Solved

Publishing Barracuda Message Archiver using ISA Server 2006

Posted on 2011-02-15
12
1,159 Views
Last Modified: 2012-06-21
I have a load balanced pair of ISA 2006 ENT servers in a unihomed configuration. The ISA servers are in the DMZ and my Barracuda Message archiver is in the LAN. I have several web sites published using SSL as well as Exchange services working fine.

However, I cannot get the Barracuda Message Archiver working properly when publishing it. I DO have the web interface for this appliance working flawlessly, people can login and do whatever they need to. The problem is with the Outlook plugin. I can authenticate the plugin on each outlook client but as soon as I choose to use it's features (like search the archive for email) it crashes.

The moment this crash happens the ISA server logs the following generic error:

Failed Connection Attempt
Log type: Web Proxy (Reverse)
Status: 64 The specified network name is no longer available.
Rule: Mail Archiver
Source: Internal (64.77.91.6)
Destination: (mailarchive.mydomain.com 192.168.100.51:443)
Request: POST http://mailarchive.mydomain.com/soap

Filter information: Req ID: 0cd9a837; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https
User: anonymous
 Additional information
1.      Client agent: BmaClient (2.2.0.000)
2.      Object source: Internet (Source is the Internet. Object was added to the cache.)
3.      Cache info: 0x0
4.      Processing time: 47 ms
5.      MIME type:

The Barracuda plugin is clearly using SOAP but I am not sure if that is a problem or not since the protocol is just https.

I have bypassed the ISA Server and the problem dissapears. Hopefully someone on here has dealt with this and can point me in the right direction.
0
Comment
Question by:jshaw08
12 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 34906892
IF the Archiver is on the LAN and the Users are on the LAN then they aren't supposed to be involving the ISA to begin with.
0
 

Author Comment

by:jshaw08
ID: 34907392
The users are on the Internet using Outlook Anywhere.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34908823
Ok, you got me there.  I wouldn't think SOAP would hurt with HTTPS since it would be "inside" the encrypted HTTPS packet, but I could be wrong.  I have seen SOAP cause problem over HTTP in one case because the developers didn't do everything in a "compliant way" with the SOAP part of it.

Sorry, I would not know where to go with this,...i don't even use Outlook Anywhere for that matter.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 29

Expert Comment

by:pwindell
ID: 34908881
Wait a mnute,..you said Unihomed ISA!!  Heck you should not even be using ISA for any of this at all.  You should be doing 100% of this with whatever the firewall is you are running.  A Single nic ISA is only for using as a Web Caching Server,...yes "Web Publishing" is possble,...but in my opinion a wast of time and nothing but needless excessive complexity.  Forget using ISA for any kind of Publishing across the broad and do all of that between the Firewall and your Exchange & Barracuda,....so the whole entire thing becomes a project between Exchange, Barracuda, and the Firewall,...leave ISA out of it.
0
 

Author Comment

by:jshaw08
ID: 34909003
I'm aware of the ramifications of running ISA Unihomed and that the ISA community despises it. However, it's configured that way for certain reason thats are not important to this problem. I believe my issue may be related to a SSL problem on the Mail Archiver. The following article describes my problem almost identically:

http://robertpallen.blogspot.com/2010/12/blog-post-unable-to-access-published.html

I am in the process of verifying this and will report back in case someone sees this and has the same problem I do,
0
 

Accepted Solution

by:
jshaw08 earned 0 total points
ID: 34916757
It appears as though the Barracuda Message Archive can not be reverse proxied. Here is a snippet from their tech support:

"I have spoken with our engineering department and their recommendation is to have passthrough traffic in and out of the Barracuda. There are SOAP requests made that may not transfer correctly with proxied traffic. Unfortunately the best scenario with the Archiver would be to have exemption rules inbound and outbound for the Archiver to be able to work externally. "
0
 

Author Comment

by:jshaw08
ID: 34916778
Accept
0
 

Author Closing Comment

by:jshaw08
ID: 34949682
I resolved this issue myself.
0
 
LVL 2

Expert Comment

by:iammrherb
ID: 35166195
I am curious on what you did to remedy this or did you just exempt the request
0
 

Author Comment

by:jshaw08
ID: 35166299
I don't understand your question, what do you mean exempt the request?

We had to make some network changes to accomodate our message archiver. The appliance can not be reverse proxied according to their tech support. I did some further packet captures and found the root cause of the issue to be with digest authentication problems and ISA Server.
0
 

Expert Comment

by:sctray
ID: 35447449
Can we get a little more detail of exactly how you resolved this?  

We have the exact same problem on our TMG/ISA.  We have a access rule setup to the Cuda and the website for archiving is accessible remotely but the outlook plug-in continues to crash.

Thanks in advance...
0
 

Author Comment

by:jshaw08
ID: 35449711
Hi sctray, We ended up sticking it in our DMZ and publishing LDAPS to the Barracuda. Not an elegant solution but it works. We were also toying with the idea of a RODC in the DMZ but felt strictly publishing LDAPS to the barracuda only would be the most secure option. If you ever figure out how to reverse proxy the thing I'd love to hear how. Support is clueless.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
TMG Proxy issues 1 558
TMG 2010 - How to block connection from "Mac Mail" to Exchange Server 5 566
TMG Server Web listener not accepting OWA Cert 20 76
TMG 2010 Deployment 3 103
In all versions of ISA Server and the current version of FTMG, the default https protocol uses TCP port 443 and 563 only. This cannot be changed within the ISA or FTMG GUI and must be completed from a Windows cmd prompt on the ISA Server itself. …
So the following errors occurs in 2 ways that I am aware of at this stage, and you receive one of the following error messages: ERROR 1. When trying to save a rule: No Web listener is specified for the Web publishing rule Autodiscovery Publishin…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question