Configuring ISA 2004 with OWA HTTPS

I'm running OWA 2003 and trying to set it up with HTTPS. Currently users on the outside access their mail by using http://mail.abcd.com/exchange.
I have configured the certificate on the exchange, installed it on the ISA box and created a web filter that uses https and this certificate. The Exchange is not using forms based authentication, but I have it enabled at the ISA level.
Internally I can access the https site fine, but from the outside I get an Internal Server Error (500) and the message "The target principal name is incorrect".
I've changed the names in the ISA rules but I'm missing something.
Any ideas or help would be appreciated.

DFCRJ asked:

Keith Alabaster (Enterprise Architect) commented:
Long time - no speak.
What is the fqdn you have published in the certificate - effectively it should be something like smtp.external_dns_domain.com

What certificate have you generated? From an internal CA? Public Certificate?
0
DFCRJ (Author) commented:
You're right! I've been on other projects and this was something I'd been meaning to do.
On the FQDN I have "mail.dairycorp.com", which is the address used to access OWA from the outside now. And the certificate I generated from an internal CA.
I did see in the ISA logs when I tried to connect on 443 that it was using anonymous as the user and didn't have my username displayed.
0
DFCRJ (Author) commented:
Update, I just tried it again and now my error is this:

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

Using https://mail.dairycorp.com/exchange
0

Keith Alabaster (Enterprise Architect) commented:
Ok - so how have you published the mail service in ISA?
Are you bridging HTTPS from Internet to ISA, then ISA to Exchange?
Have you exported the Exchange certificate and imported it into ISA?
0
DFCRJ (Author) commented:
Currently I have a web publishing rule in ISA called OWA, using HTTP and the web listener with the public names list as above and paths set to /exchange. And of course this works.

So, I created a new web publishing rule in ISA called OWA_HTTPS, using a new web listener set to HTTPS, and from there installed the certificate I exported from Exchange. Inside the web listener ISA allowed me to select the certificate. I set it to Forms Based on the authentication and it is not enabled on the Exchange box.
0
Keith Alabaster (Enterprise Architect) commented:
That sounds ok - 10060 is sometimes reported as a permissions error but can also be seen as a timeout. Either way, bottom line, it's a connection refused, so you should see this in the logs.

Open the ISA GUI, select Monitoring - Logging - click Start Query.
Attempt the HTTPS access from outside; what do you get in the log?

Can you connect through https to the owa internally successfully?
0
DFCRJ (Author) commented:
Alrighty, internally I got right in with no problems.
From the outside I got prompted about the certificate from IE, asking me to continue.
After that it immediately bombs and now has the 500 code.
The isa logs say this :
12202 The ISA Server denied the specified Uniform Resource Locator (URL).       0x0      0x0Web Proxy Filter      https      Denied Connection      Default rule      14.92.239.14       anonymous      External                   
What should be in the Public name location? Is that where its failing?
0
Keith Alabaster (Enterprise Architect) commented:
Basically it is saying that the traffic that arrived did not match the traffic defined in the publishing rule - therefore the default rule caught it and you got your message.

the public name should be the domain part only (for example kalabaster.com - omit any mail, smtp, www or other server name in the front)
0
DFCRJ (Author) commented:
Alright, I changed it to the example and now it changed from the 500 error to
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL)

ISA Log has the same thing as before. But look at the request from the log, does that look right?
Source: External ( 68.213.225.70:0)
Destination: ( 209.16.242.12:443)
Request: http://mail.dairycorp.com/exchange 
0
Keith Alabaster (Enterprise Architect) commented:
Is 209.16.242.12 your internal IP address? Doubt it. When you published the rule it will have asked you for the name of the server to point at - this should just be the internal NetBIOS name, not a fully qualified domain name.
Also, on the same page, you have the option of putting in the internal IP address of the service where OWA is hosted - make sure you tick that box and put in the internal IP.
0
DFCRJ (Author) commented:
Now I'm getting the flow of it. Changed it and now the log says

Failed:
Log type: Web Proxy (Reverse)
Status: 0x80090322  
Rule: OWA HTTPS
Source: External ( 68.213.225.70:0)
Destination: ( 10.60.1.15:443)
Request: https://10.60.1.15:443/exchange 
Filter information: Req ID: 08ad1924; Compression:None
Protocol: https
User: anonymous
0
Keith Alabaster (Enterprise Architect) commented:
You are running the Publish a Mail Server wizard, aren't you, i.e. not an access rule?

lol - now it is unhappy with the cert name..... in the cert details section, is there a yellow exclamation mark shown?
0
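The two log records in this thread point at two different failures, and it helps to see the distinction in code. A denial by the "Default rule" with user "anonymous" means no web publishing rule matched the request (the Host header the browser sent did not match any entry in the rule's public names), so the traffic fell through to the deny-all rule. Status 0x80090322 is the Schannel/SSPI code SEC_E_WRONG_PRINCIPAL, the same "The target principal name is incorrect" message the question opened with: it is raised on the ISA-to-Exchange leg, because when ISA bridges HTTPS to HTTPS it validates the backend's certificate against the name it used to connect, and the log shows that name as "https://10.60.1.15:443/exchange". A certificate issued to mail.dairycorp.com can never match an IP literal, so the published server name has to be one the certificate carries. The script below is an added example, not from the thread or from Microsoft; it parses the "Field: value" blocks the ISA logging pane shows, applies those two checks, and reports which one fired. The log records are constructed from the values posted above, and the certificate names passed in are assumptions for illustration.

```python
"""Triage ISA 2004/2006 reverse-proxy (web publishing) log records for OWA.

Added example. Parses the 'Field: value' blocks shown in the ISA Monitoring >
Logging pane and classifies the two failure modes discussed in the thread.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Schannel/SSPI status value ISA reports as "The target principal name is
# incorrect": the backend certificate did not match the name ISA connected to.
SEC_E_WRONG_PRINCIPAL = 0x80090322

# Constructed records, built from the values posted in the thread.
LOG_DEFAULT_RULE = """Failed:
Log type: Web Proxy (Reverse)
Status: 0x0
Rule: Default rule
Source: External ( 68.213.225.70:0)
Destination: ( 209.16.242.12:443)
Request: http://mail.dairycorp.com/exchange
Protocol: https
User: anonymous"""

LOG_WRONG_PRINCIPAL = """Failed:
Log type: Web Proxy (Reverse)
Status: 0x80090322
Rule: OWA HTTPS
Source: External ( 68.213.225.70:0)
Destination: ( 10.60.1.15:443)
Request: https://10.60.1.15:443/exchange
Protocol: https
User: anonymous"""

# Constructed "after the fix" record: rule now points at the certificate name.
LOG_FIXED = """Allowed:
Log type: Web Proxy (Reverse)
Status: 0x0
Rule: OWA HTTPS
Source: External ( 68.213.225.70:0)
Destination: ( 10.60.1.15:443)
Request: https://mail.dairycorp.com/exchange
Protocol: https
User: anonymous"""


def parse_isa_entry(text):
    """Turn an ISA log block into a dict keyed by lower-cased field name.

    Header lines such as 'Failed:' carry no value and are skipped; only the
    first colon splits, so 'Request: https://host:443/...' keeps its URL."""
    entry = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            entry[key.strip().lower()] = value.strip()
    return entry


def request_host(entry):
    """Host part of the outbound Request URL: the name ISA validates the
    backend certificate against when bridging HTTPS to HTTPS."""
    return urlsplit(entry["request"]).hostname


def cert_matches_host(cert_names, host):
    """Hostname matching as Schannel and browsers apply it: exact match, or a
    single leftmost wildcard label. An IP literal only ever matches an IP
    entry in the certificate, never a DNS name, which is why connecting to
    10.60.1.15 with a certificate for mail.dairycorp.com fails."""
    host = host.lower()
    try:
        ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if not is_ip and name.startswith("*."):
            suffix = name[1:]  # "*.dairycorp.com" -> ".dairycorp.com"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
    return False


def diagnose(entry, cert_names):
    """Classify one parsed record against the backend certificate's names."""
    status = int(entry.get("status", "0x0"), 16)
    host = request_host(entry)
    if status == SEC_E_WRONG_PRINCIPAL:
        if not cert_matches_host(cert_names, host):
            return "backend-cert-name-mismatch"  # rule's 'to' name != cert
        return "wrong-principal-other"  # name matches; look at chain/trust
    if entry.get("rule", "").lower() == "default rule":
        return "no-publishing-rule-matched"  # Host header not in public names
    return "no-finding"


if __name__ == "__main__":
    cert = ["mail.dairycorp.com"]  # assumed subject of the Exchange certificate
    for label, raw in (("default-rule", LOG_DEFAULT_RULE),
                       ("wrong-principal", LOG_WRONG_PRINCIPAL),
                       ("fixed", LOG_FIXED)):
        print(f"{label}: {diagnose(parse_isa_entry(raw), cert)}")
```

The matching rule in `cert_matches_host` is deliberately strict about IP literals: an internal hosts entry on the ISA box that resolves the certificate's subject name to the Exchange server's internal IP is the usual way to keep the "to" name equal to the certificate name while still reaching the right box.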
DFCRJ (Author) commented:
You're right, as freaking always, dude :)
I fixed the name and it's working, baby!!!!!!
Thanks for the patience and thanks for the time!!!
0
DFCRJ (Author) commented:
Excellent
0
Keith Alabaster (Enterprise Architect) commented:
and as always, you're welcome :)
0
ashkaat commented:
Dear Keith,

Can you please give more clarification about the solution, as I didn't exactly get what to modify in order to get things running. Where's this yellow exclamation mark?

I'm having the same problem, and ISA is generating this error:

Failed Connection Attempt IISISA1 7/9/2008 2:03:32 PM
Log type: Web Proxy (Reverse)
Status: 0x80090322

Rule: OWA Publish
Source: External (78.101.134.136)
Destination: (iisexch1.mylocaldomain.local 192.168.1.5:443)
Request: GET https://192.168.1.5:443/exchange 

Filter information: Req ID: 0cfdcbca; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=yes, valid=yes, updated=no, logged off=no, client type=public, user activity=yes

Protocol: https
User: mylocaldomain\myusername

Additional information
Client agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/20080623
Firefox/2.0.0.15
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 1 MIME type:

Your prompt reply is highly appreciated.
0
rbeckerdite commented:
I have a PIX 515e and an ISA 2006 in a DMZ. I am trying to publish OWA 2003 with ISA. HTTP and HTTPS are pushed through to the ISA box, but when external clients connect to the external IP they get denied by the firewall service, as you see below. I am hoping the PIX is not the problem and I am just configuring ISA wrong. Though I have been through the instructions a couple of times and they seem simple enough, they have not resulted in a good config. The ISA box is in a back firewall configuration with the front-end Exchange box behind it on the internal network. Any thoughts?

Denied Connection---- 10/27/2010 3:06:04 AM
Log type: Firewall service
Status:  
Rule:  
Source: External (xx.xxx.100.35:60794)
Destination: Local Host (xxx.xx.xxx.36:443)
Protocol: HTTPS
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0 ms Original Client IP: xxx.xxx.100.35
Client agent:
 
0
Microsoft Forefront ISA Server