Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

ISA Server - Exchange Certificates SSL - Part II

Posted on 2009-02-19
48
Medium Priority
?
8,527 Views
Last Modified: 2013-11-16
Hi

After many issues with this Certificates. I think i have correct all the problems, between Exchange and Certificates

Issues that i have asked in this threats.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_24078184.html

http://www.experts-exchange.com/Microsoft/Windows_Security/Q_24084232.html

After changing the internal address, all is ok, i have an issue with the Ceriticate.

In the Exchange and ISA Server the Certificates are all correct, and all have Root Authority ok

When i test the publishing rule i get

Testing URL https://webmail.mydomain.com:443/Exchange/
Category: General error
Error details: 0x80092010 - The certificate is revoked.
Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965

In the outside world when i enter the webmail page, i can see the login age from the Exchange/ISA Server. To test the communication, If enter an invalid user, or domain, the authentication work fine, and says user/password wrong, when i enter the right i gives me a page error with

* Error Code: 500 Internal Server Error. The certificate is revoked. (-2146885616)

I have test the ISA Server with the traffic simulator

I get this error:

Denied Traffic
  - destination URL host name could not be resolved  
Rule Name: [Enterprise] Default rule
Rule Order:  

 Additional information
From: Local Host
To: Internal
Network Rule Name: None - Route implied (Local Host traffic)
Network Relationship: Route
Protocol: HTTPS
Rule Application Filter:  

This is the log from that traffic:

##########################

384 19-02-2009 16:41:12 fffca7bc Firewall service The Firewall service is performing rule evaluation.
385 19-02-2009 16:41:12 fffca7bc Firewall service Protocol: HTTPS
386 19-02-2009 16:41:12 fffca7bc Firewall Engine Packet properties: Source IP address: 192.168.10.250  Source array network: Local Host Destination IP address: 192.168.10.08 Destination array network: Internal
387 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server will check only rules that are associated with the protocol HTTPS.
388 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites.
389 19-02-2009 16:41:12 fffca7bc Firewall service The destination requires name resolution.
390 19-02-2009 16:41:12 fffca7bc Firewall service The rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites requires name resolution for evaluation.
391 19-02-2009 16:41:12 fffca7bc Firewall service The rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites requires DNS name resolution.
392 19-02-2009 16:41:12 fffca7bc Firewall service The Firewall service is performing rule evaluation.
393 19-02-2009 16:41:12 fffca7bc Firewall service Protocol: HTTPS
394 19-02-2009 16:41:12 fffca7bc Firewall Engine Packet properties: Source IP address: 192.168.10.250 Source array network: Local Host Destination IP address: 192.168.10.08 Destination array network: Internal
395 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server will check only rules that are associated with the protocol HTTPS.
396 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites.
397 19-02-2009 16:41:12 fffca7bc Firewall service destination does not match the packet.
398 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [System] Allow HTTP/HTTPS requests from ISA Server to specified sites.
399 19-02-2009 16:41:12 fffca7bc Firewall service destination does not match the packet.
400 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [System] Allow MS Firewall Control communication to selected computers.
401 19-02-2009 16:41:12 fffca7bc Firewall service destination does not match the packet.
402 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule Internet Access.
403 19-02-2009 16:41:12 fffca7bc Firewall service source does not match the packet.
404 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [Enterprise] Default rule.
405 19-02-2009 16:41:12 fffca7bc Firewall service The rule [Enterprise] Default rule matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet will take precedence and may allow the packet.
406 19-02-2009 16:41:12 fffca7bc Firewall service The rule [Enterprise] Default rule blocked the packet.
407 19-02-2009 16:41:12 fffca7bc Firewall service The Firewall service is performing rule evaluation.
408 19-02-2009 16:41:12 fffca7bc Firewall Engine Packet properties: Source IP address: 192.168.10.250 Source array network: Local Host Destination IP address: 192.168.10.08 Destination array network: Internal
409 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is looking for an applicable network rule.
410 19-02-2009 16:41:12 fffca7bc Firewall service The packet was sent to or from the Local Host network. Therefore, an implicit network rule with a route relationship between the source and destination is applied.

