Windows Thread, Publishing OWA 2003 SSL via ISA 2006 in Technical; OK I give up..
Been trying for the last few days to publish OWA via SSL through my ISA 2006 ...
1st April 2009, 10:08 AM #1
1st April 2009, 11:22 AM #2
To test I would use the server publishing rule. This would rule out probs with your exchange setup and point to your web publishing rules being the problem. Can you get to https://internalsitename/exchange internally? run isa and exchange best practice analysers see what that throws up.
1st April 2009, 01:24 PM #3
It sounds like you are using SSL to SSL bridging on your ISA and may not have setup internal name resolution quite right.
For SSL to SSL you need the client to access the site via the public url so that it matches what is on the cert. You also need to do the same thing internally so that when the ISA box attempts to access the internal server it does so with the public FQDN that is on the certificate.
I usually do this by adding a line to the hosts file on the ISA box so that it resolves the certified FQDN to the internal ip address rather than having to use the propper internal names which breaks SSL to SSL bridging.
1st April 2009, 01:42 PM #4
Dont think that will be an option as Moorside High School (port 80) goes to my webserver
but https://www.moorsidehigh.com (port 443) goes to my OWA server
suppose I can try and get a subdomain of https://webmail.moorsidehigh.com if I cant do it from my current setup..
Any other ways of doing it?
1st April 2009, 01:47 PM #5
Your setup should be fine as is you just need to get the ISA box itself to resolve Moorside High School to the internal IP of your OWA server that way the certificate still matches the name used to access it both from the client outside and the ISA server as it makes a new SSL connection to the internal OWA server.
1st April 2009, 02:03 PM #6
Hmm I have not done it in ISA 2006 but in 2004 you can have a different internal server fqdn as what the external url is. Is your CA enterprise cert installed correctly on ISA as a trusted root?
The target principle error is when isa is trying to hit a https server and the cert common name (exchange.internaldomain.com) does not match the url isa is trying to hit (exchange.somethingelse.com)
Like others have said, hit your exchange on https and see what the common name is set to. If this is an external domain name then you will have to make the external name resolve to the intenal domain (so when isa tries to contact your exchange it hits exchange.somethingelse.com rather then the internal name) but you can easily just issue a new cert to your exchange IIS and using the exchange servers internal fqdn and then all you do is tell isa to ssl bridge to the fqdn of your internal server. As long as the enterprise trust is okay the bridge should work.
BTW I am on the train typing this up on the way to dos_box so it may seem a little erratic.
1st April 2009, 02:26 PM #7
If I click on your external link I get the SSL error page but no certificate. Have you got the listener configured to use the certificate (which should have the same name as the internal url and be installed on the ISA server)? Are you using authenticating using 'FBA with AD' and at the ISA server?
1st April 2009, 02:55 PM #8
Thats the same thing I get..
Originally Posted by timzim
The cert is the same name as the internal url
I think I have installed it on the ISA server (Personal?)
As for bridging - no certs are being shown??
1st April 2009, 03:26 PM #9
Should be in the machine store (Local computer). Load Certificates snap-in in MMC on your ISA, choose Computer Account and make sure certificate is in Personal store there. Should be issued to mhs-srv-exch (if that is indeed your internal url).
Could be so many other things - maybe you could post some screen shots of the tabs in your OWA rule in ISA (you can fuzz out anything that compromises your security and remove them if you fix it!).
1st April 2009, 04:03 PM #10
OK seem to have got a little bit further though dunno how - lol
Can now get the OWA login screen via SSL using the public URL, but internally
However, when I try to login - it seems to take forever to do anything - still waiting and its been about 5 mins now
Last edited by Gatt; 1st April 2009 at 05:53 PM.
1st April 2009, 05:54 PM #11
Ok just tried logging into OWA via firefox and got this error ..
Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked.
The browser has stopped trying to retrieve the requested item. The site is
redirecting the request in a way that will never complete.
* Have you disabled or blocked cookies required by this site?
* NOTE: If accepting the site's cookies does not resolve the problem, it is probably a server configuration
issue and not your computer.
2nd April 2009, 01:32 PM #12
Ok Completely stuck here - I have no idea how to get round this redirect loop
SSL Certificate matches the public name and that of the OWA IIS
"Webmail" ISA rule as follows:
Originally Posted by To
Originally Posted by Public Name
Originally Posted by Paths
Originally Posted by Authentication Delegation
Listener properites are...
Originally Posted by bridging
Originally Posted by connections
Originally Posted by Certificates
Originally Posted by SSO
Originally Posted by Authentication
https://www.moorsidehigh.com/exchange presents us with the OWA FBA login, I login and then I get the above error in Firefox or nothing but a loading bar in IE -
I have been through about every feasable config I can think of - there is little reference to a redirect loop on the 'net
I'm obviously doing something wrong... but cant for the life of me figure out what it is..
2nd April 2009, 02:19 PM #13
You may need to do a tracert from the client to the domain name and see where it goes. This usually happens when the domain name is resolved differently by different computers and it bounces back and forth with no machine taking responcibility.
You need to look at what each computer sees as the domains ip address and make sure that it is correct. Also is the exchange servers webmail setup to listen and accept requests with the host header that it is provided, in this case Moorside High School ?
2nd April 2009, 02:21 PM #14
Have you disabled the FBA on the exchange server. You can't have it enabled on both ISA and the exchange server. Set the authentication to basic in exchange. It will still be protect as the traffic will be be going through SSL.
Originally Posted by Gatt
Thanks to spc-rocket from:
2nd April 2009, 02:51 PM #15
@ashok - good catch, that can also cause it. For internal users just have the listener on ISA listen to both internal and external interfaces then use the external address solely, this way ISA will handle authentication for everyone. You can also set up additional OWA sites that have different auth types but this is a massive hassle and not really worth it in the long run.
By wesleyw in forum Windows
Last Post: 26th November 2008, 09:19 PM
By pantscat in forum Windows
Last Post: 16th October 2008, 12:51 PM
By ICTNUT in forum Windows
Last Post: 15th November 2007, 01:09 PM
By ICTNUT in forum Windows
Last Post: 15th November 2007, 09:35 AM
Last Post: 14th November 2006, 01:40 AM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)