  #1 Gatt

    Publishing OWA 2003 SSL via ISA 2006

    OK, I give up..

    Been trying for the last few days to publish OWA via SSL through my ISA 2006 box.

    I can create the SSL cert with my Domain CA
    I export/import it into ISA
    Create an OWA rule pointing to my OWA box..

    I get a multitude of errors

    Info:
    Public OWA URL - https://www.moorsidehigh.com/exchange
    Internal OWA URL - https://mhs-srv-exch/exchange
    SSL Port: 443

    Most of the time I am getting a 403 - Forbidden - mentioning target principal name
    Other attempts I get a time out (408?) and had a 500, etc
    All from the public URL

    I have tried these 2 sites with no joy

    Publishing Exchange Client Access with ISA 2006 - The Complete Solution (Part 1)
    http://www.shijaz.com/isaserver/isa2006_publish_owa.

    So..

    Has anyone managed to publish OWA 2003 via SSL through ISA 2006 - if so, HOW did you do it?


  #2

    To test I would use the server publishing rule. This would rule out probs with your Exchange setup and point to your web publishing rules being the problem. Can you get to https://internalsitename/exchange internally? Run the ISA and Exchange Best Practice Analysers and see what that throws up.

  #3 SYNACK

    It sounds like you are using SSL to SSL bridging on your ISA and may not have set up internal name resolution quite right.

    For SSL to SSL you need the client to access the site via the public URL so that it matches what is on the cert. You also need to do the same thing internally, so that when the ISA box attempts to access the internal server it does so with the public FQDN that is on the certificate.

    I usually do this by adding a line to the hosts file on the ISA box so that it resolves the certified FQDN to the internal IP address, rather than having to use the proper internal names, which breaks SSL to SSL bridging.

  4. Thanks to SYNACK from:

    Gatt (1st April 2009)

  #4 Gatt

    Hmmm..

    Don't think that will be an option as Moorside High School (port 80) goes to my webserver
    but https://www.moorsidehigh.com (port 443) goes to my OWA server

    Suppose I can try and get a subdomain of https://webmail.moorsidehigh.com if I can't do it from my current setup..

    Any other ways of doing it?

  #5 SYNACK

    Your setup should be fine as is; you just need to get the ISA box itself to resolve Moorside High School to the internal IP of your OWA server. That way the certificate still matches the name used to access it, both from the client outside and from the ISA server as it makes a new SSL connection to the internal OWA server.

  7. Thanks to SYNACK from:

    Gatt (1st April 2009)

  #6 ZeroHour

    Hmm, I have not done it in ISA 2006, but in 2004 you can have a different internal server FQDN from the external URL. Is your CA enterprise cert installed correctly on ISA as a trusted root?
    The target principal error is when ISA is trying to hit an https server and the cert common name (exchange.internaldomain.com) does not match the URL ISA is trying to hit (exchange.somethingelse.com).
    Like others have said, hit your Exchange on https and see what the common name is set to. If this is an external domain name then you will have to make the external name resolve to the internal domain (so when ISA tries to contact your Exchange it hits exchange.somethingelse.com rather than the internal name), but you can easily just issue a new cert to your Exchange IIS using the Exchange server's internal FQDN, and then all you do is tell ISA to SSL bridge to the FQDN of your internal server. As long as the enterprise trust is okay the bridge should work.

    BTW I am on the train typing this up on the way to dos_box so it may seem a little erratic.

  9. Thanks to ZeroHour from:

    Gatt (1st April 2009)

  #7 timzim

    If I click on your external link I get the SSL error page but no certificate. Have you got the listener configured to use the certificate (which should have the same name as the internal URL and be installed on the ISA server)? Are you authenticating using 'FBA with AD' and at the ISA server?

  #8 Gatt

    Quote Originally Posted by timzim:
    If I click on your external link I get the SSL error page but no certificate. Have you got the listener configured to use the certificate (which should have the same name as the internal URL and be installed on the ISA server)? Are you authenticating using 'FBA with AD' and at the ISA server?

    That's the same thing I get..

    The cert is the same name as the internal URL
    I think I have installed it on the ISA server (Personal?)

    As for bridging - no certs are being shown??

  #9 timzim

    Should be in the machine store (Local Computer). Load the Certificates snap-in in MMC on your ISA, choose Computer Account and make sure the certificate is in the Personal store there. Should be issued to mhs-srv-exch (if that is indeed your internal URL).
    Could be so many other things - maybe you could post some screenshots of the tabs in your OWA rule in ISA (you can fuzz out anything that compromises your security and remove them if you fix it!).

  #10 Gatt

    OK, seem to have got a little bit further, though dunno how - lol
    Can now get the OWA login screen via SSL using the public URL, but internally

    However, when I try to login it seems to take forever to do anything - still waiting and it's been about 5 mins now
    Last edited by Gatt; 1st April 2009 at 04:53 PM.

  #11 Gatt

    Ok, just tried logging into OWA via Firefox and got this error..

    Redirect Loop

    Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked.

    The browser has stopped trying to retrieve the requested item. The site is
    redirecting the request in a way that will never complete.

    * Have you disabled or blocked cookies required by this site?

    * NOTE: If accepting the site's cookies does not resolve the problem, it is probably a server configuration
    issue and not your computer.

  #12 Gatt

    Ok, completely stuck here - I have no idea how to get round this redirect loop
    SSL Certificate matches the public name and that of the OWA IIS
    "Webmail" ISA rule as follows:

    To:
        Published Site: mhs-srv-exch
        Computer name or IP: <<ip of mhs-srv-exch>>
        Forward original host header
        Requests come from original client
    Public Name:
    Paths:
        External Paths - <same as internal>
        Internal Paths - /public/* , /exchange/* , /exchweb/*
    Authentication Delegation:
        No delegation, but client may authenticate directly
    Bridging:
        Web server, SSL, 443 (cannot see any certificates?)

    Listener properties are...

    Connections:
        SSL - 443
    Certificates:
    SSO:
        Off
    Authentication:
        Windows AD

    https://www.moorsidehigh.com/exchange presents us with the OWA FBA login, I login and then I get the above error in Firefox or nothing but a loading bar in IE -

    I have been through about every feasible config I can think of - there is little reference to a redirect loop on the 'net

    I'm obviously doing something wrong... but can't for the life of me figure out what it is..

  #13 SYNACK

    You may need to do a tracert from the client to the domain name and see where it goes. This usually happens when the domain name is resolved differently by different computers and it bounces back and forth with no machine taking responsibility.

    You need to look at what each computer sees as the domain's IP address and make sure that it is correct. Also, is the Exchange server's webmail set up to listen and accept requests with the host header that it is provided, in this case Moorside High School?

  #14 spc-rocket

    Quote Originally Posted by Gatt:
    Ok, completely stuck here - I have no idea how to get round this redirect loop
    SSL Certificate matches the public name and that of the OWA IIS
    "Webmail" ISA rule as follows: [...]
    I'm obviously doing something wrong... but can't for the life of me figure out what it is..

    Have you disabled the FBA on the Exchange server? You can't have it enabled on both ISA and the Exchange server. Set the authentication to basic in Exchange. It will still be protected as the traffic will be going through SSL.

    Ash.

  18. Thanks to spc-rocket from:

    Gatt (2nd April 2009)

  #15 SYNACK

    @ashok - good catch, that can also cause it. For internal users just have the listener on ISA listen on both internal and external interfaces, then use the external address solely; this way ISA will handle authentication for everyone. You can also set up additional OWA sites that have different auth types, but this is a massive hassle and not really worth it in the long run.

  20. Thanks to SYNACK from:

    Gatt (2nd April 2009)
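    The redirect loop the last two replies explain (forms-based logon enabled on both ISA and the Exchange server, each bouncing the browser to the other's logon form), traced over constructed HTTP responses; this is an added example, not code from the thread. /exchweb/bin/auth/owalogon.asp is the Exchange 2003 forms logon page; /isa-logon is a constructed stand-in for the ISA listener's own logon form.

```python
"""Added example: follow a constructed chain of HTTP redirects and flag the
cycle that two competing forms-based logons produce. Response tables are
constructed; they map a request path to (status, Location)."""

# Before the fix: Exchange still has FBA on, so after ISA's logon the
# mailbox request is sent to Exchange's form, ISA intercepts that and,
# already holding a valid cookie, sends the browser back to /exchange.
FBA_ON_BOTH = {
    "/exchange": (302, "/exchweb/bin/auth/owalogon.asp"),   # Exchange FBA (real path)
    "/exchweb/bin/auth/owalogon.asp": (302, "/isa-logon"),  # ISA form (constructed path)
    "/isa-logon": (302, "/exchange"),                       # ISA cookie already valid
}
# After the fix: Exchange on basic auth, ISA delegates, the mailbox loads.
EXCHANGE_BASIC = {
    "/exchange": (200, None),
}

def follow_redirects(responses, start, limit=20):
    """Follow Location headers from `start`.
    Returns (hops, loop_path): hops is the ordered list of paths requested;
    loop_path is the first path that would be requested a second time, or
    None if the chain ended in a non-redirect or the hop limit was reached."""
    hops = []
    path = start
    while path not in hops and len(hops) < limit:
        hops.append(path)
        status, location = responses.get(path, (404, None))
        if status not in (301, 302, 303, 307, 308) or not location:
            return hops, None
        path = location
    return hops, (path if path in hops else None)

def logon_pages_in_loop(hops, loop_path):
    """Return the distinct logon pages inside the cycle: more than one is the
    visible sign that two components are each trying to authenticate the request."""
    if loop_path is None:
        return []
    cycle = hops[hops.index(loop_path):]
    return [p for p in cycle if "logon" in p.lower()]
```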
