asked on OWA no external access, tough question!
Hi all,
been working on this for weeks now, cant believe i still haven't found a solution, heres a bunch of details about the setup and the problem:
externally connecting to https://mail.domain.org/exchange, i get diagnose connection problems
internally goes straight through no problems
i have setup a mail publishing rule enabled form based auth on that only and have removed form based from exchange
the isa server and exchange are on the same box
i have setup a entry in the hosts file on the server to go to isa servers address
isa doesnt have an external address it has a internal address on a different range and ports 443 80 and 25 are forwarded to that address range, all works fine with that no problems (canyouseeme.org sees me on 443 fine)
in the isa logs there is no external ips logged i only see our internal addresses
using my iphone to browse to https://mail.domain.org/exchange
i get asked to accept the certificate i do then i get page cannot be displayed
and using IE as above get that error message when i diagnose
oh and a telnet on 443 externally works fine too
p.s. i used my iphone to browse externally as active sync doesnt work yet either (im guessing an underlying problem with owa might solve both problems)
thanks
Alex
owa.jpg
been working on this for weeks now, cant believe i still haven't found a solution, heres a bunch of details about the setup and the problem:
externally connecting to https://mail.domain.org/exchange, i get diagnose connection problems
internally goes straight through no problems
i have setup a mail publishing rule enabled form based auth on that only and have removed form based from exchange
the isa server and exchange are on the same box
i have setup a entry in the hosts file on the server to go to isa servers address
isa doesnt have an external address it has a internal address on a different range and ports 443 80 and 25 are forwarded to that address range, all works fine with that no problems (canyouseeme.org sees me on 443 fine)
in the isa logs there is no external ips logged i only see our internal addresses
using my iphone to browse to https://mail.domain.org/exchange
i get asked to accept the certificate i do then i get page cannot be displayed
and using IE as above get that error message when i diagnose
oh and a telnet on 443 externally works fine too
p.s. i used my iphone to browse externally as active sync doesnt work yet either (im guessing an underlying problem with owa might solve both problems)
thanks
Alex
owa.jpg
Microsoft Forefront ISA ServerSSL / HTTPSMicrosoft IIS Web Server
Last Comment
awilderbeast
ASKER
on IE
Internet explorer cannot displayed the webpage
what you can try:
diagnose connection problems
earlier on on safari but not anymore safari gave me a error code 403 forbidden, the server denied the specified uniform contact the server admin (12202)
but now on safari i just cannot connect to web server message
since that error the only thing i have done is disabled form based on exchange and made isa the only form based authen
thats it
cheers
Internet explorer cannot displayed the webpage
what you can try:
diagnose connection problems
earlier on on safari but not anymore safari gave me a error code 403 forbidden, the server denied the specified uniform contact the server admin (12202)
but now on safari i just cannot connect to web server message
since that error the only thing i have done is disabled form based on exchange and made isa the only form based authen
thats it
cheers
Will look at this tonight when home from work
Keith - ISA MVP
Keith - ISA MVP
ASKER
thanks, any more info you need ill send your way, its been wracking my brains for about 3 weeks now!
Hi,
What do you see on the ISA Monitoring session when you try to navigate to the site.
Are you using the ISA Server for the authentication or the Exchange does the authentication..
BTW which version of ISA you are using and what is in front of the ISA.
Thanks
Kumar
What do you see on the ISA Monitoring session when you try to navigate to the site.
Are you using the ISA Server for the authentication or the Exchange does the authentication..
BTW which version of ISA you are using and what is in front of the ISA.
Thanks
Kumar
ASKER
what does the filter ned to be on monitoring session?
the isa server and the exchange server are on the same machine
i don tknow which does the authentication, how would i find out?
isa 2004 and theres a cisco 877w that i setup connected to that, the cisco is forwarding 443 perfectly
telnetting to 443 works fine
thanks for your assistance :)
the isa server and the exchange server are on the same machine
i don tknow which does the authentication, how would i find out?
isa 2004 and theres a cisco 877w that i setup connected to that, the cisco is forwarding 443 perfectly
telnetting to 443 works fine
thanks for your assistance :)
You can set up the Monitoring on the ISA Server to Monitor the SSL Sessions on the ISA Server.
