ISA 2004: 12006 Chain Loop

My ISA logs show a chain proxy loop, and I get a 12206 error when trying to access my OWA through ISA 2004, which publishes my Exchange 2003 Server. I have checked the binding order on my NICs. I'm not running any third-party proxy software on my server. It is an SBS 2003 Premium Server. Please can you assist?
sjordaan Asked:
 
pwindell Commented:
Well I know you can't just turn stuff off and disable stuff.  This whole thing (think "big picture") is how your LAN is designed and how it relates to the outside world.   To change things,...you have to redesign things.  So yes,...your IT guy needs to deal with that.

In a normal ISA-OWA situation where the LAN has a straightforward Microsoft ISA design without 3rd-party influence,... you would create a standard Split-DNS setup with your AD/DNS so that the public Domain Name in the Cert is properly resolved depending on where the user is coming from. LAN Users must resolve it to the direct LAN IP of the Exchange/OWA, while the Public External User would resolve to the Public IP# the Name is Publicly registered to.  Then you install the Cert on the OWA box first,...then export the cert as a PFX File with Public Key and copy it to the ISA and then install it on the ISA's Certificate Store.  Then run the Publishing Wizard on ISA to publish OWA.

Then when LAN users go to OWA they go directly to OWA without ISA,...but External Users would get to OWA via the Public Side of the ISA.

Unfortunately, you have SBS which just stands everything on its head and spins it in circles because everything is on one box.  That is why you have to ask people who specialize in SBS on how to deal with it.  Me personally,..I won't go near SBS.
 
sjordaan (Author) Commented:
I'm desperate to get this resolved, as I have read numerous forums on this problem. But nothing seems to fix the problem.
Thanks
 
Suliman Abu Kharroub (IT Consultant) Commented:
OWA publishing rule properties --> Test Rule? Is it OK?
 
pwindell Commented:
"I'm desperate to get this resolved, as I have read numerous forums on this problem. But nothing seems to fix the problem"

You also posted three different threads under three different titles and they are all basically the same thing,...so no one knows which one to answer.

Determine which one you want to keep and then request the moderator delete the others.

 
pwindell Commented:
Generally the Chain Loop Error,...means you have,...a Chain Loop.

You have not given enough information about the configuration and your situation for anyone to have anything to base a response on.
 
sjordaan (Author) Commented:
My ISA BPA has stopped complaining about a chain loop now, but I get a new error. I bought an SSL certificate from Godaddy, which is in my trusted authorities.

I get the following error:

ISA Server failed to establish an SSL connection with "server.mydomain.com". The certificate chain was issued by an authority that is not trusted.

 The failure is due to error: The certificate chain was issued by an authority that is not trusted.
 
pwindell Commented:
You had to have done the Root Certificate installation improperly.  

You should have a:
Root Certificate
Intermediate Certificate
then the actual web SSL Certificate for the ssl "site".
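An added example (not from the thread or from Go Daddy's instructions): a PowerShell check, run on the ISA/SBS box, that builds the root / intermediate / site certificate chain listed above in machine context and prints the status of each element. The subject name is the placeholder from the error message, and `-join` needs PowerShell 2.0 or later.

```powershell
# Added example. Placeholder name taken from the error text; use the CN in your certificate.
$subjectName = 'server.mydomain.com'

# Pick the newest matching certificate from the computer's Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$subjectName*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $subjectName in LocalMachine\My" }

# $true = build with the machine's stores (what services use), not the
# logged-on user's stores, which can hide a missing machine-level root.
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true

# Skip revocation lookups so the result reflects trust and chain building only.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

$valid = $chain.Build($cert)

"Subject        : $($cert.Subject)"
"Has private key: $($cert.HasPrivateKey)"   # must be True on a box that serves this cert

# Element 0 is the site certificate; the last element is the root that was reached.
$i = 0
foreach ($element in $chain.ChainElements) {
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'NoError' }
    "[{0}] {1}`n    issued by: {2}`n    status   : {3}" -f `
        $i, $element.Certificate.Subject, $element.Certificate.Issuer, $status
    $i++
}

# UntrustedRoot = the root reached is not trusted in the machine's Trusted Root store.
# PartialChain  = an issuer (typically the intermediate) could not be found.
"Chain valid    : $valid"
$chain.ChainStatus | ForEach-Object { "Chain status   : $($_.Status) - $($_.StatusInformation)" }
```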
 
sjordaan (Author) Commented:
I have installed the certificate as per Godaddy instructions for IIS 6.0. Is there anything else I should do?

To Install the Intermediate Certificate Bundle
1. Click the Start menu and click Run.... Type mmc in the Run window and click OK to start the Microsoft Management Console (MMC).
2. In the Management Console, select File then Add/Remove Snap In.
3. In the Add or Remove Snap-ins dialog, click the Add button and then select Certificates.
4. Choose Computer Account then click Next.
5. Choose Local Computer, then click Finish.
6. Close the Add or Remove Snap-ins dialog and click OK to return to the main MMC window.
7. If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.
8. Right-click on Intermediate Certification Authorities and choose All Tasks, then click Import.
9. Follow the wizard prompts to complete the installation procedure.
10. Click Browse to locate the certificate file. Change the file extension filter in the bottom right corner to be able to select the file. Click Open after selecting the appropriate file.
11. Click Next in the Certificate Import Wizard.
12. Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next. Click Finish.
NOTE: If the Go Daddy Class 2 Certification Authority root certificate is currently installed on your machine you will need to disable it from the Trusted Root Certification Authorities folder.

13. Expand the Trusted Root Certification Authorities folder.
14. Double-click the Certificates folder to show a list of all certificates.
15. Find the Go Daddy Class 2 Certification Authority certificate.
16. Right-click on the certificate and select Properties.
17. Select the radio button next to Disable all purposes for this certificate.
18. Click OK.
19. Repeat steps 13 to 18, using Starfield Class 2 Certificate Authority as the certificate name to disable.
 
pwindell Commented:
Those steps look correct to me.  I don't know what to tell you.
 
pwindell Commented:
Does Godaddy have any support where you can call and get a real human?  Maybe Danica Patrick?  (g).   But anyway they would be the best ones to help troubleshoot that,..it's their job,...they do it every day.
 
sjordaan (Author) Commented:
I have cleared the Alert from ISA 2004. BPA is clear now of this error.
Getting back to the 12206 Error I get. When trying to access my OWA, I get the 12206 Error, but if I keep refreshing the browser it lets me in.
 
pwindell Commented:
Well there is more going on here than what you described,...but I'm not sure what to even ask for.  Are there any 3rd party Add-ins for ISA installed?  Are there any other web filtering products involved (even if on a different machine)?  There has to be more to this than what you have mentioned.

One example of this would be where the ISA processes traffic and then forwards to a 3rd party filtering product,...which may then pass it to the ISA after it processes it,...causing it to go around in circles (a chain loop).  It doesn't really matter if the 3rd party product is on the same box with the ISA or a different box,...doesn't matter.
 
sjordaan (Author) Commented:
We aren't running any other third-party software for web filtering. The ISA box is connected directly to my ISP's router. The only other thing that is on the network is an IPCOP Linux Appliance. We use this as a proxy server for the internal LAN, as it has better Usage Reports for individual users as opposed to ISA. The Linux Box is connected directly to the ISP's Router. Our ISA server does not have any involvement with this IPCOP Appliance. Do you think it could be causing the Loop?
 
pwindell Commented:
"The only other thing that is on the network is an IPCOP Linux Appliance. We use this as a proxy server for internal LAN."

Well,...then,...there you go,...a 3rd party proxying tool,...and the perfect way to create a chain loop.  BTW - ISA also reports the User Accounts,..and the Client Hosts Names,...when configured properly.

Get rid of one or the other.  If you get rid of ISA then you have to re-configure the SBS to be a single-NIC Server.  You will have to re-run the Internet Connection Wizard "thing" on SBS afterwards. Your Apache Proxy will be the LAN's Proxy Server and the Linux Box with the IPTables (or whatever it is using) will become the LAN Firewall.  The Linux box will then be dual-homed and sit on the Network edge.

If you get rid of the Linux box then the SBS will just remain as it is.
 
sjordaan (Author) Commented:
I have subsequently disabled the IPCOP, but I get more errors.
I'm getting the following error:

ISA failed to establish an SSL Connection with "server.mydomain.com". No Connection could be made because the target machine actively refused it
 
sjordaan (Author) Commented:
Hi Pwindell, thank you for the advice. Think I'm going to try to convince the local IT Guy to remove the IPCOP Appliance.

Please excuse my ignorance, BTW is this a third party app? As the standard ISA Reporting is poor.

Thanks
 
pwindell Commented:
Yes,...the ISA reporting sucks.

But there are third party tools designed specifically to work with ISA that might be good.  Look for things like that on http://www.isaserver.org
