Solved

ISA 2004 Blocking HTTPS Incoming

Posted on 2013-01-22
Last Modified: 2013-01-23
I am trying to access OWA Externally on my SBS 2003.

I have now figured out why I am having troubles with accessing it. ISA seems to be blocking HTTPS.

I have attached a screenshot below.

Does anyone know how to stop this from happening? It says it's being blocked by the default rule. I tried adding a new rule by:

- Right clicking Firewall Policy
- New Access Rule
- Allow
- Https Server
- From External
- To Local Host

I then moved this rule to number 1 and I am still getting the access denied. If anyone can help that would be much appreciated.

Thanks
ISAProb.JPG
Question by:dan4132
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 38805405
Does it let you access the default web site on the owa server (i.e. leave /owa off the end of the URL)? Since you are accessing a subdirectory (/owa) did you configure the rule to allow subdirectories? Or did you configure a rule specifically for the /owa directory, and not the server top level site?
0
 
LVL 3

Author Comment

by:dan4132
ID: 38805419
Heya,

No it won't even let me access the default website either.

Whenever I type in HTTPS://mywebsite in the logs of ISA I can see it deny the request straight away. (as per the Screenshot)

The rule has been configured to allow subdirectories. /owa, /exchweb, & /exchange

And I also configured a rule to allow the top website as well but that didn't work either..
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 38805469
Maybe your OWA request doesn't quite match the rule. Have a look through this first (should mostly apply to ISA 2004), then if it doesn't help, post some screen shots of your rule config pages.
Troubleshooting Outlook Web Access Publishing
http://technet.microsoft.com/en-us/library/bb794843.aspx
0
 
LVL 3

Author Comment

by:dan4132
ID: 38805785
Hey Lee,

Thanks so much for your response.

I have checked through the website and nothing obvious is standing out to me. I have some screenshots of my rules for you:
ISARules.JPG
ISARules2.JPG
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 38806168
Does anything get logged in the OWA server's IIS log files? I'm just wondering if the configuration allows partial, but insufficient, access to owa. For example, if the rule allows /owa , but not /owa/* , you'd see an initial request in the OWA server's iis log file, but nothing after that.
0
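The IIS log check suggested above can be scripted. This is an added example, not code from the thread: it parses a W3C-format log and reports, for each directory in the publishing rule, whether nothing arrived, only the directory itself was requested, or paths below it were reached. The sample log, the addresses in it and the function names are constructed for illustration.

```python
from collections import Counter

# Virtual directories named in the thread's publishing rule.
PUBLISHED = ("/owa", "/exchange", "/exchweb")

# Constructed sample in IIS W3C extended format (not data from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2013-01-22 09:14:02 127.0.0.1 PROPFIND /exchange/admin/Inbox 207
2013-01-22 09:15:40 192.168.16.2 GET /exchange 401
2013-01-22 09:15:41 192.168.16.2 GET /exchweb/controls/navbar.css 200
2013-01-22 09:20:11 192.168.16.2 GET /iisstart.htm 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names on the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and len(line.split()) == len(fields):
            yield dict(zip(fields, line.split()))

def summarize(text, client=None):
    """Count hits per published directory: the directory itself vs. paths below it."""
    # client: optional c-ip to keep (assumption: you know which address the
    # published requests arrive from, so local WebDAV traffic can be excluded).
    counts = Counter()
    for row in parse_w3c(text):
        if client and row.get("c-ip") != client:
            continue
        stem = row.get("cs-uri-stem", "").lower()
        for vdir in PUBLISHED:
            if stem == vdir:
                counts[(vdir, "top")] += 1
            elif stem.startswith(vdir + "/"):
                counts[(vdir, "below")] += 1
    return counts

def diagnose(counts, vdir):
    """Map the counts onto the cases described in the thread."""
    top, below = counts[(vdir, "top")], counts[(vdir, "below")]
    if top == 0 and below == 0:
        return "nothing reached IIS"
    return "initial request only" if below == 0 else "subpaths reached IIS"

if __name__ == "__main__":
    c = summarize(SAMPLE_LOG, client="192.168.16.2")
    print({v: diagnose(c, v) for v in PUBLISHED})
```

Pass the text of a file from the W3SVC1 log folder to `summarize()`; "initial request only" corresponds to the /owa versus /owa/* case described above.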
 
LVL 3

Author Comment

by:dan4132
ID: 38806326
There are only 2 things in the log today but they say nothing about deny access.. assuming I am accessing the right log:

C:\WINDOWS\system32\LogFiles\W3SVC1

I have attached another screenshot for you. Is that the right rule that you needed to see with the /exchange/* ?
ISALog.JPG
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 38806363
That's the correct log, but no OWA requests are logged there. So, nothing's reaching IIS, apart from a few internal WebDAV requests. I assume you haven't used OWA internally today, or you'd see it in there. That page of the rule looks good, but there are other pages, of course. Is the SBS Web Listener that it's using working okay? In other words, are there any other sites or directories that you can actually access using other rules that use it?
0
 
LVL 3

Author Comment

by:dan4132
ID: 38806459
Yeh no one is at the office this week so no one was in OWA.

The only thing that I can see is working is port 25 for SMTP.

I used the website canyouseeme.org to scan which ports were open and the only one was port 25.

I can't access anything from the outside of the business to the inside when I use the domain or IP address. I tried accessing other websites that IIS is hosting on https and they aren't working either..
But they are all working fine inside the network.

I have taken a few more screenshots of the Web Listener properties for you.

How would I check the listener is working ok? I am very new to ISA.. I normally use Cisco ASAs so sorry for playing so dumb with all this.

Thanks again for your help so far!
ISAListen.JPG
ISAListen2.JPG
ISAListen3.JPG
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 38806837
Is the rule enabled? On the General tab.
0
 
LVL 3

Author Comment

by:dan4132
ID: 38807805
There is no enable on the General Tab for the Web Listener.

But for the SBS OWA Web Publishing Rule there is an Enable and that is ticked.
0
 
LVL 31

Accepted Solution

by:
LeeDerbyshire earned 2000 total points
ID: 38809730
Sorry, I meant the Rule, not the Listener. Since the last (Deny) rule appears to be working, how about if you change the OWA rule to All Networks or External (if you can), in case there is something wrong with the Listener - after all, it seems that no HTTP/S access is getting in at all.
0
 
LVL 3

Author Comment

by:dan4132
ID: 38809924
Hey Lee,

Well you sir have hit the nail on the head. It was the ALL Networks that needed to be selected in the web listener! That was the problem.. (I have attached a screenshot for fix)

But now I have a new problem haha.. great.. I might need to open up a separate question if you don't know much about it.. but now when I browse to mydomain/exchange I am getting a 500 error:

The page cannot be displayed  
Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

--------------------------------------------------------------------------------

Try the following:

Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.

--------------------------------------------------------------------------------

Technical Information (for support personnel)

Error Code: 500 Internal Server Error. The target principal name is incorrect. (-2146893022)
Listener.JPG
0
 
LVL 31

Assisted Solution

by:LeeDerbyshire
LeeDerbyshire earned 2000 total points
ID: 38810080
I've not heard of that one, but MS have this for it:
http://support.microsoft.com/kb/841664
I think it just means that the server name for the SSL certificate on the OWA server doesn't match the name you are using in the URL to access it. But that's just a guess.
0
 
LVL 3

Author Closing Comment

by:dan4132
ID: 38810095
You got it man thanks so much again for all of your help A*!!
0