As you said that the ISA and The Exchange is on the same server it might me something related with socket pooling.
Open a Command Prompt and type: Netstat -ano | Findstr "443"
This will tell you all about the connection and the Process which is using the port. Now open the task manager and see and go to processes tab. Click on View Menu and click on select columns and check the PID. Now match the output PID from the Netstat command and see which process is listening on 443.
Let me know the result of the Monitoring Session and the Netstat.
Kumar
As you said that the ISA and The Exchange is on the same server it might me something related with socket pooling.
Open a Command Prompt and type: Netstat -ano | Findstr "443"
This will tell you all about the connection and the Process which is using the port. Now open the task manager and see and go to processes tab. Click on View Menu and click on select columns and check the PID. Now match the output PID from the Netstat command and see which process is listening on 443.
Let me know the result of the Monitoring Session and the Netstat.
Kumar
You have started a session with an alternative expert. There is no point in me telling you to carry out alternative things as it will all become too confusing with two different approaches. I will wait until you have completed the actions already suggested and then come back to this question if I am still needed.
Keith - ISA MVP
Keith - ISA MVP
ASKER
thanks for your assistance
what criteria do i enter in the session filter to monitor what we need?
also took a screen of the ports and services in use
thanks
ports.jpg
what criteria do i enter in the session filter to monitor what we need?
also took a screen of the ports and services in use
thanks
ports.jpg
Hi,
Looking at this it seems like 2 process are lietening on port 443.
On the IP 192.168.170.2 process ID 4 is listening which seems to be the IIS.
On the IP 192.168.1.2 Process id 6248 is listening which is Microsoft Firewall Service.
Can you confirm which is the External IP address.
While setting up the Monitoring Filter by client IP and select the client IP from which you are trying.
Thanks
Kumar
Looking at this it seems like 2 process are lietening on port 443.
On the IP 192.168.170.2 process ID 4 is listening which seems to be the IIS.
On the IP 192.168.1.2 Process id 6248 is listening which is Microsoft Firewall Service.
Can you confirm which is the External IP address.
While setting up the Monitoring Filter by client IP and select the client IP from which you are trying.
Thanks
Kumar
ASKER
the isa external address is on 192.168.1.2
so i filter by the external ip of the device im testing it with?
so i filter by the external ip of the device im testing it with?
Yes that's correct..
ASKER
ok i did that under session
nothing came up, just blankness :S
what do i do about iis and exchange listening on the ports?
thanks
nothing came up, just blankness :S
what do i do about iis and exchange listening on the ports?
thanks
Don't change anything for the Exchange Ports.. They are in correct order.
Interesting part is there is nothing in the Monitoring. Can you run ISA BPA in repro mode and send me the CAB file if possible?
If yes i will send you the details about how to run it.
Thanks
Kumar
Interesting part is there is nothing in the Monitoring. Can you run ISA BPA in repro mode and send me the CAB file if possible?
If yes i will send you the details about how to run it.
Thanks
Kumar
ASKER
yeah i can if you tell me how to do it :)
cheers
cheers
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
here it is zipped if it EE will allow the cab to be uploaded in a zip it didnt so heres the file
what sort of information is in this file that yoru looking at?
and how you open it to view?
just interested thats all :)
heres the file on my webhost
domain.co.uk/IsaPackage.ca
what sort of information is in this file that yoru looking at?
and how you open it to view?
just interested thats all :)
heres the file on my webhost
domain.co.uk/IsaPackage.ca
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
which cert do you want me to change it too?
youve said to change it to what it is?
also 192.168.170.2 is the isa internal address, is that what we want to happen?
thanks
youve said to change it to what it is?
also 192.168.170.2 is the isa internal address, is that what we want to happen?
thanks
I dont want you to change any Cert. I just asked for the name of the Cert which is on the IIS Default Web Site.
Open the ISA Server console and go to the "TO" tab of the rule.
check the attached pic for details.
