• Status: Solved

Outlook Anywhere on ISA 2006

Hi All

 Having recently published our Exchange 2010 CAS Array to host Outlook Anywhere, via NTLM, I'm about to throw them across the room !

 We have this scenario :-

 OWA :
 Public IP1 - Cisco FW - Pvt IP 1 - ISA 2006 Listener 1 - OWA Rule - Internal IP - Cisco FW NAT IP1 - OWA

 Public IP2 - Cisco FW - Pvt IP 2 - ISA 2006 Listener 2 - OA Rule - Internal IP - Cisco FW NAT IP2 - CAS

 The two published systems run on separate IPs from the internet, all the way through to the Exchange boxes, sharing only the internal IP of the ISA box.
 Our OWA uses RSA SecurID, so it has a separate listener on the ISA.
 The NAT on the internal Cisco Firewall runs on two sets of different IPs.

 Our OWA rule works perfectly. The OA rule doesn't !

 When we test OA, traffic is seen on the ISA, coming into the OA External IP, but then a new connection is initiated from the OWA External IP to the NAT IP. The connection sits there until the timeout is reached. We then see an error which correctly states the IPs in the path and says that the "connection attempt failed because the connected party did not properly respond after a period of time".

 Does anyone have a step-by-step guide of how and what the ISA settings should be, as well as a method to track traffic beyond the ISA, to see if the OA request is actually reaching the CAS array ?

 Thanks in advance
DoveSupportAuthor Commented:
Great guide - thank you !

Our ISA box and our AD servers are on either side of a firewall (different subnets). Can I just allow port 389 through for the AD auth to work ?

DoveSupportAuthor Commented:
Thanks. Forgive me if I'm not on the same page !

The listener has been told to use the netbios name of our AD domain. The ISA is on a workgroup of its own.
Do we have to create a route or a NAT rule across the firewall ? How else will ISA know to refer to the AD farm on the other side ? Does it broadcast on port 389 and listen for replies ?
DoveSupportAuthor Commented:
Doh ! Of course. Thanks. Will test and see . . .
