Solved

Configuring ISA 2004 with OWA HTTPS

Posted on 2008-01-25
Medium Priority
2,328 Views
Last Modified: 2010-05-18
I'm running OWA 2003 and trying to set it up with HTTPS. Currently users on the outside access their mail by using http://mail.abcd.com/exchange.
I have configured the certificate on the Exchange server, installed it on the ISA box and created a web filter that uses HTTPS and this certificate. The Exchange server is not using forms-based authentication, but I have it enabled at the ISA level.
Internally I can access the HTTPS site fine, but from the outside I get an Internal Server Error (500) and the message "The target principal name is incorrect".
I've changed the names in the ISA rules but I'm missing something.
Any ideas or help would be appreciated.

0
Question by:DFCRJ
17 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20749114
Long time - no speak.
What is the FQDN you have published in the certificate? Effectively it should be something like smtp.external_dns_domain.com

What certificate have you generated? From an internal CA? Public Certificate?
0
 

Author Comment

by:DFCRJ
ID: 20749979
You're right! I've been on other projects and this was something I've been meaning to do.
For the FQDN I have "mail.dairycorp.com", which is the address used to access OWA from the outside now. As for the certificate, I generated it from an internal CA.
I did see in the ISA logs, when I tried to connect on 443, that it was using anonymous as the user and didn't have my username displayed.
0
 

Author Comment

by:DFCRJ
ID: 20749987
Update: I just tried it again and now my error is this:

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

Using https://mail.dairycorp.com/exchange
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20749991
OK, so how have you published the mail service in ISA?
Are you bridging HTTPS from the Internet to ISA and then from ISA to Exchange?
Have you exported the Exchange certificate and imported it into ISA?
0
 

Author Comment

by:DFCRJ
ID: 20751197
Currently I have a web publishing rule in ISA called OWA, using HTTP and the web listener with the public names listed as above and paths set to /exchange. And of course this works.

So I created a new web publishing rule in ISA called OWA_HTTPS, using a new web listener set to HTTPS, and from there installed the certificate I exported from Exchange. Inside the web listener ISA allowed me to select the certificate. I set the authentication to forms-based, and it is not enabled on the Exchange box.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20751261
That sounds OK. 10060 is sometimes reported as a permissions error but can also be seen as a timeout. Either way, bottom line, it's a connection refused, so you should see this in the logs.

Open the ISA GUI, select Monitoring, then Logging, and click Start Query.
Attempt the HTTPS access from outside. What do you get in the log?

Can you connect through HTTPS to OWA internally successfully?
0
 

Author Comment

by:DFCRJ
ID: 20751355
Alrighty, internally I got right in with no problems.
From the outside I got prompted about the certificate by IE, asking me to continue.
After that it immediately bombs and now has the 500 code.
The ISA logs say this:
12202 The ISA Server denied the specified Uniform Resource Locator (URL).    0x0    0x0    Web Proxy Filter    https    Denied Connection    Default rule    14.92.239.14    anonymous    External
What should be in the Public Name location? Is that where it's failing?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20751382
Basically it is saying that the traffic that arrived did not match the traffic defined in the publishing rule; therefore the default rule caught it and you got your message.

The public name should be the domain part only (for example kalabaster.com; omit any mail, smtp, www or other server name at the front).
0
 

Author Comment

by:DFCRJ
ID: 20751413
Alright, I changed it to the example and now it changed from the 500 error to:
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL)

The ISA log has the same thing as before. But look at the request from the log; does that look right?
Source: External ( 68.213.225.70:0)
Destination: ( 209.16.242.12:443)
Request: http://mail.dairycorp.com/exchange 
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20751430
Is 209.16.242.12 your internal IP address? I doubt it. When you published the rule it will have asked you for the name of the server to point at; this should just be the internal NetBIOS name, not a fully qualified domain name.
Also, on the same page, you have the option of putting in the internal IP address of the service where OWA is hosted. Make sure you tick that box and put in the internal IP.
0
 

Author Comment

by:DFCRJ
ID: 20751462
Now I'm getting the flow of it. I changed it and now the log says:

Failed:
Log type: Web Proxy (Reverse)
Status: 0x80090322  
Rule: OWA HTTPS
Source: External ( 68.213.225.70:0)
Destination: ( 10.60.1.15:443)
Request: https://10.60.1.15:443/exchange 
Filter information: Req ID: 08ad1924; Compression:None
Protocol: https
User: anonymous
0
 
LVL 51

Accepted Solution

by: Keith Alabaster (earned 2000 total points)
ID: 20751522
You are running the Publish a Mail Server wizard, aren't you, i.e. not an access rule?

lol, now it is unhappy with the certificate name. In the certificate details section, is there a yellow exclamation mark shown?
0
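The two log entries the thread turns on are the 12202 "Default rule" denial (the request matched no publishing rule) and the later Status 0x80090322 on the OWA HTTPS rule, which is the Schannel code SEC_E_WRONG_PRINCIPAL ("The target principal name is incorrect"): ISA bridged the connection to 10.60.1.15 by raw IP, and the certificate Exchange presented was issued to mail.dairycorp.com, so the name ISA connected to was not on the certificate. The following triage script is an added example and is not code from the thread or from ISA Server; the log samples are constructed from the entries pasted above, the `triage`, `parse_entry`, `request_host` and `hostname_matches` helpers are hypothetical names, and the hostname check is a simplified version of the RFC 6125 rules (exact name or one left-most wildcard label, with an IP literal never matching a DNS name).

```python
"""Triage ISA Server 2004 Web Proxy (Reverse) log entries for the two failures
seen in this thread: the default-rule denial (result 12202) and the certificate
principal-name mismatch (Status 0x80090322).  Hypothetical helper, not an ISA tool."""
import ipaddress
import re
from urllib.parse import urlsplit

# Schannel/SSPI status codes ISA copies into the Status field when the
# ISA-to-Exchange leg of a bridged HTTPS connection fails the TLS handshake.
STATUS_CODES = {
    0x80090322: "SEC_E_WRONG_PRINCIPAL: 'The target principal name is incorrect'; "
                "the certificate name does not match the host ISA connected to",
    0x80090325: "SEC_E_UNTRUSTED_ROOT: ISA does not trust the CA that issued the certificate",
    0x80090328: "SEC_E_CERT_EXPIRED: the certificate is expired or not yet valid",
}

# Log entries constructed from the ones pasted in the thread (not real captures).
SAMPLE_DEFAULT_RULE = """\
Denied Connection
Log type: Web Proxy (Reverse)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: External ( 68.213.225.70:0)
Destination: ( 209.16.242.12:443)
Request: http://mail.dairycorp.com/exchange
User: anonymous
"""
SAMPLE_WRONG_PRINCIPAL = """\
Failed Connection Attempt
Log type: Web Proxy (Reverse)
Status: 0x80090322
Rule: OWA HTTPS
Source: External ( 68.213.225.70:0)
Destination: ( 10.60.1.15:443)
Request: GET https://10.60.1.15:443/exchange
Protocol: https
User: anonymous
"""
SAMPLE_OK = """\
Allowed Connection
Log type: Web Proxy (Reverse)
Status: 0x0
Rule: OWA HTTPS
Destination: ( 10.60.1.15:443)
Request: GET https://mail.dairycorp.com/exchange
User: DAIRYCORP\\jsmith
"""


def parse_entry(text):
    """Turn the 'Field: value' lines shown by the ISA log viewer into a dict."""
    entry = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*):\s*(.*)", line)
        if m:
            entry[m.group(1).strip()] = m.group(2).strip()
    return entry


def request_host(entry):
    """Host ISA actually connected to, taken from the Request URL ('GET https://...')."""
    request = entry.get("Request", "")
    if not request:
        return ""
    return urlsplit(request.split()[-1]).hostname or ""


def hostname_matches(cert_name, host):
    """Simplified RFC 6125 match: exact DNS name, or one left-most wildcard label.
    An IP literal only matches an identical IP entry, never a DNS name."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return cert_name == host
    except ValueError:
        pass
    if cert_name.startswith("*."):
        return (host.count(".") == cert_name.count(".")
                and host.split(".", 1)[1] == cert_name[2:])
    return cert_name == host


def triage(text, cert_names):
    """Return findings for one log entry, given the DNS names (subject CN and
    SANs) on the certificate that Exchange presents to ISA."""
    entry = parse_entry(text)
    findings = []
    status = entry.get("Status", "")
    host = request_host(entry)
    if status.startswith("0x"):
        code = int(status.split()[0], 16)
        if code in STATUS_CODES:
            findings.append(STATUS_CODES[code])
        if code == 0x80090322 and host and not any(hostname_matches(n, host) for n in cert_names):
            findings.append(
                f"ISA connected to '{host}' but the certificate names are {sorted(cert_names)}; "
                "point the publishing rule at a name that is on the certificate and map that "
                "name to the internal IP instead of connecting by raw IP")
    if status.startswith("12202") or entry.get("Rule", "").lower() == "default rule":
        findings.append(
            "12202 / Default rule: the request matched no publishing rule, so the default deny "
            "caught it; compare the URL the client used with the rule's Public Name and Paths")
    return findings


if __name__ == "__main__":
    for label, sample in [("default rule", SAMPLE_DEFAULT_RULE),
                          ("wrong principal", SAMPLE_WRONG_PRINCIPAL), ("ok", SAMPLE_OK)]:
        print(label, "->", triage(sample, {"mail.dairycorp.com"}) or ["no findings"])
```

Run against the constructed samples, the 0x80090322 entry produces both the decoded Schannel error and the concrete name mismatch (connected to 10.60.1.15, certificate for mail.dairycorp.com), which is exactly the condition the accepted answer points at; the 12202 entry is reported as a public-name/path mismatch, and the clean entry yields nothing. Because the IP-literal rule never matches a DNS name, the check also explains why ticking "use the internal IP" in the rule fixes routing but not the certificate error unless the name ISA presents to Exchange is the one on the certificate.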
 

Author Comment

by:DFCRJ
ID: 20751670
You're right, as freaking always, dude :)
I fixed the name and it's working, baby!!!!!!
Thanks for the patience and thanks for the time!!!
0
 

Author Closing Comment

by:DFCRJ
ID: 31424949
Excellent
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20751736
and as always, you're welcome :)
0
 
LVL 3

Expert Comment

by:ashkaat
ID: 21962257
Dear Keith,

Can you please give more clarification about the solution, as I didn't exactly get what to modify in order to get things running? Where is this yellow exclamation mark?

I'm having the same problem, and ISA is generating this error:

Failed Connection Attempt IISISA1 7/9/2008 2:03:32 PM
Log type: Web Proxy (Reverse)
Status: 0x80090322

Rule: OWA Publish
Source: External (78.101.134.136)
Destination: (iisexch1.mylocaldomain.local 192.168.1.5:443)
Request: GET https://192.168.1.5:443/exchange 

Filter information: Req ID: 0cfdcbca; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=yes, valid=yes, updated=no, logged off=no, client type=public, user activity=yes

Protocol: https
User: mylocaldomain\myusername

Additional information
Client agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/20080623
Firefox/2.0.0.15
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 1 MIME type:

Your prompt reply is highly appreciated.
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 33999249
I have a PIX 515e and an ISA 2006 in a DMZ. I am trying to publish OWA 2003 with ISA. HTTP and HTTPS are pushed through to the ISA box, but when external clients connect to the external IP they get denied by the Firewall service, as you see below. I am hoping the PIX is not the problem and I am just configuring ISA wrong. Though I have been through the instructions a couple of times and they seem simple enough, they have not resulted in a good config. The ISA box is in a back-firewall configuration with the front-end Exchange box behind it on the internal network. Any thoughts?

Denied Connection---- 10/27/2010 3:06:04 AM
Log type: Firewall service
Status:  
Rule:  
Source: External (xx.xxx.100.35:60794)
Destination: Local Host (xxx.xx.xxx.36:443)
Protocol: HTTPS
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0 ms Original Client IP: xxx.xxx.100.35
Client agent:
 
0
