Solved

Publishing Barracuda Message Archiver using ISA Server 2006

Posted on 2011-02-15
12
1,164 Views
Last Modified: 2012-06-21
I have a load balanced pair of ISA 2006 ENT servers in a unihomed configuration. The ISA servers are in the DMZ and my Barracuda Message archiver is in the LAN. I have several web sites published using SSL as well as Exchange services working fine.

However, I cannot get the Barracuda Message Archiver working properly when publishing it. I DO have the web interface for this appliance working flawlessly, people can login and do whatever they need to. The problem is with the Outlook plugin. I can authenticate the plugin on each outlook client but as soon as I choose to use it's features (like search the archive for email) it crashes.

The moment this crash happens the ISA server logs the following generic error:

Failed Connection Attempt
Log type: Web Proxy (Reverse)
Status: 64 The specified network name is no longer available.
Rule: Mail Archiver
Source: Internal (64.77.91.6)
Destination: (mailarchive.mydomain.com 192.168.100.51:443)
Request: POST http://mailarchive.mydomain.com/soap

Filter information: Req ID: 0cd9a837; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https
User: anonymous
 Additional information
1.      Client agent: BmaClient (2.2.0.000)
2.      Object source: Internet (Source is the Internet. Object was added to the cache.)
3.      Cache info: 0x0
4.      Processing time: 47 ms
5.      MIME type:

The Barracuda plugin is clearly using SOAP but I am not sure if that is a problem or not since the protocol is just https.

I have bypassed the ISA Server and the problem dissapears. Hopefully someone on here has dealt with this and can point me in the right direction.
0
Comment
Question by:jshaw08
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
12 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 34906892
IF the Archiver is on the LAN and the Users are on the LAN then they aren't supposed to be involving the ISA to begin with.
0
 

Author Comment

by:jshaw08
ID: 34907392
The users are on the Internet using Outlook Anywhere.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34908823
Ok, you got me there.  I wouldn't think SOAP would hurt with HTTPS since it would be "inside" the encrypted HTTPS packet, but I could be wrong.  I have seen SOAP cause problem over HTTP in one case because the developers didn't do everything in a "compliant way" with the SOAP part of it.

Sorry, I would not know where to go with this,...i don't even use Outlook Anywhere for that matter.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 29

Expert Comment

by:pwindell
ID: 34908881
Wait a mnute,..you said Unihomed ISA!!  Heck you should not even be using ISA for any of this at all.  You should be doing 100% of this with whatever the firewall is you are running.  A Single nic ISA is only for using as a Web Caching Server,...yes "Web Publishing" is possble,...but in my opinion a wast of time and nothing but needless excessive complexity.  Forget using ISA for any kind of Publishing across the broad and do all of that between the Firewall and your Exchange & Barracuda,....so the whole entire thing becomes a project between Exchange, Barracuda, and the Firewall,...leave ISA out of it.
0
 

Author Comment

by:jshaw08
ID: 34909003
I'm aware of the ramifications of running ISA Unihomed and that the ISA community despises it. However, it's configured that way for certain reason thats are not important to this problem. I believe my issue may be related to a SSL problem on the Mail Archiver. The following article describes my problem almost identically:

http://robertpallen.blogspot.com/2010/12/blog-post-unable-to-access-published.html

I am in the process of verifying this and will report back in case someone sees this and has the same problem I do,
0
 

Accepted Solution

by:
jshaw08 earned 0 total points
ID: 34916757
It appears as though the Barracuda Message Archive can not be reverse proxied. Here is a snippet from their tech support:

"I have spoken with our engineering department and their recommendation is to have passthrough traffic in and out of the Barracuda. There are SOAP requests made that may not transfer correctly with proxied traffic. Unfortunately the best scenario with the Archiver would be to have exemption rules inbound and outbound for the Archiver to be able to work externally. "
0
 

Author Comment

by:jshaw08
ID: 34916778
Accept
0
 

Author Closing Comment

by:jshaw08
ID: 34949682
I resolved this issue myself.
0
 
LVL 2

Expert Comment

by:iammrherb
ID: 35166195
I am curious on what you did to remedy this or did you just exempt the request
0
 

Author Comment

by:jshaw08
ID: 35166299
I don't understand your question, what do you mean exempt the request?

We had to make some network changes to accomodate our message archiver. The appliance can not be reverse proxied according to their tech support. I did some further packet captures and found the root cause of the issue to be with digest authentication problems and ISA Server.
0
 

Expert Comment

by:sctray
ID: 35447449
Can we get a little more detail of exactly how you resolved this?  

We have the exact same problem on our TMG/ISA.  We have a access rule setup to the Cuda and the website for archiving is accessible remotely but the outlook plug-in continues to crash.

Thanks in advance...
0
 

Author Comment

by:jshaw08
ID: 35449711
Hi sctray, We ended up sticking it in our DMZ and publishing LDAPS to the Barracuda. Not an elegant solution but it works. We were also toying with the idea of a RODC in the DMZ but felt strictly publishing LDAPS to the barracuda only would be the most secure option. If you ever figure out how to reverse proxy the thing I'd love to hear how. Support is clueless.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Managing ForeFront Endpoint with SCCM2012 4 1,207
use IIS Arr as proxy 3 243
MS Forefront UAG Support for Windows 10 1 749
Upgrade TMG 2010 to Latest roll up 5 2 236
ISA Server detected routes through the network adapter LAN that do not correlate with the network to which this network adapter belongs What does this mean and how can one go about correcting it? In simple terms, this error message indicates t…
In all versions of ISA Server and the current version of FTMG, the default https protocol uses TCP port 443 and 563 only. This cannot be changed within the ISA or FTMG GUI and must be completed from a Windows cmd prompt on the ISA Server itself. …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question