Luciano Patrão
asked on
ISA Server - Exchange Certificates SSL - Part II
Hi
After many issues with these certificates, I think I have corrected all the problems between Exchange and the certificates.
These are the issues I asked about in these threads:
https://www.experts-exchange.com/questions/24078184/Add-certificate-to-Exchange-2007.html
https://www.experts-exchange.com/questions/24084232/ISA-Server-Exchange-Certificates-SSL.html
After changing the internal address all is OK, but I have an issue with the certificate.
In Exchange and ISA Server the certificates are all correct, and all have the Root Authority OK.
When I test the publishing rule I get:
Testing URL https://webmail.mydomain.com:443/Exchange/
Category: General error
Error details: 0x80092010 - The certificate is revoked.
Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965
From the outside world, when I enter the webmail page I can see the login page from the Exchange/ISA Server. To test the communication, if I enter an invalid user or domain the authentication works fine and says user/password wrong; when I enter the right one it gives me a page error with:
* Error Code: 500 Internal Server Error. The certificate is revoked. (-2146885616)
I have tested the ISA Server with the traffic simulator.
I get this error:
Denied Traffic
- destination URL host name could not be resolved
Rule Name: [Enterprise] Default rule
Rule Order:
Additional information
From: Local Host
To: Internal
Network Rule Name: None - Route implied (Local Host traffic)
Network Relationship: Route
Protocol: HTTPS
Rule Application Filter:
This is the log from that traffic:
##########################
384 19-02-2009 16:41:12 fffca7bc Firewall service The Firewall service is performing rule evaluation.
385 19-02-2009 16:41:12 fffca7bc Firewall service Protocol: HTTPS
386 19-02-2009 16:41:12 fffca7bc Firewall Engine Packet properties: Source IP address: 192.168.10.250 Source array network: Local Host Destination IP address: 192.168.10.08 Destination array network: Internal
387 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server will check only rules that are associated with the protocol HTTPS.
388 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites.
389 19-02-2009 16:41:12 fffca7bc Firewall service The destination requires name resolution.
390 19-02-2009 16:41:12 fffca7bc Firewall service The rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites requires name resolution for evaluation.
391 19-02-2009 16:41:12 fffca7bc Firewall service The rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites requires DNS name resolution.
392 19-02-2009 16:41:12 fffca7bc Firewall service The Firewall service is performing rule evaluation.
393 19-02-2009 16:41:12 fffca7bc Firewall service Protocol: HTTPS
394 19-02-2009 16:41:12 fffca7bc Firewall Engine Packet properties: Source IP address: 192.168.10.250 Source array network: Local Host Destination IP address: 192.168.10.08 Destination array network: Internal
395 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server will check only rules that are associated with the protocol HTTPS.
396 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites.
397 19-02-2009 16:41:12 fffca7bc Firewall service destination does not match the packet.
398 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [System] Allow HTTP/HTTPS requests from ISA Server to specified sites.
399 19-02-2009 16:41:12 fffca7bc Firewall service destination does not match the packet.
400 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [System] Allow MS Firewall Control communication to selected computers.
401 19-02-2009 16:41:12 fffca7bc Firewall service destination does not match the packet.
402 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule Internet Access.
403 19-02-2009 16:41:12 fffca7bc Firewall service source does not match the packet.
404 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is evaluating the rule [Enterprise] Default rule.
405 19-02-2009 16:41:12 fffca7bc Firewall service The rule [Enterprise] Default rule matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet will take precedence and may allow the packet.
406 19-02-2009 16:41:12 fffca7bc Firewall service The rule [Enterprise] Default rule blocked the packet.
407 19-02-2009 16:41:12 fffca7bc Firewall service The Firewall service is performing rule evaluation.
408 19-02-2009 16:41:12 fffca7bc Firewall Engine Packet properties: Source IP address: 192.168.10.250 Source array network: Local Host Destination IP address: 192.168.10.08 Destination array network: Internal
409 19-02-2009 16:41:12 fffca7bc Firewall service ISA Server is looking for an applicable network rule.
410 19-02-2009 16:41:12 fffca7bc Firewall service The packet was sent to or from the Local Host network. Therefore, an implicit network rule with a route relationship between the source and destination is applied.
#####################
The 192.168.10.250 is my internal ISA Server adapter, and the 192.168.10.08 is my Exchange Server.
And I have tested with my external adapter (192.168.100.253). The log is similar.
Honestly, I cannot understand what is causing this. I have checked all the configuration and I think all is OK.
Any help will be appreciated.
Jail
What have you specified in the To tab of the publishing rule?
ASKER
Hi abdulzi
Thanks for the reply.
In the tab of the publishing rule (that is the Exchange Publishing Rule) I have 2 options:
1º This rule applies to this published site:
I have webmail.mydomain.com (this is the same domain that I have in my certificate)
2º Computer name, or IP address.
I have the internal name of my Exchange Server (I have tested with the IP)
and at the end I have:
Requests appear to come from the original client.
One question about my certificate. I see that in the certificate, on the Details tab, in the "key usage" I have a yellow warning. I do not know what this is.
The data is: Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment (f0)
Jail
Do you have a certificate on your Exchange containing webmail.mydomain.com as the common name? If you ping webmail.mydomain.com, does it resolve to the internal or external IP of the CAS?
ASKER
Hi
The certificate from Exchange is the same. I exported it from Exchange into the ISA Server.
Inside the ISA Server, if I ping webmail.mydomain.com I get the IP of the Exchange Server.
That is because I have in the ISA Server hosts file: 192.168.10.08 webmail.mydomain.com
Jail
ASKER
Hi
Can anyone please provide any assistance on this issue?
Thank You
Jail
Please check this:
http://forums.isaserver.org/m_210012300/tm.htm
It's quite an old article, but do check whether you can access the CRL of the certificate.
ASKER
Hi
Sorry I did not get back to the question earlier.
I have requested a new certificate. I created a new one in Exchange with the New-ExchangeCertificate command. I sent it to our services, and they sent me a new one.
But I have the same problem :(
It says:
Category: General error
Error details: 0x80092010 - The certificate is revoked.
I have enabled the firewall policy:
Authentication Services: Allow HTTP from ISA Server to selected networks for downloading updated Certificate Revocation Lists (CRL)
If I disable, in the firewall, Specify Certificate Revocation Settings > Certificate Revocation > Verify that incoming server certificates are not revoked in a reverse scenario
Only with this option enabled does the test rule give me: The certificate is revoked.
So what can this tell me?
Can anyone help?
Jail
Hey Modus - yeah I can hit this one.
The error message you are mentioning is normally down to the DNS configuration on ISA. Sorry if I ask some questions that are in previous posts, but I'm in the middle of doing a business case so am limited on time at the moment.
Can you ensure you have .NET 1.1 installed on the ISA and run up the BPA?
You can get it from here http://www.microsoft.com/downloads/details.aspx?FamilyID=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en
ASKER
Hi Keith
Again :)
Yes, both are correct. I have run the BPA and there are no big problems regarding this issue.
What do you mean by DNS configuration? Can you be more specific?
Now, to bypass the certificate problem, I am changing all the configuration (ISA and Exchange) to publish OWA without CRL. Just to test.
It is not working yet; I will try to get this to work tomorrow.
Jail
Please tell me what the 'no big problems' are that the BPA reported.
The troubleshooting doc for SSL/certs on ISA can be found here.
http://technet.microsoft.com/en-us/library/cc302619.aspx
I'll cover the DNS next. Please provide the output from an ipconfig /all on the ISA Server.
ASKER
Hi
The errors that I have are only regarding other issues that are not CRL:
1º The Resource Allocation Failure error alert was signaled 1 times
Events that triggered the alert:
04-03-2009 12:42:53 - The Web Proxy filter failed to bind its socket to 192.168.1.250 port 80. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure.
The failure is due to error: An attempt was made to access a socket in a way forbidden by its access permissions.
2º There are no Certificates in the Local Store (this is because I deleted all the CRL to make the tests without HTTPS)
This is my configuration:
Ethernet adapter INTERNAL:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-50-56-B2-47-82
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.10.250
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.10.1
192.168.10.2
Ethernet adapter EXTERNAL:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-50-56-B2-3A-D9
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.250
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 10.10.2.10
10.10.2.11
After I removed HTTPS from the ISA Server (and deleted all the CRL) and from IIS on Exchange, in my internal network, if I enter the external URL it works (http://webmail.mydomain.com/exchange)
I have tested this with HTTP and HTTPS; both work internally if I use the external domain (webmail.mydomain.com). The only thing that is not right is that it asks for authentication on the first logon, then the URL is exchange.domain.local and it asks for the user authentication again. But after this I can see the OWA.
With all these tests, can you help look at the issue?
Jail
ASKER
Hi
After I added the certificate again into the ISA Server, with the BPA test again I have this:
One or more certificates in the local store do not have a private key.
One or more certificates in the local computer store do not have a private key. If you want to implement secure Web publishing and ISA Server does not display a certificate, verify that local computer store contains at least one certificate that has a corresponding private key.
Testing the rule again I get again:
Category: General error
Error details: 0x80092010 - The certificate is revoked.
I have checked the CRL and I think it is OK.
These certificate issues are driving me crazy :(
Jail
ASKER
Hi
Looking at the site for SSL/certs there is one part that says:
Check that ISA Server trusts the CA that issued the certificate used to authenticate the published Web server. To do this, open Internet Explorer on the ISA Server computer, click the Tools menu, and then click Internet Options. On the Content tab, click Certificates. Check that a certificate for the CA appears on the Trusted Root Certification Authorities tab.
I have done this, but inside IE Tools > Certificates, on the Trusted Root Certification Authorities tab, I don't have my CRL, only the intermediate. I tried to import it here in IE Tools, but after importing with no errors I still have no webmail CRL.
But if I go to the MMC Certificates snap-in, in the Trusted Root Certification Authorities folder, I have both CRLs: the webmail one and the intermediate.
Is this normal?
Sorry about all these messages, but I am trying to give all the information that I can.
Jail
Trusted Root and CRL are not the same thing - CRL is Certificate Revocation List.
Where did you get this cert from? It should be exported from the Exchange (OWA) box - with the private key - then imported into ISA.
ASKER
Hi
Sorry about the confusion; when I say CRL I mean the certificate.
And yes, this certificate was exported from the Exchange Server with the key. I followed all the steps.
Jail
ASKER
Hi
I have exported the certificate (with the key) and the intermediate from the Exchange Server.
Then I imported them into MMC - Computer Account - Personal, Trusted Root Certification Authorities and Intermediate Certification Authorities.
In Intermediate Certification Authorities - Certificate Revocation List - I do not have any certificate for this issue - is this correct?
In Intermediate Certification Authorities - Certificates - I have the intermediate certificate.
Jail
Yes, that is correct - you have nothing in the revocation list because the cert is NOT revoked.
The only thing this leaves then - assuming the basics are correct - is the publishing rule and the listener.
How have you published the service - all details please.
ASKER
Hi
I have tried to take screenshots remotely, but no luck.
Tomorrow I will take screenshots of all the tabs and add them to a message.
For security reasons I will erase some information.
Jail
ASKER
Hi
I have the file with all the screenshots of the publishing rule.
Any further questions, just ask :)
Another issue that I have noticed... I have added to my hosts file (in the ISA Server) the entry:
192.168.10.10 webmail-mydomain.domain.com
This internal IP is from my Exchange, but if I do an nslookup it shows the IP from the external (that is the IP from the root domain, outside of our sub-domain network).
So this is shown by the external adapter, which is the only one that is connected to that network.
I do not know if this is important.
I hope all this information may be useful.
Jail
OWA-PUBLISHING-RULE.zip
ISA should not use any hosts file. As you know, ISA should use the DNS server from your internal LAN - ISA should not even know HOW to look up an external address. This is the point I made earlier - I am beginning to doubt that some of the basics are set up correctly. I have just got in from work so will look at the screenshots etc. after dinner.
ASKER
Hi
Yes, about the DNS server, but several Exchange sites point to using the hosts file (or split DNS) to add the Exchange Server IP address with the external webmail.domain.com, to publish OWA.
OK, look at the file, then we can go forward with this.
Thanks for all the help until now.
Jail
The screenshots look fine - and as I would expect. As I mentioned above, I am starting to question some of the basics. I note that you say everything works from the internal LAN, so the next place to look is the external side.
I would suggest that you run the ISA real-time log monitor - ISA GUI - Monitoring - Logging - and set the filter to monitor HTTPS or HTTPS Server. Try the connection and see if port 443 traffic is even arriving at ISA - check that port 443 is being allowed through any external routers or firewalls. If port 443 is not even arriving at the ISA then it will not know to present a login screen.
If HTTPS/HTTPS Server traffic IS arriving OK then I need to see details of what the log reports.
Keith
ISA MVP
ASKER
Hi Keith
OK, I will check all those issues, and I will come back to this question as soon as possible with the answers.
Thank You
Jail
ASKER
Hi
Just to update.
We have a Cisco ASA before the ISA Server, so an external company had to test whether there is any SSL communication to that ASA, and check whether any SSL is blocked by that ASA. That test was made, and the ASA is OK, but still the SSL 443 did not arrive at this ASA. So the problem may be in the first firewall of this system. That is a firewall (I do not know what firewall it is) that belongs to the root domain of this sub-domain.
I will check all the firewalls and logs that are outside of the ISA Server. But this is supported by external companies, and this takes some time.
When I have some feedback, I will post.
Thank You
Jail
Excellent - if the SSL traffic does not arrive at the ASA box, then there is NO WAY that the SSL traffic can arrive at the ISA Server, which is further down the line... Nice work, and I will wait to hear how it goes with the further testing.
Thanks Vee. The 'objectives' passed to Bestway would easily take a week to undertake based on the info (and convolutedness (made that word up)) of his environment. I'm sure he will get back to us :)
ASKER
Hi
First, sorry about the time to respond. As I said before, these corrections were out of my hands, so I needed to wait until they corrected the problem.
OK, I have feedback now.
The root domain firewall and Cisco ASA are now working with my ISA Server.
Communications to my webmail URL through port 443 now reach my ISA Server. Now it is up to me to make it work :)
Let us focus on my ISA Server.
After some issues in the ISA Server that I have corrected, I can now see the OWA logon.
I enter domain/user on the logon page, then after 1 or 2 minutes I get a timeout, and I cannot get access to the OWA mailbox.
I have monitored this access on the ISA Server, so I will post the log.
10.10.2.20 is the firewall of our root domain.
Original Client IP Client IP Client Username Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Destination IP Protocol Transport HTTP Method URL MIME Type Object Source Source Network Destination Network Source Proxy Destination Proxy Action Bidirectional Client Host Name Rule Filter Information Network Interface Raw IP Header Raw Payload Log Time GMT Log Time Source Port Destination Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Authentication Server
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) Yes Reverse Proxy ISASRV webmail.mydomain.com 192.168.1.250 https TCP GET http://webmail.mydomain.com/exchange - - Denied Connection - OWA Req ID: 0a0d339b; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:23:10 13-03-2009 5:23:10 0 443 1 277 399 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. 0x0 0x80 Web Proxy Filter
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) No Reverse Proxy ISASRV webmail.mydomain.com 192.168.1.250 https TCP GET http://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1 - - Allowed Connection - Req ID: 0a0d33b7; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:23:11 13-03-2009 5:23:11 0 443 313 10636 450 0 The operation completed successfully. 0x0 0x0 Web Proxy Filter
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) No Reverse Proxy ISASRV https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1 webmail.mydomain.com 192.168.1.250 https TCP GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=logon_style.css - - Allowed Connection - Req ID: 0a0d33b9; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:23:11 13-03-2009 5:23:11 0 443 109 3621 387 0 The operation completed successfully. 0x0 0x0 Web Proxy Filter
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) No Reverse Proxy ISASRV https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1 webmail.mydomain.com 192.168.1.250 https TCP GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=flogon.js - - Allowed Connection - Req ID: 0a0d33bb; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:23:11 13-03-2009 5:23:11 0 443 375 6031 381 0 The operation completed successfully. 0x0 0x0 Web Proxy Filter
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:23:11 13-03-2009 5:23:11 51720 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:23:11 13-03-2009 5:23:11 51397 443 545968 6901 18604 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:23:11 13-03-2009 5:23:11 51720 443 0 1104 11368 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:23:11 13-03-2009 5:23:11 51721 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:23:11 13-03-2009 5:23:11 51722 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:23:11 13-03-2009 5:23:11 51721 443 0 921 4153 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:23:11 13-03-2009 5:23:11 51722 443 0 995 6643 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) No Reverse Proxy ISASRV https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1 webmail.mydomain.com 192.168.1.250 https TCP GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=lgnexlogo.gif - - Allowed Connection - Req ID: 0a0d33bf; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:23:12 13-03-2009 5:23:12 0 443 296 1260 385 0 The operation completed successfully. 0x0 0x0 Web Proxy Filter
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) No Reverse Proxy ISASRV https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1 webmail.mydomain.com 192.168.1.250 https TCP GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=lgntop.gif - - Allowed Connection - Req ID: 0a0d33bd; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:23:12 13-03-2009 5:23:12 0 443 328 23636 382 0 The operation completed successfully. 0x0 0x0 Web Proxy Filter
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) No Reverse Proxy ISASRV https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1 webmail.mydomain.com 192.168.1.250 https TCP GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=lgnbottom.gif - - Allowed Connection - Req ID: 0a0d33c1; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:23:12 13-03-2009 5:23:12 0 443 281 3726 385 0 The operation completed successfully. 0x0 0x0 Web Proxy Filter
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) No Reverse Proxy ISASRV https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1 webmail.mydomain.com 192.168.1.250 https TCP GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=lgnleft.gif - - Allowed Connection - Req ID: 0a0d33c3; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:23:12 13-03-2009 5:23:12 0 443 203 1258 383 0 The operation completed successfully. 0x0 0x0 Web Proxy Filter
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) No Reverse Proxy ISASRV https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1 webmail.mydomain.com 192.168.1.250 https TCP GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=lgnright.gif - - Allowed Connection - Req ID: 0a0d33c5; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:23:12 13-03-2009 5:23:12 0 443 140 1846 384 0 The operation completed successfully. 0x0 0x0 Web Proxy Filter
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51723 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51724 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51725 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51724 443 0 879 1712 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51723 443 0 1236 24789 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51726 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51727 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51725 443 0 919 4258 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51726 443 0 877 1710 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51727 443 0 918 2338 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) No Reverse Proxy ISASRV https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1 webmail.mydomain.com 192.168.1.250 https TCP POST http://webmail.mydomain.com/CookieAuth.dll?Logon - - Allowed Connection - Req ID: 0a0d342e; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:30:37 13-03-2009 5:30:37 0 443 78 416 754 0 The operation completed successfully. 0x0 0x200 Web Proxy Filter
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:30:38 13-03-2009 5:30:38 52048 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:30:38 13-03-2009 5:30:38 52049 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:30:38 13-03-2009 5:30:38 52048 443 0 1208 807 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
Denied Connection ISASRV 13-03-2009 5:23:10
Log type: Web Proxy (Reverse)
Status: 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.
Rule: OWA
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: GET http://webmail.mydomain.com/exchange
Filter information: Req ID: 0a0d339b; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 1 ms
MIME type:
Allowed Connection ISASRV 13-03-2009 5:23:11
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.
Rule:
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: GET http://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1
Filter information: Req ID: 0a0d33b7; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 313 ms
MIME type:
Allowed Connection ISASRV 13-03-2009 5:23:11
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.
Rule:
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=logon_style.css
Filter information: Req ID: 0a0d33b9; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 109 ms
MIME type:
Allowed Connection ISASRV 13-03-2009 5:23:11
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.
Rule:
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=flogon.js
Filter information: Req ID: 0a0d33bb; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 375 ms
MIME type:
Allowed Connection ISASRV 13-03-2009 5:30:37
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.
Rule:
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: POST http://webmail.mydomain.com/CookieAuth.dll?Logon
Filter information: Req ID: 0a0d342e; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 78 ms
MIME type:
What can we see from this?
Thank You
Jail
First sorry about the time to respond. Like i said before, this corrects was out of my hands. So i need to wait until they correct the problem.
OK i have a feed back now.
The root domain Firewall, and Cisco ASA are working with my ISA Server.
Communications with my webmail url trough port 443 are now into my ISA Server. Now is up to me to make it work :)
Let us focus on the my ISA Server.
After some issues in the ISA Server that i have correct, now I can see the OWA logon.
I enter domain/user into the Logon page, then after 1m or 2m, I get time out. And i cannot get access to the OWA mailbox.
I have monitor this access in the ISA Server, so i will post the log.
The 10.10.2.20 is the Firewall from our root domain
Original Client IP Client IP Client Username Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Destination IP Protocol Transport HTTP Method URL MIME Type Object Source Source Network Destination Network Source Proxy Destination Proxy Action Bidirectional Client Host Name Rule Filter Information Network Interface Raw IP Header Raw Payload Log Time GMT Log Time Source Port Destination Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Authentication Server
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) Yes Reverse Proxy ISASRV webmail.mydomain.com 192.168.1.250 https TCP GET http://webmail.mydomain.com/exchange - - Denied Connection - OWA Req ID: 0a0d339b; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:23:10 13-03-2009 5:23:10 0 443 1 277 399 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. 0x0 0x80 Web Proxy Filter
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) No Reverse Proxy ISASRV webmail.mydomain.com 192.168.1.250 https TCP GET http://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1 - - Allowed Connection - Req ID: 0a0d33b7; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:23:11 13-03-2009 5:23:11 0 443 313 10636 450 0 The operation completed successfully. 0x0 0x0 Web Proxy Filter
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) No Reverse Proxy ISASRV https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1 webmail.mydomain.com 192.168.1.250 https TCP GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=logon_style.css - - Allowed Connection - Req ID: 0a0d33b9; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:23:11 13-03-2009 5:23:11 0 443 109 3621 387 0 The operation completed successfully. 0x0 0x0 Web Proxy Filter
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) No Reverse Proxy ISASRV https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1 webmail.mydomain.com 192.168.1.250 https TCP GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=flogon.js - - Allowed Connection - Req ID: 0a0d33bb; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:23:11 13-03-2009 5:23:11 0 443 375 6031 381 0 The operation completed successfully. 0x0 0x0 Web Proxy Filter
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:23:11 13-03-2009 5:23:11 51720 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:23:11 13-03-2009 5:23:11 51397 443 545968 6901 18604 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:23:11 13-03-2009 5:23:11 51720 443 0 1104 11368 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:23:11 13-03-2009 5:23:11 51721 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:23:11 13-03-2009 5:23:11 51722 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:23:11 13-03-2009 5:23:11 51721 443 0 921 4153 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:23:11 13-03-2009 5:23:11 51722 443 0 995 6643 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) No Reverse Proxy ISASRV https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1 webmail.mydomain.com 192.168.1.250 https TCP GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=lgnexlogo.gif - - Allowed Connection - Req ID: 0a0d33bf; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:23:12 13-03-2009 5:23:12 0 443 296 1260 385 0 The operation completed successfully. 0x0 0x0 Web Proxy Filter
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) No Reverse Proxy ISASRV https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1 webmail.mydomain.com 192.168.1.250 https TCP GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=lgntop.gif - - Allowed Connection - Req ID: 0a0d33bd; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:23:12 13-03-2009 5:23:12 0 443 328 23636 382 0 The operation completed successfully. 0x0 0x0 Web Proxy Filter
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) No Reverse Proxy ISASRV https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1 webmail.mydomain.com 192.168.1.250 https TCP GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=lgnbottom.gif - - Allowed Connection - Req ID: 0a0d33c1; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:23:12 13-03-2009 5:23:12 0 443 281 3726 385 0 The operation completed successfully. 0x0 0x0 Web Proxy Filter
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) No Reverse Proxy ISASRV https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1 webmail.mydomain.com 192.168.1.250 https TCP GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=lgnleft.gif - - Allowed Connection - Req ID: 0a0d33c3; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:23:12 13-03-2009 5:23:12 0 443 203 1258 383 0 The operation completed successfully. 0x0 0x0 Web Proxy Filter
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) No Reverse Proxy ISASRV https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1 webmail.mydomain.com 192.168.1.250 https TCP GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=lgnright.gif - - Allowed Connection - Req ID: 0a0d33c5; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:23:12 13-03-2009 5:23:12 0 443 140 1846 384 0 The operation completed successfully. 0x0 0x0 Web Proxy Filter
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51723 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51724 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51725 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51724 443 0 879 1712 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51723 443 0 1236 24789 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51726 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51727 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51725 443 0 919 4258 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51726 443 0 877 1710 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:23:13 13-03-2009 5:23:13 51727 443 0 918 2338 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
0.0.0.0 10.10.2.20 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) No Reverse Proxy ISASRV https://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1 webmail.mydomain.com 192.168.1.250 https TCP POST http://webmail.mydomain.com/CookieAuth.dll?Logon - - Allowed Connection - Req ID: 0a0d342e; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes - - - 13-03-2009 5:30:37 13-03-2009 5:30:37 0 443 78 416 754 0 The operation completed successfully. 0x0 0x200 Web Proxy Filter
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:30:38 13-03-2009 5:30:38 52048 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Initiated Connection - 13-03-2009 5:30:38 13-03-2009 5:30:38 52049 443 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall -
10.10.2.20 10.10.2.20 ISASRV - 192.168.1.250 HTTPS TCP - - - External Local Host Closed Connection - 13-03-2009 5:30:38 13-03-2009 5:30:38 52048 443 0 1208 807 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
Denied Connection ISASRV 13-03-2009 5:23:10
Log type: Web Proxy (Reverse)
Status: 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.
Rule: OWA
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: GET http://webmail.mydomain.com/exchange
Filter information: Req ID: 0a0d339b; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 1 ms
MIME type:
Allowed Connection ISASRV 13-03-2009 5:23:11
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.
Rule:
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: GET http://webmail.mydomain.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1
Filter information: Req ID: 0a0d33b7; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 313 ms
MIME type:
Allowed Connection ISASRV 13-03-2009 5:23:11
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.
Rule:
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=logon_style.css
Filter information: Req ID: 0a0d33b9; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 109 ms
MIME type:
Allowed Connection ISASRV 13-03-2009 5:23:11
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.
Rule:
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: GET http://webmail.mydomain.com/CookieAuth.dll?GetPic?formdir=1&image=flogon.js
Filter information: Req ID: 0a0d33bb; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 375 ms
MIME type:
Allowed Connection ISASRV 13-03-2009 5:30:37
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.
Rule:
Source: (10.10.2.20)
Destination: (192.168.1.250:443)
Request: POST http://webmail.mydomain.com/CookieAuth.dll?Logon
Filter information: Req ID: 0a0d342e; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 78 ms
MIME type:
What can we see with this?
Thank You
Jail
ASKER
first, the credentials need to be domain\user not domain/user
second OWA needs to be set to Basic Authentication on the IIS - and ISA needs to be using forms based authentication.
What version of exchange are you using?
http://technet.microsoft.com/en-us/library/bb794751.aspx - for Exchange 2007
http://technet.microsoft.com/en-gb/library/bb794845.aspx - For Exchange 2003
http://technet.microsoft.com/en-gb/library/bb794843.aspx - OWA specific
Just off to work so you are on your own with this for a while.
ASKER
Hi
Just to update.
The problem with the timeout is resolved.
But now somehow the certificate gets revoked. I have checked, and double checked, the cert. I have removed the cert from the ISA, exported it from the Exchange Server, and imported it again into the ISA Server.
But I still have the same error:
Error Code: 500 Internal Server Error. The certificate is revoked. (-2146885616)
I think all is ok with the certificate.
Any ideas?
Jail
You can prove this by accessing the internal exchange server through https - the OWA directly. If the certificate has been revoked (remember that the Exchange server certificate and the ISA server certificate are supposed to be the same certificate) - then the owa should give the same message from internal access as well.
ASKER
Hi
Nope, internally I can connect with no problem.
And yes, both servers have the same certificate.
So where the hell is the problem? :(
Jail
Look at the specifics of the certificates - make sure every detail is the same. You 'MAY' find some differences - if you do, see what system is the authenticator for that specific certificate. For example, if you are using a wildcard cert, you may find that the parent or the issuer has revoked the certificate - god knows why - on their Root CA. they may not even be aware of it.....but that is where the certificate will be checked against.
ASKER
Hi
After running the BPA on the ISA Server I get 3 new errors, and it is certain that the certificate is the issue. After 10.000 issues with this problem, I think this is the final issue, and last problem.
1º
Events that triggered the alert:
15-03-2009 17:17:46 - The client certificate was revoked due to an invalid or missing Certificate Revocation List (CRL). The CRL may have expired and ISA Server was unable to download a valid CRL. Verify that the CRL download system policy configuration group is enabled and that there is connectivity to the CRL Distribution Points (CDPs).
2º
One or more certificates in the local computer store do not have a private key. If you want to implement secure Web publishing and ISA Server does not display a certificate, verify that local computer store contains at least one certificate that has a corresponding private key.
3º
Events that triggered the alert:
15-03-2009 16:42:06 - The Web Proxy filter failed to bind its socket to 192.168.100.250 port 443. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure.
The failure is due to error: An attempt was made to access a socket in a way forbidden by its access permissions.
And I will check the certificate with the root domain Network Administrator, who created the cert after my request, and check with them whether this certificate is revoked at the root domain (in the SAN or wildcard certificate).
Jail
1. Open the ISA gui - select firewall policy
edit the SYSTEM policy and enable the CRL policy and make sure all networks are added
2. We have spoken about this - you said that the keys you have imported definitely had private keys - so do you have other certificates? It may be one of those that the BPA is referring to.
3. You can only have one port 443 listener on each external ip address that you have on the ISA external nic.
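Added example, not code from the thread or from Microsoft: a PowerShell check, run on the ISA Server, that does what point 1 above asks you to verify. It reads the CRL Distribution Points out of the published certificate, tests that each one is reachable from the proxy, and then builds the chain with online revocation checking so you can tell a real revocation apart from a CRL that simply could not be downloaded. The certificate path is a placeholder; export the public part of the OWA certificate there first.

```powershell
# Added example (not from the thread). Path below is a placeholder for the exported
# public certificate of the published OWA/webmail listener.
param([string]$CertPath = 'C:\temp\webmail.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Write-Host ("Subject: {0}`nIssuer:  {1}`nSerial:  {2}" -f $cert.Subject, $cert.Issuer, $cert.SerialNumber)

# CRL Distribution Points extension (OID 2.5.29.31). Format($true) renders each point
# on its own line as "URL=http://..." so a regex is enough to pull the URLs out.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$urls = @()
if ($cdp) {
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}
if ($urls.Count -eq 0) { Write-Host 'No CDP in certificate: the CA cannot be asked about revocation.' }

# ISA has to fetch these itself (the "CRL download" system policy). Test each HTTP CDP
# from this host; LDAP CDPs are listed but not fetched here.
foreach ($u in $urls) {
    if ($u -notlike 'http*') { Write-Host ("  skipped (non-HTTP CDP): {0}" -f $u); continue }
    try {
        $resp = [System.Net.WebRequest]::Create($u).GetResponse()
        Write-Host ("  reachable: {0} ({1} bytes)" -f $u, $resp.ContentLength)
        $resp.Close()
    } catch {
        Write-Host ("  NOT reachable: {0} -> {1}" -f $u, $_.Exception.Message)
    }
}

# Build the chain the way a reverse proxy would: online revocation check of every cert.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$ok = $chain.Build($cert)
Write-Host ("Chain builds without errors: {0}" -f $ok)
foreach ($s in $chain.ChainStatus) {
    # Revoked                              -> the issuing CA really lists this serial in its CRL
    # RevocationStatusUnknown / OfflineRevocation -> the CRL could not be fetched; the BPA alert
    #   quoted in this thread says ISA reports exactly that case as "certificate is revoked"
    Write-Host ("  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
}
```

If the CDPs are unreachable from the ISA host, the fix is on the network or system policy side, not the certificate; if the chain reports Revoked with reachable CDPs, the CA really has revoked it and only the issuer can help.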
ASKER
Hi
Just to update this question, and this question/problem is taking too long :(
1 - This is enabled already.
2 - I have no other certificates on this server. Only this one.
3 - I only have one listener on this server (the OWA).
I have requested more information from the root domain offices about the certificate, whether they have revoked this certificate in their SAN or wildcard certificates. The request was about a week ago; I am still waiting for the answer.
Once again I would like to thank you, keith_alabaster, for all the help and time spent on this question.
Jail
No probs - just frustrating that your own organisation is not helping you - :(
ASKER
Hi
Just to update the question.
After a week they have responded today, but they did not give any information. The stupids say they have tested the webmail, and the logon page is visible, so the webmail is working.
I replied saying that the problem is after we log on.
I am tired of this problem, and the lack of support or information from the main office.
I have abandoned the project for now. I will not go back to this project until they give further information, or more help and support.
If I have no feedback in a few days, I will close the question.
Once again, thank you for the help and patience with me and this problem.
Jail
ASKER CERTIFIED SOLUTION
ASKER
Hi Keith
Ok, with your solution/option the webmail works without any problem.
Now the communication between the Internet and the ISA Server is encrypted (with the cert from the main office), but the communication between the ISA Server and Exchange is not encrypted.
But since the support for this problem is not correct, I will propose this:
If they want two levels of encryption, then the root domain must give proper support and information. If not, then this will only work with one level of encryption, and we do not need more help or support from the main office.
Once again, all the thanks that I can say are not enough for all the time and patience with this problem.
After the decision tomorrow I will close this question.
Jail
:) thanks
ASKER
Once again I would like to thank Keith for his time and patience.
Welcome :)