Asked by awilderbeast (United Kingdom):
OWA no external access, tough question!

Hi all,

I've been working on this for weeks now, can't believe I still haven't found a solution. Here's a bunch of details about the setup and the problem:

Externally, connecting to https://mail.domain.org/exchange, I get "diagnose connection problems".

Internally it goes straight through, no problems.

I have set up a mail publishing rule, enabled form-based auth on that only, and have removed form-based auth from Exchange.

The ISA server and Exchange are on the same box.

I have set up an entry in the hosts file on the server to go to the ISA server's address.

ISA doesn't have an external address; it has an internal address on a different range, and ports 443, 80 and 25 are forwarded to that address range. All works fine with that, no problems (canyouseeme.org sees me on 443 fine).

In the ISA logs there are no external IPs logged; I only see our internal addresses.

Using my iPhone to browse to https://mail.domain.org/exchange,
I get asked to accept the certificate; I do, then I get "page cannot be displayed".
Using IE as above, I get that error message when I diagnose.

Oh, and a telnet on 443 externally works fine too.

P.S. I used my iPhone to browse externally as ActiveSync doesn't work yet either (I'm guessing an underlying problem with OWA might solve both problems).


Thanks
Alex
(attachment: owa.jpg)
greenhacks (India):

What error do you get before this screenshot?
I mean, what does it show on the webpage when it fails to open the URL of OWA?
awilderbeast (asker):

On IE:

Internet Explorer cannot display the webpage

What you can try:
Diagnose connection problems

Earlier on, Safari (but not anymore) gave me an error: code 403 Forbidden, the server denied the specified uniform contact the server admin (12202).

But now on Safari I just get a "cannot connect to web server" message.

Since that error, the only thing I have done is disabled form-based auth on Exchange and made ISA the only form-based authentication.

That's it.

Cheers
Keith Alabaster:
Will look at this tonight when home from work.

Keith - ISA MVP
Thanks, any more info you need I'll send your way. It's been wracking my brains for about 3 weeks now!
Kumar_Jayant123:

Hi,

What do you see in the ISA Monitoring session when you try to navigate to the site?

Are you using the ISA Server for the authentication, or does Exchange do the authentication?

BTW, which version of ISA are you using, and what is in front of the ISA?

Thanks
Kumar
What does the filter need to be on the monitoring session?

The ISA server and the Exchange server are on the same machine.
I don't know which does the authentication; how would I find out?

ISA 2004, and there's a Cisco 877W that I set up connected to that; the Cisco is forwarding 443 perfectly.
Telnetting to 443 works fine.

Thanks for your assistance :)
You can set up Monitoring on the ISA Server to monitor the SSL sessions on the ISA Server.

As you said that the ISA and the Exchange are on the same server, it might be something related to socket pooling.

Open a Command Prompt and type: netstat -ano | findstr "443"

This will tell you all about the connections and the process which is using the port. Now open Task Manager and go to the Processes tab. Click on the View menu, click Select Columns, and check PID. Now match the PID from the netstat output to see which process is listening on 443.

Let me know the result of the Monitoring Session and the netstat.

Kumar
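The netstat step above is easy to misread by eye (a plain `findstr "443"` also matches port 1443, established connections and foreign ports that happen to contain the digits). The following is an added example, not a tool from ISA Server, Exchange or any of the posters: it parses `netstat -ano` output, keeps only TCP sockets in LISTENING state, and reports any port that more than one process is bound to. `SAMPLE_NETSTAT` is constructed to mirror the situation described in the thread (PID 4, the System process that hosts http.sys for IIS 6, on 192.168.170.2, and PID 6248, the Microsoft Firewall Service, on 192.168.1.2); it is not a real capture, and the 1443 and UDP lines are there only to show the filtering.

```python
"""Work out which processes are listening on a port from `netstat -ano` output.

Added example for this thread; not code from ISA Server or the posters.
SAMPLE_NETSTAT is constructed, not captured from a real machine.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the exact column layout `netstat -ano` prints on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    192.168.170.2:443      0.0.0.0:0              LISTENING       4
  TCP    192.168.1.2:443        0.0.0.0:0              LISTENING       6248
  TCP    192.168.170.2:443      192.168.170.50:1523    ESTABLISHED     4
  TCP    [::]:443               [::]:0                 LISTENING       4
  TCP    192.168.170.2:1443     0.0.0.0:0              LISTENING       3120
  UDP    0.0.0.0:500            *:*                                    1200
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    state: str  # "" for UDP, which has no State column
    pid: int


def split_endpoint(endpoint):
    """'192.168.1.2:443' -> ('192.168.1.2', 443); '[::]:443' -> ('::', 443)."""
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Turn the raw netstat text into Socket records, skipping headers."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, _foreign, state, pid = parts
        else:  # UDP lines carry no State column
            proto, local, _foreign, pid = parts
            state = ""
        ip, port = split_endpoint(local)
        sockets.append(Socket(proto, ip, port, state, int(pid)))
    return sockets


def tcp_listeners(sockets):
    return [s for s in sockets if s.proto == "TCP" and s.state == "LISTENING"]


def listeners_on_port(sockets, port):
    """Only real listeners on exactly this port, unlike `findstr "443"`."""
    return [s for s in tcp_listeners(sockets) if s.local_port == port]


def port_conflicts(sockets):
    """Ports that more than one process is listening on (keyed by port).

    Two listeners on 443 bound to different addresses, one from http.sys and
    one from the firewall service, is exactly the socket-pooling situation the
    thread is chasing: whichever address the forwarded traffic lands on decides
    which service answers.
    """
    pids_by_port = defaultdict(set)
    for s in tcp_listeners(sockets):
        pids_by_port[s.local_port].add(s.pid)
    return {port: pids for port, pids in pids_by_port.items() if len(pids) > 1}


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for s in listeners_on_port(socks, 443):
        print(f"{s.local_ip}:{s.local_port} -> PID {s.pid}")
    print("ports with more than one listening process:", port_conflicts(socks))
```

On a real box, save `netstat -ano` to a file and pass its contents to `parse_netstat`; then resolve each PID with Task Manager (or `tasklist /FI "PID eq 6248"`) as the post describes.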
You have started a session with an alternative expert. There is no point in me telling you to carry out alternative things as it will all become too confusing with two different approaches. I will wait until you have completed the actions already suggested and then come back to this question if I am still needed.

Keith - ISA MVP
Thanks for your assistance.

What criteria do I enter in the session filter to monitor what we need?

Also took a screen of the ports and services in use.

Thanks
(attachment: ports.jpg)
Hi,

Looking at this, it seems like 2 processes are listening on port 443.

On the IP 192.168.170.2, process ID 4 is listening, which seems to be IIS.

On the IP 192.168.1.2, process ID 6248 is listening, which is the Microsoft Firewall Service.

Can you confirm which is the external IP address?

While setting up the Monitoring, filter by client IP and select the client IP from which you are trying.

Thanks
Kumar
The ISA external address is on 192.168.1.2.

So I filter by the external IP of the device I'm testing it with?
Yes, that's correct.
OK, I did that under Sessions.

Nothing came up, just blankness :S

What do I do about IIS and Exchange listening on the ports?

Thanks
Don't change anything for the Exchange ports; they are in correct order.

The interesting part is that there is nothing in the Monitoring. Can you run the ISA BPA in repro mode and send me the CAB file if possible?

If yes, I will send you the details about how to run it.

Thanks
Kumar
Yeah, I can if you tell me how to do it :)

Cheers
ASKER CERTIFIED SOLUTION by Kumar_Jayant123 (answer text not included on this page)
Here it is zipped, if EE will allow the CAB to be uploaded in a zip. It didn't, so here's the file.

What sort of information is in this file that you're looking at?

And how do you open it to view?

Just interested, that's all :)

Here's the file on my webhost:

domain.co.uk/IsaPackage.cab.zip
SOLUTION (answer text not included on this page)
Which cert do you want me to change it to?

You've said to change it to what it is?

Also, 192.168.170.2 is the ISA internal address; is that what we want to happen?

Thanks
I don't want you to change any cert. I just asked for the name of the cert which is on the IIS Default Web Site.

Open the ISA Server console and go to the "To" tab of the rule.

Check the attached pic for details.

Kumar

(attachment: isa.jpg)
The certificate you have installed on the Exchange Server (CAS or front-end) should have a common name (subject name) that is your mail public name,

like mail.yourdomain.com, and if the certificate has other SAN names, you have to install ISA 2006 SP1 to support that.

Once you have installed this on Exchange, export it and import it into the ISA local certificate "Personal" folder and assign it to the listener; it will work fine.

Also, did you create the A record of your mail public domain in a public DNS? Make sure it is resolvable from outside.

You only need to refer to the internal server IP in the publishing rule if the internal site name is different from the external one; that means if you create an A record on internal DNS, there is no need for that if it is the same as the public one.
 
At least go through the comments before putting in your idea.

Thanks
Kumar
Following your instructions and your screenshot:

My ISA "To" properties don't look like that for the mail publishing rule; see below for my screen.
Also, I updated my ISA to Service Pack 3 and nothing has changed; it still says Service Pack 2 under Help > About in the MMC console.

Also, I have included a screen of the IIS cert under the default site.

I went to IIS Manager > server01 > Default Site > right-clicked > Properties > Security > View Cert.
See screen for that too.

They are wrong then, yes?
(attachments: IISCert.jpg, ISA.jpg)
SOLUTION (answer text not included on this page)
I followed the steps for the 2nd method exactly and it still doesn't work :S

This is using the same URL mail.mydomain.org/exchange.

Could I create a new certificate somehow, if this one's wrong?

Thanks
SOLUTION (answer text not included on this page)
Did that using the mail.mydomain.org cert.

Still not working :S

But it looks like it's the cert though?
SOLUTION (answer text not included on this page)
You're right, it is working :)
Must have just taken a few seconds to get working for me :)

Thanks a lot for your help :)

Now to get ActiveSync working!!!

I thought getting this working would get them both working, but I just tried setting it up on my iPhone, no luck.

Do you have such skills to help me find out the problem there too?

Once again, thanks for all your help.
Obviously I'll open a new question.
Good to know that it is working.

To get ActiveSync working you need to do just one thing on the ISA.

Open the rule again and in the Paths tab make sure that you have

"/Microsoft-Server-ActiveSync/*" added, and that should take care of that.

Kumar
I am talking about the OWA rule in the ISA Server that we edited.

Kumar
That's already there, doesn't work. Shall I open a new question so we can debug?
It will be great if you can.

Kumar