sharepoint/OWA access with site to site ipsec tunnel
sharepoint/OWA access with site to site ipsec tunnel - 13.Aug.2008 8:42:37 AM
david.stewen
Posts: 4
Joined: 13.Aug.2008
I have an ipsec tunnel set up between ISA 2006 and a pfsense firewall. The tunnel appears to be working correctly, as I can log in to servers on the remote LAN with internal ip addresses. I am also publishing Exchange 2007 OWA as per Tom's guide. MOSS is also being published. Both sites are accessible when I access them from any other internet IPs.

When I attempt to access both of the published sites from SiteB (which has the pfsense firewall) I am denied access. The log entry in ISA monitoring says:

Denied Connection
Log Type: Firewall Service
Status:
Rule:
Source: pfsense ipsec network
Destination: Local Host
Protocol: HTTPS
User:

I tried to change the configuration of the SSL listener for www.domain.com and enable listening to requests on the pfsense ipsec network and external, but this does not allow access. The ISA server has 5 external ip addresses and the OWA and MOSS sites are published on different IPs.

How do I enable access to MOSS and OWA for accounts connected via the ipsec tunnel?

Thanks,
David
RE: sharepoint/OWA access with site to site ipsec tunnel - 13.Aug.2008 9:28:34 AM
david.stewen
Posts: 4
Joined: 13.Aug.2008
Yes. The sites are getting published to external. But now that I've got the site to site vpn working I also want to publish the sites to the site to site vpn. Is this possible?
RE: sharepoint/OWA access with site to site ipsec tunnel - 13.Aug.2008 12:53:59 PM
Jason Jones
Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
I have done something similar, but the site-to-site VPN was between two other devices and didn't involve ISA; not sure if this affects things. I assume you can access the remote web service from the actual ISA server - maybe you could test with an HTTP verifier too?
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: sharepoint/OWA access with site to site ipsec tunnel - 16.Aug.2008 3:47:52 AM
david.stewen
Posts: 4
Joined: 13.Aug.2008
I tried changing the sharepoint publishing rule to be the first rule and I also changed the network rules so that the rule that routes traffic to the remote network is lower down in the list. Still getting the same error when I attempt to access https://www.domain.com (the sharepoint site). If I access the site from anywhere else it works perfectly. Any ideas on how to get this to work?
RE: sharepoint/OWA access with site to site ipsec tunnel - 16.Aug.2008 5:37:01 PM
justmee
Posts: 505
Joined: 14.May2007
Hi David,

I'm not sure I did understand what you are trying to do, but here is where I think the problem is, assuming I did get the picture, from ISA's log:

quote:
Source: pfsense ipsec network

So, it looks like you want to access the published services from hosts behind the pfsense not through the VPN tunnel, just normal = outside of the vpn tunnel (as they are already protected with SSL), by public FQDNs which resolve to ISA's external IP addresses. So your HTTPS requests destined to the public IP addresses on ISA get NAT-ed on the pfsense side, being sourced with pfsense's public IP address, which looks like it's the VPN tunnel end IP address too.

Also it looks like you have added, maybe not you, just the VPN wizard, pfsense's public IP address to the remote site addresses definition, which makes ISA believe that HTTPS requests are coming from the remote site. I think that the local VPN endpoint IP address on ISA is different from the IP addresses used to publish your services.

If I guessed right, just remove pfsense's public IP address from the remote site network range, and it should work. In this case, the source IP address of the packets should be the External Net, not the pfsense ipsec network as your log shows. I assume you have defined on the pfsense, for the vpn site to site connection, for the local network just the subnet behind pfsense, and for the remote network, just the subnet behind ISA.

Or maybe you want to access your services through the VPN tunnel?

Regards,
J
< Message edited by justmee -- 16.Aug.2008 6:12:43 PM >
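The address-range overlap that justmee suspects, as an added example that is not part of the original thread or of ISA Server: it models ISA's rule that the External network is every address not claimed by another defined network, and shows how a remote-site range that includes the pfsense public IP changes which network a NAT-ed request is attributed to. All addresses (documentation ranges) and function names are constructed for illustration.

```python
import ipaddress

def containing_ranges(ip, ranges):
    """Return the (start, end) address ranges that include ip."""
    addr = ipaddress.ip_address(ip)
    return [(start, end) for start, end in ranges
            if ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end)]

def classify_source(ip, networks):
    """Name the defined network that owns ip; any unowned address is External."""
    for name, ranges in networks.items():
        if containing_ranges(ip, ranges):
            return name
    return "External"

def audit_remote_site(remote_ranges, remote_gateway_ip):
    """Flag remote-site ranges that also cover the remote gateway's public IP."""
    return containing_ranges(remote_gateway_ip, remote_ranges)

# Constructed sample values, not taken from the thread.
PFSENSE_PUBLIC_IP = "203.0.113.10"          # tunnel endpoint and NAT source
INTERNAL = [("10.1.0.0", "10.1.0.255")]     # subnet behind ISA
REMOTE_SUBNET = ("10.2.0.0", "10.2.0.255")  # subnet behind pfsense

# Remote site definition as suspected: subnet plus the gateway's public IP.
as_suspected = {
    "Internal": INTERNAL,
    "pfsense ipsec network": [REMOTE_SUBNET,
                              (PFSENSE_PUBLIC_IP, PFSENSE_PUBLIC_IP)],
}
# Remote site definition after removing the gateway's public IP.
corrected = {
    "Internal": INTERNAL,
    "pfsense ipsec network": [REMOTE_SUBNET],
}

if __name__ == "__main__":
    for label, nets in (("as suspected", as_suspected), ("corrected", corrected)):
        source = classify_source(PFSENSE_PUBLIC_IP, nets)
        overlap = audit_remote_site(nets["pfsense ipsec network"], PFSENSE_PUBLIC_IP)
        print(f"{label}: NAT-ed request is sourced from '{source}', "
              f"overlapping ranges: {overlap}")
```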