Yeah, this is not always easy...
The Outlook Web Access rule in ISA (not the weblistener) - is it configured to allow the Exchange paths in the "Paths" tab?
E.g. /public/* /exchange/* /exchweb/*
Ever had the feeling you need to find another profession :)
Well it's time to ask some experts ......
I have a fairly simple setup ......
Exchange 2003 FE Server to Exchange 2003 BE Server .....
Everything was working fine with a direct connection (Port 443) only to the servers.
Some bright spark (me) decided we needed an ISA 2006 (logging etc etc).
So, armed with my external SSL Certificate which was exported from the Exchange 2003 FE Server, I did the following ...
1) Removed Forms Based Authentication from the FE Server and rebooted.
2) Installed ISA 2006 with dual NICs (1 x DMZ (10.255.255.5) and 1 x Internal (10.0.0.5))
DNS resolution to Internal only
3) Imported SSL Certificate into the ISA 2006 and patched.
4) On ISA 2006 Setup the following rules.
a) Local host ---> External (HTTP / HTTPS)
b) Internal / Local host ---> Internal / Local host (All Outbound)
5) Started the Publish Exchange Web client Wizard.
a) Name = OWA Mail Server
b) Version = 2003 (owa only)
c) Type = Single Site
d) Server Security = SSL
e) Internal Site Name = ExchangeFE01 and IP = 10.0.0.2
f) Accept requests for this domain and public name www.mydomain.co.uk
**The same as the SSL Certificate www.mydomain.co.uk**
g) New Web listener = Big Ears
h) Require SSL
i) External Interface
j) www.mydomain.co Certificate selected (Green Tick)
k) HTML Form and Windows Active Directory
l) SSO = .mydomain.co.uk
m) Basic Authentication
n) All Users
Edited the Web Listener and selected "Require all users to authenticate" and allow HTTP
and redirect HTTP to HTTPS
Tried to connect externally and receive the following error after the ISA 2006 Forms Logon Page.
The Page Cannot be displayed
403 Forbidden, Uniform Resource Locator (12202)
I have connected internally using the Internal Name and IP address
http://exchangefe01.mydoma
But any external access fails ..... this is what is displayed in the ISA log.
Log type: Web Proxy (Reverse)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: External (80.0.0.1)
Destination: (10.255.255.5:443)
Request: GET http://80.1.1.1/
Filter information: Req ID: 0e886209; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=yes, valid=yes, updated=yes, logged off=no, client type=public, user activity=yes
Protocol: https
User: mydomain.co.uk\test
Additional information
Any help much appreciated as I am beginning to lose the will to live ...... either I need to stay away from ISA boxes or this thing has it in for me.
regards
Kim
The paths are set as you listed E.g. /public/* /exchange/* /exchweb/*
Windows IP Configuration
Host Name . . . . . . . . . . . . : isa01
Primary Dns Suffix . . . . . . . : mydomain.co.uk
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mydomain.co.uk
co.uk
Ethernet adapter Internal:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port Network Connection #2
Physical Address. . . . . . . . . : 00-0A-E4-**-**-**
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.0.5
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.0.0.222
10.0.0.223
Ethernet adapter External:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port Network Connection
Physical Address. . . . . . . . . : 00-0A-E4-**-**-**
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.255.255.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.255.255.1
DNS Servers . . . . . . . . . . . : 10.0.0.222
10.0.0.223
I guessed that you should always point the ISA to the internal DNS servers and get them to resolve
to the ISP DNS servers using forwarders.
The ExchangeFE server has the same SSL certificate as the ISA
Regards
Kim
I think the world stops ;-)
Testing URL https://www.mydomain.co.uk
Category: Published server certificate error
Error details: 0x80090322 - The target principal name is incorrect.
Action: Go to http://go.microsoft.com/fw
Testing URL https://www.mydomain.co.uk
Category: Published server certificate error
Error details: 0x80090322 - The target principal name is incorrect.
Action: Go to http://go.microsoft.com/fw
Testing URL https://www.mydomain.co.uk
Category: Published server certificate error
Error details: 0x80090322 - The target principal name is incorrect.
Action: Go to http://go.microsoft.com/fw
ISA Best practice is showing no errors. But I'm guessing I've done something stupid ;-)
Regards
Kim
This looks like ISA tries to connect to www.mydomain.co.uk for the internal server - it doesn't sound like an internal name to me though. When you ping www.mydomain.co.uk from ISA, who answers? ISA or the Frontend server?
Ah wait, I misread that... :)
OK, you said you are using the same certificate for external and internal, so I assume the cert has the name "www.mydomain.co.uk" but your internal server name will be something else, right?
Somewhat of a dirty workaround, but may help:
Tell ISA your FE's name is "www.mydomain.co.uk". Create a hosts entry for www.mydomain.co.uk with the IP of the FE server. Run the Test on the rule again.
It comes back saying destination unreachable ...... as it tries to ping the external Ip address.
Ok guessing at the problem ....... and this is a hypothetical example
Our email domain is myemaildomain.co.uk and the Thawte SSL certificate is
registered as www.myemaildomain.co.uk
Our internal domain is myinternaldomain.co.uk and I think this could be causing the problem ......
They didn't want myinternaldomain.co.uk to go to OWA only to the Web Page.
any advice on solution / setup
Did this make sense or am I confusing the situation ?
regards
time to put my hand in the air ....
How do you create a dns entry for www.mydomain.co.uk ?
I've put an entry in the LMHOSTS file on the ISA Server
www.mydomain.co.uk and pointed it to the FE Server.
I can ping this that resolves to the FE Server
I have re-run the tests and receive the following
The test successfully completed verifying settings for this URL on the published server.
If I type www.mydomain.co.uk I receive a login box and then owa opens correctly
It fails however externally.
Log type: Web Proxy (Reverse)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: External (80.0.0.1)
Destination: (10.255.255.5:443)
Request: GET http://80.1.1.1/
Filter information: Req ID: 0e886209; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=yes, valid=yes, updated=yes, logged off=no, client type=public, user activity=yes
Protocol: https
User: mydomain.co.uk\test
Additional information
https://80.1.1.1/exchange
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
https://myemaildomain.co.u
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
ok getting close ....
Just rebooted everything ...
If I type www.myemaildomain.co.uk the ISA login page is displayed ..
after logging in the url changes to https://myemaildomain.co.u
with The page cannot be displayed and Error Code: 403 Forbidden (12202)
however if I then manually add "exchange" to the end ... so it reads https://myemaildomain.co.u
and hit enter
The OWA pages appear correctly
Well, it is pretty easy, isn't it. :)
It is normal for the internal address to be different, that's true. The clean way would be to have a certificate with the internal name on your FE, then you can avoid those tricks. If for example you run an internal PKI this is fairly easy to do. But really, it works both ways. Alternative is to do SSL only to your ISA server, and from here you can do HTTP to the FE. Of course this is less secure, but it really depends on your situation if that's a problem or not. Since you've got it working with SSL I really wouldn't change it.
The forwarding to /exchange you have to do in any case I think... Mainly because that is the address on the FE, and ISA just does forwarding. And it makes sense this way, too - let's say you run Exchange 2007, you would rather forward to /owa.
I don't think creating a small HTML page with a redirection is a big deal, at least that's how I set up mine.
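The log entries quoted earlier show why the post-logon request fails: the FBA cookie is valid (the forms logon succeeded), yet the request is for "/" and the publishing rule only lists /public/*, /exchange/* and /exchweb/*, so it falls through to the Default rule and is denied with 12202. The following script is an added example, not code from the thread or from ISA: it models the rule's path matching (a simplified assumption, not ISA's own logic), parses constructed log lines in the same format, and reports which requests would be denied.

```python
import re
from urllib.parse import urlsplit

# Paths allowed on the OWA publishing rule, exactly as listed in the thread.
ALLOWED_PATHS = ["/public/*", "/exchange/*", "/exchweb/*"]

def path_allowed(path, allowed=ALLOWED_PATHS):
    """Simplified model of how a publishing rule's Paths tab is matched
    (an assumption for this example, not ISA's own code): an entry ending
    in '/*' covers that directory and everything beneath it; any other
    entry must match the request path exactly."""
    for entry in allowed:
        if entry.endswith("/*"):
            if path.startswith(entry[:-1]):
                return True
        elif path == entry:
            return True
    return False

# Constructed sample, modelled on the "Web Proxy (Reverse)" entries quoted above.
SAMPLE_LOG = """\
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Request: GET http://80.1.1.1/
Filter information: FBA cookie: exists=yes, valid=yes, logged off=no
Status: 0
Rule: OWA Mail Server
Request: GET http://80.1.1.1/exchange/
Filter information: FBA cookie: exists=yes, valid=yes, logged off=no
"""

_REQ = re.compile(r"^Request:\s+(\S+)\s+(\S+)", re.M)

def audit_requests(log_text, allowed=ALLOWED_PATHS):
    """Return [(path, allowed_by_rule)] for every 'Request:' line in the log.
    A request whose path matches no entry never reaches the publishing rule,
    so it falls through to the Default rule and is denied with 12202, even
    when the FBA cookie is valid (the logon itself succeeded)."""
    results = []
    for _method, url in _REQ.findall(log_text):
        path = urlsplit(url).path or "/"
        results.append((path, path_allowed(path, allowed)))
    return results

if __name__ == "__main__":
    for path, ok in audit_requests(SAMPLE_LOG):
        verdict = "allowed" if ok else "DENIED (12202, falls to Default rule)"
        print(f"{path:30} {verdict}")
```

The fix discussed in the thread follows directly: either redirect "/" to /exchange on the FE so the browser never asks ISA for a path outside the list, or add a path entry that the rule will accept.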
by: keith_alabaster, posted on 2009-09-10 at 11:39:31, ID: 25303015
Let's take a few steps backwards here.
First, please provide an output from ipconfig /all from the ISA box - let's make sure the basics are right.