#####################

The 192.168.10.250 is my internal ISA Server adapter, and the 192.168.10.08 is my Exchange Server

An i have tested with my external adapter (192.168.100.253). The log is similar

Sincerely i cannot understand what is causing this. I have check all the configuration and i think all is ok

Any help will be appreciated

Jail
0
Comment
Question by:Luciano Patrão
  • 24
  • 18
  • 4
46 Comments
 
LVL 9

Expert Comment

by:abdulzis
ID: 23684990
What have you specified in the To tab of the publishing rule?
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23685314
Hi abdulzi

Thank for the reply

In the Tab Publishing rule(that is Exchange Publishing Rule) i have 2 options

1º This rule applies to this published site:

I have webmail.mydomain.com (this is the same domain that i have in my Certificate)

2º Computer name, or IP address.

I have the internal name of my Exchange Server(i have tested with the IP)

and in the end i have:

Request appear to come from original client.

One question about my certificate. I see that in the certificate, detail tab and in the "key usage" i have a yellow warning. Do not know what is this.

The data is:Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment (f0)

Jail

Jail
0
 
LVL 9

Expert Comment

by:abdulzis
ID: 23689488
Do you have a certificate on your Exchange containing webmail.mydomain.com as the common name? If you ping webmail.mydomain.com, does it resolve to the internal or externalp IP of the CAS?
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23692330
Hi

The Certificate from the Exchange is the same. I export from the Exchange, into ISA Server

Inside of the ISA Server if i ping the webmail.mydomain.com, i get the IP of Exchange Server.

That is because i have in the ISA Server hosts file 192.168.10.08 webmail.mydomain.com

Jail
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23734953
Hi

Can please anyone provide any assistance on this issue?

Thank You

Jail
0
 
LVL 9

Expert Comment

by:abdulzis
ID: 23736707
0
 
LVL 9

Expert Comment

by:abdulzis
ID: 23736714
Its quite an old article but do check if you can access the CRL of the certificate
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23774472
Hi

Sorry i did not back to the question earlier.

I have request a new Certificate. I have create a new one in the Exchange with the New-Exchangecertificate command. I have send to our services, and they have send me a new one

But i have the same problem :(

Says:

Category: General error
Error details: 0x80092010 - The certificate is revoked.

I have enable the Firewall Policy:

Authentication Services: Allow HTTP from ISA Server to selected networks for downloading updated Certificate Revocation Lists (CRL)

If i disable the firewall Specify Certificate Revocation Settings > Certificate Revocation > Verify that incoming server certificates are not revoked in a reserve scenario

Only with this option enable the test rule give me: The certificate is revoked.

So what this can tell me?

Anyone can help?

Jail


0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23788661
Hey Modus - yeah I can hit this one.

the error message you are mentioning is normally down to the DNS configuration on ISA. Sorry if i ask some questions that are in previous posts but I'm in the middle of doing a business case so am limited on time at the moment.

Can you ensure you have .net 1.1 installed on the ISA and run up the BPA?
You can get it from here  http://www.microsoft.com/downloads/details.aspx?FamilyID=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en


0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23791259
Hi keith

Again :)

Yes both are correct. I have run the BPA and no big problems regarding this issue.

What are you meaning with DNS configuration? Can you be more specific?

Now to by pass the Certificate problem, i am changing all the configuration(ISA and Exchange) to publish OWA without CRL. Just to test.

Is not working yet, i will try to get this to work tomorrow

Jail
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23792193
Please tell me what the 'not big problems' are that the BPA reported.
The troubleshooting Doc for SSL/certs on ISA can be found here.
http://technet.microsoft.com/en-us/library/cc302619.aspx

I'll cover the dns next. Pleae provide the output from an ipconfig /all on the ISA Server.
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23794721
Hi

The errors that i have is only regarding other issues that is not CRL

1º  The Resource Allocation Failure error alert was signaled 1 times

Events that triggered the alert:
04-03-2009 12:42:53 - The Web Proxy filter failed to bind its socket to 192.168.1.250 port 80. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure.
 The failure is due to error: An attempt was made to access a socket in a way forbidden by its access permissions.

