
Welcome to ISAserver.org


yet another OWA/ISA question

yet another OWA/ISA question - 12.Feb.2003 11:41:00 AM   
Ben Richardson

 

Posts: 27
Joined: 16.Aug.2002
From: UK
Status: offline
Apologies if this has been asked before.

I have OWA working through ISA using only basic authentication using Web Publishing rules. I'm using ISA FP1, the Exchange server is 2000 SP3 sitting on a DC.

I'm trying to terminate the SSL connection at the ISA server and forward as HTTP, but whenever I go to https://mail.internetdomain.com/exchange I get a DNS error. If I uncheck Require SSL on the publishing rule then I can successfully access OWA via HTTP externally.

Any hints/clues appreciated!
Post #: 1
RE: yet another OWA/ISA question - 12.Feb.2003 2:55:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ben,

Sometimes when you redirect divergent protocols, you'll see this kind of problem. There are a couple of ways you can deal with it. The hard way is to use link translation [Wink] The easy way is to make a registry entry:

MSKB 307347

HTH,
Tom

(in reply to Ben Richardson)
Post #: 2
RE: yet another OWA/ISA question - 12.Feb.2003 3:11:00 PM   
Ben Richardson

 

Posts: 27
Joined: 16.Aug.2002
From: UK
Status: offline
Thanks Tom, but doesn't seem to have made a difference unfortunately :-(

Any idea where I can start looking for the problem, or is it worth me posting more information on my setup?

Ben

(in reply to Ben Richardson)
Post #: 3
RE: yet another OWA/ISA question - 12.Feb.2003 3:37:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ben,

Go ahead and give some details.

Most important are:

* Nature of the certificate bound to the listener
* Did you use the procedures described in ISA Server and Beyond (I know those work)
* What is the EXACT config of your Web Publishing Rule?
* Have you tried bridging SSL as SSL? (the only recommended config)

Thanks!
Tom

(in reply to Ben Richardson)
Post #: 4
RE: yet another OWA/ISA question - 12.Feb.2003 3:50:00 PM   
Ben Richardson

 

Posts: 27
Joined: 16.Aug.2002
From: UK
Status: offline
I have just been through the procedure in the book (again), but still no joy.

I got the SSL for my Exchange server, then successfully exported/imported it into the machine personal certificates section on ISA. I am able to select the certificate when configuring the listener for that IP.

I have followed the proc in your book, but skipping the Password bit.

My web publishing rule is;

1. Destination set = mail.internetdomain.com /exchange*, /public*, /exchweb

2. redirect request to IP of OWA, send original host header, allow delegation of basic....

3. Redirect HTTP and SSL as HTTP. Require SSL

4. Applies to any request

If I bridge SSL as SSL then I've got to require SSL on OWA server yes? I'll go try that!

Thanks Tom

(in reply to Ben Richardson)
Post #: 5
RE: yet another OWA/ISA question - 12.Feb.2003 4:03:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ben,

Some thoughts (it's always very difficult to troubleshoot these problems without seeing the install because you know there must be hundreds of steps you need to take to make it work correctly):

1. Enforce SSL on the OWA directories

2. Make sure only Basic auth is being used on the OWA directories (as described in the book)

3. Make sure the subject name on the certs are correct (as described in the book)

4. Use the HOSTS file method I describe in the book for forwarding the request

If you're skipping around in the book, let me know, and I can check on the page numbers for you.

HTH,
Tom

(in reply to Ben Richardson)
Post #: 6
RE: yet another OWA/ISA question - 12.Feb.2003 5:14:00 PM   
Ben Richardson

 

Posts: 27
Joined: 16.Aug.2002
From: UK
Status: offline
Thanks for your suggestions;

1. Done, SSL works internally
2. Basic authentication everywhere
3. Can't find this in book!
4. Done, now when I ping mail.internetdomain.com I get IP of internal OWA server

Still get DNS error when trying to access externally, though SSL part seems to work as I get the "leaving secure site" warning when I navigate away.

I'll go rip some hair out......

(in reply to Ben Richardson)
Post #: 7
RE: yet another OWA/ISA question - 12.Feb.2003 5:22:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ben,

Look at the figure on top of page 325, that is often the key to the problem.

HTH,
Tom

(in reply to Ben Richardson)
Post #: 8
RE: yet another OWA/ISA question - 12.Feb.2003 5:34:00 PM   
Ben Richardson

 

Posts: 27
Joined: 16.Aug.2002
From: UK
Status: offline
ah

I purchased an SSL from a company, and in the common name field put mail.internetname.com. Should I have used my internal name instead?

Ben

(in reply to Ben Richardson)
Post #: 9
RE: yet another OWA/ISA question - 12.Feb.2003 6:34:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ben,

As long as the external users also use the URL:

http://mail.internetdomain.com/exchange/

to access the site, you're OK.

Can you post some entries from your Web Proxy log? That might help solve this problem. Also, are there any errors in the Event log?

Thanks!
Tom

(in reply to Ben Richardson)
Post #: 10
RE: yet another OWA/ISA question - 13.Feb.2003 11:09:00 AM   
Ben Richardson

 

Posts: 27
Joined: 16.Aug.2002
From: UK
Status: offline
Right, (it's working)

I found an event from webproxy - when started it was unable to bind port 443 to the external NIC. I solved this by first stopping the default website (perhaps I should've mentioned I was running an intranet on the ISA server!) then restarting the web proxy. After checking the 443 on the external NIC was listening (and no error on event log) I restarted default website successfully. I suspect I'll have to do this every time ISA server restarts?

OWA now works fine using SSL, although has taken a performance hit. Is there anything I can do about this? - perhaps going back to terminating SSL at ISA?

Anyway many thanks for your help Tom, you're a gentleman.

Ben

(in reply to Ben Richardson)
Post #: 11
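
An added example, not part of the thread and not written by any of the posters: a small Python check for the condition described in post 11, where the Web Proxy service could not bind port 443 on the external NIC until the default website was stopped. It assumes Windows `netstat -an` output; the addresses, the sample output and the function names are constructed for illustration, and reading a `0.0.0.0:443` listener as "another service holds the port on all addresses" is an assumption about this case.

```python
# Added example: interpret `netstat -an` output on a multi-homed proxy host.
# All addresses and both sample outputs below are constructed.
import ipaddress

# Constructed: a wildcard listener holds 443; nothing is bound to the
# external address (192.0.2.10) specifically.
SAMPLE_BEFORE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:8080          0.0.0.0:0              LISTENING
  TCP    10.0.0.1:1745          10.0.0.25:3012         ESTABLISHED
"""

# Constructed: after restarting the services in the order post 11 describes.
SAMPLE_AFTER = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.1:80            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:443           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:443         0.0.0.0:0              LISTENING
"""


def tcp_listeners(netstat_text, port):
    """Return the local addresses with a TCP socket in LISTENING state on port."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows have exactly: proto, local, foreign, state.
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue
        if fields[3] != "LISTENING":
            continue
        host, _, port_text = fields[1].rpartition(":")
        if port_text.isdigit() and int(port_text) == port:
            found.append(host)
    return found


def diagnose(netstat_text, external_ip, port=443):
    """Classify the state of external_ip:port from netstat output."""
    ipaddress.ip_address(external_ip)  # raises ValueError on malformed input
    listeners = tcp_listeners(netstat_text, port)
    if external_ip in listeners:
        return "listening"          # the listener owns the external address
    if "0.0.0.0" in listeners:
        return "held-by-wildcard"   # some other service bound all addresses
    return "not-listening"
```

Running `diagnose` against saved `netstat -an` output after each reboot gives a quick answer to the question at the end of post 11 about whether the bind problem has come back.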
RE: yet another OWA/ISA question - 14.Feb.2003 5:06:00 AM   
Guest
Tom,

I've read your article on OWA and ISA. Why is it that you recommend SSL to SSL over SSL to HTTP?
If you require SSL on the OWA server, doesn't the backend connection have to be in plaintext?

My understanding was that to secure OWA frontend server connection to your Internal network, you should use IPSEC and then let ISA bridge the SSL connection.

I understand the implications of running anything clear text, but I'd rather have that than have the backend traffic be unsecured.

Thanks for your input.

(in reply to Ben Richardson)
  Post #: 12
