA will pass this along to the internal site.
#2 If the internal website is set to anonymous, and the internal web listener is set to basic, and in the web publishing rule you allow access to certain users/groups, then if a user who is part of the group in the web publishing rule tries to access the site, ISA will ask who you are and pass you on to the site.
#3 If the internal website is set to basic, and the internal web listener is set to basic as well, and in the web publishing rule you allow any request, and the internal website is set to basic, then ISA passes the request on to the internal site.
#4 If OWA is set to Basic on the internal server, and the internal web listener is set to basic, and you apply the web publishing rule to Domain Users, then you will get two basic logon boxes. One will be for ISA, and then this will pass it on to OWA, and OWA will ask as well. I tested this out several times.
Almost, except for #4. When you enable delegation of basic authentication on the Web Publishing Rule, you will only need to authenticate once. The Incoming Web Requests listener will prompt you, and then it sends the credentials to the Web server.
Thanks for the reply. I think the reason why I was seeing a logon box for OWA, even when I had enabled delegation of basic authentication on the Web Publishing Rule, is because I run Exchange 5.5, and 5.5 has a logon page, whereas Exchange 2K does not. Just thought I would throw this one out there.
From: Boston, MA
I have Feature Pack 1 installed, with OWA via SSL working. Both ISA and the OWA server have SSL certs. Web listener has Basic Auth only, with SSL cert selected.
The OWA pub rule has "Require SSL and 128-bit" selected, along with "allow delegation" selected and a Universal Security Group selected for the "Applies To". The OWA server has Basic Auth and "Require SSL/128-bit" selected on all appropriate virtual directories.
When a user on the Internet enters the correct URL, i.e., "https://FQDN/exchange", everything happens correctly. However, if "http" is typed instead of "https", ISA is still prompting for Basic Authentication credentials. I captured a network trace of the interaction, and it is definitely using just port 80, normal HTTP. After entering credentials three times, it eventually fails with "Server requires authentication..."
My expectation is that ISA would immediately reject the "http" request to the site since SSL was selected as required in the pub rule and therefore never present a credentials box.
Is this a problem with the way ISA handles this situation, or is it a configuration problem (hopefully)?
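One way a defender can check for the behaviour reported in this post, a listener that answers a plain-HTTP request with a Basic challenge even though the rule requires SSL, is to classify the response the published site returns to a cleartext request. This is an added example, not code from the thread or from ISA Server; the HTTP responses below are constructed samples, and the `https://mail.example.com` host name is a placeholder.

```python
# Added example: flag a Basic-auth challenge delivered over cleartext HTTP.
# A rule that requires SSL should answer a port-80 request with a redirect to
# https:// or a rejection, never with a WWW-Authenticate: Basic challenge,
# because the browser would then send the credentials base64-encoded in clear.

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, {header: [values]})."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Keep a list per header name: a server may send several challenges.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def classify(raw: bytes, over_tls: bool) -> str:
    """Label the response from the point of view of credential exposure."""
    status, headers = parse_response(raw)
    challenges = [c.lower() for c in headers.get("www-authenticate", [])]
    location = headers.get("location", [""])[0].lower()
    if status == 401 and any(c.startswith("basic") for c in challenges):
        # Over TLS this is the expected listener prompt; in the clear it is
        # exactly the misbehaviour described in the post above.
        return "basic-challenge" if over_tls else "BASIC-OVER-CLEARTEXT"
    if status in (301, 302, 307) and location.startswith("https://"):
        return "redirect-to-https"
    if status in (400, 403):
        return "rejected"
    return f"other-{status}"

# Constructed sample responses (not captured from a real ISA Server).
SAMPLE_CHALLENGE = (b"HTTP/1.1 401 Unauthorized\r\n"
                    b"WWW-Authenticate: Basic realm=\"mail.example.com\"\r\n"
                    b"Content-Length: 0\r\n\r\n")
SAMPLE_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: https://mail.example.com/exchange\r\n\r\n")
SAMPLE_FORBIDDEN = b"HTTP/1.1 403 Forbidden\r\n\r\n"

def check_samples() -> dict:
    """Classify each sample as if it had arrived on a plain port-80 connection."""
    return {
        "challenge": classify(SAMPLE_CHALLENGE, over_tls=False),
        "redirect": classify(SAMPLE_REDIRECT, over_tls=False),
        "forbidden": classify(SAMPLE_FORBIDDEN, over_tls=False),
    }

if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name}: {verdict}")
```

The same `classify` call with `over_tls=True` labels the challenge as the normal listener prompt, which is the case the post says works correctly.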