Solved

Office 365 Migration problem (Possible ISA issue)

Posted on 2013-01-15
Last Modified: 2013-02-17
Hi,

I hope someone can help with a problem I've been struggling with for some time now. I'll do my best to remember everything that's been tried and tested so far but I'll try to stick to the main issue as much as possible. In short, the problem I have is that I cannot add the Office 365 forest to my Exchange environment.

Having spent some time on the issue, I still think the connection is being blocked by our firewall (x2 ISA Server 2006); however, through all the work I have done, the rules look to be set up correctly to me.

So to get to the specific error, when I try to add the Office 365 forest, I get the error shown below. I can sign into the Office 365 portal with the same credentials, on the same machine and the Directory Sync tool (on another server) also works fine with the same credentials. If anyone has any specific questions about our setup, I should be able to answer them.

Thanks in advance.
365.png
Question by:wiggumc
12 Comments
 

Author Comment

by:wiggumc
ID: 38777925
Actually just to note, that screenshot shows "Negotiate" authentication. This is what happens when I enter incorrect credentials. When I enter the correct credentials, it shows "Basic" authentication, as per the 2nd screenshot.

Thanks.
basic.png
0
 
LVL 5

Expert Comment

by:Kernel_Recovery_Tools
ID: 38781396
Hello wiggumc,

Please check these articles: http://technet.microsoft.com/en-us/library/jj204570.aspx and http://www.msexchange.org/articles-tutorials/office-365/exchange-online/

I hope these articles will sort out the issue.

Thanks
Kernel Recovery Tools
0
 

Author Comment

by:wiggumc
ID: 38782229
Hi,

Thanks for the comment but these links are quite generic and contain a lot of info. Is there anything in particular you could point out, based on the error I'm receiving?

Cheers.
0

Author Comment

by:wiggumc
ID: 38783601
Hi,

As an update to this: it definitely seems to be a proxy/firewall issue. I have just tested turning off the proxy for all HTTPS connections and this works. When I turn it back on, it breaks things. I do, however, have my rules set up on the ISA server to whitelist connections on port 443 to the domains specified by Microsoft. Any ideas?

Thanks.
0
 
LVL 57

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 300 total points
ID: 38785270
You cannot proxy the connection to Office365. You must write a new rule that bypasses the proxy service for that connection. ISA does HTTPS proxying by deconstructing the SSL connection and creating a new SSL connection from the ISA server itself. While this works for many things, anything that relies on MTLS will break. Lync has the same issue.
0
 

Author Comment

by:wiggumc
ID: 38786346
Hi cgaliher,

Thanks for the clarification. That's what I suspected. Would you be able to give me any help setting up the ISA rule? We have a default enterprise policy with HTTPS proxying enabled. I have a rule set up to allow traffic to the domains below, from my Exchange server, via protocols HTTP, HTTPS and TCP. However, when I go into the protocols within this rule, go to the parameters and then the filters, and try to uncheck "Web Proxy Filter", I am told it can't be deselected because it is used by the corresponding protocol at enterprise level. I am sure I wouldn't need to go on and enable it for every other rule that's set up but I don't really know how to get around this. Any suggestions would be appreciated. What I essentially need is for all HTTP and HTTPS traffic to be proxied, apart from the Office 365 traffic.

*.exchangelabs.com
*.lync.com
*.microsoftonline.com
*.microsoftonline-p.com
*.outlook.com
*.sharepoint.com
osub.microsoft.com

Thanks,

Zak
0
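
The bypass list from the post above, expressed as client-side proxy auto-config (PAC) logic. This is an added example, not something posted in the thread, and it does not configure ISA itself; the proxy address is a constructed placeholder and the helper names are hypothetical. Wildcards are matched on label boundaries so that look-alike hosts are not sent direct.

```javascript
// Added example, not from the thread. The bypass list is copied from the
// post above; the proxy address is a constructed placeholder.
const BYPASS = [
  "*.exchangelabs.com",
  "*.lync.com",
  "*.microsoftonline.com",
  "*.microsoftonline-p.com",
  "*.outlook.com",
  "*.sharepoint.com",
  "osub.microsoft.com",
];
const PROXY = "PROXY isa.example.internal:8080"; // hypothetical ISA listener

// Match a host against one list entry. "*.example.com" matches any
// subdomain on a label boundary but not the bare domain; entries
// without a wildcard must match exactly.
function matchesEntry(host, entry) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  const e = entry.toLowerCase();
  if (e.startsWith("*.")) {
    const suffix = e.slice(1); // ".example.com", leading dot kept on purpose
    return h.length > suffix.length && h.endsWith(suffix);
  }
  return h === e;
}

// True when the host is covered by the Office 365 bypass list.
function shouldBypass(host) {
  return BYPASS.some((entry) => matchesEntry(host, entry));
}

// Standard PAC entry point: Office 365 hosts go direct, the rest are proxied.
function FindProxyForURL(url, host) {
  return shouldBypass(host) ? "DIRECT" : PROXY;
}
```

A PAC file only steers clients that are configured to use it, and the firewall still has to permit the direct connection.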
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 38786351
Without knowing all of your other rules and how you've set up the server, I can't be of much more help than I already have been. ISA is a very powerful product and has a lot of moving parts. Understanding the rules, precedence, enforcement, is not trivial and can't be easily summed up in a reply... especially with so many unknowns. Sorry.
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 200 total points
ID: 38800807
The way it is generally done would be to create a new network entity - without binding it to an adaptor - that includes the IP addresses of the target - and then create a route relationship between the new network and the internal entity.

Not so easy though when it is to a remote forest where - in essence - you are creating a federated relationship.

I assume you had already run the Best Practice Analyser for ISA 2006 and followed its recommendations?
0
 

Author Comment

by:wiggumc
ID: 38801429
Hi Keith,

Thanks for your reply. This is just a quick placeholder to say that I will take on your advice and reply properly later today. I'm working on another critical issue just now.

Thanks again.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38801440
No problem, snowed in so can't actually test this for the moment myself either :)
0
 

Accepted Solution

by:
wiggumc earned 0 total points
ID: 38809029
Hi Keith,

Ok, at the moment we are trialling Office 365 and I am tempted to just leave the HTTPS proxy switched off for the purposes of the trial if I can't get a resolution today as time is tight. If you or anyone else can suggest anything today though, that'd be great. I'll try to outline everything I've tried.

So, firstly, to make things work I uncheck the Web Proxy filter on the HTTPS protocol. Obviously not ideal, but it allows Office 365 to work properly. So to try to get this working with Web Proxy filter on for HTTPS I have tried...

Following your advice Keith, I tried creating a new network with all the IP addresses listed here: http://onlinehelp.microsoft.com/Office365-enterprises/hh373144.aspx. Once it was created, I also added all the relevant MS domain names too. I then created a local network rule with the source network as the servers I have set up for Office 365 and the destination as all the Office 365 sites. Does that sound like the right way to go about it? In any case, it didn't work. For testing purposes, I also tried setting the source to our entire internal network which also didn't work.

I then checked the rules I had tried creating previously against this page:

http://blogs.technet.com/b/keithab/archive/2012/01/17/creating-a-rule-to-bypass-the-web-proxy-filter-in-isa-server-or-forefront-tmg.aspx

Mine looked correct apart from adding the deny rule below which I then did. What confuses me is, under Troubleshooting in the ISA server, I used the traffic simulator option with the source as my Office 365 exchange server, the destination as ps.outlook.com and the account as my admin account that works for these services (I did also try anonymous user) and the ISA server bypasses the rules I created (they are right at the top) and passes them with another rule that proxies the connection. No idea why.

The final thing I tried was this: http://support.microsoft.com/kb/268326. So I created a Locallat.txt file, placed it in the correct folder on my Exchange server, and again it didn't work.

Any ideas or suggestions will be appreciated!
0
 

Author Closing Comment

by:wiggumc
ID: 38898165
Hi,

Thanks for all the suggestions but unfortunately this required a call to Microsoft to resolve. The bottom line is that we do not actually need the web proxy filter enabled for HTTPS traffic though there was a lot more to it than that. All suggestions here were valid so thanks again for the help.
0

Question has a verified solution.