2º There are no Certificates in the Local Store( this is because i delete all the CRL to make the tests without the htts)

This is my configuration

Ethernet adapter INTERNAL:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
   Physical Address. . . . . . . . . : 00-50-56-B2-47-82
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.250
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.10.1
                                       192.168.10.2

Ethernet adapter EXTERNAL:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
   Physical Address. . . . . . . . . : 00-50-56-B2-3A-D9
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.250
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 10.10.2.10
                                       10.10.2.11

After i have remove the https, from the ISA Server(and delete all the CRL), and IIS from the Exchange, in my internal Network, if i enter the external URL it works (http://webmail.mydomain.com/exchange)

I have test this with the http, and https, both work internal if i use the external domain(webmail.mydomain.com). The only thing that is not right is that ask for authentication, in th first logon, then the url is exchange.domain.local and ask the user authentication again. But after this i can see the OWA

With all this test, can help you look at the issue?

Jail
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23795381
Hi

After i add the certificate again into the ISA Server with the BPA test again i have this:

One or more certificates in the local Store a private key.

One or more certificates in the local computer store do not have a private key. If you want to implement secure Web publishing and ISA Server does not display a certificate, verify that local computer store contains at least one certificate that has a corresponding private key.

Testing the rule again i get again:

Category: General error
Error details: 0x80092010 - The certificate is revoked.

I have check the CRL and i think is ok

This certificate issues are driving me crazy :(

Jail
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23796199
Hi

Lookin at the site for SSL/certs there are on part that is:

Check that ISA Server trusts the CA that issued the certificate used to authenticate the published Web server. To do this, open Internet Explorer on the ISAServer computer, click the Tools menu, and then click Internet Options. On the Content tab, click Certificates. Check that a certificate for the CA appears on the Trusted Root Certification Authorities tab.

I have done this, but inside of the IE tools certificates, in the Trusted Root Certification Authorities tab, i dont have my CRL, only the intermediate. I try to import here in the IE tools, but after import with no errors, i still have no webmail CRL.

But if i go to the mmc certificates, and in the Trusted Root Certification Authorities folder, i have both CRL. The webmail, and the intermediate.

Is this normal?

Sorry about all this messages, but i am trying to give all the information that i can.

Jail
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23796519
Trusted Root and CRL are not the same thing - CRL is certificate revocation list
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23796566
Where di you get this cert from? It shoulld be exported from the exchange (owa) box - with the private key - then imported into ISA.
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23797014
Hi

Sorry about the confusion, when i say CRL i mean, the Certificate.

And yes this Certificate was exported in the Exchange Server, with the key. I follow all the steps.

Jail
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23797142
Hi

I have exported the Certificate(with the key) and the intermediate from the Exchange Server.

Then i import this into the MMC - Computer Account - Personal, Trusted Root Certification Authorities and Intermediate Certification Authorities.

In the Intermediate Certification Authorities - Certification Revocation List - i do not have any Certificate from this issue - is this correct?

In the Intermediate Certification Authorities - Certificate - I have the intermediate Certificate

Jail
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23797321
yes that is correct - you have nothing in the revocation list because the cert is NOT revoked.
the only thing this leaves then - assuming the basics are correct - is the publishing rule and the listener.
How have you published the service - all details please.
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23801097
Hi

I have tried to make print screens remotely, but no luck

Tomorrow i will make print screen from all the tabs and add in to a message.

For security reasons i will erase some information

Jail
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23804739
Hi

I have the file with all the print screens from the publishing rule.

Any further questions, just ask :)

Another issue that i have notice... i have add to my hosts file(in ISA Server) the entry

192.168.10.10 webmail-mydomain.domain.com

This internal IP is from my Exchange, but if i do a nslookup it shows the IP from the external(that is the IP from the root domain, outside of our sub-domain network)

So this is shown by the external adapter, that is the only one that is connect to that network.

