Solved

ISA 2004 Blocking HTTPS Incoming

Posted on 2013-01-22
Last Modified: 2013-01-23
I am trying to access OWA Externally on my SBS 2003.

I have now figured out why I am having troubles with accessing it. ISA seems to be blocking HTTPS.

I have attached a screenshot below.

Does anyone know how to stop this from happening? It says it's being blocked by the default rule. I tried adding a new rule by:

- Right clicking Firewall Policy
- New Access Rule
- Allow
- Https Server
- From External
- To Local Host

I then moved this rule to number 1 and I am still getting the access denied. If anyone can help that would be much appreciated.

Thanks
ISAProb.JPG
Question by:dan4132
14 Comments
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 38805405
Does it let you access the default web site on the owa server (i.e. leave /owa off the end of the URL)? Since you are accessing a subdirectory (/owa) did you configure the rule to allow subdirectories? Or did you configure a rule specifically for the /owa directory, and not the server top level site?
0
 
LVL 3

Author Comment

by:dan4132
ID: 38805419
Heya,

No it won't even let me access the default website either.

Whenever I type in HTTPS://mywebsite in the logs of ISA I can see it deny the request straight away. (as per the Screenshot)

The rule has been configured to allow subdirectories. /owa, /exchweb, & /exchange

And I also configured a rule to allow the top website as well but that didn't work either..
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 38805469
Maybe your OWA request doesn't quite match the rule. Have a look through this first (should mostly apply to ISA 2004), then if it doesn't help, post some screen shots of your rule config pages.
Troubleshooting Outlook Web Access Publishing
http://technet.microsoft.com/en-us/library/bb794843.aspx
0
 
LVL 3

Author Comment

by:dan4132
ID: 38805785
Hey Lee,

Thanks so much for your response.

I have checked through the website and nothing obvious is standing out to me. I have some screenshots of my rules for you:
ISARules.JPG
ISARules2.JPG
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 38806168
Does anything get logged in the OWA server's IIS log files? I'm just wondering if the configuration allows partial, but insufficient, access to owa. For example, if the rule allows /owa , but not /owa/* , you'd see an initial request in the OWA server's iis log file, but nothing after that.
0
 
LVL 3

Author Comment

by:dan4132
ID: 38806326
There are only 2 things in the log today but they say nothing about deny access.. assuming I am accessing the right log:

C:\WINDOWS\system32\LogFiles\W3SVC1

I have attached another screenshot for you. Is that the right rule that you needed to see with the /exchange/* ?
ISALog.JPG
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 38806363
That's the correct log, but no OWA requests are logged there. So, nothing's reaching IIS, apart from a few internal WebDAV requests. I assume you haven't used OWA internally today, or you'd see it in there. That page of the rule looks good, but there are other pages, of course. Is the SBS Web Listener that it's using working okay? In other words, are there any other sites or directories that you can actually access using other rules that use it?
0
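The log check Lee walks through in the two comments above, as an added example that is not part of the thread: it reads an IIS W3C log and reports whether browser requests for the published paths reached IIS at all, only at the top-level path, or including subpaths. The sample log is constructed, and treating GET/POST as browser traffic and other verbs as WebDAV is an assumption of this sketch.

```python
from collections import Counter

# Paths taken from the publishing rule described in the thread.
PUBLISHED = ("/owa", "/exchweb", "/exchange")
# Assumption: browser traffic is GET/POST; other verbs count as WebDAV.
BROWSER_METHODS = {"GET", "POST"}

# Constructed sample in W3C extended format, not a log from the thread.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2013-01-22 01:10:02 192.168.16.2 PROPFIND /exchange/admin/Inbox 207
2013-01-22 01:10:03 192.168.16.2 SEARCH /exchange/admin/Calendar 207
"""

def parse_w3c(text):
    """Yield one dict per request, named by the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def triage(text):
    """Return (verdict, counts) for requests to the published paths."""
    seen = Counter()
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        root = next((p for p in PUBLISHED
                     if stem == p or stem.startswith(p + "/")), None)
        if root is None:
            continue
        if row.get("cs-method", "") not in BROWSER_METHODS:
            seen["webdav"] += 1      # e.g. internal WebDAV traffic
        elif stem.rstrip("/") == root:
            seen["root"] += 1        # initial request only
        else:
            seen["sub"] += 1         # something below the published path
    if seen["sub"]:
        verdict = "requests reach IIS, including subpaths"
    elif seen["root"]:
        verdict = "only the top-level path reaches IIS: check the rule's /path/* entries"
    else:
        verdict = "no browser requests reach IIS: look upstream at the rule and listener"
    return verdict, dict(seen)
```

Run `triage()` on the text of a file from the W3SVC1 log folder; the constructed sample gives the "no browser requests" verdict, which is the situation in this thread.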
 
LVL 3

Author Comment

by:dan4132
ID: 38806459
Yeh no one is at the office this week so no one was in OWA.

The only thing that I can see is working is port 25 for SMTP.

I used the website canyouseeme.org to scan which ports were open and the only one was port 25.

I can't access anything from the outside of the business to the inside when I use the domain or IP address. I tried accessing other websites that IIS is hosting on https and they aren't working either..
But they are all working fine inside the network.

I have taken a few more screenshots of the Web Listener properties for you.

How would I check the listener is working ok? I am very new to ISA.. I normally use Cisco ASA's so sorry for playing so dumb with all this.

Thanks again for your help so far!
ISAListen.JPG
ISAListen2.JPG
ISAListen3.JPG
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 38806837
Is the rule enabled? On the General tab.
0
 
LVL 3

Author Comment

by:dan4132
ID: 38807805
There is no enable on the General Tab for the Web Listener.

But for the SBS OWA Web Publishing Rule there is an Enable and that is ticked.
0
 
LVL 31

Accepted Solution

by:LeeDerbyshire
LeeDerbyshire earned 500 total points
ID: 38809730
Sorry, I meant the Rule, not the Listener. Since the last (Deny) rule appears to be working, how about if you change the OWA rule to All Networks or External (if you can), in case there is something wrong with the Listener - after all, it seems that no HTTP/S access is getting in at all.
0
 
LVL 3

Author Comment

by:dan4132
ID: 38809924
Hey Lee,

Well you sir have hit the nail on the head. It was the ALL Networks that needed to be selected in the web listener! That was the problem.. (I have attached a screenshot for fix)

But now I have a new problem haha.. great.. I might need to open up a separate question if you don't know much about it.. but now when I browse to mydomain/exchange I am getting a 500 error:

The page cannot be displayed  
Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

--------------------------------------------------------------------------------

Try the following:

Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.

--------------------------------------------------------------------------------

Technical Information (for support personnel)

Error Code: 500 Internal Server Error. The target principal name is incorrect. (-2146893022)
Listener.JPG
0
 
LVL 31

Assisted Solution

by:LeeDerbyshire
LeeDerbyshire earned 500 total points
ID: 38810080
I've not heard of that one, but MS have this for it:
http://support.microsoft.com/kb/841664
I think it just means that the server name for the SSL certificate on the OWA server doesn't match the name you are using in the URL to access it. But that's just a guess.
0
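Lee's guess above, worked through as an added example that is not part of the thread: it converts the signed error code from the ISA error page into its hex form (0x80090322, SEC_E_WRONG_PRINCIPAL) and checks which names used to reach a server are not covered by the names in its certificate. The host names are hypothetical, and the matching rule (a `*` only as the whole left-most label) is a simplified form of normal certificate name matching.

```python
def hresult_hex(code):
    """Render a signed 32-bit error code as an unsigned hex HRESULT."""
    return "0x%08X" % (code & 0xFFFFFFFF)

def name_matches(requested, cert_name):
    """True if the requested host name is covered by one certificate name.

    Comparison is case-insensitive and label by label; '*' is accepted
    only as the entire left-most label of a name with three or more labels.
    """
    req = requested.lower().rstrip(".").split(".")
    pat = cert_name.lower().rstrip(".").split(".")
    if len(req) != len(pat):
        return False
    if pat[0] == "*" and len(pat) > 2:
        return bool(req[0]) and req[1:] == pat[1:]
    return req == pat

def uncovered(names_in_use, cert_names):
    """Return the names in use that no certificate name covers."""
    return [n for n in names_in_use
            if not any(name_matches(n, c) for c in cert_names)]

# Hypothetical values: the certificate was issued for the public name,
# while one of the names used to reach the server is an internal one.
CERT_NAMES = ["mail.example.com"]
NAMES_IN_USE = ["mail.example.com", "sbs01.example.local"]

if __name__ == "__main__":
    print(hresult_hex(-2146893022))          # code from the error page
    for bad in uncovered(NAMES_IN_USE, CERT_NAMES):
        print("name not covered by certificate:", bad)
```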
 
LVL 3

Author Closing Comment

by:dan4132
ID: 38810095
You got it man thanks so much again for all of your help A*!!
0
