Outlook Anywhere on ISA 2006

Hi All

Having recently published our Exchange 2010 CAS Array to host Outlook Anywhere, via NTLM, I'm about to throw them across the room!

We have this scenario:

OWA:
Public IP1 - Cisco FW - Pvt IP 1 - ISA 2006 Listener 1 - OWA Rule - Internal IP - Cisco FW NAT IP1 - OWA

OA:
Public IP2 - Cisco FW - Pvt IP 2 - ISA 2006 Listener 2 - OA Rule - Internal IP - Cisco FW NAT IP2 - CAS

The two published systems run on separate IPs from the internet, all the way through to the Exchange boxes, sharing only the internal IP of the ISA box.
Our OWA uses RSA SecurID, so it has a separate listener on the ISA.
The NAT on the internal Cisco Firewall runs on two sets of different IPs.

Our OWA rule works perfectly. The OA rule doesn't!

When we test OA, traffic is seen on the ISA, coming into the OA External IP, but then a new connection is initiated from the OWA External IP to the NAT IP. The connection sits there until the timeout is reached. We then see an error which correctly states the IPs in the path and says that the "connection attempt failed because the connected party did not properly respond after a period of time".

Does anyone have a step-by-step guide of how and what the ISA settings should be, as well as a method to track traffic beyond the ISA, to see if the OA request is actually reaching the CAS array?

 Thanks in advance
Asked by: DoveSupport
DoveSupport (Author) commented:
Great guide - thank you!

Our ISA box and our AD servers are on either side of a firewall (different subnets). Can I just allow port 389 through for the AD auth to work?
imkottees (Senior Messaging Engineer) commented:
DoveSupport (Author) commented:
Thanks. Forgive me if I'm not on the same page!

The listener has been told to use the NetBIOS name of our AD domain. The ISA is on a workgroup of its own.
Do we have to create a route or a NAT rule across the firewall? How else will ISA know to refer to the AD farm on the other side? Does it broadcast on port 389 and listen for replies?
DoveSupport (Author) commented:
Doh! Of course. Thanks. Will test and see...