Do not know if this is important.

Hope all this information maybe useful.

Jail
OWA-PUBLISHING-RULE.zip
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23807972
ISA should not use any host file. As you know ISA should use the DNS server from your internal LAN - ISA should not even know HOW to lookup an external address. This is the point I made earlier - I am beginning to doubt that some of the basics are setup correctly. I have just got in from work so will look at the screenshots etc after dinner.
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23808391
Hi

Yes about DNS server, but in several Exchange sites are pointing to use the host(or split DNS) file to add the Exchange Server IP address with the external webmail.domain.com, to publish the OWA

Ok look at the file, then we can go forward with this

Thanks for all the help, until now

Jail
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23811930
The screenshots look fine - and as I would expect. As i mentioned above, i am starting to question some of the basics. I note that you say everything works from the internal LAN so the next place is to look at the external side.

I would suggest that you run the ISA realtime log monitor - ISA gui - monitoring - logging and set the filter to monitor https or http server. try the connection and see if port 443 traffic is even arriving at ISA - check that port 443 is being allowed through any external routers or firewalls. If port 443 is not even arriving at the ISA then it will not know to present a login screen.

if https/https server traffic IS arriving OK then I need to see details of what the log reports.

Keith
ISA MVP
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23812221
Hi keith

OK i check all that issues, and i will back to this question as soon as possible with the answers

Thank You

Jail

0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23827073
Hi

Just to update.

We have a CISCO ASA before the ISA Server, then a external company must test to see if there is any SSL communication to that ASA, and check is there is any SSL block by that ASA. That test is made, and the ASA is ok, but still the SSL 443 did not arrive at this ASA. So the problem may be, in the first firewall of this system. That is a firewall(i do not know what firewall is) that is from the root domain, from this sub-domain.

I will check all the firewall and logs, that are out of the ISA Server. But this is supported by external company's, and this takes some time.

When i have some feed back, i will post

Thank You

Jail
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23828743
Excellent - if the SSL traffic does not arrive at the ASA box then there is NO WAY that the SSL traffic can arrive at the ISA Server which is further down the line... Nice work and will wait to hear how it goes with the further testing.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23871659
Thanks Vee. The 'objectives' passed to Bestway would easily take a week to undertake based on the info (and convolutedness (made that word up) of his environment. I'm sure he will get back to us :)
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23876444
Hi

First sorry about the time to respond. Like i said before, this corrects was out of my hands. So i need to wait until they correct the problem.

OK i have a feed back now.

The root domain Firewall, and Cisco ASA are working with my ISA Server.

Communications with my webmail url trough port 443 are now into my ISA Server. Now is up to me to make it work :)

Let us focus on the my ISA Server.

After some issues in the ISA Server that i have correct, now I can see the OWA logon.

I enter domain/user into the Logon page, then after 1m or 2m, I get time out. And i cannot get access to the OWA mailbox.

I have monitor this access in the ISA Server, so i will post the log.

