Solved

ISA 2004: 12006 Chain Loop

Posted on 2011-03-17
Last Modified: 2012-05-11
My ISA logs show a chain proxy loop, and I get a 12206 error when trying to access my OWA through ISA 2004, which publishes my Exchange 2003 Server. I have checked the binding order on my NICs. I'm not running any third party proxy software on my server. It is an SBS 2003 Premium Server. Please can you assist?
Question by:sjordaan

Author Comment

by:sjordaan
ID: 35154319
I'm desperate to get this resolved, as I have read numerous forums on this problem, but nothing seems to fix the problem.
Thanks
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 35154605
OWA publishing rule properties --> Test Rule? Is it OK?
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35167013
"I'm desperate to get this resolved, as I have read numerous forums on this problem. But nothing seems to fix the problem"

You also posted three different threads under three different titles and they are all basically the same thing,...so no one knows which one to answer.

Determine which one you want to keep and then request the moderator delete the others.

0
 
LVL 29

Expert Comment

by:pwindell
ID: 35167027
Generally the Chain Loop Error,...means you have,...a Chain Loop.

You have not given enough information about the configuration and your situation for anyone to have anything to base a response on.
0
 

Author Comment

by:sjordaan
ID: 35167162
My ISA BPA has stopped complaining about a chain loop now, but I get a new error. I bought an SSL certificate from Godaddy, which is in my trusted authorities.

I get the following error:

ISA Server failed to establish an SSL connection with "server.mydomain.com". The certificate chain was issued by an authority that is not trusted.

 The failure is due to error: The certificate chain was issued by an authority that is not trusted.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35167870
You had to have done the Root Certificate installation improperly.  

You should have a:
Root Certificate
Intermediate Certificate
then the actual web SSL Certificate for the ssl "site".
0
 

Author Comment

by:sjordaan
ID: 35168357
I have installed the certificate as per Godaddy instructions for IIS 6.0. Is there anything else I should do?

To Install the Intermediate Certificate Bundle
1. Click the Start menu and click Run.... Type mmc in the Run window and click OK to start the Microsoft Management Console (MMC).
2. In the Management Console, select File then Add/Remove Snap In.
3. In the Add or Remove Snap-ins dialog, click the Add button and then select Certificates.
4. Choose Computer Account then click Next.
5. Choose Local Computer, then click Finish.
6. Close the Add or Remove Snap-ins dialog and click OK to return to the main MMC window.
7. If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.
8. Right-click on Intermediate Certification Authorities and choose All Tasks, then click Import.
9. Follow the wizard prompts to complete the installation procedure.
10. Click Browse to locate the certificate file. Change the file extension filter in the bottom right corner to be able to select the file. Click Open after selecting the appropriate file.
11. Click Next in the Certificate Import Wizard.
12. Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next. Click Finish.
NOTE: If the Go Daddy Class 2 Certification Authority root certificate is currently installed on your machine you will need to disable it from the Trusted Root Certification Authorities folder.

13. Expand the Trusted Root Certification Authorities folder.
14. Double-click the Certificates folder to show a list of all certificates.
15. Find the Go Daddy Class 2 Certification Authority certificate.
16. Right-click on the certificate and select Properties.
17. Select the radio button next to Disable all purposes for this certificate.
18. Click OK.
19. Repeat steps 13 to 18, using Starfield Class 2 Certificate Authority as the certificate name to disable.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35168383
Those steps look correct to me.  I don't know what to tell you.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35168400
Does Godaddy have any support where you can call and get a real human?  Maybe Danica Patrick?  (g).   But anyway they would be the best ones to help troubleshoot that,..it's their job,...they do it every day.
0
 

Author Comment

by:sjordaan
ID: 35168415
I have cleared the Alert from ISA 2004. BPA is clear now of this error.
Getting back to the 12206 Error I get. When trying to access my OWA, I get the 12206 Error, but if I keep refreshing the browser it lets me in.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35168481
Well there is more going on here than what you described,...but I'm not sure what to even ask for.  Are there any 3rd party Add-ins for ISA installed?  Are there any other web filtering products involved (even if on a different machine)?  There has to be more to this than what you have mentioned.

One example of this would be where the ISA processes traffic and then forwards to a 3rd party filtering product,...which may then pass it to the ISA after it processes it,...causing it to go around in circles (a chain loop).  It doesn't really matter if the 3rd party product is on the same box with the ISA or a different box,...doesn't matter.
0
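The loop described in the comment above (ISA forwards to a second proxy, which hands the request back to ISA) is the case the HTTP Via header exists to catch: each proxy appends its name and refuses a request that already carries it. The sketch below is an added example, not part of the original thread and not ISA Server code; the proxy names ISA and FILTER and the routing tables are constructed, and that ISA 2004 raises 12206 through exactly this check is an assumption.

```python
# Added illustration: generic Via-header loop detection, not ISA Server code.
# Proxy names and routing tables are constructed for this example.

class ChainLoop(Exception):
    """Raised when a proxy finds its own name in the request's Via header."""

def via_hops(headers):
    """Return the 'received-by' names from a Via header, oldest hop first."""
    hops = []
    for entry in headers.get("Via", "").split(","):
        parts = entry.split()
        if len(parts) >= 2:          # "<protocol-version> <received-by> [comment]"
            hops.append(parts[1].lower())
    return hops

def forward(proxy, headers, next_hop):
    """Simulate one proxy handling a request; return the hops once it leaves the chain."""
    if proxy.lower() in via_hops(headers):
        raise ChainLoop(f"{proxy} already in Via: {headers['Via']}")
    stamped = dict(headers)
    stamped["Via"] = ", ".join(filter(None, [headers.get("Via"), f"1.1 {proxy}"]))
    upstream = next_hop.get(proxy)
    if upstream is None:             # no further proxy: request reaches the origin
        return via_hops(stamped)
    return forward(upstream, stamped, next_hop)

def trace(first_proxy, next_hop):
    """Return (looped, detail) for a request entering the chain at first_proxy."""
    try:
        return False, forward(first_proxy, {"Host": "server.mydomain.com"}, next_hop)
    except ChainLoop as exc:
        return True, str(exc)

# Constructed topologies: each proxy maps to the proxy it forwards to.
LOOPED = {"ISA": "FILTER", "FILTER": "ISA"}   # filter hands traffic back to ISA
CLEAN = {"ISA": None}                         # ISA talks to the origin directly

if __name__ == "__main__":
    print(trace("ISA", LOOPED))
    print(trace("ISA", CLEAN))
```

When chasing a loop like this, the Via header on the request that triggers the error shows every proxy that has already handled it, which identifies the device sending traffic back.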
 

Author Comment

by:sjordaan
ID: 35168636
We aren't running any other Third Party Software for Webfiltering. The ISA box is connected directly to my ISP's router. The only other thing that is on the network is an IPCOP Linux Appliance. We use this as a proxy server for internal LAN. As it has better Usage Reports for individual users as opposed to ISA. The Linux Box is connected directly to the ISP's Router. Our ISA server does not have any involvement with this IPCOP Appliance. Do you think it could be causing the Loop?
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35168713
"The only other thing that is on the network is an IPCOP Linux Appliance. We use this as a proxy server for internal LAN."

Well,...then,...there you go,...a 3rd party proxying tool,...and the perfect way to create a chain loop.  BTW - ISA also reports the User Accounts,..and the Client Hosts Names,...when configured properly.

Get rid of one or the other.  If you get rid of ISA then you have to re-configure the SBS to be a single-Nic Server.  You will have to re-run the Internet Connection Wizard "thing" on SBS afterwards. Your Apache Proxy will be the LAN's Proxy Server and the Linux Box with the IPTables (or whatever it is using) will become the LAN Firewall.  The Linux box will then be dual-homed and sit on the Network edge.

If you get rid of the Linux box then the SBS will just remain as it is.
0
 

Author Comment

by:sjordaan
ID: 35168756
I have subsequently disabled the IPCOP, but I get more errors.
I'm getting the following error:

ISA failed to establish an SSL Connection with "server.mydomain.com". No Connection could be made because the target machine actively refused it
0
 

Author Comment

by:sjordaan
ID: 35168825
Hi Pwindell, thank you for the advice. Think I'm going to try to convince the local IT Guy to remove the IPCOP Appliance.

Please excuse my ignorance, BTW is this a third party app? As the standard ISA Reporting is poor.

Thanks
0
 
LVL 29

Accepted Solution

by:
pwindell earned 2000 total points
ID: 35168849
Well I know you can't just turn stuff off and disable stuff.  This whole thing (think "big picture") is how your LAN is designed and how it relates to the outside world.   To change things,...you have to redesign things.  So yes,...your IT guy needs to deal with that.

In a normal ISA-OWA situation where the LAN has a straight-forward Microsoft ISA design without 3rd-party influence,... you would create a standard Split-DNS setup with your AD/DNS so that the public Domain Name in the Cert is properly resolved depending on where the user is coming from. LAN Users must resolve it to the direct LAN IP of the Exchange/OWA, while the Public External User would resolve to the Public IP# the Name is Publicly registered to.  Then you install the Cert on the OWA box first,...then export the cert as a PFX File with Public Key and copy it to the ISA and then install it on the ISA's Certificate Store.  Then run the Publishing Wizard on ISA to publish OWA.

Then when LAN users go to OWA they go directly to OWA without ISA,...but External Users would get to OWA via the Public Side of the ISA.

Unfortunately, you have SBS which just stands everything on its head and spins it in circles because everything is on one box.  That is why you have to ask people who specialize in SBS on how to deal with it.  Me personally,..I won't go near SBS.
0
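One way to check the split-DNS layout described in the accepted solution, as an added example that is not part of the original thread: run `resolve()` for the certificate's name once on a LAN client and once on an outside host, then compare both answers with the expected layout. It assumes the non-SBS design where OWA has its own LAN address; the addresses used are constructed placeholders.

```python
import ipaddress
import socket

# RFC 1918 ranges, listed explicitly so the result does not depend on
# how the ipaddress module classifies documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def resolve(name):
    """IPv4 answers from the local resolver; run on a LAN client and on an outside host."""
    infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_split_dns(lan_answers, public_answers, owa_lan_ip):
    """Compare both DNS views with the split-DNS layout; [] means consistent."""
    owa = ipaddress.ip_address(owa_lan_ip)
    lan = [ipaddress.ip_address(a) for a in lan_answers]
    public = [ipaddress.ip_address(a) for a in public_answers]
    findings = []
    if not lan:
        findings.append("LAN view: name does not resolve")
    if not public:
        findings.append("public view: name does not resolve")
    for addr in lan:
        if addr == owa:
            continue                  # LAN users go straight to OWA, as intended
        if addr in public:
            findings.append(f"LAN view returns public address {addr}: "
                            "LAN users are sent to the public side of ISA")
        else:
            findings.append(f"LAN view returns {addr}, expected {owa}")
    for addr in public:
        if any(addr in net for net in RFC1918):
            findings.append(f"public view returns private address {addr}")
    return findings

# Constructed sample answers (placeholder addresses, not from the thread).
GOOD = check_split_dns(["192.168.16.2"], ["203.0.113.10"], "192.168.16.2")
HAIRPIN = check_split_dns(["203.0.113.10"], ["203.0.113.10"], "192.168.16.2")
LEAKED = check_split_dns(["192.168.16.2"], ["192.168.16.2"], "192.168.16.2")

if __name__ == "__main__":
    for label, result in (("good", GOOD), ("hairpin", HAIRPIN), ("leaked", LEAKED)):
        print(label, result or "consistent")
```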
 
LVL 29

Expert Comment

by:pwindell
ID: 35168875
Yes,...the ISA reporting sucks.

But there are third party tools designed specifically to work with ISA that might be good.  Look for things like that on http://www.isaserver.org

0
