  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 726

ISA 2006/Exchange Server - Outlook Mobile HTTP query

Hi, I'm currently running a Windows 2003 domain platform.

Note:
- ISP: Virgin Media
- email set up temporarily via registrar company www.123-Reg.co.uk - successfully

Internal network: 10.0.0.x/23

- master DC/AD/DNS/DHCP/GPMC server
- ISA 2006 internal NIC: 10.0.0.x/23
- Exchange 2003 server: 10.0.0.x/23

External public IP address from ISP:

- ISA 2006 external NIC is connected via my local Netgear VMDG480 box to the internet

Local client XP PC:

- internet access successful
- email sent/received externally successful

Note: I've selected the option in 'Exchange System Manager' to allow 'Outlook Mobile Access' & unsupported!!

Qns 1. Is there anything I should configure on my ISA 2006 firewall policy to be able to do the following:

http://exchange servername/owa ?

Note: I've changed the IP address at 123-Reg.co.uk, which will take between 24-48 hrs to propagate, so I currently cannot try the above (qns 1) yet.
0
Asked: mikey250
7 Solutions
 
Craig Beck Commented:
You need to create a publishing rule to allow Outlook Client Access.  There is a wizard which will take you through the steps (just like creating an access rule).

If you want to use HTTPS you'll also need to obtain an SSL certificate (or you can use a self-signed certificate from the IIS resource kit).
0
 
mikey250 (Author) Commented:
Hi, OK, I will look into creating a rule for 'Outlook Client Access'.

I've never really understood this 'self-signed' certificate?

Thanks for responding!!
0
 
mikey250 (Author) Commented:
Hi Craig, I've tried to configure a 'publishing rule to allow Outlook Web Access' but it does not appear correct!

Note: my email is allowed to send/receive via a registrar company: www.123-Reg.co.uk

msexchange.gb.net
77.100.239.49 - points to my local domain: dc1-001.local

Note: my FQDN for the Exchange 2003 server is: exchange2003.dc1-001.local
0
 
mikey250 (Author) Commented:
Hi Craig, that is referring to a single NIC & I have 2 NICs.

I can see the SSL part but I'm not currently using any security, as I just want to connect first of all.

Task 1

I've also selected 'publish Exchange web client access', but when clicking through the wizard it shows:

exchange version: exchange2003 - selected
web client mail services:
- outlook web access - ticked
- outlook rpc/http - unticked (I only have 1 Exchange server as I do not have front end or back end Exchange)
- outlook mobile access - ticked
- exchange activesync - ticked
publish a single web site or load balancer - ticked ?????
publish a server farm of load balanced web servers - did not tick
use ssl to connect to the published web server or server farm - not ticked
use non-secured connections to connect to published web server or server farm - ticked ?
internal site name: I have no internal website
use a computer name or ip address - unticked/not added
clicked next - prompted to add a valid name for website

uuuuuuuuuuuuuuummmmmm

Note: the above is not the correct rule.

Task 2

I have tried adding a normal rule:

name: owa
action: allow
protocols: http
from/listener: external
to: exchange2003.dc1-001.local/internal/local host
condition: all users

Note: this has not worked either.

Note: I'm trying to access OWA via my own BlackBerry as a random test.

uuuummmmm
0
 
Craig Beck Commented:
OK, sorry, you said /owa in your post which made me think Exchange 2007!

There are a few things here.

If you are publishing the server you will always have an internal site name.  That will be the name of the server usually, so you'd put exchange2003.dc1-001.local (if that's your Exchange server's FQDN).  It doesn't matter if you have one or two NICs on the Exchange server or the ISA server - the publishing rule will be the same.

The easiest way to test this is simply to create a non-web server publishing rule and allow HTTP inbound to the IP of the Exchange server.  That will just forward all HTTP traffic from outside to the Exchange (instead of processing rules based on URL, etc., like the Exchange publishing rule will do).
0
 
mikey250 (Author) Commented:
Hi, so even if it states website address I should still add 'FQDN': exchange2003.dc1-001.local? But surely my local FQDN as stated could be used by someone else?

OK, I will look at this 'non-web server publishing rule'.

I was thinking, as my external send/receive goes via 123-Reg.co.uk for my (A & MX) being:

msexchange.gb.net
77.100.239.49

I thought it might be: http://exchange2003.dc1-local.msexchange.gb.net

Task 1

I'm now trying the publishing rule again:

internal site: exchange2003.dc1-001.local
use computer name or ip address: left empty
next
accept requests for: (this domain name)
public name: msexchange.gb.net - I've added this as this is linked to my internal Exchange
next
web listener
owa - I've already pre-created a rule so I selected 'owa' from the list
listener properties:
networks: external
port http: 80
port https: disabled
authentication method: fba with ad
! 'the session timeout function of the web listener will not be applied to non-browser clients. this will allow the continued use of stored credentials for activesync users' - not sure what this means!!!!!!!!!
authentication delegation: basic authentication - selected by default
next
states: the current config specifies that authentication with the published server will be performed over HTTP without encryption. This config is considered insecure because credentials will be forwarded to the published server in plain text. (This is what I expected due to using HTTP and not HTTPS.)
clicked OK for above statement
next
user sets: all authenticated users/all users
next
complete

Trying now.
0
 
Craig Beck Commented:
All you need to do is put the internal name of the Exchange server in the box.  This tells the ISA server what internal site to forward HTTP traffic to from the internet.  It's not defining the URL your external clients connect to - it's purely for the ISA server.  You should also put the IP address of the Exchange server in the IP box below that too.

The DNS record you've created (msexchange.gb.net) is pointing to your ISA server's external NIC, so that's good.  This means you would just use http://msexchange.gb.net/exchange to get to OWA from the internet.
0
 
mikey250 (Author) Commented:
Yes, you're right, I keep saying OWA when I mean OMA :)

Currently, when I add this in on my BlackBerry via the internet:

http://msexchange.gb.net/exchange - it currently states 'there is insufficient network coverage to process your request'

rrrrhhh
0
 
Craig Beck Commented:
That's probably a BlackBerry issue - I can see the ISA 403 deny page from the internet.
0
 
mikey250 (Author) Commented:
Selecting the publish Exchange rule:

oma
next
exchange version: exchange server 2003
web client mail services:
outlook web access - ticked
outlook rpc/https - unticked
outlook mobile access - ticked
exchange activesync - ticked
publishing type:
publish a single web site or load balancer - selected
publish a server farm of load balanced web servers - not ticked
next
server connection security:
use ssl - not selected
use non-secured - selected
next
internal publishing details:
internal site name: exchange2003
'if isa server cannot resolve the internal site name, isa server can connect using the computer name or ip address of the server hosting the site'
use computer name or ip address: exchange2003.dc1-001.local - detected/browsed
next
accept requests for: (this domain name)
public name: msexchange.gb.net - I've added this as this is linked to my internal Exchange
next
web listener
selected: new:
name: oma
web listener ip addresses:
external - selected
next
'isa server will compress content sent to clients through the web listener if the clients requesting the content support compression' - ticked by default
next
authentication settings:
html form authentication - selected by default
select how isa server will validate client credentials:
windows active directory - selected by default
next
enable sso - ticked, but now I've unticked it
sso domain name: unticked
next
finish
states: the current config specifies that authentication with the published server will be performed over HTTP without encryption. This config is considered insecure because credentials will be forwarded to the published server in plain text. (This is what I expected due to using HTTP and not HTTPS.)
clicked OK for above statement
next
authentication delegation:
basic authentication - selected by default
next
states: the current config specifies that authentication with the published server will be performed over HTTP without encryption. This config is considered insecure because credentials will be forwarded to the published server in plain text. - clicked OK
user sets: all authenticated users/all users
next
finish

Gonna try again with the mobile if my mobile allows me, due to the lost connection.

Can you try?
0
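What the wizard warning quoted in the two posts above ("credentials will be forwarded to the published server in plain text") means on the wire, as an added example that is not part of the original thread. With the listener on HTTP port 80, forms-based authentication on the listener and Basic delegation to Exchange, the password is readable on both hops: the phone's logon POST to ISA, and the Basic header ISA sends on to Exchange. The script below parses two constructed requests, one per hop, and recovers the password from each. The account name, the password, the host names and the ISA logon form field names (username/password posted to /CookieAuth.dll?Logon) are assumptions modelled on the thread, not captured traffic.

```python
"""Added example (not code from the original thread).

With an HTTP-only listener and Basic delegation the password is in clear text on both hops:

    phone --(HTTP: ISA forms logon POST)--> ISA --(HTTP: Authorization: Basic)--> Exchange

Host names, account, password and the logon form field names are assumptions
modelled on the thread.
"""
import base64
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs


def parse_http_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def extract_credentials(raw: bytes) -> Optional[Dict[str, str]]:
    """Return the user name and password if the request carries them in clear text.

    Covers both hops of the thread's setup:
      - ISA -> Exchange: Basic delegation, Authorization: Basic base64("user:pass")
      - client -> ISA:   the forms-based logon POST (application/x-www-form-urlencoded)
    Returns None when the request carries no clear-text password.
    """
    request_line, headers, body = parse_http_request(raw)

    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:].strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None  # malformed header: nothing recoverable
        user, _, password = decoded.partition(":")
        return {"hop": "isa->exchange (Basic delegation)", "user": user, "password": password}

    content_type = headers.get("content-type", "")
    if request_line.startswith("POST ") and content_type.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode("utf-8", errors="replace"), keep_blank_values=True)
        if "username" in fields and "password" in fields:
            return {"hop": "client->isa (forms-based auth)",
                    "user": fields["username"][0], "password": fields["password"][0]}
    return None


# Constructed sample 1: the phone's logon POST to the ISA listener on port 80.
SAMPLE_FBA_POST = (
    b"POST /CookieAuth.dll?Logon HTTP/1.1\r\n"
    b"Host: msexchange.gb.net\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 72\r\n"
    b"\r\n"
    b"curl=Z2Fexchange&flags=0&username=DC1-001%5Cmikey&password=Winter2012%21"
)

# Constructed sample 2: what ISA sends on to Exchange with Basic delegation
# (the base64 is built here rather than typed in, so the sample is exact).
SAMPLE_BASIC_GET = (
    b"GET /exchange/ HTTP/1.1\r\n"
    b"Host: exchange2003.dc1-001.local\r\n"
    b"Authorization: Basic " + base64.b64encode(b"DC1-001\\mikey:Winter2012!") + b"\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_FBA_POST, SAMPLE_BASIC_GET):
        print(extract_credentials(sample))
```

Anyone on the path between the phone and ISA (the mobile carrier, a public Wi-Fi) or on the LAN between ISA and Exchange can do exactly this with a capture; Base64 is an encoding, not encryption. The fix is the one the wizard offers: an HTTPS listener (which is why the SSL certificate came up in the first reply), and ideally SSL to the published server as well so the second hop is covered.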
 
mikey250 (Author) Commented:
I'm typing in:

http://msexchange.gb.net/exchange

error code: 403 forbidden. ISA server is configured to block HTTP requests that require authentication (12250)

Qns 1. Because it states above 'ISA server is configured to block' - does this mean it has reached my ISA server although it is not allowing it?
0
 
mikey250 (Author) Commented:
Query:

I have noticed a potential issue in my firewall publishing OMA policy rule!!

When I clicked on the wizard for 'publishing Exchange' it prompted for the expected as below:

name: oma
action: allow
protocols: http
from/listener: external
to: exchange2003
condition: all authenticated users/all users

After the above, the wizard continued through:

name: oma
next
exchange version: exchange server 2003
web client mail services:
outlook web access - ticked
outlook rpc/https - unticked
outlook mobile access - ticked
exchange activesync - ticked
publishing type:
publish a single web site or load balancer - selected
publish a server farm of load balanced web servers - not ticked
next
server connection security:
use ssl - not selected
use non-secured - selected
next
internal publishing details:
internal site name: exchange2003
'if isa server cannot resolve the internal site name, isa server can connect using the computer name or ip address of the server hosting the site'
use computer name or ip address: exchange2003.dc1-001.local - detected/browsed
next
accept requests for: (this domain name)
public name: msexchange.gb.net - I've added this as this is linked to my internal Exchange
next

When I continued to the next part below I completed it as normal:

web listener
selected: new:
name: oma
web listener ip addresses:
external - selected
next
'isa server will compress content sent to clients through the web listener if the clients requesting the content support compression' - ticked by default
next
authentication settings:
html form authentication - selected by default
select how isa server will validate client credentials:
windows active directory - selected by default
next
enable sso - ticked, but now I've unticked it
sso domain name: unticked
next
finish
states: the current config specifies that authentication with the published server will be performed over HTTP without encryption. This config is considered insecure because credentials will be forwarded to the published server in plain text. - clicked OK for above statement
next
authentication delegation:
basic authentication - selected by default
next
states: the current config specifies that authentication with the published server will be performed over HTTP without encryption. This config is considered insecure because credentials will be forwarded to the published server in plain text. - clicked OK
user sets: all authenticated users/all users
next
finish

At the end I looked at the firewall policy for Exchange & it showed it as:

name: oma
action: allow
protocols: http
from/listener: oma
to: exchange2003
condition: all authenticated users/all users

Qns 2. For some unknown reason 'from/listener: oma' has appeared, when I expected it to say 'external', as I completed the above steps, so this should not have happened!!

I've now changed the access properties & checked, and the below showed 'anywhere', so I have now also added the below:

from/listener: external

name: oma
action: allow
protocols: http
from/listener: external
to: exchange2003
condition: all authenticated users/all users


Something's not right with this!!!
0
 
Craig Beck Commented:
Yes, that means the ISA saw the request but the publishing rule was either configured to block the traffic, or the authentication isn't configured correctly between the ISA and the Exchange.
0
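The check the reply above describes (a 403 page with ISA error 12250 proves the request reached ISA and ISA refused it) as a small probe, added here as an example and not part of the original thread. It repeats the test done by hand in the thread: confirm the public name resolves to the ISA external NIC, request http://msexchange.gb.net/exchange over plain HTTP as a phone browser would, and report which layer answered. The public name, the external IP 77.100.239.49 and the /exchange path are taken from earlier posts; the verdict wording is this example's own; the DNS resolver is injectable so that part can be exercised without a network, and the constructed sample response reuses the error text quoted in the thread.

```python
"""Added example (not code from the original thread).

Probe a published OWA/OMA URL from outside and say which layer answered:
nothing (listener/IP/DNS), the ISA deny page, or the ISA logon form.
Public name, expected IP and path come from the thread; all else is assumed.
"""
import http.client
import re
import socket
from typing import Callable, Dict

PUBLIC_NAME = "msexchange.gb.net"        # public name on the web publishing rule
EXPECTED_EXTERNAL_IP = "77.100.239.49"   # ISA external NIC (A record at the registrar)
OWA_PATH = "/exchange"                   # Exchange 2003 OWA virtual directory

# ISA deny pages end with a five-digit error code in brackets, e.g. "(12250)".
ISA_CODE_RE = re.compile(r"\((\d{5})\)")


def check_public_dns(name: str = PUBLIC_NAME, expected_ip: str = EXPECTED_EXTERNAL_IP,
                     resolver: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Step 1: does the public name already point at the ISA external NIC?
    `resolver` is injectable so this can run without DNS."""
    try:
        actual = resolver(name)
    except OSError as exc:
        return {"verdict": "dns-failed", "detail": f"{name}: {exc}"}
    if actual != expected_ip:
        return {"verdict": "dns-stale",
                "detail": f"{name} -> {actual}, expected {expected_ip} (registrar change not propagated?)"}
    return {"verdict": "dns-ok", "detail": f"{name} -> {actual}"}


def classify_response(status: int, body: str) -> Dict[str, str]:
    """Step 2: map the HTTP answer to the layer that produced it."""
    match = ISA_CODE_RE.search(body)
    isa_code = match.group(1) if match else None
    if status == 403 and isa_code == "12250":
        return {"layer": "isa", "verdict": "reached-isa-denied",
                "detail": "ISA saw the request and refused it: check the rule's user set "
                          "against the listener's authentication method, and delegation to Exchange"}
    if isa_code is not None:
        return {"layer": "isa", "verdict": "isa-error-" + isa_code, "detail": body.strip()[:120]}
    if status == 200 and "cookieauth.dll" in body.lower():
        return {"layer": "isa", "verdict": "logon-form",
                "detail": "ISA forms-based logon page served; the publishing path works"}
    if status == 200 and not body.strip():
        return {"layer": "unknown", "verdict": "blank-page",
                "detail": "empty answer: check the rule's public name matches the host name "
                          "requested, and that the listener is bound to the current external IP"}
    return {"layer": "unknown", "verdict": f"http-{status}", "detail": body.strip()[:120]}


def probe(name: str = PUBLIC_NAME, path: str = OWA_PATH, timeout: float = 10.0) -> Dict[str, str]:
    """Send the request a phone browser would (plain HTTP, port 80) and classify the answer."""
    try:
        conn = http.client.HTTPConnection(name, 80, timeout=timeout)
        conn.request("GET", path, headers={"Host": name, "User-Agent": "owa-publish-check/1"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
        conn.close()
        return classify_response(resp.status, body)
    except OSError as exc:
        return {"layer": "network", "verdict": "not-reached",
                "detail": f"no HTTP answer from {name}:80 ({exc}); ISA never saw the request"}


# Constructed sample: the deny page the thread reports (wording as quoted there).
SAMPLE_ISA_DENY = ("Error Code: 403 Forbidden. The ISA Server is configured to block "
                   "HTTP requests that require authentication. (12250)")

if __name__ == "__main__":
    print(classify_response(403, SAMPLE_ISA_DENY))   # offline: the case from the thread
    print(check_public_dns())                         # live DNS lookup
    print(probe())                                    # live probe of the published URL
```

Run from outside the network (a phone browser is an unreliable test client, as the "insufficient network coverage" message shows). "not-reached" points at the listener, the external IP or DNS rather than at the rule, which is the distinction the reply draws; "reached-isa-denied" means the rule and listener are in play and the user set, authentication method and delegation are what to compare.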
 
Craig Beck Commented:
You MUST have a listener if you're configuring a Web Server publishing rule - it's what tells the ISA how to process the inbound HTTP or HTTPS request.  This is created during the wizard (unless you select an existing listener).
0
 
mikey250 (Author) Commented:
Hi, I will have to return to this tomorrow, but I appreciate your help!!

Although I changed my 123-Reg.co.uk IP address to the new one, I forgot to check the below:

I've noticed that when I checked my SMTP configurations the web listener address was still stuck on the old ISA external public IP address.

For some unknown reason, after removing the old web listener address in the SMTP firewall policy it has not located another, so I cannot select it.

I have now deleted both 'SMTP inbound & outbound' firewall policies, but tomorrow I will re-add both SMTP policies again & hopefully it will detect my new ISA external public IP address.

Once this is done I can then try the 'OMA' again!!
0
 
Craig Beck Commented:
You'll need to restart the Firewall service to let ISA detect the new IP address, and close and re-open the ISA Management MMC.
0
 
mikey250 (Author) Commented:
Hi Craig, I did what you said and my ISA is working fine, although it is off at the moment, but when I opened up a browser on my 'mobile phone' it still showed the white blank page.

I do remember when I configured a new 'access rule' that I added: www.msexchange.gb.net, when I think I should have just added: msexchange.gb.net,

because now it does not show a specific 403 ISA server issue.

So I need to return, hopefully sometime today, and make that change and check again!!
0
 
mikey250 (Author) Commented:
Hi Craig, apologies for taking so long, but I will close this thread now!!
0
 
mikey250 (Author) Commented:
Good advice. Appreciated!!
0