The 10.10.2.20 is the Firewall from our root domain


Original Client IP      Client IP      Client Username      Client Agent      Authenticated Client      Service      Server Name      Referring Server      Destination Host Name      Destination IP      Protocol      Transport      HTTP Method      URL      MIME Type      Object Source      Source Network      Destination Network      Source Proxy      Destination Proxy      Action      Bidirectional      Client Host Name      Rule      Filter Information      Network Interface      Raw IP Header      Raw Payload      Log Time      GMT Log Time      Source Port      Destination Port      Processing Time      Bytes Sent      Bytes Received      Result Code      HTTP Status Code      Cache Information      Error Information      Log Record Type      Authentication Server
0.0.0.0      10.10.2.20      anonymous      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)      Yes      Reverse Proxy      ISASRV            webmail.mydomain.com      192.168.1.250      https      TCP      GET      http://webmail.mydomain.com/exchange                              -      -      Denied Connection            -      OWA      Req ID: 0a0d339b; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes      -      -      -      13-03-2009 5:23:10      13-03-2009 5:23:10      0      443      1      277      399            12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.       0x0      0x80      Web Proxy Filter      
0.0.0.0      10.10.2.20      anonymous      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)      No      Reverse Proxy      ISASRV            webmail.mydomain.com      192.168.1.250      https      TCP      GET      http://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1                              -      -      Allowed Connection            -            Req ID: 0a0d33b7; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes      -      -      -      13-03-2009 5:23:11      13-03-2009 5:23:11      0      443      313      10636      450            0 The operation completed successfully.       0x0      0x0      Web Proxy Filter      
0.0.0.0      10.10.2.20      anonymous      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)      No      Reverse Proxy      ISASRV      https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1      webmail.mydomain.com      192.168.1.250      https      TCP      GET      http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=logon_style.css                              -      -      Allowed Connection            -            Req ID: 0a0d33b9; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes      -      -      -      13-03-2009 5:23:11      13-03-2009 5:23:11      0      443      109      3621      387            0 The operation completed successfully.       0x0      0x0      Web Proxy Filter      
0.0.0.0      10.10.2.20      anonymous      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)      No      Reverse Proxy      ISASRV      https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1      webmail.mydomain.com      192.168.1.250      https      TCP      GET      http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=flogon.js                              -      -      Allowed Connection            -            Req ID: 0a0d33bb; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes      -      -      -      13-03-2009 5:23:11      13-03-2009 5:23:11      0      443      375      6031      381            0 The operation completed successfully.       0x0      0x0      Web Proxy Filter      
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Initiated Connection                        -                        13-03-2009 5:23:11      13-03-2009 5:23:11      51720      443      0      0      0      0x0 ERROR_SUCCESS            0x0      0x0      Firewall      -
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Closed Connection                        -                        13-03-2009 5:23:11      13-03-2009 5:23:11      51397      443      545968      6901      18604      0x80074e20 FWX_E_GRACEFUL_SHUTDOWN            0x0      0x0      Firewall      -
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Closed Connection                        -                        13-03-2009 5:23:11      13-03-2009 5:23:11      51720      443      0      1104      11368      0x80074e20 FWX_E_GRACEFUL_SHUTDOWN            0x0      0x0      Firewall      -
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Initiated Connection                        -                        13-03-2009 5:23:11      13-03-2009 5:23:11      51721      443      0      0      0      0x0 ERROR_SUCCESS            0x0      0x0      Firewall      -
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Initiated Connection                        -                        13-03-2009 5:23:11      13-03-2009 5:23:11      51722      443      0      0      0      0x0 ERROR_SUCCESS            0x0      0x0      Firewall      -
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Closed Connection                        -                        13-03-2009 5:23:11      13-03-2009 5:23:11      51721      443      0      921      4153      0x80074e20 FWX_E_GRACEFUL_SHUTDOWN            0x0      0x0      Firewall      -
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Closed Connection                        -                        13-03-2009 5:23:11      13-03-2009 5:23:11      51722      443      0      995      6643      0x80074e20 FWX_E_GRACEFUL_SHUTDOWN            0x0      0x0      Firewall      -
0.0.0.0      10.10.2.20      anonymous      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)      No      Reverse Proxy      ISASRV      https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1      webmail.mydomain.com      192.168.1.250      https      TCP      GET      http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=lgnexlogo.gif                              -      -      Allowed Connection            -            Req ID: 0a0d33bf; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes      -      -      -      13-03-2009 5:23:12      13-03-2009 5:23:12      0      443      296      1260      385            0 The operation completed successfully.       0x0      0x0      Web Proxy Filter      
0.0.0.0      10.10.2.20      anonymous      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)      No      Reverse Proxy      ISASRV      https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1      webmail.mydomain.com      192.168.1.250      https      TCP      GET      http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=lgntop.gif                              -      -      Allowed Connection            -            Req ID: 0a0d33bd; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes      -      -      -      13-03-2009 5:23:12      13-03-2009 5:23:12      0      443      328      23636      382            0 The operation completed successfully.       0x0      0x0      Web Proxy Filter      
