Annoying Outlook Anywhere
Posted on 2014-07-24
Having recently published our Exchange 2010 SP2 CAS Array to host Outlook Anywhere, via NTLM, I'm about to throw them across the room !
We have this scenario :-
Public IP1 - Cisco FW - External IP1 - ISA 2006 Listener 1 - OWA Rule - Internal IP - Cisco FW NAT IP1 - OWA
Public IP2 - Cisco FW - External IP2 - ISA 2006 Listener 2 - OA Rule - Internal IP - Cisco FW NAT IP2 - CAS
The two published systems run on separate IP's from the internet, all the way through to the Exchange boxes, sharing only the internal IP of the ISA box.
Our OWA uses RSA SecurID, so it has a separate listener on the ISA.
The NAT on the internal Cisco Firewall runs on two sets of different IP's.
Our OWA rule works perfectly. The OA rule doesn't !
When we test OA, traffic is seen on the ISA, coming into the OA External IP, but then a new connection is initiated from the OWA External IP to the NAT IP. The connection sits there until the timeout is reached. We then see an error which correctly states the IP's in the path and says that the "connection attempt failed because the connected party did not properly respond after a period of time".
Does anyone have a step-by-step guide of how and what the ISA settings should be, as well as a method to track traffic beyond the ISA, to see if the OA request is actually reaching the CAS array ?
Thanks in advance