Kumar
isa.jpg
Open the ISA Server console and go to the "TO" tab of the rule.
check the attached pic for details.
Kumar
isa.jpg
Certificate you have installed on Exchange Server ( CAS or front End-End) should have Common name (Subject name) is your mail public name .
Like mail.yourdomain.com and if certificate have other SAN names , you have to install ISA 2006 Sp1 to support that .
Once you installed this on Exchange and export and import to ISA Local certificate "personal folder" and assign it to listener , it will work fine .
also,did you create in a public DNS the A record of your mail public domain. and make sure it resolvable from outside .
only you need to refer to internal server IP in publishing rule if internal site name different than external one, whats mean that , if your create A record on internal DNS , no need for that if it same to public .
Like mail.yourdomain.com and if certificate have other SAN names , you have to install ISA 2006 Sp1 to support that .
Once you installed this on Exchange and export and import to ISA Local certificate "personal folder" and assign it to listener , it will work fine .
also,did you create in a public DNS the A record of your mail public domain. and make sure it resolvable from outside .
only you need to refer to internal server IP in publishing rule if internal site name different than external one, whats mean that , if your create A record on internal DNS , no need for that if it same to public .
At least go through the comments before putting in your idea..
Thanks
Kumar
Thanks
Kumar
ASKER
following your instructions and your screenshot
my isa to properties dont look like that for the mail publishing rule, see below for my screen
also i updated my isa to service pack 3 and nothing has changed , still says service pack 2 under help and about mmc console
also i have included a screen of IIS cert under the default site
i went to iis manager > server01 > default site > rightclicked > properties > security > view cert
see screen for that too
they are wrong then yes?
IISCert.jpg
ISA.jpg
my isa to properties dont look like that for the mail publishing rule, see below for my screen
also i updated my isa to service pack 3 and nothing has changed , still says service pack 2 under help and about mmc console
also i have included a screen of IIS cert under the default site
i went to iis manager > server01 > default site > rightclicked > properties > security > view cert
see screen for that too
they are wrong then yes?
IISCert.jpg
ISA.jpg
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
i followed steps for 2nd method exactly and it still doesnt work :S
this using the same url mail.mydomain.org/exchange
could i create a new certificate somehow, if this ones wrong?
thanks
this using the same url mail.mydomain.org/exchange
could i create a new certificate somehow, if this ones wrong?
thanks
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
did that using the mail.mydomain.org cert
still not working :S
but looks like its the cert though?
still not working :S
but looks like its the cert though?
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
your right it is working :)
must of just taken a few seconds to get working for me :)
thanks alot for your help :)
now to get active sync working!!!
i thought getting this working would get them both working, but just tried setting it up on my iphone, no luck
do you have such skills to help me find out he problem there too?
once again thanks for all your help
must of just taken a few seconds to get working for me :)
thanks alot for your help :)
now to get active sync working!!!
i thought getting this working would get them both working, but just tried setting it up on my iphone, no luck
do you have such skills to help me find out he problem there too?
once again thanks for all your help
ASKER
obviously ill open a new question
Good to know that it is working.
To get the Active Sync working you need to do just one thing on the ISA.
Open the rule again and in the Paths tab make sure that you have:
"/Microsoft-Server-ActiveS
Kumar
To get the Active Sync working you need to do just one thing on the ISA.
Open the rule again and in the Paths tab make sure that you have:
"/Microsoft-Server-ActiveS
Kumar
I am talking about the OWA Rule in the ISA Server that we edited.
Kumar
Kumar
ASKER
thats already there, doesnt work, shall i open a new question so can debug?
It will be great if you can.
Kumar
Kumar
ASKER
heres the new question
https://www.experts-exchange.com/questions/24792290/ActiveSync-not-working-OWA-does-work-ISA-2004-SBS-2003.html
thanks
https://www.experts-exchange.com/questions/24792290/ActiveSync-not-working-OWA-does-work-ISA-2004-SBS-2003.html
thanks
I mean what it shows on the webpage when it fails to open the url of owa?