0.0.0.0      10.10.2.20      anonymous      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)      No      Reverse Proxy      ISASRV      https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1      webmail.mydomain.com      192.168.1.250      https      TCP      GET      http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=lgnbottom.gif                              -      -      Allowed Connection            -            Req ID: 0a0d33c1; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes      -      -      -      13-03-2009 5:23:12      13-03-2009 5:23:12      0      443      281      3726      385            0 The operation completed successfully.       0x0      0x0      Web Proxy Filter      
0.0.0.0      10.10.2.20      anonymous      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)      No      Reverse Proxy      ISASRV      https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1      webmail.mydomain.com      192.168.1.250      https      TCP      GET      http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=lgnleft.gif                              -      -      Allowed Connection            -            Req ID: 0a0d33c3; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes      -      -      -      13-03-2009 5:23:12      13-03-2009 5:23:12      0      443      203      1258      383            0 The operation completed successfully.       0x0      0x0      Web Proxy Filter      
0.0.0.0      10.10.2.20      anonymous      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)      No      Reverse Proxy      ISASRV      https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1      webmail.mydomain.com      192.168.1.250      https      TCP      GET      http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=lgnright.gif                              -      -      Allowed Connection            -            Req ID: 0a0d33c5; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes      -      -      -      13-03-2009 5:23:12      13-03-2009 5:23:12      0      443      140      1846      384            0 The operation completed successfully.       0x0      0x0      Web Proxy Filter      
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Initiated Connection                        -                        13-03-2009 5:23:13      13-03-2009 5:23:13      51723      443      0      0      0      0x0 ERROR_SUCCESS            0x0      0x0      Firewall      -
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Initiated Connection                        -                        13-03-2009 5:23:13      13-03-2009 5:23:13      51724      443      0      0      0      0x0 ERROR_SUCCESS            0x0      0x0      Firewall      -
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Initiated Connection                        -                        13-03-2009 5:23:13      13-03-2009 5:23:13      51725      443      0      0      0      0x0 ERROR_SUCCESS            0x0      0x0      Firewall      -
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Closed Connection                        -                        13-03-2009 5:23:13      13-03-2009 5:23:13      51724      443      0      879      1712      0x80074e20 FWX_E_GRACEFUL_SHUTDOWN            0x0      0x0      Firewall      -
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Closed Connection                        -                        13-03-2009 5:23:13      13-03-2009 5:23:13      51723      443      0      1236      24789      0x80074e20 FWX_E_GRACEFUL_SHUTDOWN            0x0      0x0      Firewall      -
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Initiated Connection                        -                        13-03-2009 5:23:13      13-03-2009 5:23:13      51726      443      0      0      0      0x0 ERROR_SUCCESS            0x0      0x0      Firewall      -
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Initiated Connection                        -                        13-03-2009 5:23:13      13-03-2009 5:23:13      51727      443      0      0      0      0x0 ERROR_SUCCESS            0x0      0x0      Firewall      -
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Closed Connection                        -                        13-03-2009 5:23:13      13-03-2009 5:23:13      51725      443      0      919      4258      0x80074e20 FWX_E_GRACEFUL_SHUTDOWN            0x0      0x0      Firewall      -
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Closed Connection                        -                        13-03-2009 5:23:13      13-03-2009 5:23:13      51726      443      0      877      1710      0x80074e20 FWX_E_GRACEFUL_SHUTDOWN            0x0      0x0      Firewall      -
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Closed Connection                        -                        13-03-2009 5:23:13      13-03-2009 5:23:13      51727      443      0      918      2338      0x80074e20 FWX_E_GRACEFUL_SHUTDOWN            0x0      0x0      Firewall      -
0.0.0.0      10.10.2.20      anonymous      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)      No      Reverse Proxy      ISASRV      https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1      webmail.mydomain.com      192.168.1.250      https      TCP      POST      http://webmail.mydomain.com/CookieAuth.dll?Logon                              -      -      Allowed Connection            -            Req ID: 0a0d342e; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes      -      -      -      13-03-2009 5:30:37      13-03-2009 5:30:37      0      443      78      416      754            0 The operation completed successfully.       0x0      0x200      Web Proxy Filter      
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Initiated Connection                        -                        13-03-2009 5:30:38      13-03-2009 5:30:38      52048      443      0      0      0      0x0 ERROR_SUCCESS            0x0      0x0      Firewall      -
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Initiated Connection                        -                        13-03-2009 5:30:38      13-03-2009 5:30:38      52049      443      0      0      0      0x0 ERROR_SUCCESS            0x0      0x0      Firewall      -
10.10.2.20      10.10.2.20                              ISASRV      -            192.168.1.250      HTTPS      TCP      -      -      -            External      Local Host                  Closed Connection                        -                        13-03-2009 5:30:38      13-03-2009 5:30:38      52048      443      0      1208      807      0x80074e20 FWX_E_GRACEFUL_SHUTDOWN            0x0      0x0      Firewall      -


