ISA owa proxy internal users

Posted on 2007-10-16
Medium Priority
Last Modified: 2008-11-17
Ok, we have set up OWA publishing with ISA 2006. When an external user goes to owa.domain.com it goes to our ISA and then ISA goes to the internal site, let's call it webmail1. ISA has an entry in its hosts file for owa.domain.com to go to the internal IP of the mail server. The problem comes when internal users try to go to owa.domain.com: they are using the ISA as their proxy. So since it's an internal IP and ISA is also pointing to the internal IP of webmail1, the users don't get the form-based login, they get a pop-up to log in.

The solution I would think is to enable form authentication on the mail server, but then ISA doesn't work when that's enabled.

Question by:quippee
Expert Comment

by:Keith Alabaster
ID: 20095651
Nope - the problem is likely that your DNS is returning the external IP address of ISA as the IP address needed to get to OWA whereas, when inside, you need the internal IP address of the OWA box. If you have published the OWA server to listen on both the ISA internal & external interfaces, then this is the IP address that needs to be used.

You can test this by doing an nslookup of owa.domain.com - what IP address does it return, internal or external, from a client workstation?

You have a couple of options.

1. If you have done the sensible thing, and used a different DNS system for internal than the one you have used for external, then it's easy. You simply create a new DNS zone on your internal servers that matches your external domain.com and create an A record for OWA that points to either the OWA box directly (internal IP) or uses the ISA internal NIC IP (internal IP).

2. If you have done the horrible, i.e. your internal DNS and your external DNS are both yourdomain.com, then you are somewhat stuffed, as you will not be able to create an internal and external A record in the zone called OWA with different IP addresses - it won't like it. In this case you will likely want to use something like the hosts file to put an entry in for OWA and give the internal IP address required.

Author Comment

ID: 20095841

Ok, that makes sense but seems to be a different set up than I have....

I have a mail server with regular OWA access, meaning you get a pop-up. Then ISA is publishing OWA using an external IP and using form authentication.

The clients use ISA as the proxy, so when they hit owa.domain.com they don't access their DNS, ISA does the resolution for them. And ISA as a server points owa.domain.com to the internal IP of the mail server that has the pop-up login.

When I was setting up OWA it was stated in the guide that ISA needs to resolve owa.domain.com to the internal IP address.

So even if I use a hosts file it still doesn't work because ISA, when responding to proxy requests for owa.domain.com, will take them to the internal IP.

Did that help? lol I hope so, so you can help me :)

Accepted Solution

Keith Alabaster earned 2000 total points
ID: 20095909
ISA should have no knowledge of DNS whatsoever except that which it is told about by your internal DNS servers. This is why the setup of ISA specifically states that you do not need a DNS entry on its external interface, only on the internal interface. In fact, having an entry on the external NIC can actually screw you. That entry should point to your internal DNS servers. In turn, the internal DNS servers then look up the info locally and, if they don't know the answer, they use the IP addresses set in their forwarders tab to go and ask the ISP or whatever.

Another reason for this is to stop any DNS cache held on the ISA from being 'poisoned'.

Also, proxy has no understanding of DNS. The proxy service uses the DNS service to perform lookups - from a sequencing point, the ISA server will look at its DNS cache (cleared every time you reboot the ISA box), then the hosts file, then the local DNS.
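The lookup order just described (cache, then hosts file, then DNS) is why a hosts-file entry on the ISA box silently overrides whatever the internal DNS answers for a published name, and why option 2 in the first reply (a hosts entry in a single-zone setup) has side effects for every client proxying through that box. The following is an added illustration, not code from this thread or from ISA itself: it parses a constructed hosts file, resolves a name in that order, and flags entries that shadow DNS. The hostnames and the addresses 10.0.0.5 and 203.0.113.10 are constructed sample values.

```python
"""Simulate the resolution order described in the thread (cache -> hosts -> DNS)
and flag hosts-file entries that shadow DNS for a published name.

All data below is constructed for illustration; it is not the poster's setup.
"""

import ipaddress

# Constructed sample hosts file as it might look on the proxy box.
SAMPLE_HOSTS = """\
# constructed example hosts file
127.0.0.1   localhost
10.0.0.5    owa.domain.com   # hypothetical internal mail server address
"""

# Constructed stand-in for the answers the internal DNS server would give.
SAMPLE_DNS = {
    "owa.domain.com": "203.0.113.10",     # hypothetical published (external) address
    "webmail1.domain.com": "10.0.0.5",    # hypothetical internal mail server
}


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring comments and blanks."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # need an address and one name
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                          # skip malformed address lines
        for name in parts[1:]:
            entries[name.lower()] = ip        # later lines override earlier ones
    return entries


def resolve(name, cache, hosts, dns):
    """Resolve a name in the order the answer gives: cache, hosts file, then DNS.

    Returns (ip, source) where source names the table that answered, or
    (None, None) when nothing answers.
    """
    name = name.lower()
    for source, table in (("cache", cache), ("hosts", hosts), ("dns", dns)):
        if name in table:
            return table[name], source
    return None, None


def shadowed_names(hosts, dns):
    """Names whose hosts-file address differs from the DNS answer.

    Every client using this box as a proxy is sent to the hosts-file address,
    bypassing whatever the published listener does (here, forms-based auth).
    """
    return {
        name: {"hosts": hosts[name], "dns": dns[name]}
        for name in hosts
        if name in dns and hosts[name] != dns[name]
    }


def check(hosts_text, dns, name):
    """Report what a proxied client gets for `name` before and after the
    hosts entry is removed, which is the fix the poster ended up applying."""
    hosts = parse_hosts(hosts_text)
    before = resolve(name, {}, hosts, dns)
    hosts_without = {n: ip for n, ip in hosts.items() if n != name.lower()}
    after = resolve(name, {}, hosts_without, dns)
    return {"before": before, "after": after, "shadowed": shadowed_names(hosts, dns)}


if __name__ == "__main__":
    report = check(SAMPLE_HOSTS, SAMPLE_DNS, "owa.domain.com")
    print("with hosts entry:   ", report["before"])
    print("without hosts entry:", report["after"])
    for n, addrs in report["shadowed"].items():
        print(f"hosts entry for {n} shadows DNS: {addrs}")
```

Run it as-is to see the name answered from the hosts file first and from DNS once the entry is gone. On a real box the same check is a matter of comparing the hosts file against what nslookup returns from a client, as suggested earlier in the thread; the script just makes the precedence explicit.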

Author Comment

ID: 20096336
Yes, I got it to work. What I did is to delete the hosts file entry in ISA that pointed owa.domain.com to the internal IP of the mail server. So now everything points to the outside address and it's working fine. I forgot to mention that this is a single-NIC set up for ISA.

What was happening before was that on the ISA server I was trying to go to owa.domain.com and it kept taking me to the internal site, so like I said I changed the entry in DNS to point to the outside. Our internal and external is the same name..... domain.com. In the OWA publishing rule where it says TO, I have the name of the mail server and its IP. I used to have the name of the server and owa.domain.com.

Hope this helps anyone, and also thanks for the input Keith.

Expert Comment

by:Keith Alabaster
ID: 20096471
Welcome :)
