Question

OWA 2003 and ISA 2006

Asked by: kpec01

Ever had the feeling you need to find another profession :)

Well its time to ask some experts ......

I have a fairly simple setup ......

Exchange 2003 FE Server to Exchange 2003 BE Server .....

Everything was working fine with a direct connection (Port 443) only to the servers.

Some bright spark (me) decided we needed an ISA 2006 (logging etc etc).

So, armed with my external SSL Certificate which was exported from the Exchange 2003 FE Server, I did the following ...

1)  Removed Forms Based Authentication from the FE Server and rebooted.

2) Installed ISA 2006 with dual NICs (1 x DMZ (10.255.255.5) and 1 x Internal (10.0.0.5))

DNS resolution to Internal only

3) Imported SSL Certificate into the ISA 2006 and patched.

4) On ISA 2006 Setup the following rules.

a) Local host ---> External (HTTP / HTTPS)
b) Internal / Local host ---> Internal / Local host (All Outbound)

5)  Started the Publish Exchange Web client Wizard.

a) Name = OWA Mail Server
b) Version = 2003 (owa only)
c) Type = Single Site
d) Server Security = SSL
e) Internal Site Name = ExchangeFE01 and IP = 10.0.0.2
f) Accept requests for this domain and public name www.mydomain.co.uk
**The same as the SSL Certificate www.mydomain.co.uk**
g) New Web listener = Big Ears
h) Require SSL
i) External Interface
j) www.mydomain.co Certificate selected (Green Tick)
k) HTML Form and Windows Active Directory
l) SSO = .mydomain.co.uk
m) Basic Authentication
n) All Users

Edited the Web Listener and Selected "Require all users to authenticate" and allow HTTP
and redirect HTTP to HTTPS

Tried to connect externally and receive the following error after the ISA 2006 Forms Logon Page.

The Page Cannot be displayed

403 Forbidden, Uniform Resource Locator (12202)

I have connected internally using the Internal Name and IP address

http://exchangefe01.mydomain.co.uk and https://10.0.0.1

But any external access fails ..... this is what is displayed in the ISA log.


Log type: Web Proxy (Reverse)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).  
Rule: Default rule
Source: External (80.0.0.1)
Destination: (10.255.255.5:443)
Request: GET http://80.1.1.1/
Filter information: Req ID: 0e886209; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=yes, valid=yes, updated=yes, logged off=no, client type=public, user activity=yes
Protocol: https
User: mydomain.co.uk\test
 Additional information  

Any help much appreciated as I am beginning to lose the will to live ...... either I need to stay away from ISA boxes or this thing has it in for me.

regards

Kim










Asked On: 2009-09-10 at 10:44:12, ID: 24722246
Tags: Exchange 2003, OWA 2003, ISA 2006
Topic: MS Forefront-ISA
Participating Experts: 2
Points: 500
Comments: 22


Answers

 

by: keith_alabaster, Posted on 2009-09-10 at 11:39:31, ID: 25303015

Lets take a few steps backwards here.

First, please provide an output from ipconfig /all from the ISA box - lets make sure the basics are right.

 

by: Wonko_the_Sane, Posted on 2009-09-10 at 11:44:42, ID: 25303063

Yeah, this is not always easy...

The Outlook Web Access rule in ISA (not the weblistener) - is it configured to allow the Exchange paths in the "Paths" tab?

E.g. /public/* /exchange/* /exchweb/*

 

by: kpec01, Posted on 2009-09-10 at 13:20:35, ID: 25303873

The paths are set as you listed E.g. /public/* /exchange/* /exchweb/*


Windows IP Configuration

   Host Name . . . . . . . . . . . . : isa01
   Primary Dns Suffix  . . . . . . . : mydomain.co.uk
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mydomain.co.uk
                                       co.uk

Ethernet adapter Internal:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port Network Connection #2
   Physical Address. . . . . . . . . : 00-0A-E4-**-**-**
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.0.5
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.0.222
                                       10.0.0.223

Ethernet adapter External:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port Network Connection
   Physical Address. . . . . . . . . : 00-0A-E4-**-**-**
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.255.255.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.255.255.1
   DNS Servers . . . . . . . . . . . : 10.0.0.222
                                       10.0.0.223

I guessed that you should always point the ISA to the internal DNS servers and get them to resolve
to the ISP DNS servers using forwarders.

The ExchangeFE server has the same SSL certificate as the ISA

Regards

Kim

 

by: Wonko_the_Sane, Posted on 2009-09-10 at 13:23:12, ID: 25303888

In ISA, on your web publishing rule, what happens when you click "Test rule"

 

by: kpec01, Posted on 2009-09-10 at 13:32:21, ID: 25303972

I think the world stops ;-)

Testing URL https://www.mydomain.co.uk:443/Exchange/
Category: Published server certificate error
Error details: 0x80090322 - The target principal name is incorrect.
Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965

Testing URL https://www.mydomain.co.uk:443/Exchweb/
Category: Published server certificate error
Error details: 0x80090322 - The target principal name is incorrect.
Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965

Testing URL https://www.mydomain.co.uk:443/Public/
Category: Published server certificate error
Error details: 0x80090322 - The target principal name is incorrect.
Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965

ISA Best Practice is showing no errors. But I'm guessing I've done something stupid ;-)

Regards

Kim

 

by: Wonko_the_Sane, Posted on 2009-09-10 at 13:37:21, ID: 25304027

This looks like ISA tries to connect to www.mydomain.co.uk for the internal server - it doesn't sound like an internal name to me though. When you ping www.mydomain.co.uk from ISA, who answers? ISA or the Frontend server?

 

by: Wonko_the_Sane, Posted on 2009-09-10 at 13:40:57, ID: 25304084

Ah wait, I misread that... :)

OK, you said you are using the same certificate for external and internal, so I assume the cert has the name "www.mydomain.co.uk" but your internal server name will be something else, right?

Somewhat of a dirty workaround, but may help:
Tell ISA your FE's name is "www.mydomain.co.uk". Create a hosts entry for www.mydomain.co.uk with the IP of the FE server. Run the Test on the rule again.

 

by: kpec01, Posted on 2009-09-10 at 13:51:08, ID: 25304180

It comes back saying destination unreachable ...... as it tries to ping the external IP address.


Ok guessing at the problem ....... and this is a hypothetical example

Our email domain is myemaildomain.co.uk and the Thawte SSL certificate is
registered as www.myemaildomain.co.uk

Our internal domain is myinternaldomain.co.uk and I think this could be causing the problem ......

They didn't want myinternaldomain.co.uk to go to OWA only to the Web Page.

any advice on solution / setup

Did this make sense or am I confusing the situation?

regards

 

by: Wonko_the_Sane, Posted on 2009-09-10 at 13:54:07, ID: 25304220

Yeah, see my other comment. Try that and see what happens.

Other approach: If you are able to create a certificate you can create it in the name of myinternaldomain.co.uk, give it to your FE server. Make sure name resolution works.
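The two approaches above (a hosts entry so ISA connects to the FE under the certificate's public name, or a certificate that carries the internal name) both come down to the same check the ISA "Test rule" performs: the name ISA connects to must appear on the published server's certificate. The model below is an added example, not code from the thread or from Microsoft; the name-matching rules are the standard TLS host-name rules, ISA's internal behaviour is only modelled, and every name and address is constructed from the thread.

```python
"""Model of the server-certificate name check behind ISA's "Test rule".

Added example; not code from the thread or from Microsoft. ISA connects
over SSL to the rule's *internal site name* and expects the published
server's certificate to carry that name; otherwise the test reports
0x80090322 ("The target principal name is incorrect"). ISA's behaviour
is only modelled here and all names and addresses are constructed.
"""
from __future__ import annotations

import ipaddress

# ISA's Internal network, taken from the ipconfig posted in the thread (10.0.0.5/16).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/16")


def name_matches(cert_name: str, host: str) -> bool:
    """Case-insensitive DNS-name match; a leading '*' covers exactly one label."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    c_labels, h_labels = cert_name.split("."), host.split(".")
    return len(c_labels) == len(h_labels) and c_labels[1:] == h_labels[1:]


def cert_covers_host(cert_names: list[str], host: str) -> bool:
    """True if any name on the certificate matches the host ISA connected to."""
    return any(name_matches(n, host) for n in cert_names)


def isa_test_rule(internal_site_name: str, fe_cert_names: list[str],
                  dns: dict[str, str], hosts_file: dict[str, str]) -> tuple[str, str]:
    """Return (category, detail) for one published URL, as the ISA test does.

    A HOSTS (or LMHOSTS, as the asker used) entry wins over DNS. The name
    check is done against the name ISA connected to, not the address.
    """
    name = internal_site_name.lower()
    ip = hosts_file.get(name) or dns.get(name)
    if ip is None or ipaddress.ip_address(ip) not in INTERNAL_NET:
        return ("Published server unreachable", f"{internal_site_name} -> {ip}")
    if not cert_covers_host(fe_cert_names, internal_site_name):
        return ("Published server certificate error",
                "0x80090322 - The target principal name is incorrect.")
    return ("OK", f"verified settings on the published server {ip}")


# Constructed data modelled on the thread: the FE certificate carries only the
# public name, and DNS maps that public name to the external address.
FE_CERT_NAMES = ["www.mydomain.co.uk"]
DNS = {"exchangefe01.mydomain.co.uk": "10.0.0.2", "www.mydomain.co.uk": "80.1.1.1"}

# 1) As first configured: internal site name ExchangeFE01 is not on the cert.
ORIGINAL = isa_test_rule("ExchangeFE01.mydomain.co.uk", FE_CERT_NAMES, DNS, {})
# 2) Public name as internal site name, but no hosts entry: ISA heads outside.
NO_HOSTS = isa_test_rule("www.mydomain.co.uk", FE_CERT_NAMES, DNS, {})
# 3) The thread's workaround: same name, plus a hosts entry pointing at the FE.
WORKAROUND = isa_test_rule("www.mydomain.co.uk", FE_CERT_NAMES, DNS,
                           {"www.mydomain.co.uk": "10.0.0.2"})
# 4) The clean way: a certificate on the FE that also names the internal host.
CLEAN = isa_test_rule("ExchangeFE01.mydomain.co.uk",
                      ["www.mydomain.co.uk", "exchangefe01.mydomain.co.uk"], DNS, {})

if __name__ == "__main__":
    for label, (category, detail) in [("original", ORIGINAL), ("no hosts entry", NO_HOSTS),
                                      ("hosts workaround", WORKAROUND), ("internal-name cert", CLEAN)]:
        print(f"{label:20s} {category}: {detail}")
```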

 

by: kpec01, Posted on 2009-09-10 at 14:07:42, ID: 25304371

time to put my hand in the air ....


How do you create a DNS entry for www.mydomain.co.uk?



 

by: kpec01, Posted on 2009-09-10 at 14:34:36, ID: 25304741

I've put an entry in the LMHOSTS file on the ISA Server

www.mydomain.co.uk and pointed it to the FE Server.

I can ping this and it resolves to the FE Server

 

by: kpec01, Posted on 2009-09-10 at 14:44:19, ID: 25304825

I have re-run the tests and receive the following

The test successfully completed verifying settings for this URL on the published server.


If I type www.mydomain.co.uk I receive a login box and then owa opens correctly

It fails however externally.

 

by: Wonko_the_Sane, Posted on 2009-09-10 at 14:51:51, ID: 25304896

So the Test is OK but it's still not working? What's the error? Anything in the log?

 

by: kpec01, Posted on 2009-09-10 at 14:55:32, ID: 25304928

Log type: Web Proxy (Reverse)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).  
Rule: Default rule
Source: External (80.0.0.1)
Destination: (10.255.255.5:443)
Request: GET http://80.1.1.1/
Filter information: Req ID: 0e886209; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=yes, valid=yes, updated=yes, logged off=no, client type=public, user activity=yes
Protocol: https
User: mydomain.co.uk\test
 Additional information

 

by: Wonko_the_Sane, Posted on 2009-09-10 at 15:46:33, ID: 25305294

try adding /exchange to the URL when accessing it

 

by: kpec01, Posted on 2009-09-10 at 15:58:43, ID: 25305353

https://80.1.1.1/exchange

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)


 

by: kpec01, Posted on 2009-09-10 at 16:02:30, ID: 25305371

https://myemaildomain.co.uk/exchange

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

 

by: kpec01, Posted on 2009-09-10 at 16:13:41, ID: 25305417

ok getting close ....

Just rebooted everything ...

If I type www.myemaildomain.co.uk the ISA login page is displayed ..

after logging in the url changes to https://myemaildomain.co.uk

with The page cannot be displayed and Error Code: 403 Forbidden (12202)

however if I then manually add "exchange" to the end ... so it reads https://myemaildomain.co.uk/exchange

and hit enter

The OWA pages appear correctly



 

by: Wonko_the_Sane, Posted on 2009-09-10 at 16:35:06, ID: 25305567

That I think is normal.
You can create an HTML redirect page to finally forward to /exchange.

Do this on the FE.
On ISA, include /* in the paths to forward.

 

by: kpec01, Posted on 2009-09-10 at 16:41:49, ID: 25305611

OK, tried to add /* in the paths to forward and receive the following

The mappings /* to /* and public/* to public/* share the same prefix

 

by: kpec01, Posted on 2009-09-10 at 16:44:57, ID: 25305629

woot got it ...

Ext = / Int = /Exchange\

Finally what can I say .... you're a star ...

Surely there has to be an easier way if your www address is different from your internal domain ........
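The two things the path list did in the last few posts (rejecting "/*" next to "/public/*", and mapping the bare external "/" to the internal "/Exchange/" while denying anything not listed with 12202) can be modelled in a few lines. This is an added example, not code from the thread or from Microsoft; the path semantics (a trailing "/*" matches the whole subtree, a path without it matches exactly, external path rewritten to internal path) are assumptions about the ISA rule editor, and the path lists are constructed from the posts.

```python
"""Model of the path list in an ISA 2006 web publishing rule.

Added example; not code from the thread or from Microsoft. It reproduces
the two behaviours the thread ran into: the rule editor rejects two
wildcard paths that share a prefix ("/*" next to "/public/*"), and a
request whose path matches no entry is denied with 12202 instead of
being forwarded. Semantics are assumed: "<path>/*" matches the subtree,
a path without "/*" matches exactly, external paths map to internal ones.
"""
from __future__ import annotations

DENIED = "403 Forbidden (12202): the server denied the specified URL"


def _split(path: str) -> tuple[str, bool]:
    """'/exchange/*' -> ('/exchange/', True); '/' -> ('/', False)."""
    if path.endswith("/*"):
        return path[:-1].lower(), True
    return path.lower(), False


def path_conflict(mappings: dict[str, str]) -> str | None:
    """Return the editor's 'share the same prefix' error, or None if the list is valid."""
    wild = [(_split(e)[0], e) for e in mappings if _split(e)[1]]
    for i, (pa, ea) in enumerate(wild):
        for pb, eb in wild[i + 1:]:
            if pa.startswith(pb) or pb.startswith(pa):
                return f"The mappings {ea} and {eb} share the same prefix"
    return None


def map_request(mappings: dict[str, str], request_path: str) -> str:
    """Rewrite an external request path to its internal path, or deny it.

    An exact entry wins outright; among wildcards the longest prefix wins.
    """
    req = request_path.lower()
    best: tuple[int, str] | None = None
    for ext, internal in mappings.items():
        prefix, wildcard = _split(ext)
        if not wildcard and req == prefix:
            return internal
        if wildcard and req.startswith(prefix):
            tail = request_path[len(prefix):]
            cand = internal[:-1] + tail if internal.endswith("/*") else internal
            if best is None or len(prefix) > best[0]:
                best = (len(prefix), cand)
    return best[1] if best else DENIED


# The path list the thread ended with (constructed from the posts): the three
# OWA subtrees plus the asker's final mapping of external "/" to internal "/Exchange/".
OWA_PATHS = {"/public/*": "/public/*", "/exchange/*": "/exchange/*",
             "/exchweb/*": "/exchweb/*", "/": "/Exchange/"}
# The first attempt, adding "/*" next to the existing wildcards.
BAD_PATHS = {**OWA_PATHS, "/*": "/*"}

if __name__ == "__main__":
    print(path_conflict(BAD_PATHS))
    print(path_conflict(OWA_PATHS))
    for p in ["/", "/exchange/", "/Exchange/kim/Inbox/", "/owa/"]:
        print(f"{p:24s} -> {map_request(OWA_PATHS, p)}")
```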

 

by: Wonko_the_Sane, Posted on 2009-09-11 at 05:49:25, ID: 25308813

Well, it is pretty easy, isn't it. :)

It is normal for the internal address to be different, that's true. The clean way would be to have a certificate with the internal name on your FE, then you can avoid those tricks. If for example you run an internal PKI this is fairly easy to do. But really, it works both ways. Alternative is to do SSL only to your ISA server, and from here you can do HTTP to the FE. Of course this is less secure, but it really depends on your situation if that's a problem or not. Since you've got it working with SSL I really wouldn't change it.

The forwarding to /exchange you have to do in any case I think... Mainly because that is the address on the FE, and ISA just does forwarding. And it makes sense this way, too - let's say you run Exchange 2007, you would rather forward to /owa.
I don't think creating a small HTML page with a redirection is a big deal, at least that's how I set up mine.
