Solved

ISA 2004 Blocking HTTPS Incoming

Posted on 2013-01-22
Last Modified: 2013-01-23
I am trying to access OWA Externally on my SBS 2003.

I have now figured out why I am having troubles with accessing it. ISA seems to be blocking HTTPS.

I have attached a screenshot below.

Does anyone know how to stop this from happening? It says it's being blocked by the default rule. I tried adding a new rule by:

- Right clicking Firewall Policy
- New Access Rule
- Allow
- Https Server
- From External
- To Local Host

I then moved this rule to number 1 and I am still getting the access denied. If anyone can help that would be much appreciated.

Thanks
ISAProb.JPG
Question by:dan4132
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 38805405
Does it let you access the default web site on the OWA server (i.e. leave /owa off the end of the URL)? Since you are accessing a subdirectory (/owa), did you configure the rule to allow subdirectories? Or did you configure a rule specifically for the /owa directory, and not the server top level site?
0
 
LVL 3

Author Comment

by:dan4132
ID: 38805419
Heya,

No, it won't even let me access the default website either.

Whenever I type in HTTPS://mywebsite, in the logs of ISA I can see it deny the request straight away (as per the screenshot).

The rule has been configured to allow subdirectories. /owa, /exchweb, & /exchange

And I also configured a rule to allow the top website as well but that didn't work either..
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 38805469
Maybe your OWA request doesn't quite match the rule. Have a look through this first (should mostly apply to ISA 2004), then if it doesn't help, post some screen shots of your rule config pages.
Troubleshooting Outlook Web Access Publishing
http://technet.microsoft.com/en-us/library/bb794843.aspx
0
 
LVL 3

Author Comment

by:dan4132
ID: 38805785
Hey Lee,

Thanks so much for your response.

I have checked through the website and nothing obvious is standing out to me. I have some screenshots of my rules for you:
ISARules.JPG
ISARules2.JPG
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 38806168
Does anything get logged in the OWA server's IIS log files? I'm just wondering if the configuration allows partial, but insufficient, access to owa. For example, if the rule allows /owa , but not /owa/* , you'd see an initial request in the OWA server's iis log file, but nothing after that.
0
 
LVL 3

Author Comment

by:dan4132
ID: 38806326
There are only 2 things in the log today but they say nothing about denying access.. assuming I am accessing the right log:

C:\WINDOWS\system32\LogFiles\W3SVC1

I have attached another screenshot for you. Is that the right rule that you needed to see with the /exchange/* ?
ISALog.JPG
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 38806363
That's the correct log, but no OWA requests are logged there. So, nothing's reaching IIS, apart from a few internal WebDAV requests. I assume you haven't used OWA internally today, or you'd see it in there. That page of the rule looks good, but there are other pages, of course. Is the SBS Web Listener that it's using working okay? In other words, are there any other sites or directories that you can actually access using other rules that use it?
0
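The IIS log check discussed in the posts above, as an added example that is not part of the original thread: it reads a W3C extended log and reports, per published directory, whether nothing arrived, only WebDAV traffic, only an initial request (the `/owa` allowed but `/owa/*` not case), or full browser traffic. The sample log lines, the IP address and the WebDAV method list are constructed assumptions.

```python
# Added example: constructed IIS W3C log, not taken from the thread's screenshots.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2013-01-22 01:12:03 PROPFIND /exchange/admin/Calendar 192.168.16.2 207
2013-01-22 01:12:09 SEARCH /exchange/admin/Inbox 192.168.16.2 207
2013-01-22 03:40:51 GET /owa 192.168.16.2 401
"""

# Heuristic (assumption): these methods are treated as WebDAV, not a browser session.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "SEARCH", "SUBSCRIBE", "POLL",
                  "BPROPFIND", "MKCOL", "LOCK", "UNLOCK"}

def parse_w3c(text):
    """Yield one dict per request, using the #Fields: directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def summarize(text, published=("/exchange", "/exchweb", "/owa")):
    """Classify what reached IIS for each published directory."""
    counts = {p: {"root": 0, "below": 0, "webdav": 0} for p in published}
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower().rstrip("/")
        method = rec.get("cs-method", "").upper()
        for p in published:
            if stem != p and not stem.startswith(p + "/"):
                continue
            if method in WEBDAV_METHODS:
                counts[p]["webdav"] += 1
            elif stem == p:
                counts[p]["root"] += 1
            else:
                counts[p]["below"] += 1
    verdict = {}
    for p, c in counts.items():
        if c["below"]:
            verdict[p] = "browser requests reach IIS"
        elif c["root"]:
            verdict[p] = "initial request only"
        elif c["webdav"]:
            verdict[p] = "WebDAV only"
        else:
            verdict[p] = "nothing logged"
    return verdict
```
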
 
LVL 3

Author Comment

by:dan4132
ID: 38806459
Yeh no one is at the office this week so no one was in OWA.

The only thing that I can see is working is port 25 for SMTP.

I used the website canyouseeme.org to scan which ports were open and the only one was port 25.

I can't access anything from the outside of the business to the inside when I use the domain or IP address. I tried accessing other websites that IIS is hosting on https and they aren't working either..
But they are all working fine inside the network.

I have taken a few more screenshots of the Web Listener properties for you.

How would I check the listener is working ok? I am very new to ISA.. I normally use Cisco ASAs so sorry for playing so dumb with all this.

Thanks again for your help so far!
ISAListen.JPG
ISAListen2.JPG
ISAListen3.JPG
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 38806837
Is the rule enabled? On the General tab.
0
 
LVL 3

Author Comment

by:dan4132
ID: 38807805
There is no enable on the General Tab for the Web Listener.

But for the SBS OWA Web Publishing Rule there is an Enable and that is ticked.
0
 
LVL 31

Accepted Solution

by:LeeDerbyshire
LeeDerbyshire earned 500 total points
ID: 38809730
Sorry, I meant the Rule, not the Listener. Since the last (Deny) rule appears to be working, how about if you change the OWA rule to All Networks or External (if you can), in case there is something wrong with the Listener - after all, it seems that no HTTP/S access is getting in at all.
0
 
LVL 3

Author Comment

by:dan4132
ID: 38809924
Hey Lee,

Well you sir have hit the nail on the head. It was the ALL Networks that needed to be selected in the web listener! That was the problem.. (I have attached a screenshot of the fix)

But now I have a new problem haha.. great.. I might need to open up a separate question if you don't know much about it.. but now when I browse to mydomain/exchange I am getting a 500 error:

The page cannot be displayed  
Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

--------------------------------------------------------------------------------

Try the following:

Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.

--------------------------------------------------------------------------------

Technical Information (for support personnel)

Error Code: 500 Internal Server Error. The target principal name is incorrect. (-2146893022)
Listener.JPG
0
 
LVL 31

Assisted Solution

by:LeeDerbyshire
LeeDerbyshire earned 500 total points
ID: 38810080
I've not heard of that one, but MS have this for it:
http://support.microsoft.com/kb/841664
I think it just means that the server name for the SSL certificate on the OWA server doesn't match the name you are using in the URL to access it. But that's just a guess.
0
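A way to test the certificate-name explanation offered in the post above, as an added example that is not part of the original thread: the error number -2146893022 is the signed 32-bit form of 0x80090322, the SSPI status SEC_E_WRONG_PRINCIPAL, and the check below compares the name used to reach the server against the names on its certificate. The host names and address in the usage lines are constructed, and preferring SAN entries over the subject CN when both exist is an assumption of this sketch.

```python
import ipaddress

def signed_to_hresult(code):
    """Convert the signed 32-bit status shown on the error page to its hex form."""
    return "0x%08X" % (code & 0xFFFFFFFF)

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def label_match(pattern, host):
    """Case-insensitive DNS name match; '*' may stand for one left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def check_name(requested, subject_cn, san_dns=()):
    """Return (ok, names_checked) for the name used to reach the server.

    Assumption: if the certificate carries DNS SAN entries they are used and the
    CN is ignored; otherwise the CN is the only candidate. An IP address never
    matches a DNS name, so connecting by IP counts as a mismatch here.
    """
    names = list(san_dns) or [subject_cn]
    if _is_ip(requested):
        return False, names
    return any(label_match(n, requested) for n in names), names

if __name__ == "__main__":
    print(signed_to_hresult(-2146893022))
    # Constructed names: certificate issued to the public name,
    # server reached by short name, by IP, and by the public name.
    for target in ("sbs2003", "192.168.16.2", "mail.example.com"):
        print(target, check_name(target, "mail.example.com"))
```
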
 
LVL 3

Author Closing Comment

by:dan4132
ID: 38810095
You got it man thanks so much again for all of your help A*!!
0
