Basically, what we're trying to do is publish OWA 2003 and Exchange Activesync through our ISA 2004 firewall. Currently, these two things are configured successfully on our front end exchange server.

The problem lies in the fact that on ISA 2004 forms based authentication and other forms of authentication are mutually exclusive on the same listener. Basically, if forms based authentication is enabled on a web listener accepting incoming connections, then no other authentication method can be used at the same time on that IP address.

Currently, we have a rule in the firewall for OWA as follows:

OWA Firewall Rule
Action = Allow
From = Anywhere
To = frontendexchange.Domain.sch.uk
HTTP + HTTPS, tick notify users to use HTTPS instead.
Listener = IntranetIP
Public Name = intranet.Domain.sch.uk
217.xxx.xx.xx
Users = All users
Paths - /exchange/*
/exchweb/*
/Microsoft-Server-ActiveSync/*
/Public/*
Bridging = Web Server, Redirect requests to HTTP port 80

Web Listener (intranetip)
Networks = External, Internal
Port (HTTP) 80
Port (HTTPS) 443
Certificate = Same as above
Authentication Methods= OWA FBA
Always Authenticate? Yes
Domain = Domain.Sch.Uk

If I want to get Exchange Activesync working, I have to edit the firewall rule, remove the above web listener and replace it with one specifically tailored for Activesync. This then enables Activesync to work, but OWA to fail. The configuration for Activesync is as follows:

Exchange ActiveSync Firewall Rule
It is a Mail Server Publishing Rule (will appear as a web rule when completed)

Action = Allow
From = Anywhere
To = frontendexchange.Domain.sch.uk
HTTPS only
Listener = Microsoft Activesync Listener
Public Name = intranet.Domain.sch.uk
217.xxx.xx.xx
Users = All users
Paths - /exchange/*
/exchweb/*
/Microsoft-Server-ActiveSync/*
/Public/*
Bridging = Web Server, Redirect requests to HTTP port 80

Exchange Activesync Listener Rule
Networks = External
Port (HTTP) = Disabled
Port (HTTPS) 443
Certificate = Same as above
Authentication Methods = Basic
Always Authenticate? No
Domain = Domain.Sch.Uk

I'm aware that I can have the two firewall rules existing at the same time, but haven't bothered because it isn't fully functional at the moment anyway.

I have already tried this:

ISA Server 2004: Supporting Both Basic and Forms-based Authentication with a Single External IP Address and Web Listener (v1.1)

It didn't work as expected.

I'm now going to try and do it the official "Microsoft" way, but I'm a bit stuck. As we're a school, we operate through SWGfL, who control which servers have what published over the internet. We can get most ports/protocols allowed but it involves having to go through a change request process.

The web address intranet.domain.sch.uk currently resolves to 10.x.x.x which has been assigned to us by SWGfL.

Do I need to move the Exchange Activesync configuration onto a different server, obtain a different external IP address, and different web address (and certificate) for it, or is there another way I can do it by just using our front end exchange server, and its one IP address/web address? If it helps, I believe our front end exchange server has 2 network cards, one of which isn't in use.

Lots of people seem to think I need to bind another external IP address to our firewall, but isn't it going to get a bit confused if I have 2 IP addresses pointing to the same web address?

Any tips and advice would be greatly appreciated.

Thanks!
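As an added example (not part of the original post, and not ISA's own tooling), here is a small Python check that tells you which authentication a published listener is actually presenting on each path, which is the quickest way to confirm the symptom described above: an ActiveSync client cannot complete a forms logon, so the ActiveSync virtual directory must get a Basic challenge, not a redirect to a logon form. The responses below are constructed to resemble the FBA listener and the Basic listener from the post; the logon redirect target (/auth/logon.aspx) is an assumed placeholder, not a verified ISA 2004 path.

```python
# Added example: classify the authentication a web listener offers per path,
# from a raw HTTP response, and flag paths where ActiveSync would be blocked.
from email.parser import Parser

def classify_auth(raw_response: str) -> str:
    """Return 'forms', 'basic', 'open' or 'other' from status line + headers."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    status_line, _, header_text = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers = Parser().parsestr(header_text)
    challenge = headers.get("WWW-Authenticate", "")
    location = headers.get("Location", "")
    if status == 401 and challenge.lower().startswith("basic"):
        return "basic"           # Basic challenge: usable by ActiveSync clients
    if status in (302, 303) and "logon" in location.lower():
        return "forms"           # redirect to a logon form: browser-only (FBA)
    if status == 200:
        return "open"            # listener did not require authentication
    return "other"

def audit(responses: dict) -> dict:
    """Map each published path to the auth scheme the listener presented."""
    return {path: classify_auth(raw) for path, raw in responses.items()}

def activesync_blocked(responses: dict) -> list:
    """Paths of the ActiveSync directory that did not receive a Basic challenge."""
    return [p for p, a in audit(responses).items()
            if "activesync" in p.lower() and a != "basic"]

# Constructed sample: what the FBA-only listener answers (placeholder logon URL).
FBA_LISTENER = {
    "/exchange/": "HTTP/1.1 302 Found\r\nLocation: https://intranet.domain.sch.uk"
                  "/auth/logon.aspx?curl=/exchange/\r\nContent-Length: 0\r\n\r\n",
    "/Microsoft-Server-ActiveSync/": "HTTP/1.1 302 Found\r\nLocation: https://intranet."
                  "domain.sch.uk/auth/logon.aspx?curl=/Microsoft-Server-ActiveSync/"
                  "\r\nContent-Length: 0\r\n\r\n",
}
# Constructed sample: what the Basic-only ActiveSync listener answers.
BASIC_LISTENER = {
    "/exchange/": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic "
                  "realm=\"intranet.domain.sch.uk\"\r\nContent-Length: 0\r\n\r\n",
    "/Microsoft-Server-ActiveSync/": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: "
                  "Basic realm=\"intranet.domain.sch.uk\"\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    print("FBA listener:", audit(FBA_LISTENER), "blocked:", activesync_blocked(FBA_LISTENER))
    print("Basic listener:", audit(BASIC_LISTENER), "blocked:", activesync_blocked(BASIC_LISTENER))
```

To use it against a live listener, capture the raw response of an unauthenticated GET to each path (for example with a command-line HTTP client) and feed those strings to `audit`.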