Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Publishing Barracuda Message Archiver using ISA Server 2006

Posted on 2011-02-15
12
1,152 Views
Last Modified: 2012-06-21
I have a load balanced pair of ISA 2006 ENT servers in a unihomed configuration. The ISA servers are in the DMZ and my Barracuda Message archiver is in the LAN. I have several web sites published using SSL as well as Exchange services working fine.

However, I cannot get the Barracuda Message Archiver working properly when publishing it. I DO have the web interface for this appliance working flawlessly, people can login and do whatever they need to. The problem is with the Outlook plugin. I can authenticate the plugin on each outlook client but as soon as I choose to use it's features (like search the archive for email) it crashes.

The moment this crash happens the ISA server logs the following generic error:

Failed Connection Attempt
Log type: Web Proxy (Reverse)
Status: 64 The specified network name is no longer available.
Rule: Mail Archiver
Source: Internal (64.77.91.6)
Destination: (mailarchive.mydomain.com 192.168.100.51:443)
Request: POST http://mailarchive.mydomain.com/soap

Filter information: Req ID: 0cd9a837; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https
User: anonymous
 Additional information
1.      Client agent: BmaClient (2.2.0.000)
2.      Object source: Internet (Source is the Internet. Object was added to the cache.)
3.      Cache info: 0x0
4.      Processing time: 47 ms
5.      MIME type:

The Barracuda plugin is clearly using SOAP but I am not sure if that is a problem or not since the protocol is just https.

I have bypassed the ISA Server and the problem dissapears. Hopefully someone on here has dealt with this and can point me in the right direction.
0
Comment
Question by:jshaw08
12 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 34906892
IF the Archiver is on the LAN and the Users are on the LAN then they aren't supposed to be involving the ISA to begin with.
0
 

Author Comment

by:jshaw08
ID: 34907392
The users are on the Internet using Outlook Anywhere.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34908823
Ok, you got me there.  I wouldn't think SOAP would hurt with HTTPS since it would be "inside" the encrypted HTTPS packet, but I could be wrong.  I have seen SOAP cause problem over HTTP in one case because the developers didn't do everything in a "compliant way" with the SOAP part of it.

Sorry, I would not know where to go with this,...i don't even use Outlook Anywhere for that matter.
0
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
LVL 29

Expert Comment

by:pwindell
ID: 34908881
Wait a mnute,..you said Unihomed ISA!!  Heck you should not even be using ISA for any of this at all.  You should be doing 100% of this with whatever the firewall is you are running.  A Single nic ISA is only for using as a Web Caching Server,...yes "Web Publishing" is possble,...but in my opinion a wast of time and nothing but needless excessive complexity.  Forget using ISA for any kind of Publishing across the broad and do all of that between the Firewall and your Exchange & Barracuda,....so the whole entire thing becomes a project between Exchange, Barracuda, and the Firewall,...leave ISA out of it.
0
 

Author Comment

by:jshaw08
ID: 34909003
I'm aware of the ramifications of running ISA Unihomed and that the ISA community despises it. However, it's configured that way for certain reason thats are not important to this problem. I believe my issue may be related to a SSL problem on the Mail Archiver. The following article describes my problem almost identically:

http://robertpallen.blogspot.com/2010/12/blog-post-unable-to-access-published.html

I am in the process of verifying this and will report back in case someone sees this and has the same problem I do,
0
 

Accepted Solution

by:
jshaw08 earned 0 total points
ID: 34916757
It appears as though the Barracuda Message Archive can not be reverse proxied. Here is a snippet from their tech support:

"I have spoken with our engineering department and their recommendation is to have passthrough traffic in and out of the Barracuda. There are SOAP requests made that may not transfer correctly with proxied traffic. Unfortunately the best scenario with the Archiver would be to have exemption rules inbound and outbound for the Archiver to be able to work externally. "
0
 

Author Comment

by:jshaw08
ID: 34916778
Accept
0
 

Author Closing Comment

by:jshaw08
ID: 34949682
I resolved this issue myself.
0
 
LVL 2

Expert Comment

by:iammrherb
ID: 35166195
I am curious on what you did to remedy this or did you just exempt the request
0
 

Author Comment

by:jshaw08
ID: 35166299
I don't understand your question, what do you mean exempt the request?

We had to make some network changes to accomodate our message archiver. The appliance can not be reverse proxied according to their tech support. I did some further packet captures and found the root cause of the issue to be with digest authentication problems and ISA Server.
0
 

Expert Comment

by:sctray
ID: 35447449
Can we get a little more detail of exactly how you resolved this?  

We have the exact same problem on our TMG/ISA.  We have a access rule setup to the Cuda and the website for archiving is accessible remotely but the outlook plug-in continues to crash.

Thanks in advance...
0
 

Author Comment

by:jshaw08
ID: 35449711
Hi sctray, We ended up sticking it in our DMZ and publishing LDAPS to the Barracuda. Not an elegant solution but it works. We were also toying with the idea of a RODC in the DMZ but felt strictly publishing LDAPS to the barracuda only would be the most secure option. If you ever figure out how to reverse proxy the thing I'd love to hear how. Support is clueless.
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have been asked to explain on many, many occasions the correct way to setup network cards and DNS settings on ISA Server 2004, 2006 and forefront Threat management gateway (FTMG) and have willing done so. I have also promised my self everytime tha…
There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question