Solved

Office 365 Migration problem (Possible ISA issue)

Posted on 2013-01-15
Last Modified: 2013-02-17
Hi,

I hope someone can help with a problem I've been struggling with for some time now. I'll do my best to remember everything that's been tried and tested so far but I'll try to stick to the main issue as much as possible. In short, the problem I have is that I cannot add the Office 365 forest to my Exchange environment.

Having spent some time on the issue, I still think the connection is being blocked by our firewall (x2 ISA Server 2006); however, through all the work I have done, the rules look to be set up correctly to me.

So to get to the specific error, when I try to add the Office 365 forest, I get the error shown below. I can sign into the Office 365 portal with the same credentials, on the same machine and the Directory Sync tool (on another server) also works fine with the same credentials. If anyone has any specific questions about our setup, I should be able to answer them.

Thanks in advance.
365.png
Question by:wiggumc
 

Author Comment

by:wiggumc
ID: 38777925
Actually just to note, that screenshot shows "Negotiate" authentication. This is what happens when I enter incorrect credentials. When I enter the correct credentials, it shows "Basic" authentication, as per the 2nd screenshot.

Thanks.
basic.png
 
LVL 5

Expert Comment

by:Kernel_Recovery_Tools
ID: 38781396
Hello wiggumc,

Please check with these articles http://technet.microsoft.com/en-us/library/jj204570.aspx and http://www.msexchange.org/articles-tutorials/office-365/exchange-online/

I hope these articles would sort out the issue.

Thanks
Kernel Recovery Tools
 

Author Comment

by:wiggumc
ID: 38782229
Hi,

Thanks for the comment but these links are quite generic and contain a lot of info. Is there anything in particular you could point out, based on the error I'm receiving?

Cheers.
 

Author Comment

by:wiggumc
ID: 38783601
Hi,

As an update to this: it definitely seems to be a proxy/firewall issue. I have just tested turning off the proxy for all HTTPS connections and this works. When I turn it back on, it breaks things. I do, however, have my rules set up on the ISA server to whitelist connections on port 443 to the domains specified by Microsoft. Any ideas?

Thanks.
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 300 total points
ID: 38785270
You cannot proxy the connection to Office365. You must write a new rule that bypasses the proxy service for that connection. ISA does HTTPS proxying by deconstructing the SSL connection and creating a new SSL connection from the ISA server itself. While this works for many things, anything that relies on MTLS will break. Lync has the same issue.
 

Author Comment

by:wiggumc
ID: 38786346
Hi cgaliher,

Thanks for the clarification. That's what I suspected. Would you be able to give me any help setting up the ISA rule? We have a default enterprise policy with HTTPS proxying enabled. I have a rule set up to allow traffic to the domains below, from my Exchange server, via protocols HTTP, HTTPS and TCP. However, when I go into the protocols within this rule, go to the parameters and then the filters, and try to uncheck "Web Proxy Filter", I am told it can't be deselected because it is used by the corresponding protocol at enterprise level. I am sure I wouldn't need to go on and enable it for every other rule that's set up but I don't really know how to get around this. Any suggestions would be appreciated. What I essentially need is for all HTTP and HTTPS traffic to be proxied, apart from the Office 365 traffic.

*.exchangelabs.com
*.lync.com
*.microsoftonline.com
*.microsoftonline-p.com
*.outlook.com
*.sharepoint.com
osub.microsoft.com

Thanks,

Zak
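
As an added illustration (not part of the original thread, and not ISA Server's own matching logic): a bypass list like the one above is a gap in inspection, so whatever evaluates it should match on DNS label boundaries only. This Python sketch classifies constructed destination hostnames against the listed patterns; the function names, and the rule that `*.domain` does not cover the bare domain, are assumptions of this example.

```python
# Added example: strict matching for a proxy-bypass list.
# Patterns come from the post above; the hostnames are constructed.
BYPASS_PATTERNS = [
    "*.exchangelabs.com", "*.lync.com", "*.microsoftonline.com",
    "*.microsoftonline-p.com", "*.outlook.com", "*.sharepoint.com",
    "osub.microsoft.com",
]


def normalize(host: str) -> str:
    """Lower-case and drop a trailing root dot so comparisons are canonical."""
    return host.strip().lower().rstrip(".")


def matches(pattern: str, host: str) -> bool:
    """Match on DNS label boundaries only.

    "*.example.com" covers any subdomain of example.com but not
    example.com itself (an assumption of this example); a pattern
    without "*" must match the host exactly.
    """
    pattern, host = normalize(pattern), normalize(host)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".outlook.com", leading dot kept
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def bypasses_proxy(host: str) -> bool:
    """True if the host falls inside the bypass list."""
    return any(matches(p, host) for p in BYPASS_PATTERNS)


def audit(hosts):
    """Split destination hosts into (bypass, proxied) lists, order preserved."""
    bypass = [h for h in hosts if bypasses_proxy(h)]
    proxied = [h for h in hosts if not bypasses_proxy(h)]
    return bypass, proxied


# Constructed destinations, including look-alikes that a substring or
# plain endswith("outlook.com") check would wrongly exempt from the proxy.
SAMPLE_HOSTS = [
    "ps.outlook.com", "PS.Outlook.com.", "login.microsoftonline.com",
    "osub.microsoft.com", "evil-outlook.com", "outlook.com.example.net",
    "www.microsoft.com", "outlook.com",
]

if __name__ == "__main__":
    print(audit(SAMPLE_HOSTS))
```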
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 38786351
Without knowing all of your other rules and how you've set up the server, I can't be of much more help than I already have been. ISA is a very powerful product and has a lot of moving parts. Understanding the rules, precedence, enforcement, is not trivial and can't be easily summed up in a reply, especially with so many unknowns. Sorry.
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 200 total points
ID: 38800807
The way it is generally done would be to create a new network entity - without binding it to an adaptor - that includes the IP addresses of the target - and then create a route relationship between the new network and the internal entity.

Not so easy though when it is to a remote forest where - in essence - you are creating a federated relationship.

I assume you had already run the best practice analyser for ISA 2006 and followed its recommendations?
 

Author Comment

by:wiggumc
ID: 38801429
Hi Keith,

Thanks for your reply. This is just a quick placeholder to say that I will take on your advice and reply properly later today. I'm working on another critical issue just now.

Thanks again.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38801440
No problem, snowed in so can't actually test this for the moment myself either :)
 

Accepted Solution

by:wiggumc
wiggumc earned 0 total points
ID: 38809029
Hi Keith,

Ok, at the moment we are trialling Office 365 and I am tempted to just leave the HTTPS proxy switched off for the purposes of the trial if I can't get a resolution today as time is tight. If you or anyone else can suggest anything today though, that'd be great. I'll try to outline everything I've tried.

So, firstly, to make things work I uncheck the Web Proxy filter on the HTTPS protocol. Obviously not ideal, but it allows Office 365 to work properly. So to try to get this working with Web Proxy filter on for HTTPS I have tried...

Following your advice Keith, I tried creating a new network with all the IP addresses listed here: http://onlinehelp.microsoft.com/Office365-enterprises/hh373144.aspx. Once it was created, I also added all the relevant MS domain names too. I then created a local network rule with the source network as the servers I have set up for Office 365 and the destination as all the Office 365 sites. Does that sound like the right way to go about it? In any case, it didn't work. For testing purposes, I also tried setting the source to our entire internal network which also didn't work.

I then checked the rules I had tried creating previously against this page:

http://blogs.technet.com/b/keithab/archive/2012/01/17/creating-a-rule-to-bypass-the-web-proxy-filter-in-isa-server-or-forefront-tmg.aspx

Mine looked correct apart from adding the deny rule below which I then did. What confuses me is, under Troubleshooting in the ISA server, I used the traffic simulator option with the source as my Office 365 exchange server, the destination as ps.outlook.com and the account as my admin account that works for these services (I did also try anonymous user) and the ISA server bypasses the rules I created (they are right at the top) and passes them with another rule that proxies the connection. No idea why.

The final thing I tried was this: http://support.microsoft.com/kb/268326. So I created a Locallat.txt file, placed it in the correct folder on my Exchange server, and again it didn't work.

Any ideas or suggestions will be appreciated!
 

Author Closing Comment

by:wiggumc
ID: 38898165
Hi,

Thanks for all the suggestions but unfortunately this required a call to Microsoft to resolve. The bottom line is that we do not actually need the web proxy filter enabled for HTTPS traffic though there was a lot more to it than that. All suggestions here were valid so thanks again for the help.