Luciano Patrão (Portugal) asked:

ISA Server - Exchange Certificates SSL

Hi

After many issues with these certificates, I think I have corrected all the problems between Exchange and the certificates.

Issues that I asked about in this thread:

https://www.experts-exchange.com/questions/24078184/Add-certificate-to-Exchange-2007.html

I have corrected all the problems with the certificates. In Exchange and ISA Server the certificates are all correct, and all have the root authority OK.

I only have two issues.

One: if I use my internal webmail https://domain.local/owa, all is OK and I get the webmail.
But externally I cannot.

Externally I can download the certificate, but after 1 minute I get a timeout.

In ISA Server, on my Exchange Web Client Access publishing rule, I test the rule, and all is OK. I have no errors for owa, exchange, Exchweb, Public; I get "The test successfully completed verifying settings for this URL on the published server".

No problem here.

But in my ISA Server Monitoring, when I try to connect from outside, I get this error:
"The Web publishing rule Exchange Web Client Access failed because the Web listener selected for the rule is not valid. Verify that the Web listener specifies a valid IP address on this computer."

In my listener I have the External network. And I think all is correct, but I need experienced help here to focus on the problem.

I have ISA Server 2006, Exchange Server 2007 and Windows 2003.

Thank you

Jail
page1985 (United States of America):

The Web listener will also have the ability to listen on a specific IP address.  When you check the External Network in the Web Listener, does it say all addresses or a specific address?
Additionally, verify that no other web listener is trying to use the same IP and port combination.
ASKER

Hi page1985

Thanks for your reply.

No address is specified. I have tried to add the external IP from my ISA Server, same issue.

I have no more listeners. This is the only one.

Jail
Is the SSL certificate specified in the SSL settings in the Web Listener?
Hi

Yes it is. And it shows a valid certificate. I think here all is OK.

Like I said, if we try to enter through https://webmail.domain.com/Exchange I get the certificate, but next nothing happens and it gives me a timeout.

Jail
Would it be possible for you to post your ISA configuration (excluding sensitive names and IP addresses, of course) as well as your IIS configuration for the virtual server and Exchange/OWA virtual directories?
Also, are you using a private certification authority or did you purchase a public certificate from a trusted CA, like GoDaddy or VeriSign?
Hi

We bought a public certificate from a trusted CA. But the URL in the certificate is correct, and I have no errors with the certificate.

Jail
Would it be possible for you to post your ISA configuration (excluding sensitive names and IP addresses, of course) as well as your IIS configuration for the virtual server and Exchange/OWA virtual directories?
Hi

Can you please enumerate which parts of the configuration you need? In the ISA Server rule there are too many tabs to post, and in IIS also.

I need to make a correction: I have Windows 2003 on the ISA Server, and Windows 2008 on the Exchange.

Jail
It's difficult to say specifically what we're looking for, as the most obvious things are already mentioned.

Basically, here's the logic I'm following:
Since the Certificate and the ISA Web Listener are ruled out, we need to determine if any other rules in ISA conflict with the publishing rule.  Unfortunately, this means examining ALL rules.  Second, the best way to verify that IIS isn't the cause of the problem is to review the IIS configuration at the virtual server level, and at the Exchange and OWA virtual directory levels.

Theoretically, anything in the configuration could cause the problem, but some places to start looking first would be authentication settings in IIS, as well as permissions and execution settings in IIS.
Hi

I will try to create a doc file with several screenshots of the ISA Server configuration, and of Exchange and IIS.

Tonight I will add this to the question.

Jail
Hi

Let me ask a question before I post all the screenshots.

First, the initial ISA configuration was not made by me, so I need to check that all the initial configuration is OK.

The ISA Server is in the domain (something that I don't like and do not use), but no issues with that, and this is a subdomain of a first site. Since the first site (the root domain) is not here and I have no control over it, I will forget that for now.

Let's say that the root domain is example.com and this site is new.example.com.

On the external adapter is an internal IP (let's say 192.168.100.250). The router redirects the external IP to this internal IP. So for me this is OK, and I think there is no problem with this.

The gateway on this adapter is the router of this network, and in the DNS I have as the first DNS the DNS server of the root domain example.com and as the second DNS the DNS server of new.example.com.

Can this type of configuration have any issues with the listener, and give this error: "The Web publishing rule Exchange Web Client Access failed because the Web listener selected for the rule is not valid. Verify that the Web listener specifies a valid IP address on this computer."?

Thank you

Jail
Hi

Another issue that I found in the ISA configuration is the internal IP and the external IP.

This is my first work in ISA 2006, but I see no big differences in its configuration between this and the old version.

Like I said above, the external adapter has an internal IP. But after taking a second look I see that maybe here is a problem, so I need a guide on this.

In the Network Sets, in the External I have no IPs (maybe right or not); in the Internal set I have both IPs (from the internal, and from the external adapter); then the users have in their configuration the IP from the external adapter. They have Internet and so on, no problem here.

But I think they have to use the IP from the internal adapter to work with ISA rules.

Then, in my specific problem (publishing the Exchange IIS), in the listener, if in the External I choose to add the IP address, it says this IP does not belong to this network, and asks if I want to add the IP address.

So, is this the issue that I am having with the listener? And is this why I have this error when I try to access the webmail from the outside world: "The Web publishing rule Exchange Web Client Access failed because the Web listener selected for the rule is not valid. Verify that the Web listener specifies a valid IP address on this computer."?

Any help on this will be appreciated

Thank you

Jail
Hi

I have changed the Internal Network to use the internal adapter. After this I can access the webmail site from the outside world, but I have some issues.

The ISA enters in spoofing... I had a problem like this some years ago with ISA 2000 or 2004.

What is the best way to correct this issue?

Jail
What do you mean when you say the ISA enter in spoofing?
Are you getting packets dropped because it thinks they are spoofed?  What interface are they coming in on?  Can you post logs?
Hi

Yes, the packets are spoofed.

This happens when I change the internal network configuration (address range).

Sorry, I cannot give you the logs today, because I lost the remote connection, and the connections are always dropping. Only tomorrow will I be locally at the server.

The webmail is working, but since the packets are dropping, I have access, then for 1 minute I do not have.

Jail
Hi

OK, I have access to the server and I get these errors from the alerts:

"The routing table for the network adapter OUTSIDE includes IP address ranges that are not defined in the array-level network External, to which it is bound. As a result, packets arriving at this network adapter from the IP address ranges listed below or sent to these IP address ranges via this network adapter will be dropped as spoofed. To resolve this issue, add the missing IP address ranges to the array network.
The following IP address ranges will be dropped as spoofed:
Internal:192.168.39.0-192.168.0.249,192.168.0.251-192.162.0.252,192.168.0.254-192.168.0.255"

What is missing here is the internal IP of the OUTSIDE adapter (192.168.0.250), which I have removed from the range.

And I have another error that was from a user machine:

"ISA Server detected a spoof attack from Internet Protocol (IP) address 192.168.0.58. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the firewall log."

Like I said above, the users have as their gateway the IP from the INSIDE adapter, and in the browser proxy settings the OUTSIDE adapter IP.

So with this, can you find the problem?
Jail
This means your Network configuration in ISA, specifically, the IP addresses listed as belonging to the Internal and the External networks in ISA, is incorrect.
To fix this:
  1. Open ISA Server Management.
  2. If you have Enterprise, expand Arrays, then expand the Array with the issue.  If you have Standard, just expand your ISA Server.
  3. Expand the Configuration section.
  4. Select Networks.
  5. Edit your Internal network and remove all items in the list.  Now select Add -> Adapter.
  6. Select the adapter that receives traffic from your LAN.
  7. Save and apply the settings.
Hi

Yes, that was my first option when I had this kind of error, but no luck :(

I expanded the internal and added this INSIDE adapter.

Jail
Hi

page1985, first let me thank you for all the help that you are giving in resolving this issue.

OK, let me focus on the adapters and try to understand where the problem is.

Internal adapter:
192.168.0.253
no gateway
DNS (internal DNS)

External adapter:
192.168.0.250
gateway (router IP)
DNS:
1st: DNS from the root domain
2nd: DNS from the internal domain

Users use as their gateway the IP from the internal adapter, and in the proxy use the IP from the external adapter.

Is this OK?

Second:

ISA Server Networks

Internal Network uses the range 192.168.0.0 : 192.168.0.249 -- 192.168.0.251 : 192.168.0.254

If I use this range, the ISA Server gives those errors, and tries to fix ISA itself.

So the problem here is that the IP 192.168.0.250 is missing from the range. But if we add it, we have problems with the listener.

The question is, how can we fix both these issues without errors?

Meanwhile I have taken a look at my old ISA Server (lab test) to see if I can figure out any difference between the two versions.

Jail
ASKER CERTIFIED SOLUTION
page1985 (United States of America):

Technically, you can change your internal addresses also, but I would think, in your situation, external would be easier.
Either way, the internal and external address ranges MUST be exclusive.
Hi

OK, I can change the external IP, but since the gateway (router) is on the 192.168.0.x subnet, can this be an issue?

Jail
That will not fix your problem.
If your internal network starts with 192.168.0 and your external network starts with 192.168.0 you will have a problem, regardless of what the last number is.
Hi

Of course if it is the same subnet, the problem still persists. You did not understand.

I will change the external to 192.168.1.x, but the router (external gateway) is still on the 192.168.0.x subnet.

Changing the external IP will bring another issue, like redirecting my external IP from the router to my internal (external adapter). And to change this I need to ask the ISP to change it, because I don't have access to the router config.

Even so, I think it is easier changing the external IP than the subnet of the internal network.

Jail
SOLUTION
Hi

keith_alabaster, thank you for the reply.

Until now changing the external subnet is an issue, because of the root domain (the main site is in another network, at the main office). Like I said, this is a sub site (subdomain), and the only subnet that is allowed is this one that I am using. I am still working to try to get the main office to allow another subnet. This is a government network, so it is not so easy.

keith_alabaster: About your answer, I have changed the internal range to all of the subnet (192.168.0.0 to 192.168.0.255). But I still have the issue with the external subnet.

And about BPA, I have downloaded and installed it already. I have run the tool, and it found some issues, but nothing about this.

I have tried to put the same subnet on both adapters, and in the Internal network add the whole network; ISA worked a couple of hours without any problem. The site was published, but then ISA said that it had an internal configuration problem, and changed the configuration.

Looking at the changes made by ISA I see this.
I have:

Internal:
192.168.0.253
Mask: 255.255.255.0
no gateway
DNS: (internal DNS)

External:
192.168.0.250
Mask: 255.255.255.0
Gateway: 192.168.0.254 (router)
DNS 1st: internal DNS from the main office
DNS 2nd: internal DNS from this site

Then looking at the ISA changes, I only see that it has added 192.168.0.254 to the internal adapter.

One question: Is it possible to have only one adapter with configuration? I think since I am publishing a site, I cannot do this with one adapter. But like I said before, I know ISA, but I am no expert.

Thank You

Jail
Understood - I work for the British Government and know the issues. However, the fact remains that ISA will not support the same subnet on both adapters.

No - adding just the .254 address will not work correctly.

Yes - you can use ISA with only one nic and publish a server - but only proxy based such as a web server, OWA etc. You could not publish a mail server for example.
Hi

ISA is to work as a firewall and proxy.

The main thing here is to publish Exchange (and of course OWA) as webmail.domain.com. Nothing else.

They do not ask for any other site.

Jail
A single NIC cannot be used to publish the SMTP services of a mail server. If ISA is to act as a firewall/proxy then a single NIC is definitely not an option......

Not sure where you can go with this. You cannot have the same subnet on both adapters - it is simply not supportable for an ISA environment unless you want to just live with the issues and end up rebooting it every few minutes or hours.
Hi

I see no other choice than to use 2 NICs, and use different subnets.

Today I have asked for authorization to use another subnet; let's see what the response is. I have tried to explain the impact of not using two subnets. But with this kind of organization, I do not know.

I will leave the question open for 2 or 3 days, just to wait for the response.

Thank you both for the help on this issue.

Jail
You're welcome - but the main aspect that you want to put across is that:

a) ISA cannot operate as a firewall with only one NIC - only as a proxy with content management for http/https
b) ISA cannot operate with the same subnet on both interfaces - it simply will not work correctly.

These are two fundamental elements if you want to use ISA Server.
These are two fundamental elements with ANY router or firewall appliance.  You cannot route traffic to a subnet from itself.
It's like a phone system:
You have a phone number, and your destination has a phone number.  The area code (and country code) determines whether the call is a local call or a toll call.  Likewise, so does the subnet.  Just like you cannot make a toll call by dialing locally, neither can you access a remote network by transmitting locally or vice versa.
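A model of the three checks the answers above rely on (the Internal and External definitions must be exclusive, the listener address must belong to the External network, and routing-table ranges not covered by the bound network are dropped as spoofed), run against the three configurations this thread passes through. This is an added example, not code from the thread or from ISA Server: it uses only Python's ipaddress module, treats External as everything not in Internal (ISA 2006's default, assumed here), and the new internal subnet 192.168.2.0/24 in the last case is a made-up value, not one from the page.

```python
"""Model of the ISA Server 2006 network checks behind the errors in this thread.
Added illustration only: not ISA code, and no Microsoft API is called.  Rules:
  1. the INSIDE and OUTSIDE adapters must not share a subnet;
  2. a web listener on the External network must use an address that the
     External network contains (else "Web listener ... is not valid");
  3. any part of an adapter's connected subnet not covered by the ISA network
     bound to that adapter is dropped as spoofed (the alert quoted above).
Assumed: External is every address not in Internal (ISA 2006's default).
"""
from ipaddress import IPv4Address, IPv4Network, summarize_address_range


def ranges_to_networks(ranges):
    """ISA-style ('first', 'last') address ranges -> list of CIDR blocks."""
    nets = []
    for first, last in ranges:
        nets.extend(summarize_address_range(IPv4Address(first), IPv4Address(last)))
    return nets


def adapter_network(cidr):
    """Subnet directly connected to an adapter given as 'ip/prefix'; this is
    what 'Add -> Adapter' puts into a network definition."""
    return IPv4Network(cidr, strict=False)


def subtract(blocks, nets):
    """Remove every address of `nets` from the CIDR `blocks`.
    Two CIDR blocks either nest or are disjoint, so three cases suffice."""
    remaining = list(blocks)
    for n in nets:
        nxt = []
        for r in remaining:
            if not r.overlaps(n):
                nxt.append(r)                       # untouched
            elif n.supernet_of(r):
                continue                            # r removed entirely
            else:
                nxt.extend(r.address_exclude(n))    # n strictly inside r
        remaining = nxt
    return remaining


def audit(adapters, internal_nets, listener_ip):
    """Return [(code, detail), ...] for the problems ISA would report.
    adapters: {"INSIDE": "ip/prefix", "OUTSIDE": "ip/prefix"}; Internal is
    bound to INSIDE and External (all addresses not Internal) to OUTSIDE."""
    internal = list(internal_nets)
    external = subtract([IPv4Network("0.0.0.0/0")], internal)
    inside = adapter_network(adapters["INSIDE"])
    outside = adapter_network(adapters["OUTSIDE"])
    problems = []
    # Rule 1: the same subnet on both interfaces is not supportable.
    if inside.overlaps(outside):
        problems.append(("adapters-overlap",
                         f"INSIDE {inside} and OUTSIDE {outside} share a subnet"))
    # Rule 2: the listener address has to belong to the External network.
    if not any(IPv4Address(listener_ip) in n for n in external):
        problems.append(("listener-not-external",
                         f"{listener_ip} is not in the External network"))
    # Rule 3: routing-table ranges outside the bound network -> spoof drops.
    for name, adapter, bound in (("INSIDE", inside, internal),
                                 ("OUTSIDE", outside, external)):
        leaked = sorted(subtract([adapter], bound))
        if leaked:
            problems.append((f"spoofed-{name}", "dropped as spoofed: "
                             + ", ".join(str(b) for b in leaked)))
    return problems


# The three states the thread passes through, using the page's own addresses.
ADAPTERS = {"INSIDE": "192.168.0.253/24", "OUTSIDE": "192.168.0.250/24"}

# State 1: Internal defined from both adapters swallows 192.168.0.250, so the
# listener on the External network cannot be valid.
STATE_BOTH_IN_INTERNAL = (
    ADAPTERS, ranges_to_networks([("192.168.0.0", "192.168.0.255")]), "192.168.0.250")

# State 2: .250 carved out of Internal.  The listener is valid, but each
# adapter now sees ranges its bound network does not own -> spoof alerts.
STATE_CARVED_OUT = (
    ADAPTERS, ranges_to_networks([("192.168.0.0", "192.168.0.249"),
                                  ("192.168.0.251", "192.168.0.254")]), "192.168.0.250")

# State 3: the fix agreed at the end, Internal on its own subnet
# (192.168.2.0/24 is an assumed value, not one from the page).
STATE_FIXED = ({"INSIDE": "192.168.2.253/24", "OUTSIDE": "192.168.0.250/24"},
               [adapter_network("192.168.2.253/24")], "192.168.0.250")

if __name__ == "__main__":
    for label, state in (("both adapters in Internal", STATE_BOTH_IN_INTERNAL),
                         (".250 carved out of Internal", STATE_CARVED_OUT),
                         ("separate subnets", STATE_FIXED)):
        print(f"[{label}]")
        for code, detail in audit(*state) or [("ok", "no problems")]:
            print(f"  {code}: {detail}")
```

Run as a script it prints one block per state: the first reports the overlap and the invalid listener, the second reports the overlap and the two spoof lists (192.168.0.250 and 192.168.0.255 for INSIDE, the Internal ranges for OUTSIDE, matching the shape of the alert quoted above), and the third reports nothing, which is the configuration the thread converges on.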
Hi

Just one question...

The IP that users use as proxy, must it be the IP from the internal or the external network? Not the gateway, but the proxy IP.

I think it is the internal, but the internal has no gateway.

Jail
It must be the internal IP address of the ISA Server - the default port is 8080.
This address is the same as the default gateway - because every machine will need its default gateway pointing at the ISA server - the firewall!!
Hi

We will change the internal subnet. So this will correct the problem.

I would like to thank you both for the help on this issue.

Thank you

Jail
Welcome :)