sjordaan

asked on

ISA 2004: 12006 Chain Loop

My ISA Logs show a chain proxy loop, and I get a 12206 error when trying to access my OWA through ISA 2004, which publishes my Exchange 2003 Server. I have checked the Binding order on my NICs. I'm not running any third party proxy software on my server. It is a SBS 2003 Premium Server. Please can you assist?
sjordaan

ASKER

I'm desperate to get this resolved, as I have read numerous forums on this problem, but nothing seems to fix the problem.
Thanks
Suliman Abu Kharroub
OWA publishing rule properties --> test rule? Is it ok?
I'm desperate to get this resolved, as I have read numerous forums on this problem. But nothing seems to fix the problem

You also posted three different threads under three different titles and they are all basically the same thing,...so no one knows which one to answer.

Determine which one you want to keep and then request the moderator delete the others.

Generally the Chain Loop Error,...means you have,...a Chain Loop.

You have not given enough information about the configuration and your situation for anyone to have anything to base a response on.
My ISA BPA has stopped complaining about a chain loop now, but I get a new error. I bought an SSL certificate from Godaddy, which is in my trusted authorities.

I get the following error

ISA Server failed to establish an SSL connection with "server.mydomain.com". The certificate chain was issued by an authority that is not trusted.

 The failure is due to error: The certificate chain was issued by an authority that is not trusted.
You had to have done the Root Certificate installation improperly.  

You should have a:
Root Certificate
Intermediate Certificate
then the actual web SSL Certificate for the ssl "site".
I have installed the certificate as per Godaddy instructions for IIS 6.0. Is there anything else I should do?

To Install the Intermediate Certificate Bundle
1. Click the Start menu and click Run.... Type mmc in the Run window and click OK to start the Microsoft Management Console (MMC).
2. In the Management Console, select File then Add/Remove Snap In.
3. In the Add or Remove Snap-ins dialog, click the Add button and then select Certificates.
4. Choose Computer Account then click Next.
5. Choose Local Computer, then click Finish.
6. Close the Add or Remove Snap-ins dialog and click OK to return to the main MMC window.
7. If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.
8. Right-click on Intermediate Certification Authorities and choose All Tasks, then click Import.
9. Follow the wizard prompts to complete the installation procedure.
10. Click Browse to locate the certificate file. Change the file extension filter in the bottom right corner to be able to select the file. Click Open after selecting the appropriate file.
11. Click Next in the Certificate Import Wizard.
12. Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next. Click Finish.
NOTE: If the Go Daddy Class 2 Certification Authority root certificate is currently installed on your machine you will need to disable it from the Trusted Root Certification Authorities folder.

13. Expand the Trusted Root Certification Authorities folder.
14. Double-click the Certificates folder to show a list of all certificates.
15. Find the Go Daddy Class 2 Certification Authority certificate.
16. Right-click on the certificate and select Properties.
17. Select the radio button next to Disable all purposes for this certificate.
18. Click OK.
19. Repeat steps 13 to 18, using Starfield Class 2 Certificate Authority as the certificate name to disable.
Those steps look correct to me.  I don't know what to tell you.
Does Godaddy have any support where you can call and get a real human?  Maybe Danica Patrick?  (g).   But anyway they would be the best ones to help troubleshoot that,..it's their job,...they do it everyday.
I have cleared the Alert from ISA 2004. BPA is clear now of this error.
Getting back to the 12206 Error I get. When trying to access my OWA, I get the 12206 Error, but if I keep refreshing the browser it lets me in.
Well there is more going on here than what you described,...but I'm not sure what to even ask for.  Are there any 3rd party Add-ins for ISA installed?  Are there any other web filtering products involved (even if on a different machine)?  There has to be more to this than what you have mentioned.

One example of this would be where the ISA processes traffic and then forwards to a 3rd party filtering product,...which may then pass it to the ISA after it processes it,...causing it to go around in circles (a chain loop).  It doesn't really matter if the 3rd party product is on the same box with the ISA or a different box,...doesn't matter.
We aren't running any other Third Party Software for Webfiltering. The ISA box is connected directly to my ISP's router. The only other thing that is on the network is an IPCOP Linux Appliance. We use this as a proxy server for internal LAN. As it has better Usage Reports for individual users as opposed to ISA. The Linux Box is connected directly to the ISP's Router. Our ISA server does not have any involvement with this IPCOP Appliance. Do you think it could be causing the Loop?
The only other thing that is on the network is an IPCOP Linux Appliance. We use this as a proxy server for internal LAN.

Well,...then,...there you go,...a 3rd party proxying tool,...and the perfect way to create a chain loop.  BTW - ISA also reports the User Accounts,..and the Client Hosts Names,...when configured properly.

Get rid of one or the other.  If you get rid of ISA then you have to re-configure the SBS to be a single-Nic Server.  You will have to re-run the Internet Connection Wizard "thing" on SBS afterwards. Your Apache Proxy will be the LAN's Proxy Server and the Linux Box with the IPTables (or whatever it is using) will become the LAN Firewall.  The Linux box will then be dual-homed and sit on the Network edge.

If you get rid of the Linux box then the SBS will just remain as it is.
I have subsequently disabled the IPCOP, but I get more errors.
I'm getting the following error:

ISA failed to establish an SSL Connection with "server.mydomain.com". No Connection could be made because the target machine actively refused it
Hi Pwindell, Thank you for the advice. Think I'm going to try to convince the local IT Guy to remove the IPCOP Appliance.

Please excuse my ignorance, BTW is this a third party app? As the standard ISA Reporting is poor.

Thanks
ASKER CERTIFIED SOLUTION
pwindell
Yes,...the ISA reporting sucks.

But there are third party tools designed specifically to work with ISA that might be good.  Look for things like that on http://www.isaserver.org
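
A check for the "certificate chain was issued by an authority that is not trusted" alert discussed earlier in this thread, added here as an example and not code from any poster or from GoDaddy: it builds the chain for the published site's certificate using the machine's own certificate stores and lists each element (web certificate, intermediate, root) with its status. It assumes the certificate is installed in the Local Computer Personal store of the machine you run it on and that its subject contains the host name from the alert; `server.mydomain.com` is the placeholder name used in the thread.

```powershell
# Added example. Run on the ISA machine from an administrative PowerShell prompt.
# Assumption: $HostName matches the CN of the installed web certificate.
param(
    [string]$HostName = 'server.mydomain.com'
)

# Locate the web server certificate in Local Computer\Personal.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$cert = $store.Certificates |
    Where-Object { $_.Subject -like "*CN=$HostName*" } |
    Select-Object -First 1
$store.Close()
if (-not $cert) { throw "No certificate with CN=$HostName found in LocalMachine\My" }

# Build the chain in machine context ($true), so only the Local Computer
# stores are consulted, not the logged-on user's stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
# Skip revocation checks so the result reflects trust/chain problems only.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($cert)

# Element 0 is the web certificate; the last element is the top of the chain.
$index = 0
foreach ($element in $chain.ChainElements) {
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'OK' }
    '[{0}] Subject : {1}' -f $index, $element.Certificate.Subject
    '    Issuer  : {0}' -f $element.Certificate.Issuer
    '    Expires : {0}' -f $element.Certificate.NotAfter
    '    Status  : {0}' -f $status
    $index++
}

# Overall verdict and the chain-level reasons reported by Windows.
'Chain trusted: {0}' -f $trusted
foreach ($s in $chain.ChainStatus) {
    'Chain status : {0} - {1}' -f $s.Status, $s.StatusInformation.Trim()
}
```

A `PartialChain` status means an issuer certificate (typically the intermediate) could not be found in the machine stores; `UntrustedRoot` means the chain was built but ends at a root that is not in Trusted Root Certification Authorities for the computer account.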