Solved

ISA 2004: 12006 Chain Loop

Posted on 2011-03-17
Last Modified: 2012-05-11
My ISA logs show a chain proxy loop, and I get a 12206 error when trying to access my OWA through ISA 2004, which publishes my Exchange 2003 Server. I have checked the binding order on my NICs. I'm not running any third-party proxy software on my server. It is an SBS 2003 Premium Server. Please can you assist?
Question by:sjordaan
17 Comments
 

Author Comment

by:sjordaan
ID: 35154319
I'm desperate to get this resolved, as I have read numerous forums on this problem. But nothing seems to fix the problem.
Thanks
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 35154605
OWA publishing rule properties --> test rule? Is it OK?
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35167013
I'm desperate to get this resolved, as I have read numerous forums on this problem. But nothing seems to fix the problem

You also posted three different threads under three different titles and they are all basically the same thing,...so no one knows which one to answer.

Determine which one you want to keep and then request the moderator delete the others.

0
 
LVL 29

Expert Comment

by:pwindell
ID: 35167027
Generally the Chain Loop Error,...means you have,...a Chain Loop.

You have not given enough information about the configuration and your situation for anyone to have anything to base a response on.
0
 

Author Comment

by:sjordaan
ID: 35167162
My ISA BPA has stopped complaining about a chain loop now, but I get a new error. I bought an SSL certificate from Godaddy, which is in my trusted authorities.

I get the following error

ISA Server failed to establish an SSL connection with "server.mydomain.com". The certificate chain was issued by an authority that is not trusted.

 The failure is due to error: The certificate chain was issued by an authority that is not trusted.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35167870
You had to have done the Root Certificate installation improperly.  

You should have a:
Root Certificate
Intermediate Certificate
then the actual web SSL Certificate for the ssl "site".
0
 

Author Comment

by:sjordaan
ID: 35168357
I have installed the certificate as per Godaddy instructions for IIS 6.0. Is there anything else I should do?

To Install the Intermediate Certificate Bundle
1. Click the Start menu and click Run.... Type mmc in the Run window and click OK to start the Microsoft Management Console (MMC).
2. In the Management Console, select File then Add/Remove Snap In.
3. In the Add or Remove Snap-ins dialog, click the Add button and then select Certificates.
4. Choose Computer Account then click Next.
5. Choose Local Computer, then click Finish.
6. Close the Add or Remove Snap-ins dialog and click OK to return to the main MMC window.
7. If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.
8. Right-click on Intermediate Certification Authorities and choose All Tasks, then click Import.
9. Follow the wizard prompts to complete the installation procedure.
10. Click Browse to locate the certificate file. Change the file extension filter in the bottom right corner to be able to select the file. Click Open after selecting the appropriate file.
11. Click Next in the Certificate Import Wizard.
12. Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next. Click Finish.
NOTE: If the Go Daddy Class 2 Certification Authority root certificate is currently installed on your machine you will need to disable it from the Trusted Root Certification Authorities folder.

13. Expand the Trusted Root Certification Authorities folder.
14. Double-click the Certificates folder to show a list of all certificates.
15. Find the Go Daddy Class 2 Certification Authority certificate.
16. Right-click on the certificate and select Properties.
17. Select the radio button next to Disable all purposes for this certificate.
18. Click OK.
19. Repeat steps 13 to 18, using Starfield Class 2 Certificate Authority as the certificate name to disable.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35168383
Those steps look correct to me.  I don't know what to tell you.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35168400
Does Godaddy have any support where you can call and get a real human?  Maybe Danica Patrick?  (g).   But anyway they would be the best ones to help troubleshoot that,..it's their job,...they do it everyday.
0
 

Author Comment

by:sjordaan
ID: 35168415
I have cleared the Alert from ISA 2004. BPA is clear now of this error.
Getting back to the 12206 Error I get. When trying to access my OWA, I get the 12206 Error, but if I keep refreshing the browser it lets me in.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35168481
Well there is more going on here than what you described,...but I'm not sure what to even ask for.  Are there any 3rd party Add-ins for ISA installed?  Are there any other web filtering products involved (even if on a different machine)?  There has to be more to this than what you have mentioned.

One example of this would be where the ISA processes traffic and then forwards to a 3rd party filtering product,...which may then pass it to the ISA after it processes it,...causing it to go around in circles (a chain loop).  It doesn't really matter if the 3rd party product is on the same box with the ISA or a different box,...doesn't matter.
0
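The forwarding loop described in the comment above can be reproduced with the HTTP `Via` header, which each proxy appends to and checks for its own name. This is an added example, not part of the thread: it shows the generic `Via`-based check from the HTTP specification, not ISA Server's own implementation (which the thread does not describe), and the hop names `isa` and `filter-proxy` and the sample request are constructed.

```python
"""Proxy loop detection with the HTTP Via header (constructed example)."""


def parse_via(value):
    """Return the 'received-by' name of each Via entry, lower-cased."""
    hops = []
    for entry in value.split(","):
        parts = entry.split()
        # Each entry is "<protocol-version> <received-by> [comment]".
        if len(parts) >= 2:
            hops.append(parts[1].lower())
    return hops


def forward(headers, my_name):
    """Return a copy of headers with this proxy appended to Via.

    Raises RuntimeError when this proxy is already listed, meaning the
    request has come back to a hop it already passed through.
    """
    hops = parse_via(headers.get("Via", ""))
    if my_name.lower() in hops:
        raise RuntimeError("chain loop: %s already in Via (%s)"
                           % (my_name, " -> ".join(hops)))
    out = dict(headers)
    out["Via"] = ", ".join(filter(None, [headers.get("Via"), "1.1 " + my_name]))
    return out


def walk(route, headers):
    """Pass a request through each proxy in route; return (ok, detail)."""
    for name in route:
        try:
            headers = forward(headers, name)
        except RuntimeError as exc:
            return False, str(exc)
    return True, headers.get("Via", "")


# Constructed sample request and routes (hypothetical hop names).
REQUEST = {"Host": "server.mydomain.com"}
STRAIGHT = ["isa"]                        # ISA forwards straight to the web server
LOOPED = ["isa", "filter-proxy", "isa"]   # second proxy hands the request back

if __name__ == "__main__":
    print(walk(STRAIGHT, REQUEST))
    print(walk(LOOPED, REQUEST))
```

The check only works when every hop preserves `Via`; an intermediate proxy that strips the header hides the loop from the next hop.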
 

Author Comment

by:sjordaan
ID: 35168636
We aren't running any other third-party software for web filtering. The ISA box is connected directly to my ISP's router. The only other thing that is on the network is an IPCOP Linux Appliance. We use this as a proxy server for internal LAN, as it has better Usage Reports for individual users as opposed to ISA. The Linux Box is connected directly to the ISP's Router. Our ISA server does not have any involvement with this IPCOP Appliance. Do you think it could be causing the Loop?
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35168713
The only other thing that is on the network is an IPCOP Linux Appliance. We use this as a proxy server for internal LAN.

Well,...then,...there you go,...a 3rd party proxying tool,...and the perfect way to create a chain loop.  BTW - ISA also reports the User Accounts,..and the Client Hosts Names,...when configured properly.

Get rid of one or the other.  If you get rid of ISA then you have to re-configure the SBS to be a single-NIC Server.  You will have to re-run the Internet Connection Wizard "thing" on SBS afterwards. Your Apache Proxy will be the LAN's Proxy Server and the Linux Box with the IPTables (or whatever it is using) will become the LAN Firewall.  The Linux box will then be dual-homed and sit on the Network edge.

If you get rid of the Linux box then the SBS will just remain as it is.
0
 

Author Comment

by:sjordaan
ID: 35168756
I have subsequently disabled the IPCOP, but I get more errors.
I'm getting the following error:

ISA failed to establish an SSL Connection with "server.mydomain.com". No Connection could be made because the target machine actively refused it
0
 

Author Comment

by:sjordaan
ID: 35168825
Hi Pwindell, Thank you for the advice. Think I'm going to try convince the local IT Guy to remove the IPCOP Appliance.

Please excuse my ignorance, BTW is this a third party app? As the standard ISA Reporting is poor.

Thanks
0
 
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
ID: 35168849
Well I know you can't just turn stuff off and disable stuff.  This whole thing (think "big picture") is how your LAN is designed and how it relates to the outside world.   To change things,...you have to redesign things.  So yes,...your IT guy needs to deal with that.

In a normal ISA-OWA situation where the LAN has a straight-forward Microsoft ISA design without 3rd-party influence,... you would create a standard Split-DNS setup with your AD/DNS so that the public Domain Name in the Cert is properly resolved depending on where the user is coming from. LAN Users must resolve it to the direct LAN IP of the Exchange/OWA, while the Public External User would resolve to the Public IP# the Name is Publicly registered to.  Then you install the Cert on the OWA box first,...then export the cert as a PFX File with Public Key and copy it to the ISA and then install it on the ISA's Certificate Store.  Then run the Publishing Wizard on ISA to publish OWA.

Then when LAN users go to OWA they go directly to OWA without ISA,...but External Users would get to OWA via the Public Side of the ISA.

Unfortunately, you have SBS which just stands everything on its head and spins it in circles because everything is on one box.  That is why you have to ask people who specialize in SBS on how to deal with it.  Me personally,..I won't go near SBS.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35168875
Yes,...the ISA reporting sucks.

But there are third party tools designed specifically to work with ISA that might be good.  Look for things like that on http://www.isaserver.org

0
