RE: OWA https problem

RE: OWA https problem - 4.Nov.2003 3:14:00 PM   
pinball

 

Posts: 188
Joined: 8.Jul.2002
From: Dundee, Scotland
Status: offline
Hi Scott,

I only have the one IP address on my external card, but if my memory serves me correctly I had to configure the incoming listeners individually to get the certificate option to appear.

So what I would suggest, is to configure your listeners individually, you would currently have to configure 3 (as you aren't currently using your 4th IP address), if you take note of what incoming authorization, if any, you are currently using.

Firstly, create a listener using the IP address you use for the ISA server itself, and configure it for just incoming port 80, with any authentication, then do the same again for the IP address of the in-house web site, again port 80 and any authentication.

Then for the owa site, configure another listener, using the IP address for owa and using port 80 and enable ssl, port 443, then select basic authentication and the required certificate.

Hope the above makes sense.

(in reply to ScottSTC)
Post #: 21
RE: OWA https problem - 5.Nov.2003 12:29:00 PM   
cele

 

Posts: 8
Joined: 27.Oct.2003
From: Florence, Italy
Status: offline
Hi all!
I worked a lot to make my OWA work correctly using HTTPS, but it was several months ago. The main problem I had was with certificates, because if you pass through ISA to reach your published OWA site, your ISA server needs to ask for (and recognize) the certificate from your internal OWA server:
ISA server sends his (her ;-) ) cert. to the browser, then passes the SSL req. to the IIS hosting OWA, which sends its cert. to ISA. If ISA does not recognize (for example for domain names) that certification authority, it denies the request. So you probably have to make the Cert. Auth. that created the OWA cert. trusted on the ISA server.

Tricky, I know...
Bye
Cele

(in reply to ScottSTC)
Post #: 22
RE: OWA https problem - 5.Nov.2003 12:51:00 PM   
ScottSTC

 

Posts: 16
Joined: 27.Oct.2003
From: London
Status: offline
Hi

I have set my external IPs each with an individual configuration. The IP that requires the certificate has had it added. But due to a pop-up on setting I have also gone thru the loop of setting only the OWA with a cert. But sadly this still does not work.

I think I am coming down on the side of the CA not being recognised or something like that, mainly because even if I set the SSL listeners on, when I do a netstat -na I do not see any (SSL) ports listed as open and listening.

How can I check if the cert. contains the right info and the CA can be found? Still new to CAs.

(in reply to ScottSTC)
Post #: 23
RE: OWA https problem - 5.Nov.2003 1:09:00 PM   
cele

 

Posts: 8
Joined: 27.Oct.2003
From: Florence, Italy
Status: offline
As said, I did this several months ago.
I'll try to search in my docs and configs, but maybe it is not the same for you. I'll try to explain my config:
I have two different domains (I mean not only Windows domains, but TCP/IP domains): internaldomain.it and externaldomain.it.
When you pass all headers, the internal OWA server receives a request for externaldomain.it and not for internaldomain.it, so the cert. installed on OWA's IIS must be for externaldomain.it. Then you must create a cert. and import it in the certification DB for the ISA server, but because it is issued by the internaldomain.it Certification Authority, this must be trusted (i.e. installed in a specific "folder" in the cert. DB) on that machine.
This is done after correctly applying all the rules to publish a server (SSL to SSL, headers and so on).
If your config is different, maybe you need some other modifications, but I hope this will explain some general rules.

(in reply to ScottSTC)
Post #: 24
RE: OWA https problem - 5.Nov.2003 1:16:00 PM   
pinball

 

Posts: 188
Joined: 8.Jul.2002
From: Dundee, Scotland
Status: offline
Hi Scott,

Sorry to hear it's still not working.

With regards to the certificates are you creating your own certificates?

(in reply to ScottSTC)
Post #: 25
RE: OWA https problem - 5.Nov.2003 1:21:00 PM   
ScottSTC

 

Posts: 16
Joined: 27.Oct.2003
From: London
Status: offline
Yes, I have created a CA on our domain and I am using that as the certificate issuer for the OWA site.

(in reply to ScottSTC)
Post #: 26
RE: OWA https problem - 5.Nov.2003 1:27:00 PM   
cele

 

Posts: 8
Joined: 27.Oct.2003
From: Florence, Italy
Status: offline
Are the machines on the same domain?
Have you installed this certificate properly on the machines (do you see that cert. in the proper panel on IIS console)?

(in reply to ScottSTC)
Post #: 27
RE: OWA https problem - 5.Nov.2003 1:33:00 PM   
pinball

 

Posts: 188
Joined: 8.Jul.2002
From: Dundee, Scotland
Status: offline
Hi Scott,

Okay, so I assume you have created a certificate for your exchange box, if so, when you created it did you give it the same name as your exchange server or the same name as your FQDN?

(in reply to ScottSTC)
Post #: 28
RE: OWA https problem - 5.Nov.2003 1:51:00 PM   
ScottSTC

 

Posts: 16
Joined: 27.Oct.2003
From: London
Status: offline
The machines are on the same domain. To create the cert I used the IIS web site properties security tab; to install it I used the same tab and installed from there. The cert shows up all right; it does not appear to have anything wrong with it in IIS.

When I created the cert I used the FQDN of the OWA site.

(in reply to ScottSTC)
Post #: 29
RE: OWA https problem - 5.Nov.2003 1:55:00 PM   
pinball

 

Posts: 188
Joined: 8.Jul.2002
From: Dundee, Scotland
Status: offline
Hi Scott,

How did you go about exporting the certificate from your exchange server and importing it on the ISA server?

(in reply to ScottSTC)
Post #: 30
RE: OWA https problem - 5.Nov.2003 2:02:00 PM   
ScottSTC

 

Posts: 16
Joined: 27.Oct.2003
From: London
Status: offline
I followed this article to install and create and then set the cert on the site and ISA

http://www.tacteam.net/isaserverorg/exchangekit/2003owapub/2003owapub.htm

(in reply to ScottSTC)
Post #: 31
RE: OWA https problem - 5.Nov.2003 2:10:00 PM   
pinball

 

Posts: 188
Joined: 8.Jul.2002
From: Dundee, Scotland
Status: offline
Hi Scott,

Can you confirm that if you use the mmc on the ISA server that the certificate is listed under the personal folder of the computer account?

If the certificate is in the right place, when you configure the ISA incoming listener, are you able to select the correct certificate from the drop down list?

(in reply to ScottSTC)
Post #: 32
RE: OWA https problem - 5.Nov.2003 2:17:00 PM   
cele

 

Posts: 8
Joined: 27.Oct.2003
From: Florence, Italy
Status: offline
OK. Be sure that the cert. issued on the OWA machine has the name of the ISA server name.
If your external people access your net as
https://www.mydomain.com/exchange, probably your OWA machine looks like http://owaserver/exchange.
If you try to connect (from your internal net) the second way above, you must receive a warning that tells you that the cert. does not correspond to the machine that sends the cert. If not, maybe you need to install a cert. on your OWA server that is for www.mydomain.com. This is because when you pass the headers from ISA to OWA, the headers contain www.mydomain.it, and the server must recognize this. Then you must install the same cert on both machines. This worked for me. Be sure that your IIS on OWA is configured to respond to that header properly.

Good luck.

(in reply to ScottSTC)
Post #: 33
RE: OWA https problem - 5.Nov.2003 3:25:00 PM   
ScottSTC

 

Posts: 16
Joined: 27.Oct.2003
From: London
Status: offline
I added the cert thru MMC into the local computer, first in personal and then added the CA to the Trusted Certs Folder

(in reply to ScottSTC)
Post #: 34
RE: OWA https problem - 5.Nov.2003 3:37:00 PM   
pinball

 

Posts: 188
Joined: 8.Jul.2002
From: Dundee, Scotland
Status: offline
Hi Scott,

I am starting to run out of things to suggest; you appear to have everything configured OK.

If you try and access owa internally using https://internal_exchange_server_name/exchange do you get any error messages?

(in reply to ScottSTC)
Post #: 35
RE: OWA https problem - 5.Nov.2003 4:20:00 PM   
ScottSTC

 

Posts: 16
Joined: 27.Oct.2003
From: London
Status: offline
That's one of the things that's most annoying about this: if I access the machine at https://internal_name/exchange then I get the request to accept the certificate, then I get the login prompt, and then once I have entered credentials I get in.

Ultimately I suppose this is why I have put a request for help on here, because it all appears to be OK and works if used in house. It just won't work from the outside world :-(

Is there any other way I can do this without SSL, but still keep it secure?

(in reply to ScottSTC)
Post #: 36
RE: OWA https problem - 5.Nov.2003 4:58:00 PM   
pinball

 

Posts: 188
Joined: 8.Jul.2002
From: Dundee, Scotland
Status: offline
Scott,

Since configuring the certificate on the isa server, have you re-booted the isa server?

It sounds daft but I am sure I remember someone saying that the certificate didn't take effect until the server had been rebooted.

(in reply to ScottSTC)
Post #: 37
RE: OWA https problem - 6.Nov.2003 12:15:00 PM   
cele

 

Posts: 8
Joined: 27.Oct.2003
From: Florence, Italy
Status: offline
Hi!
I know how frustrating it is following articles and seeing that after applying everything it still does not work.
I read that article, but I followed other steps (I hate wizards), and have everything in two different domains.
First, I didn't use an FQDN in the web publishing rule (my ISA is also DNS for our internet domain). If you still receive a host not found, try using the IP address of your internal IIS (OWA) server. Then, if you pass original headers, it may be that you specified headers explicitly in the default web site in your OWA's IIS.
Lastly, if you have a sniffer, watch the packets between ISA and OWA...
Good luck!
Cele

(in reply to ScottSTC)
Post #: 38
RE: OWA https problem - 6.Nov.2003 12:46:00 PM   
Guest
Pinball, yes I had, but what with all the things tried since posting on here maybe not. I will have to do it to see what happens, but sadly for me I can't do it until Monday now :-(

Cele, thanks for the suggestion. I have considered using a packet sniffer, and will do when I get back to the office.

(in reply to ScottSTC)
  Post #: 39
RE: OWA https problem - 6.Nov.2003 2:19:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

You MUST do it *exactly* as explained in the article and the ISA/Exchange Kit if you don't understand how it works. I've tried to explain how things work in the kit and articles, but if you don't understand all the steps and why they are performed, don't get creative.

For example:

* Don't publish using IP addresses
* You should create the HOSTS file
* certificate must have correct FQDN in CN field
* Don't run OWA on the firewall itself
* Make sure the listener is configured correctly
* etc [Big Grin]

HTH,
Tom

(in reply to ScottSTC)
Post #: 40
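
The certificate checks discussed in posts 23 to 40 (certificate in the computer account's Personal store, CN equal to the public FQDN, issuing CA trusted on the ISA machine), collected into one script. This is an added example, not part of any post and not from the ISA/Exchange Kit; it assumes a Windows host with PowerShell, and `www.mydomain.com` is the placeholder name used in the thread.

```powershell
# Added example: run on the machine holding the listener certificate.
# $PublicFqdn is a placeholder (the thread's example name); pass the real one.
param([string]$PublicFqdn = 'www.mydomain.com')

function Get-SubjectCN {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # SimpleName resolves to the subject CN when the certificate has one
    $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
}

function Test-PublishingCert {
    param($Cert, [string]$Fqdn)
    # $true = build the chain against the machine's trust stores, not the user's
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    # Revocation is skipped: the question here is only "is the issuing CA trusted?"
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Cert)
    $cn  = Get-SubjectCN $Cert
    $now = Get-Date
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        SubjectCN     = $cn
        # Exact CN comparison only; wildcard and SAN entries are not evaluated
        NameMatches   = $cn -ieq $Fqdn
        # A listener certificate is unusable without its private key
        HasPrivateKey = $Cert.HasPrivateKey
        InValidity    = ($now -ge $Cert.NotBefore) -and ($now -le $Cert.NotAfter)
        ChainTrusted  = $trusted
        ChainProblems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# 'My' under LocalMachine is the "Personal" folder of the computer account in the MMC
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
try {
    $results = @($store.Certificates | ForEach-Object { Test-PublishingCert $_ $PublicFqdn })
} finally {
    $store.Close()
}

$results | Format-List
if (-not ($results | Where-Object { $_.NameMatches -and $_.HasPrivateKey -and $_.ChainTrusted })) {
    Write-Warning "No certificate in LocalMachine\My is usable for $PublicFqdn"
}
```

A certificate that reports `NameMatches` true but `ChainTrusted` false points at the untrusted-CA case cele describes; `HasPrivateKey` false usually means the certificate was exported without its key.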