Denied Connection ISASRV 13-03-2009 5:23:10
Log type: Web Proxy (Reverse)
Status: 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.  
Rule: OWA
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: GET http://webmail.mydomain.com/exchange 
Filter information: Req ID: 0a0d339b; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
 Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 1 ms
MIME type:  


Allowed Connection ISASRV 13-03-2009 5:23:11
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.  
Rule:  
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: GET http://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1 
Filter information: Req ID: 0a0d33b7; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
 Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 313 ms
MIME type:

Allowed Connection ISASRV 13-03-2009 5:23:11
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.  
Rule:  
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=logon_style.css 
Filter information: Req ID: 0a0d33b9; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
 Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 109 ms
MIME type:
 
Allowed Connection ISASRV 13-03-2009 5:23:11
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.  
Rule:  
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=flogon.js 
Filter information: Req ID: 0a0d33bb; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
 Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 375 ms
MIME type:
 
Allowed Connection ISASRV 13-03-2009 5:30:37
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.  
Rule:  
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: POST http://webmail.mydomain.com/CookieAuth.dll?Logon 
Filter information: Req ID: 0a0d342e; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
 Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 78 ms
MIME type:  

What can we see with this

Thank You

Jail
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23876455
Hi

Since the log past in here is not so clear, i will post a file txt with the log

Jail
ISA-log.txt
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23876774
first, the credentials need to be domain\user not domain/user

second OWA needs to be set to Basic Authentication on the IIS - and ISA needs to be using forms based authentication.
What version of exchange are you using?

http://technet.microsoft.com/en-us/library/bb794751.aspx  - for Exchange 2007
http://technet.microsoft.com/en-gb/library/bb794845.aspx  - For Exchange 2003
http://technet.microsoft.com/en-gb/library/bb794843.aspx  - OWA specific

Just off to work so you are on your own with this for a while.
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23892240
Hi

Just to update.

The problem with the timeout is resolved.

But now some how the certificate get revoked. I have check, and double check the cert. I have remove the cert from the ISA, and export from the Exchange Server, and import again into ISA Server.

But i still have the same error:

Error Code: 500 Internal Server Error. The certificate is revoked. (-2146885616)

I thin all is ok with the certificate.

Any ideas?

Jail
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23893242
You can prove this by accessing the internal exchange server through https - the OWA directly. If the certificate has been revoked (remember that the Exchange server certificate and the ISA server certificate are supposed to be the same certificate) - then the owa should give the same message from internal access as well.

0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23893347
Hi

Nope, internally i can connect with no problem.

And yes both servers have the same certificate.

So where the hell is the problem? :(

Jail
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23893493
Look at the specifics of the certificates - make sure every detail is the same. You 'MAY' find some differences - if you do, see what system is the authenticator for that specific certificate. For example, if you are using a wildcard cert, you may find that the parent or the issuer has revoked the certificate - god knows why - on their Root CA. they may not even be aware of it.....but that is where the certificate will be checked against.
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23896470
Hi

After run the BPA in the ISA Server i get 3 new errors. And the certain that the certificate is the issue. After 10.000 issues with this problem, i think this the final issue, and last problem.


