
Publishing Barracuda Message Archiver using ISA Server 2006

Posted on 2011-02-15
Last Modified: 2012-06-21
I have a load balanced pair of ISA 2006 ENT servers in a unihomed configuration. The ISA servers are in the DMZ and my Barracuda Message archiver is in the LAN. I have several web sites published using SSL as well as Exchange services working fine.

However, I cannot get the Barracuda Message Archiver working properly when publishing it. I DO have the web interface for this appliance working flawlessly; people can log in and do whatever they need to. The problem is with the Outlook plugin. I can authenticate the plugin on each Outlook client, but as soon as I choose to use its features (like searching the archive for email) it crashes.

The moment this crash happens the ISA server logs the following generic error:

Failed Connection Attempt
Log type: Web Proxy (Reverse)
Status: 64 The specified network name is no longer available.
Rule: Mail Archiver
Source: Internal (64.77.91.6)
Destination: (mailarchive.mydomain.com 192.168.100.51:443)
Request: POST http://mailarchive.mydomain.com/soap

Filter information: Req ID: 0cd9a837; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https
User: anonymous
 Additional information
1.      Client agent: BmaClient (2.2.0.000)
2.      Object source: Internet (Source is the Internet. Object was added to the cache.)
3.      Cache info: 0x0
4.      Processing time: 47 ms
5.      MIME type:

The Barracuda plugin is clearly using SOAP but I am not sure if that is a problem or not since the protocol is just https.

I have bypassed the ISA Server and the problem disappears. Hopefully someone on here has dealt with this and can point me in the right direction.
Question by:jshaw08
12 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 34906892
If the Archiver is on the LAN and the users are on the LAN then they aren't supposed to be involving the ISA to begin with.
 

Author Comment

by:jshaw08
ID: 34907392
The users are on the Internet using Outlook Anywhere.
 
LVL 29

Expert Comment

by:pwindell
ID: 34908823
Ok, you got me there. I wouldn't think SOAP would hurt with HTTPS since it would be "inside" the encrypted HTTPS packet, but I could be wrong. I have seen SOAP cause problems over HTTP in one case because the developers didn't do everything in a "compliant way" with the SOAP part of it.

Sorry, I would not know where to go with this... I don't even use Outlook Anywhere for that matter.
 
LVL 29

Expert Comment

by:pwindell
ID: 34908881
Wait a minute... you said unihomed ISA!! Heck, you should not even be using ISA for any of this at all. You should be doing 100% of this with whatever the firewall is you are running. A single-NIC ISA is only for using as a Web Caching Server... yes, "Web Publishing" is possible... but in my opinion a waste of time and nothing but needless excessive complexity. Forget using ISA for any kind of publishing across the board and do all of that between the firewall and your Exchange & Barracuda... so the whole entire thing becomes a project between Exchange, Barracuda, and the firewall... leave ISA out of it.
 

Author Comment

by:jshaw08
ID: 34909003
I'm aware of the ramifications of running ISA unihomed and that the ISA community despises it. However, it's configured that way for certain reasons that are not important to this problem. I believe my issue may be related to an SSL problem on the Mail Archiver. The following article describes my problem almost identically:

http://robertpallen.blogspot.com/2010/12/blog-post-unable-to-access-published.html

I am in the process of verifying this and will report back in case someone sees this and has the same problem I do.
 

Accepted Solution

by:jshaw08
ID: 34916757
It appears as though the Barracuda Message Archiver cannot be reverse proxied. Here is a snippet from their tech support:

"I have spoken with our engineering department and their recommendation is to have passthrough traffic in and out of the Barracuda. There are SOAP requests made that may not transfer correctly with proxied traffic. Unfortunately the best scenario with the Archiver would be to have exemption rules inbound and outbound for the Archiver to be able to work externally."
 

Author Comment

by:jshaw08
ID: 34916778
Accept
 

Author Closing Comment

by:jshaw08
ID: 34949682
I resolved this issue myself.
 
LVL 2

Expert Comment

by:iammrherb
ID: 35166195
I am curious what you did to remedy this, or did you just exempt the request?
 

Author Comment

by:jshaw08
ID: 35166299
I don't understand your question. What do you mean by exempt the request?

We had to make some network changes to accommodate our message archiver. The appliance cannot be reverse proxied according to their tech support. I did some further packet captures and found the root cause of the issue to be with digest authentication problems and ISA Server.
 

Expert Comment

by:sctray
ID: 35447449
Can we get a little more detail of exactly how you resolved this?

We have the exact same problem on our TMG/ISA. We have an access rule set up to the Cuda and the website for archiving is accessible remotely, but the Outlook plug-in continues to crash.

Thanks in advance...
 

Author Comment

by:jshaw08
ID: 35449711
Hi sctray, we ended up sticking it in our DMZ and publishing LDAPS to the Barracuda. Not an elegant solution but it works. We were also toying with the idea of a RODC in the DMZ but felt strictly publishing LDAPS to the Barracuda only would be the most secure option. If you ever figure out how to reverse proxy the thing I'd love to hear how. Support is clueless.