  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 539

ISA 2004 Blocking HTTPS Incoming

I am trying to access OWA Externally on my SBS 2003.

I have now figured out why I am having troubles with accessing it. ISA seems to be blocking HTTPS.

I have attached a screenshot below.

Does anyone know how to stop this from happening? It says it's being blocked by the default rule. I tried adding a new rule by:

- Right clicking Firewall Policy
- New Access Rule
- Allow
- Https Server
- From External
- To Local Host

I then moved this rule to number 1 and I am still getting the access denied. If anyone can help that would be much appreciated.

Thanks
ISAProb.JPG
0
Asked by: dan4132
2 Solutions
 
LeeDerbyshire Commented:
Does it let you access the default web site on the owa server (i.e. leave /owa off the end of the URL)? Since you are accessing a subdirectory (/owa) did you configure the rule to allow subdirectories? Or did you configure a rule specifically for the /owa directory, and not the server top level site?
0
 
dan4132 (Author) Commented:
Heya,

No it won't even let me access the default website either.

Whenever I type in HTTPS://mywebsite, in the logs of ISA I can see it deny the request straight away (as per the screenshot).

The rule has been configured to allow subdirectories. /owa, /exchweb, & /exchange

And I also configured a rule to allow the top website as well but that didn't work either..
0
 
LeeDerbyshire Commented:
Maybe your OWA request doesn't quite match the rule. Have a look through this first (should mostly apply to ISA 2004), then if it doesn't help, post some screen shots of your rule config pages.
Troubleshooting Outlook Web Access Publishing
http://technet.microsoft.com/en-us/library/bb794843.aspx
0
 
dan4132 (Author) Commented:
Hey Lee,

Thanks so much for your response.

I have checked through the website and nothing obvious is standing out to me. I have some screenshots of my rules for you:
ISARules.JPG
ISARules2.JPG
0
 
LeeDerbyshire Commented:
Does anything get logged in the OWA server's IIS log files? I'm just wondering if the configuration allows partial, but insufficient, access to owa. For example, if the rule allows /owa , but not /owa/* , you'd see an initial request in the OWA server's iis log file, but nothing after that.
0
 
dan4132 (Author) Commented:
There are only 2 things in the log today but they say nothing about deny access.. assuming I am accessing the right log:

C:\WINDOWS\system32\LogFiles\W3SVC1

I have attached another screenshot for you. Is that the right rule that you needed to see with the /exchange/* ?
ISALog.JPG
0
 
LeeDerbyshire Commented:
That's the correct log, but no OWA requests are logged there. So, nothing's reaching IIS, apart from a few internal WebDAV requests. I assume you haven't used OWA internally today, or you'd see it in there. That page of the rule looks good, but there are other pages, of course. Is the SBS Web Listener that it's using working okay? In other words, are there any other sites or directories that you can actually access using other rules that use it?
0
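The IIS-log check used in the two comments above (nothing logged means the request never reached IIS; only the top-level request logged means the path rule is too narrow), as an added example that is not part of the original thread. The sample log lines, addresses and the choice to treat only GET/POST as browser traffic are assumptions made for illustration.

```python
# Added example: classify IIS W3C log content the way the thread reasons about it.
PUBLISHED = ("/owa", "/exchweb", "/exchange")  # paths named in the thread
BROWSER_METHODS = {"GET", "POST"}  # assumption: other verbs are WebDAV traffic

HEADER = "#Fields: date time cs-method cs-uri-stem c-ip sc-status\n"
# Constructed sample logs (not taken from the thread's server).
ONLY_WEBDAV = HEADER + (
    "2000-01-01 09:00:01 PROPFIND /exchange/admin/Inbox 192.0.2.10 207\n"
    "2000-01-01 09:00:02 SEARCH /exchange/admin/Inbox 192.0.2.10 207\n")
TOP_ONLY = HEADER + "2000-01-01 09:05:00 GET /owa 192.0.2.10 302\n"
FULL = HEADER + (
    "2000-01-01 09:10:00 GET /exchange 192.0.2.10 200\n"
    "2000-01-01 09:10:01 GET /exchange/admin/Inbox/ 192.0.2.10 200\n"
    "2000-01-01 09:10:02 GET /exchweb/img/example.gif 192.0.2.10 200\n")

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def classify(text, prefixes=PUBLISHED):
    """Return which stage the published-path requests reached."""
    top = deeper = 0
    for req in parse_w3c(text):
        if req.get("cs-method", "").upper() not in BROWSER_METHODS:
            continue  # ignore internal WebDAV verbs
        stem = req.get("cs-uri-stem", "").lower().rstrip("/")
        for prefix in prefixes:
            if stem == prefix:
                top += 1
            elif stem.startswith(prefix + "/"):
                deeper += 1
    if top == 0 and deeper == 0:
        return "no-owa-requests"   # nothing reached IIS: check firewall rule/listener
    if deeper == 0:
        return "top-level-only"    # e.g. /owa allowed but /owa/* is not
    return "subpaths-reached"      # publishing rule passes subdirectories

if __name__ == "__main__":
    for name, log in (("webdav", ONLY_WEBDAV), ("top", TOP_ONLY), ("full", FULL)):
        print(name, classify(log))
```

To use it on a real server, pass the text of a file from the W3SVC1 log folder to `classify`; it relies on the `cs-method` and `cs-uri-stem` fields being enabled in the IIS logging settings.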
 
dan4132 (Author) Commented:
Yeh no one is at the office this week so no one was in OWA.

The only thing that I can see is working is port 25 for SMTP.

I used the website canyouseeme.org to scan which ports were open and the only one was port 25.

I can't access anything from the outside of the business to the inside when I use the domain or IP address. I tried accessing other websites that IIS is hosting on https and they aren't working either..
But they are all working fine inside the network.

I have taken a few more screenshots of the Web Listener properties for you.

How would I check the listener is working ok? I am very new to ISA.. I normally use Cisco ASA's so sorry for playing so dumb with all this.

Thanks again for your help so far!
ISAListen.JPG
ISAListen2.JPG
ISAListen3.JPG
0
 
LeeDerbyshire Commented:
Is the rule enabled? On the General tab.
0
 
dan4132 (Author) Commented:
There is no enable on the General Tab for the Web Listener.

But for the SBS OWA Web Publishing Rule there is an Enable and that is ticked.
0
 
LeeDerbyshire Commented:
Sorry, I meant the Rule, not the Listener. Since the last (Deny) rule appears to be working, how about if you change the OWA rule to All Networks or External (if you can), in case there is something wrong with the Listener - after all, it seems that no HTTP/S access is getting in at all.
0
 
dan4132 (Author) Commented:
Hey Lee,

Well you sir have hit the nail on the head. It was the ALL Networks that needed to be selected in the web listener! That was the problem.. (I have attached a screenshot for fix)

But now I have a new problem haha.. great.. I might need to open up a separate question if you don't know much about it.. but now when I browse to mydomain/exchange I am getting a 500 error:

The page cannot be displayed  
Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

--------------------------------------------------------------------------------

Try the following:

Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.

--------------------------------------------------------------------------------

Technical Information (for support personnel)

Error Code: 500 Internal Server Error. The target principal name is incorrect. (-2146893022)
Listener.JPG
0
 
LeeDerbyshire Commented:
I've not heard of that one, but MS have this for it:
http://support.microsoft.com/kb/841664
I think it just means that the server name for the SSL certificate on the OWA server doesn't match the name you are using in the URL to access it. But that's just a guess.
0
 
dan4132 (Author) Commented:
You got it man thanks so much again for all of your help A*!!
0
