ISA owa proxy internal users

Posted on 2007-10-16
Last Modified: 2008-11-17
Ok, we have set up OWA publishing with ISA 2006. When an external user goes to the OWA address, it goes to our ISA and then ISA goes to the internal site, let's call it webmail1. ISA has an entry in its hosts file to go to the internal IP of the mail server. The problem comes when internal users try to go to the same address: they are using the ISA as their proxy. So since it's an internal IP and ISA is also pointing to the internal IP of webmail1, the users don't get the forms-based login, they get a popup to log in.

The solution, I would think, is to enable forms authentication on the mail server, but then ISA doesn't work when that's enabled.

Question by: quippee

Expert Comment by: Keith Alabaster (LVL 51)
Nope - the problem is likely that your DNS is returning the external IP address of ISA as the IP address needed to get to OWA, whereas, when inside, you need the internal IP address of the OWA box. If you have published the OWA server to listen on both the ISA internal and external interfaces, then this is the IP address that needs to be used.

You can test this by doing an nslookup of the OWA name - what IP address does it return, internal or external, from a client workstation?

    You have a couple of options.

1. If you have done the sensible thing and used a different DNS system internally than the one you have used externally, then it's easy. You simply create a new DNS zone on your internal servers that matches your external one and create an A record for OWA that points either to the OWA box directly (internal IP) or to the ISA internal NIC IP (internal IP).

2. If you have done the horrible, i.e. your internal DNS and your external DNS are both the same, then you are somewhat stuffed, as you will not be able to create an internal and an external A record called OWA with different IP addresses in the zone - it won't like it. In this case you will likely want to use something like the hosts file to put in an entry for OWA and give the internal IP address required.

Author Comment by: quippee

Ok, that makes sense, but it seems to be a different setup than I have....

I have a mail server with regular OWA access, meaning you get a popup. Then ISA is publishing OWA using an external IP and using forms authentication.

The clients use ISA as the proxy, so when they hit the OWA address they don't access their DNS; ISA does the resolution for them. And ISA as a server points to the internal IP of the mail server that has the popup login.

When I was setting up OWA, it was stated in the guide that ISA needs to resolve to the internal IP address.

So even if I use a hosts file it still doesn't work, because ISA, when responding to proxy requests for the OWA address, will take them to the internal IP.

Did that help? lol, I hope so, so you can help me :)

Accepted Solution by: Keith Alabaster (LVL 51)

ISA should have no knowledge of DNS whatsoever except that which it is told about by your internal DNS servers. This is why the setup of ISA specifically states that you do not need a DNS entry on its external interface, only on the internal interface. In fact, having an entry on the external NIC can actually screw you. That entry should point to your internal DNS servers. In turn, the internal DNS servers then look up the info locally and, if they don't know the answer, they use the IP addresses set in their Forwarders tab to go and ask the ISP or whatever.

Another reason for this is to stop any DNS cache held on the ISA from being 'poisoned'.

Also, proxy has no understanding of DNS. The proxy service uses the DNS service to perform lookups - from a sequencing point of view, the ISA server will look at its DNS cache (cleared every time you reboot the ISA box), then the hosts file, then the local DNS.
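The nslookup check suggested in the first expert comment, and the resolution order (cache, hosts file, then DNS) described in the accepted solution, can be scripted so the result is unambiguous rather than read by eye. The script below is an added example, not part of the original thread or of ISA itself; it resolves a name through the local OS resolver and labels each answer as internal (RFC 1918) or external, so that running it from an inside client, from the ISA box and from an outside client shows whether each side sees the view of DNS it should. The host name `owa.example.com` is a placeholder, since the thread does not give the real published name.

```python
"""
Added example (not from the thread): resolve a published OWA name from the
machine you run this on and label each answer as internal (RFC 1918) or external.
With split DNS you expect 'internal' from inside clients and the ISA box, and
'external' from an outside client. OWA_NAME is a placeholder (assumption).
"""
import ipaddress
import socket
from typing import Dict, List

OWA_NAME = "owa.example.com"  # placeholder for the published OWA name (assumption)

# RFC 1918 ranges; "internal" here means the answer lives in one of these.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_address(addr: str) -> str:
    """Return 'internal' for an RFC 1918 address, 'external' for anything else."""
    ip = ipaddress.ip_address(addr)
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def summarize(addresses: List[str]) -> Dict[str, str]:
    """Map each resolved address to its classification."""
    return {addr: classify_address(addr) for addr in addresses}


def expectation_met(addresses: List[str], expected: str) -> bool:
    """True when every answer is of the expected kind ('internal' or 'external').
    A mix of both means the client is getting more than one view of the zone,
    which is exactly the situation the thread describes."""
    return bool(addresses) and all(classify_address(a) == expected for a in addresses)


def resolve_ipv4(name: str) -> List[str]:
    """IPv4 answers from the OS resolver. Unlike nslookup, which asks the DNS
    server directly, getaddrinfo consults the hosts file before DNS, which is
    the same order the accepted solution gives for ISA (cache, hosts file, DNS).
    Run both and compare if you suspect a stale hosts entry."""
    infos = socket.getaddrinfo(name, None, family=socket.AF_INET)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    import sys

    name = sys.argv[1] if len(sys.argv) > 1 else OWA_NAME
    expected = sys.argv[2] if len(sys.argv) > 2 else "internal"  # or "external"
    try:
        answers = resolve_ipv4(name)
    except socket.gaierror as exc:
        sys.exit(f"{name}: lookup failed ({exc})")
    for addr, kind in summarize(answers).items():
        print(f"{name} -> {addr} ({kind})")
    print("OK" if expectation_met(answers, expected) else f"MISMATCH: expected {expected} only")
```

Run it as `python owa_dns_check.py owa.example.com internal` from an inside workstation that uses ISA as its proxy, and with `external` from outside; a MISMATCH from the inside client with an internal hosts entry still present on the ISA box is the symptom the thread's author eventually fixed by removing that entry.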

Author Comment by: quippee

Yes, I got it to work. What I did is delete the hosts file entry on ISA that pointed to the internal IP of the mail server. So now everything points to the outside address and it's working fine. I forgot to mention that this is a single-NIC setup for ISA.

What was happening before was that on the ISA server I was trying to go to the OWA address and it kept taking me to the internal site, so like I said I changed the entry in DNS to point to the outside. Our internal and external is the same. In the OWA publishing rule where it says TO, I have the name of the mail server and its IP. I used to have the name of the server and

Hope this helps anyone, and also thanks for the input Keith.

Expert Comment by: Keith Alabaster (LVL 51)

Welcome :)