Events that triggered the alert:
15-03-2009 17:17:46 - The client certificate was revoked due to an invalid or missing Certificate Revocation List (CRL). The CRL may have expired and ISA Server was unable
to download a valid CRL. Verify that the CRL download system policy configuration group is enabled and that there is connectivity to the CRL Distribution Points (CDPs).


One or more certificates in the local computer store do not have a private key. If you want to implement secure Web publishing and ISA Server does not display a certificate, verify that local computer store contains at least one certificate that has a corresponding private key.


Events that triggered the alert:
15-03-2009 16:42:06 - The Web Proxy filter failed to bind its socket to 192.168.100.250 port 443. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure.
 The failure is due to error: An attempt was made to access a socket in a way forbidden by its access permissions.

And i will ckeck the Certificate with the root domain Network Administrator, that was who create the Cert after my request. And check with them if this Certificate is not revoked at the root domain(in the SAN or wildcart Certificate)

Jail
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23901551
1. Open the ISA gui - select firewall policy
edit the SYSTEM policy and enable the CRL policy and make sure all networks are added

2. We have spoken about this - you said that the keys you have imported definitely had private keys - so do you have other certificates? It may be one of those that the BPA is referring to.

3. You can only have one port 443 listener on each external ip address that you have on the ISA external nic.
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23936583
Hi

Just to update this question, and this question/problem is taking to long :(

1- This is enable already

2- I have no other certificates in this server. Only this one.

3 - I only have one listener in this server(the OWA)

I have request more information from the root domain offices, about the certificate. If they are revoke this certificate in they SAN or wildcard certificates.  The request was about a week ago, i am still waiting for the answer.

Once again I will like to thank you keith_alabaster for all the help and time spend with this question.

Jail
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23937306
No probs - just frustrating that your own organisation is not helping you - :(
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23986232
Hi

Just to update the question.

After a week they have respond today, but they did not give any information. The stupid´s say they have tested the webmail, and the logon page is visible, so the webmail is working
 
I reply saying that the problem is after we logon.

I am tired of this problem, and the lack of support, or information by the main office.

I have abandon the project for now. I will not go to this project until they give further information, or more help and support.

If a have no feed back in a few days, i will close the question.

Once again thank you for the help and patience for me and this problem

Jail
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 23987839
So sorry I cannot help much more here. Provide a test user credentials to the main office - ask them to logon with it so that they see the certificate revoked mesage.

Secondly, SSL is enabled to the ISA Server and we know now that this is OK to this stage. set the bridging to use http from ISA to Exchange rather than https - does it work then?

Cheers
Keith
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 23995250
Hi Keith

Ok with your solution/option the webmail works without any problem.

Since the communications between Internet and ISA Server is encrypted(with the Cert from the main office), the communications between the ISA Server and Exchange is not encrypted.

But since the support to this problem is not the correct, i will propose this.

If they want e levels of encryption then the root domain must give a proper support, and information. If not, then this will only work with one level of encryption, and we do not need more help or support from the main office.

Once again all the thanks that i can say is not enought for all the time and patience for this problem

After the decision tomorrow i will close this question

Jail
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23995283
:) thanks
0
 
LVL 24

Author Closing Comment

by:Luciano Patrão
ID: 31548846
Once again i like to thanks Keith for is time and patience.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24022946
Welcome :)
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24022967
Welcome :)
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Jet database engine errors can crop up out of nowhere to disrupt the working of the Exchange server. Decoding why a particular error occurs goes a long way in determining the right solution for it.
Exchange database can often fail to mount thereby halting the work of all users connected to it. Finding out why database isn’t mounting is crucial and getting the server back online. Stellar Phoenix Mailbox Exchange Recovery is a champion product t…
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
Suggested Courses
Course of the Month14 days, 17 hours left to enroll

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question