Question

ISA Server - Exchange Certificates SSL - Part II

Asked by: BestWay

Hi

After many issues with these certificates, I think I have corrected all the problems between Exchange and the certificates.

Issues that I have asked about in these threads:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_24078184.html

http://www.experts-exchange.com/Microsoft/Windows_Security/Q_24084232.html

After changing the internal address all is OK, but I have an issue with the certificate.

In Exchange and ISA Server the certificates are all correct, and all have the root authority OK.

When I test the publishing rule I get:

Testing URL https://webmail.mydomain.com:443/Exchange/
Category: General error
Error details: 0x80092010 - The certificate is revoked.
Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965

In the outside world, when I enter the webmail page, I can see the login page from the Exchange/ISA Server. To test the communication, if I enter an invalid user or domain the authentication works fine and says user/password wrong; when I enter the right one it gives me a page error with:

* Error Code: 500 Internal Server Error. The certificate is revoked. (-2146885616)

I have tested the ISA Server with the traffic simulator.

I get this error:

Denied Traffic
  - destination URL host name could not be resolved  
Rule Name: [Enterprise] Default rule
Rule Order:  

 Additional information
From: Local Host
To: Internal
Network Rule Name: None - Route implied (Local Host traffic)
Network Relationship: Route
Protocol: HTTPS
Rule Application Filter:  

This is the log from that traffic:

##########################

384 19-02-2009 16:41:12 fffca7bc Firewall service The Firewall service is performing rule evaluation.
385 19-02-2009 16:41:12 fffca7bc Firewall service Protocol: HTTPS
386 19-02-2009 16:41:12 fffca7bc Firewall Engine Packet properties: Source IP address: 192.168.10.250  Source array network: Local Host Destination IP address: 192.168.10.08 Destination array network: Internal
387 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server will check only rules that are associated with the protocol HTTPS.
388 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites.
389 19-02-2009 16:41:12 fffca7bc Firewall service The destination requires name resolution.
390 19-02-2009 16:41:12 fffca7bc Firewall service The rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites requires name resolution for evaluation.
391 19-02-2009 16:41:12 fffca7bc Firewall service The rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites requires DNS name resolution.
392 19-02-2009 16:41:12 fffca7bc Firewall service The Firewall service is performing rule evaluation.
393 19-02-2009 16:41:12 fffca7bc Firewall service Protocol: HTTPS
394 19-02-2009 16:41:12 fffca7bc Firewall Engine Packet properties: Source IP address: 192.168.10.250 Source array network: Local Host Destination IP address: 192.168.10.08 Destination array network: Internal
395 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server will check only rules that are associated with the protocol HTTPS.
396 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites.
397 19-02-2009 16:41:12 fffca7bc Firewall service destination does not match the packet.
398 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [System] Allow HTTP/HTTPS requests from ISA Server to specified sites.
399 19-02-2009 16:41:12 fffca7bc Firewall service destination does not match the packet.
400 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [System] Allow MS Firewall Control communication to selected computers.
401 19-02-2009 16:41:12 fffca7bc Firewall service destination does not match the packet.
402 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule Internet Access.
403 19-02-2009 16:41:12 fffca7bc Firewall service source does not match the packet.
404 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [Enterprise] Default rule.
405 19-02-2009 16:41:12 fffca7bc Firewall service The rule [Enterprise] Default rule matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet will take precedence and may allow the packet.
406 19-02-2009 16:41:12 fffca7bc Firewall service The rule [Enterprise] Default rule blocked the packet.
407 19-02-2009 16:41:12 fffca7bc Firewall service The Firewall service is performing rule evaluation.
408 19-02-2009 16:41:12 fffca7bc Firewall Engine Packet properties: Source IP address: 192.168.10.250 Source array network: Local Host Destination IP address: 192.168.10.08 Destination array network: Internal
409 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is looking for an applicable network rule.
410 19-02-2009 16:41:12 fffca7bc Firewall service The packet was sent to or from the Local Host network. Therefore, an implicit network rule with a route relationship between the source and destination is applied.

#####################

The 192.168.10.250 is my internal ISA Server adapter, and the 192.168.10.08 is my Exchange Server.

And I have tested with my external adapter (192.168.100.253). The log is similar.

Sincerely, I cannot understand what is causing this. I have checked all the configuration and I think all is OK.

Any help will be appreciated.

Jail

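The traffic-simulator trace in the question, read with a small Python script. This is an added example, not part of the thread: it extracts the packet properties and records, for every rule ISA evaluated, why that rule did not apply (destination mismatch, source mismatch, or a rule that could only be evaluated after DNS name resolution), and which rule finally blocked the packet. The trace text is copied from the post above; the only assumption is the "Firewall service" / "Firewall Engine" line layout shown there.

```python
"""Parse an ISA Server 2006 Firewall service rule-evaluation trace and report
which rule finally matched the packet and why every earlier rule was skipped."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Trace lines copied from the question above (entries 388-406 of the posted log).
TRACE = """\
388 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites.
389 19-02-2009 16:41:12 fffca7bc Firewall service The destination requires name resolution.
390 19-02-2009 16:41:12 fffca7bc Firewall service The rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites requires name resolution for evaluation.
391 19-02-2009 16:41:12 fffca7bc Firewall service The rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites requires DNS name resolution.
392 19-02-2009 16:41:12 fffca7bc Firewall service The Firewall service is performing rule evaluation.
393 19-02-2009 16:41:12 fffca7bc Firewall service Protocol: HTTPS
394 19-02-2009 16:41:12 fffca7bc Firewall Engine Packet properties: Source IP address: 192.168.10.250 Source array network: Local Host Destination IP address: 192.168.10.08 Destination array network: Internal
395 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server will check only rules that are associated with the protocol HTTPS.
396 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites.
397 19-02-2009 16:41:12 fffca7bc Firewall service destination does not match the packet.
398 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [System] Allow HTTP/HTTPS requests from ISA Server to specified sites.
399 19-02-2009 16:41:12 fffca7bc Firewall service destination does not match the packet.
400 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [System] Allow MS Firewall Control communication to selected computers.
401 19-02-2009 16:41:12 fffca7bc Firewall service destination does not match the packet.
402 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule Internet Access.
403 19-02-2009 16:41:12 fffca7bc Firewall service source does not match the packet.
404 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [Enterprise] Default rule.
405 19-02-2009 16:41:12 fffca7bc Firewall service The rule [Enterprise] Default rule matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet will take precedence and may allow the packet.
406 19-02-2009 16:41:12 fffca7bc Firewall service The rule [Enterprise] Default rule blocked the packet.
"""

# One trace line: sequence number, date, time, session id, component, message.
LINE_RE = re.compile(r"^\d+ \S+ \S+ [0-9a-f]+ (?:Firewall service|Firewall Engine) (.*)$")
PACKET_RE = re.compile(r"Packet properties: Source IP address: (\S+)\s+Source array network: (.+?)\s+"
                       r"Destination IP address: (\S+)\s+Destination array network: (.+)$")
EVALUATING_RE = re.compile(r"ISA Server is evaluating the rule (.+)\.$")
# Messages that name the rule they are about; only texts present in the trace are handled.
RULE_RE = re.compile(r"The rule (.+?) (requires DNS name resolution|matches the packet and may deny it|blocked the packet)\.")


@dataclass
class Evaluation:
    protocol: Optional[str] = None
    packet: Dict[str, str] = field(default_factory=dict)
    steps: List[Tuple[str, str]] = field(default_factory=list)   # (rule name, outcome) in trace order
    blocked_by: Optional[str] = None


def parse_trace(text: str) -> Evaluation:
    """Walk the trace once, remembering the rule currently under evaluation."""
    ev = Evaluation()
    current: Optional[str] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1).strip()
        if msg.startswith("Protocol: "):
            ev.protocol = msg[len("Protocol: "):]
        elif PACKET_RE.search(msg):
            pm = PACKET_RE.search(msg)
            ev.packet = {"source_ip": pm.group(1), "source_network": pm.group(2),
                         "destination_ip": pm.group(3), "destination_network": pm.group(4)}
        elif EVALUATING_RE.match(msg):
            current = EVALUATING_RE.match(msg).group(1)
        elif msg == "destination does not match the packet." and current:
            ev.steps.append((current, "destination does not match"))
        elif msg == "source does not match the packet." and current:
            ev.steps.append((current, "source does not match"))
        elif RULE_RE.match(msg):
            rule, what = RULE_RE.match(msg).groups()
            if what == "blocked the packet":
                ev.blocked_by = rule
                ev.steps.append((rule, "blocked"))
            elif what == "matches the packet and may deny it":
                ev.steps.append((rule, "matches; may deny"))
            else:
                ev.steps.append((rule, "requires DNS name resolution"))
    return ev


def report(ev: Evaluation) -> str:
    """Human-readable summary: packet, one line per evaluated rule, final decision."""
    p = ev.packet
    lines = [f"{ev.protocol} {p.get('source_ip')} ({p.get('source_network')}) -> "
             f"{p.get('destination_ip')} ({p.get('destination_network')})"]
    for rule, outcome in ev.steps:
        lines.append(f"  {outcome:<28} {rule}")
    lines.append(f"blocked by: {ev.blocked_by}" if ev.blocked_by else "no blocking rule recorded")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_trace(TRACE)))
```

Run as-is it summarises the trace above; to use it on another simulator run, paste the lines from the log viewer into TRACE or read them from a file. A rule reported as "requires DNS name resolution" is one ISA could not decide from the IP alone, which is why the experts below keep coming back to the ISA box's DNS configuration.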

Asked on 2009-02-19 at 09:03:43 (ID 24158814)
Topics: MS Forefront-ISA, Exchange Email Server, Enterprise Firewalls
Participating experts: 2; Points: 500; Comments: 48


Answers

 

by abdulzis, posted on 2009-02-19 at 11:12:10 (ID: 23684990)

What have you specified in the To tab of the publishing rule?

 

by BestWay, posted on 2009-02-19 at 11:42:10 (ID: 23685314)

Hi abdulzis

Thanks for the reply.

In the publishing rule tab (that is, the Exchange publishing rule) I have 2 options:

1. This rule applies to this published site:

I have webmail.mydomain.com (this is the same domain that I have in my certificate).

2. Computer name or IP address:

I have the internal name of my Exchange Server (I have tested with the IP).

And at the end I have:

Requests appear to come from the original client.

One question about my certificate. I see that in the certificate, on the Details tab, in the "Key Usage" field, I have a yellow warning. I do not know what this is.

The data is: Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment (f0)

Jail

 

by abdulzis, posted on 2009-02-19 at 23:13:26 (ID: 23689488)

Do you have a certificate on your Exchange containing webmail.mydomain.com as the common name? If you ping webmail.mydomain.com, does it resolve to the internal or external IP of the CAS?

 

by BestWay, posted on 2009-02-20 at 06:47:44 (ID: 23692330)

Hi

The certificate from Exchange is the same. I exported it from Exchange into ISA Server.

Inside the ISA Server, if I ping webmail.mydomain.com, I get the IP of the Exchange Server.

That is because I have in the ISA Server hosts file: 192.168.10.08 webmail.mydomain.com

Jail

 

by BestWay, posted on 2009-02-25 at 07:52:54 (ID: 23734953)

Hi

Can anyone please provide any assistance on this issue?

Thank You

Jail

 

by abdulzis, posted on 2009-02-25 at 10:30:12 (ID: 23736707)

 

by abdulzis, posted on 2009-02-25 at 10:30:52 (ID: 23736714)

It's quite an old article, but do check if you can access the CRL of the certificate.

 

by BestWay, posted on 2009-03-02 at 06:59:08 (ID: 23774472)

Hi

Sorry I did not get back to the question earlier.

I have requested a new certificate. I created a new one in Exchange with the New-ExchangeCertificate command. I sent it to our services, and they sent me a new one.

But I have the same problem :(

It says:

Category: General error
Error details: 0x80092010 - The certificate is revoked.

I have enabled the firewall policy:

Authentication Services: Allow HTTP from ISA Server to selected networks for downloading updated Certificate Revocation Lists (CRL)

If I disable the firewall option Specify Certificate Revocation Settings > Certificate Revocation > Verify that incoming server certificates are not revoked in a reverse scenario...

Only with this option enabled does the test rule give me: The certificate is revoked.

So what can this tell me?

Can anyone help?

Jail

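One way to act on the advice above (check whether the CRL of the certificate can be reached) together with the ISA setting BestWay names, "Verify that incoming server certificates are not revoked in a reverse scenario": with that setting on, the ISA box itself must resolve and download the CRL listed in the server certificate's CRL Distribution Points extension. The script below is an added example in Python, not code from the thread or from Microsoft. It connects to the published name, reads the leaf certificate's CRL URLs, and checks that each one resolves and downloads from wherever it is run, so it has to run with the same DNS view as the ISA server. SAMPLE_PEERCERT and its crl.example.test URL are constructed placeholders, not the thread's real CA. A caveat worth keeping in mind when reading the 0x80092010 result: CryptoAPI reports CRYPT_E_REVOKED (0x80092010) when a CRL it did obtain lists the certificate's serial number; a CRL it cannot fetch at all produces CRYPT_E_REVOCATION_OFFLINE (0x80092013) instead.

```python
"""Check that the CRL distribution points of a published server certificate are
resolvable and downloadable from this host (the host that has to fetch them)."""
import socket
import ssl
import sys
import urllib.request
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns. The CRL
# host, path and serial are hypothetical placeholders, not the thread's real CA.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "webmail.mydomain.com"),),),
    "serialNumber": "0123456789ABCDEF",
    "crlDistributionPoints": (
        "http://crl.example.test/IntermediateCA.crl",
        "ldap:///CN=IntermediateCA,CN=CDP,CN=Public%20Key%20Services?certificateRevocationList",
    ),
}


def fetch_peercert(host: str, port: int = 443, server_name: Optional[str] = None) -> dict:
    """TLS-connect and return the leaf certificate as the dict the ssl module exposes.

    The default context verifies the chain against this host's trust store, so a
    handshake failure here means the issuing CA is not trusted locally, which is
    itself a finding. getpeercert() returns {} when verification is disabled, so
    CERT_NONE cannot be used for this check.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return tls.getpeercert()


def crl_urls(peercert: dict) -> List[str]:
    """Return the HTTP(S) CRL distribution point URLs; LDAP points are skipped."""
    urls = peercert.get("crlDistributionPoints", ())
    return [u for u in urls if urlparse(u).scheme in ("http", "https")]


def check_crl(url: str, timeout: float = 10.0) -> Dict[str, object]:
    """Resolve the CRL host, download the CRL, and report what happened."""
    result: Dict[str, object] = {"url": url, "resolved": [], "status": None,
                                 "bytes": 0, "der": False, "error": None}
    host = urlparse(url).hostname
    try:
        infos = socket.getaddrinfo(host, None)
        result["resolved"] = sorted({info[4][0] for info in infos})
    except socket.gaierror as exc:
        result["error"] = f"DNS: {exc}"
        return result
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            data = resp.read()
            result["status"] = resp.status
            result["bytes"] = len(data)
            # A DER-encoded CRL starts with an ASN.1 SEQUENCE tag (0x30); an HTML
            # error page handed back by a proxy will not satisfy CryptoAPI.
            result["der"] = data[:1] == b"\x30"
    except OSError as exc:  # URLError/HTTPError and socket timeouts are OSError subclasses
        result["error"] = f"HTTP: {exc}"
    return result


def classify(result: Dict[str, object]) -> str:
    """Collapse a check_crl() result into one of three practitioner verdicts."""
    err = result.get("error")
    if isinstance(err, str) and err.startswith("DNS:"):
        return "dns-failure"
    if err or result.get("status") != 200 or not result.get("der"):
        return "download-failure"
    return "reachable"


if __name__ == "__main__":
    published_name = sys.argv[1] if len(sys.argv) > 1 else "webmail.mydomain.com"
    cert = fetch_peercert(published_name)
    for crl_url in crl_urls(cert) or ["(certificate has no HTTP CRL distribution point)"]:
        if crl_url.startswith("http"):
            outcome = check_crl(crl_url)
            print(classify(outcome), outcome)
        else:
            print(crl_url)
```

On the ISA host itself the native equivalent is certutil -verify -urlfetch <exported-cert.cer>, which performs the same CRL and AIA fetches and prints the revocation status of each element of the chain. Whichever tool is used, a "dns-failure" verdict is what the expert's DNS remarks below are about: the ISA box must be able to resolve the CRL host through its configured DNS servers, not through a hosts entry for the published name.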

 

by keith_alabaster, posted on 2009-03-03 at 13:09:41 (ID: 23788661)

Hey Modus - yeah I can hit this one.

The error message you are mentioning is normally down to the DNS configuration on ISA. Sorry if I ask some questions that are in previous posts, but I'm in the middle of doing a business case so am limited on time at the moment.

Can you ensure you have .NET 1.1 installed on the ISA and run up the BPA?
You can get it from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en


 

by BestWay, posted on 2009-03-03 at 18:44:00 (ID: 23791259)

Hi keith

Again :)

Yes, both are correct. I have run the BPA and there are no big problems regarding this issue.

What do you mean by DNS configuration? Can you be more specific?

Now, to bypass the certificate problem, I am changing all the configuration (ISA and Exchange) to publish OWA without CRL. Just to test.

It is not working yet; I will try to get this to work tomorrow.

Jail

 

by keith_alabaster, posted on 2009-03-03 at 22:48:55 (ID: 23792193)

Please tell me what the 'no big problems' are that the BPA reported.
The troubleshooting doc for SSL/certs on ISA can be found here:
http://technet.microsoft.com/en-us/library/cc302619.aspx

I'll cover the DNS next. Please provide the output from an ipconfig /all on the ISA Server.

 

by BestWay, posted on 2009-03-04 at 05:58:04 (ID: 23794721)

Hi

The errors that I have are only regarding other issues that are not CRL:

1. The Resource Allocation Failure error alert was signaled 1 times

Events that triggered the alert:
04-03-2009 12:42:53 - The Web Proxy filter failed to bind its socket to 192.168.1.250 port 80. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure.
 The failure is due to error: An attempt was made to access a socket in a way forbidden by its access permissions.

2. There are no certificates in the local store (this is because I deleted all the CRL to make the tests without HTTPS)

This is my configuration:

Ethernet adapter INTERNAL:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
   Physical Address. . . . . . . . . : 00-50-56-B2-47-82
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.250
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.10.1
                                       192.168.10.2

Ethernet adapter EXTERNAL:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
   Physical Address. . . . . . . . . : 00-50-56-B2-3A-D9
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.250
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 10.10.2.10
                                       10.10.2.11

After I removed HTTPS from the ISA Server (and deleted all the CRL), and IIS from Exchange, in my internal network, if I enter the external URL it works (http://webmail.mydomain.com/exchange).

I have tested this with HTTP and HTTPS; both work internally if I use the external domain (webmail.mydomain.com). The only thing that is not right is that it asks for authentication at the first logon, then the URL is exchange.domain.local and it asks for user authentication again. But after this I can see the OWA.

With all these tests, can you help me look at the issue?

Jail

 

by BestWay, posted on 2009-03-04 at 07:06:40 (ID: 23795381)

Hi

After I added the certificate again into the ISA Server, with the BPA test again I have this:

One or more certificates in the local store do not have a private key.

One or more certificates in the local computer store do not have a private key. If you want to implement secure Web publishing and ISA Server does not display a certificate, verify that local computer store contains at least one certificate that has a corresponding private key.

Testing the rule again I get again:

Category: General error
Error details: 0x80092010 - The certificate is revoked.

I have checked the CRL and I think it is OK.

These certificate issues are driving me crazy :(

Jail

 

by BestWay, posted on 2009-03-04 at 08:17:33 (ID: 23796199)

Hi

Looking at the site for SSL/certs there is one part that says:

Check that ISA Server trusts the CA that issued the certificate used to authenticate the published Web server. To do this, open Internet Explorer on the ISA Server computer, click the Tools menu, and then click Internet Options. On the Content tab, click Certificates. Check that a certificate for the CA appears on the Trusted Root Certification Authorities tab.

I have done this, but inside IE Tools > Certificates, in the Trusted Root Certification Authorities tab, I don't have my CRL, only the intermediate. I tried to import it here in the IE tools, but after importing with no errors I still have no webmail CRL.

But if I go to the MMC certificates, in the Trusted Root Certification Authorities folder, I have both CRLs: the webmail and the intermediate.

Is this normal?

Sorry about all these messages, but I am trying to give all the information that I can.

Jail

 

by keith_alabaster, posted on 2009-03-04 at 08:42:00 (ID: 23796519)

Trusted Root and CRL are not the same thing - CRL is certificate revocation list.

 

by keith_alabaster, posted on 2009-03-04 at 08:45:43 (ID: 23796566)

Where did you get this cert from? It should be exported from the Exchange (OWA) box - with the private key - then imported into ISA.

 

by BestWay, posted on 2009-03-04 at 09:27:09 (ID: 23797014)

Hi

Sorry about the confusion; when I say CRL I mean the certificate.

And yes, this certificate was exported from the Exchange Server, with the key. I followed all the steps.

Jail

 

by BestWay, posted on 2009-03-04 at 09:39:19 (ID: 23797142)

Hi

I have exported the certificate (with the key) and the intermediate from the Exchange Server.

Then I imported these into the MMC - Computer Account - Personal, Trusted Root Certification Authorities and Intermediate Certification Authorities.

In Intermediate Certification Authorities - Certificate Revocation List - I do not have any certificate from this issuer - is this correct?

In Intermediate Certification Authorities - Certificates - I have the intermediate certificate.

Jail

 

by keith_alabaster, posted on 2009-03-04 at 09:55:13 (ID: 23797321)

Yes, that is correct - you have nothing in the revocation list because the cert is NOT revoked.
The only thing this leaves then - assuming the basics are correct - is the publishing rule and the listener.
How have you published the service - all details please.

 

by BestWay, posted on 2009-03-04 at 15:35:19 (ID: 23801097)

Hi

I have tried to take screenshots remotely, but no luck.

Tomorrow I will take screenshots of all the tabs and add them to a message.

For security reasons I will erase some information.

Jail

 

by BestWay, posted on 2009-03-05 at 04:23:41 (ID: 23804739)

Hi

I have the file with all the screenshots of the publishing rule.

Any further questions, just ask :)

Another issue that I have noticed... I have added to my hosts file (in ISA Server) the entry

192.168.10.10 webmail-mydomain.domain.com

This internal IP is from my Exchange, but if I do an nslookup it shows the external IP (that is the IP from the root domain, outside our sub-domain network).

So this is shown by the external adapter, which is the only one connected to that network.

I do not know if this is important.

Hope all this information may be useful.

Jail

 

by keith_alabaster, posted on 2009-03-05 at 09:29:56 (ID: 23807972)

ISA should not use any hosts file. As you know, ISA should use the DNS server from your internal LAN - ISA should not even know HOW to look up an external address. This is the point I made earlier - I am beginning to doubt that some of the basics are set up correctly. I have just got in from work so will look at the screenshots etc. after dinner.

 

by BestWay, posted on 2009-03-05 at 10:07:26 (ID: 23808391)

Hi

Yes, about the DNS server, but several Exchange sites point to using the hosts file (or split DNS) to add the Exchange Server IP address with the external webmail.domain.com, to publish the OWA.

OK, look at the file, then we can go forward with this.

Thanks for all the help until now.

Jail

 

by keith_alabaster, posted on 2009-03-05 at 14:49:20 (ID: 23811930)

The screenshots look fine - and as I would expect. As I mentioned above, I am starting to question some of the basics. I note that you say everything works from the internal LAN, so the next place to look is the external side.

I would suggest that you run the ISA real-time log monitor (ISA GUI - Monitoring - Logging) and set the filter to monitor HTTPS or HTTP server. Try the connection and see if port 443 traffic is even arriving at ISA - check that port 443 is being allowed through any external routers or firewalls. If port 443 is not even arriving at the ISA then it will not know to present a login screen.

If HTTP/HTTPS server traffic IS arriving OK then I need to see details of what the log reports.

Keith
ISA MVP

 

by BestWay, posted on 2009-03-05 at 15:16:14 (ID: 23812221)

Hi keith

OK, I will check all those issues, and I will get back to this question as soon as possible with the answers.

Thank You

Jail

 

by BestWay, posted on 2009-03-07 at 15:04:54 (ID: 23827073)

Hi

Just to update.

We have a Cisco ASA before the ISA Server, so an external company had to test whether there is any SSL communication reaching that ASA, and check whether any SSL is blocked by that ASA. That test has been made, and the ASA is OK, but still the SSL 443 did not arrive at this ASA. So the problem may be in the first firewall of this system. That is a firewall (I do not know what firewall it is) that belongs to the root domain of this sub-domain.

I will check all the firewalls and logs that are outside the ISA Server. But these are supported by external companies, and this takes some time.

When I have some feedback, I will post.

Thank You

Jail

 

by keith_alabaster, posted on 2009-03-08 at 03:45:44 (ID: 23828743)

Excellent - if the SSL traffic does not arrive at the ASA box then there is NO WAY that the SSL traffic can arrive at the ISA Server, which is further down the line... Nice work, and I will wait to hear how it goes with the further testing.

 

by keith_alabaster, posted on 2009-03-12 at 11:12:03 (ID: 23871659)

Thanks Vee. The 'objectives' passed to BestWay would easily take a week to undertake based on the info (and convolutedness (made that word up) of his environment). I'm sure he will get back to us :)

 

by BestWay, posted on 2009-03-12 at 23:05:49 (ID: 23876444)

Hi

First, sorry about the time to respond. Like I said before, these corrections were out of my hands. So I needed to wait until they corrected the problem.

OK, I have feedback now.

The root domain firewall and the Cisco ASA are working with my ISA Server.

Communications with my webmail URL through port 443 now arrive at my ISA Server. Now it is up to me to make it work :)

Let us focus on my ISA Server.

After some issues in the ISA Server that I have corrected, I can now see the OWA logon.

I enter domain/user into the logon page, then after 1 or 2 minutes I get a timeout. And I cannot get access to the OWA mailbox.

I have monitored this access in the ISA Server, so I will post the log.

The 10.10.2.20 is the firewall from our root domain.


Original Client IP      Client IP      Client Username      Client Agent      Authenticated Client      Service      Server Name      Referring Server      Destination Host Name      Destination IP      Protocol      Transport      HTTP Method      URL      MIME Type      Object Source      Source Network      Destination Network      Source Proxy      Destination Proxy      Action      Bidirectional      Client Host Name      Rule      Filter Information      Network Interface      Raw IP Header      Raw Payload      Log Time      GMT Log Time      Source Port      Destination Port      Processing Time      Bytes Sent      Bytes Received      Result Code      HTTP Status Code      Cache Information      Error Information      Log Record Type      Authentication Server


Denied Connection ISASRV 13-03-2009 5:23:10
Log type: Web Proxy (Reverse)
Status: 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.  
Rule: OWA
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: GET http://webmail.mydomain.com/exchange
Filter information: Req ID: 0a0d339b; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
 Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 1 ms
MIME type:  


Allowed Connection ISASRV 13-03-2009 5:23:11
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.  
Rule:  
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: GET http://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1
Filter information: Req ID: 0a0d33b7; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
 Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 313 ms
MIME type:

Allowed Connection ISASRV 13-03-2009 5:23:11
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.  
Rule:  
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=logon_style.css
Filter information: Req ID: 0a0d33b9; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
 Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 109 ms
MIME type:
 
Allowed Connection ISASRV 13-03-2009 5:23:11
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.  
Rule:  
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=flogon.js
Filter information: Req ID: 0a0d33bb; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
 Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 375 ms
MIME type:
 
Allowed Connection ISASRV 13-03-2009 5:30:37
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.  
Rule:  
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: POST http://webmail.mydomain.com/CookieAuth.dll?Logon
Filter information: Req ID: 0a0d342e; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
 Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 78 ms
MIME type:  

What can we see with this?

Thank You

Jail

 

by: BestWay, posted on 2009-03-12 at 23:09:21, ID: 23876455

Hi

Since the log pasted in here is not so clear, I will post a txt file with the log.

Jail

 

by: keith_alabaster, posted on 2009-03-13 at 00:25:24, ID: 23876774

First, the credentials need to be domain\user, not domain/user.

Second, OWA needs to be set to Basic Authentication on the IIS, and ISA needs to be using forms-based authentication.
What version of Exchange are you using?

http://technet.microsoft.com/en-us/library/bb794751.aspx  - for Exchange 2007
http://technet.microsoft.com/en-gb/library/bb794845.aspx  - for Exchange 2003
http://technet.microsoft.com/en-gb/library/bb794843.aspx  - OWA specific

Just off to work, so you are on your own with this for a while.

 

by: BestWay, posted on 2009-03-15 at 10:22:33, ID: 23892240

Hi

Just to update.

The problem with the timeout is resolved.

But now somehow the certificate gets revoked. I have checked, and double-checked, the cert. I have removed the cert from the ISA, exported it from the Exchange Server, and imported it again into the ISA Server.

But I still have the same error:

Error Code: 500 Internal Server Error. The certificate is revoked. (-2146885616)

I think all is OK with the certificate.

Any ideas?

Jail

 

by: keith_alabaster, posted on 2009-03-15 at 14:27:04, ID: 23893242

You can prove this by accessing the internal Exchange server through https - the OWA directly. If the certificate has been revoked (remember that the Exchange server certificate and the ISA server certificate are supposed to be the same certificate), then the OWA should give the same message from internal access as well.

 

by: BestWay, posted on 2009-03-15 at 14:49:36, ID: 23893347

Hi

Nope, internally I can connect with no problem.

And yes, both servers have the same certificate.

So where the hell is the problem? :(

Jail

 

by: keith_alabaster, posted on 2009-03-15 at 15:17:37, ID: 23893493

Look at the specifics of the certificates - make sure every detail is the same. You 'MAY' find some differences - if you do, see what system is the authenticator for that specific certificate. For example, if you are using a wildcard cert, you may find that the parent or the issuer has revoked the certificate - god knows why - on their Root CA. They may not even be aware of it..... but that is where the certificate will be checked against.

 

by: BestWay, posted on 2009-03-16 at 04:31:16, ID: 23896470

Hi

After running the BPA on the ISA Server I get 3 new errors, and the certainty that the certificate is the issue. After 10.000 issues with this problem, I think this is the final issue and last problem.


Events that triggered the alert:
15-03-2009 17:17:46 - The client certificate was revoked due to an invalid or missing Certificate Revocation List (CRL). The CRL may have expired and ISA Server was unable to download a valid CRL. Verify that the CRL download system policy configuration group is enabled and that there is connectivity to the CRL Distribution Points (CDPs).


One or more certificates in the local computer store do not have a private key. If you want to implement secure Web publishing and ISA Server does not display a certificate, verify that local computer store contains at least one certificate that has a corresponding private key.


Events that triggered the alert:
15-03-2009 16:42:06 - The Web Proxy filter failed to bind its socket to 192.168.100.250 port 443. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure.
The failure is due to error: An attempt was made to access a socket in a way forbidden by its access permissions.

And I will check the certificate with the root domain Network Administrator, who created the cert at my request, and check with them whether this certificate is revoked at the root domain (in the SAN or wildcard certificate).

Jail

 

by: keith_alabaster, posted on 2009-03-16 at 12:40:58, ID: 23901551

1. Open the ISA GUI, select Firewall Policy, edit the SYSTEM policy and enable the CRL policy, and make sure all networks are added.

2. We have spoken about this - you said that the keys you have imported definitely had private keys - so do you have other certificates? It may be one of those that the BPA is referring to.

3. You can only have one port 443 listener on each external IP address that you have on the ISA external NIC.
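
A diagnostic script for the three points above and the BPA events in the previous post, added here as an example and not part of the thread: it lists the certificates in the ISA host's local computer store that match the published name, reports whether each has a private key, builds the chain with online revocation checking so that "Revoked" can be told apart from "RevocationStatusUnknown"/"OfflineRevocation" (an expired or unreachable CRL), and tests whether each CRL Distribution Point can be downloaded from the ISA host. It assumes PowerShell 2.0 or later on the ISA host and uses the subject name webmail.mydomain.com from the thread.

```powershell
# Added example (not from the thread): certificate and CRL diagnostics on the ISA host.
# Assumes PowerShell 2.0+; the default subject filter is the name used in the thread.
param([string]$SubjectMatch = 'webmail.mydomain.com')

function Get-CdpUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 is the CRL Distribution Points extension. Format($true) gives the
    # multi-line text rendering; pull every http(s)/ldap URL out of it.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    $text = $ext.Format($true)
    return [regex]::Matches($text, '(?i)(https?|ldap)://[^\s,\]]+') | ForEach-Object { $_.Value }
}

function Test-CdpReachable {
    param([string]$Url)
    # This is the same fetch the ISA "CRL download" system policy has to allow from the
    # Local Host network; if it fails here, ISA cannot refresh the CRL either.
    if ($Url -notmatch '^(?i)https?://') { return 'skipped (not an HTTP URL)' }
    $wc = New-Object System.Net.WebClient
    try {
        $bytes = $wc.DownloadData($Url)
        return "reachable ($($bytes.Length) bytes)"
    } catch {
        return "UNREACHABLE: $($_.Exception.Message)"
    }
}

function Test-ChainRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($Cert)
    # "Revoked" means the issuing CA really revoked it; "RevocationStatusUnknown" or
    # "OfflineRevocation" means the CRL could not be fetched or has expired, which is
    # what the BPA "invalid or missing CRL" event describes.
    $statuses = $chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }
    return @{ Valid = $ok; Status = $statuses }
}

$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$SubjectMatch*" }
if (-not $certs) { Write-Warning "No certificate matching '$SubjectMatch' in LocalMachine\My"; return }

foreach ($c in $certs) {
    Write-Host "Subject       : $($c.Subject)"
    Write-Host "Issuer        : $($c.Issuer)"
    # Run the same script on the Exchange server: the thumbprints must match if both
    # hosts really carry the same certificate.
    Write-Host "Thumbprint    : $($c.Thumbprint)"
    Write-Host "Valid         : $($c.NotBefore) -> $($c.NotAfter)"
    Write-Host "HasPrivateKey : $($c.HasPrivateKey)"   # the BPA "no private key" warning
    $r = Test-ChainRevocation -Cert $c
    Write-Host "Chain builds  : $($r.Valid)"
    $r.Status | ForEach-Object { Write-Host "  - $_" }
    Write-Host "CRL Distribution Points:"
    foreach ($u in (Get-CdpUrls -Cert $c)) {
        Write-Host "  $u -> $(Test-CdpReachable -Url $u)"
    }
    Write-Host ''
}
```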

 

by: BestWay, posted on 2009-03-19 at 20:02:36, ID: 23936583

Hi

Just to update this question, and this question/problem is taking too long :(

1 - This is enabled already.

2 - I have no other certificates in this server. Only this one.

3 - I only have one listener in this server (the OWA).

I have requested more information from the root domain offices about the certificate, whether they have revoked this certificate in their SAN or wildcard certificates. The request was about a week ago; I am still waiting for the answer.

Once again I would like to thank keith_alabaster for all the help and time spent on this question.

Jail

 

by: keith_alabaster, posted on 2009-03-20 at 00:04:53, ID: 23937306

No probs - just frustrating that your own organisation is not helping you - :(

 

by: BestWay, posted on 2009-03-25 at 17:28:33, ID: 23986232

Hi

Just to update the question.

After a week they responded today, but they did not give any information. The stupids say they have tested the webmail, and the logon page is visible, so the webmail is working.

I replied saying that the problem is after we log on.

I am tired of this problem, and the lack of support or information from the main office.

I have abandoned the project for now. I will not go back to this project until they give further information, or more help and support.

If I have no feedback in a few days, I will close the question.

Once again thank you for the help and patience with me and this problem.

Jail

 

by: keith_alabaster, posted on 2009-03-25 at 23:53:52, ID: 23987839

So sorry I cannot help much more here. Provide test user credentials to the main office - ask them to log on with them so that they see the certificate revoked message.

Secondly, SSL is enabled to the ISA Server and we know now that this is OK to this stage. Set the bridging to use http from ISA to Exchange rather than https - does it work then?

Cheers
Keith

 

by: BestWay, posted on 2009-03-26 at 14:01:21, ID: 23995250

Hi Keith

OK, with your solution/option the webmail works without any problem.

Now the communications between the Internet and the ISA Server are encrypted (with the cert from the main office), but the communications between the ISA Server and Exchange are not encrypted.

But since the support for this problem is not correct, I will propose this.

If they want two levels of encryption, then the root domain must give proper support and information. If not, then this will only work with one level of encryption, and we do not need more help or support from the main office.

Once again, all the thanks that I can say is not enough for all the time and patience for this problem.

After the decision tomorrow I will close this question.

Jail

 

by: keith_alabaster, posted on 2009-03-26 at 14:03:59, ID: 23995283

:) thanks

 

by: BestWay, posted on 2009-03-30 at 13:21:55, ID: 31548846

Once again I would like to thank Keith for his time and patience.

 

by: keith_alabaster, posted on 2009-03-30 at 13:24:57, ID: 24022946

Welcome :)

 

by: keith_alabaster, posted on 2009-03-30 at 13:26:59, ID: 24022967

Welcome :)
