Solved

Publishing Barracuda Message Archiver using ISA Server 2006

Posted on 2011-02-15
Last Modified: 2012-06-21
I have a load balanced pair of ISA 2006 ENT servers in a unihomed configuration. The ISA servers are in the DMZ and my Barracuda Message archiver is in the LAN. I have several web sites published using SSL as well as Exchange services working fine.

However, I cannot get the Barracuda Message Archiver working properly when publishing it. I DO have the web interface for this appliance working flawlessly, people can log in and do whatever they need to. The problem is with the Outlook plugin. I can authenticate the plugin on each Outlook client but as soon as I choose to use its features (like search the archive for email) it crashes.

The moment this crash happens the ISA server logs the following generic error:

Failed Connection Attempt
Log type: Web Proxy (Reverse)
Status: 64 The specified network name is no longer available.
Rule: Mail Archiver
Source: Internal (64.77.91.6)
Destination: (mailarchive.mydomain.com 192.168.100.51:443)
Request: POST http://mailarchive.mydomain.com/soap

Filter information: Req ID: 0cd9a837; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https
User: anonymous
 Additional information
1.      Client agent: BmaClient (2.2.0.000)
2.      Object source: Internet (Source is the Internet. Object was added to the cache.)
3.      Cache info: 0x0
4.      Processing time: 47 ms
5.      MIME type:

The Barracuda plugin is clearly using SOAP but I am not sure if that is a problem or not since the protocol is just https.

I have bypassed the ISA Server and the problem disappears. Hopefully someone on here has dealt with this and can point me in the right direction.
Question by:jshaw08
12 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 34906892
IF the Archiver is on the LAN and the Users are on the LAN then they aren't supposed to be involving the ISA to begin with.
 

Author Comment

by:jshaw08
ID: 34907392
The users are on the Internet using Outlook Anywhere.
 
LVL 29

Expert Comment

by:pwindell
ID: 34908823
Ok, you got me there.  I wouldn't think SOAP would hurt with HTTPS since it would be "inside" the encrypted HTTPS packet, but I could be wrong.  I have seen SOAP cause problems over HTTP in one case because the developers didn't do everything in a "compliant way" with the SOAP part of it.

Sorry, I would not know where to go with this,...I don't even use Outlook Anywhere for that matter.
 
LVL 29

Expert Comment

by:pwindell
ID: 34908881
Wait a minute,..you said Unihomed ISA!!  Heck you should not even be using ISA for any of this at all.  You should be doing 100% of this with whatever the firewall is you are running.  A Single NIC ISA is only for using as a Web Caching Server,...yes "Web Publishing" is possible,...but in my opinion a waste of time and nothing but needless excessive complexity.  Forget using ISA for any kind of Publishing across the board and do all of that between the Firewall and your Exchange & Barracuda,....so the whole entire thing becomes a project between Exchange, Barracuda, and the Firewall,...leave ISA out of it.
 

Author Comment

by:jshaw08
ID: 34909003
I'm aware of the ramifications of running ISA Unihomed and that the ISA community despises it. However, it's configured that way for certain reasons that are not important to this problem. I believe my issue may be related to an SSL problem on the Mail Archiver. The following article describes my problem almost identically:

http://robertpallen.blogspot.com/2010/12/blog-post-unable-to-access-published.html

I am in the process of verifying this and will report back in case someone sees this and has the same problem I do.
 

Accepted Solution

by:
jshaw08 earned 0 total points
ID: 34916757
It appears as though the Barracuda Message Archiver cannot be reverse proxied. Here is a snippet from their tech support:

"I have spoken with our engineering department and their recommendation is to have passthrough traffic in and out of the Barracuda. There are SOAP requests made that may not transfer correctly with proxied traffic. Unfortunately the best scenario with the Archiver would be to have exemption rules inbound and outbound for the Archiver to be able to work externally."

Author Comment

by:jshaw08
ID: 34916778
Accept
 

Author Closing Comment

by:jshaw08
ID: 34949682
I resolved this issue myself.
 
LVL 2

Expert Comment

by:iammrherb
ID: 35166195
I am curious on what you did to remedy this or did you just exempt the request?
 

Author Comment

by:jshaw08
ID: 35166299
I don't understand your question, what do you mean exempt the request?

We had to make some network changes to accommodate our message archiver. The appliance cannot be reverse proxied according to their tech support. I did some further packet captures and found the root cause of the issue to be with digest authentication problems and ISA Server.
 

Expert Comment

by:sctray
ID: 35447449
Can we get a little more detail of exactly how you resolved this?  

We have the exact same problem on our TMG/ISA.  We have an access rule set up to the Cuda and the website for archiving is accessible remotely but the Outlook plug-in continues to crash.

Thanks in advance...
 

Author Comment

by:jshaw08
ID: 35449711
Hi sctray, we ended up sticking it in our DMZ and publishing LDAPS to the Barracuda. Not an elegant solution but it works. We were also toying with the idea of a RODC in the DMZ but felt strictly publishing LDAPS to the Barracuda only would be the most secure option. If you ever figure out how to reverse proxy the thing I'd love to hear how. Support is clueless.