Windows forum thread: Publishing OWA 2003 SSL via ISA 2006

1st April 2009, 09:08 AM #1
OK I give up..
Been trying for the last few days to publish OWA via SSL through my ISA 2006 ...
1st April 2009, 10:22 AM #2
To test I would use the server publishing rule. This would rule out probs with your Exchange setup and point to your web publishing rules being the problem. Can you get to https://internalsitename/exchange internally? Run the ISA and Exchange Best Practices Analyzers and see what that throws up.
1st April 2009, 12:24 PM #3
It sounds like you are using SSL-to-SSL bridging on your ISA and may not have set up internal name resolution quite right.
For SSL-to-SSL you need the client to access the site via the public URL so that it matches what is on the cert. You also need to do the same thing internally, so that when the ISA box attempts to access the internal server it does so with the public FQDN that is on the certificate.
I usually do this by adding a line to the hosts file on the ISA box so that it resolves the certified FQDN to the internal IP address, rather than having to use the proper internal names, which breaks SSL-to-SSL bridging.
1st April 2009, 12:42 PM #4
Hmmm..
Don't think that will be an option as Moorside High School (port 80) goes to my webserver
but https://www.moorsidehigh.com (port 443) goes to my OWA server
suppose I can try and get a subdomain of https://webmail.moorsidehigh.com if I can't do it from my current setup..
Any other ways of doing it?
1st April 2009, 12:47 PM #5
Your setup should be fine as is; you just need to get the ISA box itself to resolve Moorside High School to the internal IP of your OWA server. That way the certificate still matches the name used to access it, both from the client outside and from the ISA server as it makes a new SSL connection to the internal OWA server.
1st April 2009, 01:03 PM #6
Hmm, I have not done it in ISA 2006, but in 2004 you can have a different internal server FQDN to what the external URL is. Is your CA enterprise cert installed correctly on ISA as a trusted root?
The target principal error is when ISA is trying to hit an HTTPS server and the cert common name (exchange.internaldomain.com) does not match the URL ISA is trying to hit (exchange.somethingelse.com).
Like others have said, hit your Exchange on HTTPS and see what the common name is set to. If this is an external domain name then you will have to make the external name resolve to the internal domain (so when ISA tries to contact your Exchange it hits exchange.somethingelse.com rather than the internal name), but you can easily just issue a new cert to your Exchange IIS using the Exchange server's internal FQDN, and then all you do is tell ISA to SSL bridge to the FQDN of your internal server. As long as the enterprise trust is okay the bridge should work.
BTW I am on the train typing this up on the way to dos_box so it may seem a little erratic.
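The two prerequisites that replies #3 and #6 describe (the ISA box resolving the public FQDN to the internal OWA address, and that name matching the certificate's common name) can be checked offline before touching the rule. The script below is an added example, not code from the thread or from ISA; the hostnames, the 10.0.0.5 address and the hosts-file text are constructed placeholders, and `check_bridging` is a hypothetical helper name.

```python
"""Offline check of the two SSL-to-SSL bridging prerequisites discussed above.

Added example, not code from the thread. It models:
  1. name resolution on the ISA box: the public FQDN on the certificate must
     resolve (e.g. via a hosts-file line) to the internal IP of the OWA server;
  2. certificate name matching: the name ISA uses for the backend connection
     must match the certificate's common name, or ISA raises the
     "target principal name" error described in reply #6.
All hostnames, addresses and hosts-file content below are constructed.
"""
import ipaddress


def parse_hosts(text):
    """Parse hosts-file text into {hostname: ip}; comments and bad lines are skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not "<ip> <name>..." - ignore rather than crash
        for name in parts[1:]:
            table[name.lower()] = str(ip)  # later lines override earlier ones
    return table


def cert_name_matches(cert_name, host):
    """True if a certificate CN (or SAN) matches host; one leading wildcard label allowed."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        # "*.example.test" matches "mail.example.test" but not "a.b.example.test"
        return host.endswith(cert_name[1:]) and host.count(".") == cert_name.count(".")
    return False


def check_bridging(public_fqdn, internal_ip, cert_name, hosts_text):
    """Return a list of findings; an empty list means both prerequisites hold."""
    findings = []
    resolved = parse_hosts(hosts_text).get(public_fqdn.lower())
    if resolved is None:
        findings.append(f"no hosts entry for {public_fqdn} on the ISA box; "
                        f"it will not resolve to the internal OWA address {internal_ip}")
    elif resolved != internal_ip:
        findings.append(f"{public_fqdn} resolves to {resolved}, "
                        f"expected internal OWA address {internal_ip}")
    if not cert_name_matches(cert_name, public_fqdn):
        findings.append(f"certificate name {cert_name!r} does not match {public_fqdn!r}; "
                        f"ISA will report a target principal name mismatch")
    return findings


# Constructed hosts file as it might look on the ISA box after reply #3's fix.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# public name pinned to the internal OWA server for SSL bridging
10.0.0.5    webmail.moorsidehigh.example   mhs-srv-exch
"""

if __name__ == "__main__":
    cases = [
        ("webmail.moorsidehigh.example", "10.0.0.5", "webmail.moorsidehigh.example"),   # correct
        ("webmail.moorsidehigh.example", "10.0.0.5", "mhs-srv-exch.moorsidehigh.local"),  # CN mismatch
        ("www.moorsidehigh.example", "10.0.0.5", "www.moorsidehigh.example"),           # no hosts line
    ]
    for fqdn, ip, cn in cases:
        print(fqdn, "->", check_bridging(fqdn, ip, cn, SAMPLE_HOSTS) or ["OK"])
```

Run it with the hosts file copied from the ISA box and the CN taken from the certificate the OWA server actually presents; the second case reproduces the mismatch reply #6 describes (internal CN, public name used for the bridge), the third the situation before the hosts-file line is added.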
1st April 2009, 01:26 PM #7
If I click on your external link I get the SSL error page but no certificate. Have you got the listener configured to use the certificate (which should have the same name as the internal URL and be installed on the ISA server)? Are you authenticating using 'FBA with AD' and at the ISA server?
1st April 2009, 01:55 PM #8
Originally Posted by timzim:
    If I click on your external link I get the SSL error page but no certificate. Have you got the listener configured to use the certificate (which should have the same name as the internal URL and be installed on the ISA server)? Are you authenticating using 'FBA with AD' and at the ISA server?
That's the same thing I get..
The cert is the same name as the internal URL
I think I have installed it on the ISA server (Personal?)
As for bridging - no certs are being shown??
1st April 2009, 02:26 PM #9
Should be in the machine store (Local Computer). Load the Certificates snap-in in MMC on your ISA, choose Computer Account and make sure the certificate is in the Personal store there. Should be issued to mhs-srv-exch (if that is indeed your internal URL).
Could be so many other things - maybe you could post some screenshots of the tabs in your OWA rule in ISA (you can fuzz out anything that compromises your security and remove them if you fix it!).
1st April 2009, 03:03 PM #10
OK seem to have got a little bit further though dunno how - lol
Can now get the OWA login screen via SSL using the public URL, but internally
However, when I try to login it seems to take forever to do anything - still waiting and it's been about 5 mins now
Last edited by Gatt; 1st April 2009 at 04:53 PM.
1st April 2009, 04:54 PM #11
Ok just tried logging into OWA via Firefox and got this error..

Redirect Loop
Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked.
The browser has stopped trying to retrieve the requested item. The site is redirecting the request in a way that will never complete.
* Have you disabled or blocked cookies required by this site?
* NOTE: If accepting the site's cookies does not resolve the problem, it is probably a server configuration issue and not your computer.
2nd April 2009, 12:32 PM #12
Ok, completely stuck here - I have no idea how to get round this redirect loop
SSL certificate matches the public name and that of the OWA IIS
"Webmail" ISA rule as follows:

    To: Published site: mhs-srv-exch
        Computer name or IP: <<ip of mhs-srv-exch>>
        Forward original host header
        Requests come from original client
    Public Name:
    Paths: External paths - <same as internal>
           Internal paths - /public/*, /exchange/*, /exchweb/*
    Authentication Delegation: No delegation, but client may authenticate directly
    Bridging: Web server, SSL, 443 (cannot see any certificates?)

Listener properties are...

    Connections: SSL - 443
    Certificates:
    SSO: Off
    Authentication: Windows AD

https://www.moorsidehigh.com/exchange presents us with the OWA FBA login, I login and then I get the above error in Firefox or nothing but a loading bar in IE -
I have been through about every feasible config I can think of - there is little reference to a redirect loop on the 'net
I'm obviously doing something wrong... but can't for the life of me figure out what it is..
2nd April 2009, 01:19 PM #13
You may need to do a tracert from the client to the domain name and see where it goes. This usually happens when the domain name is resolved differently by different computers and it bounces back and forth with no machine taking responsibility.
You need to look at what each computer sees as the domain's IP address and make sure that it is correct. Also, is the Exchange server's webmail set up to listen and accept requests with the host header that it is provided, in this case Moorside High School?
2nd April 2009, 01:21 PM #14
Originally Posted by Gatt:
    Ok, completely stuck here - I have no idea how to get round this redirect loop
    SSL certificate matches the public name and that of the OWA IIS
    "Webmail" ISA rule as follows:
    Listener properties are...
    https://www.moorsidehigh.com/exchange presents us with the OWA FBA login, I login and then I get the above error in Firefox or nothing but a loading bar in IE -
    I have been through about every feasible config I can think of - there is little reference to a redirect loop on the 'net
    I'm obviously doing something wrong... but can't for the life of me figure out what it is..
Have you disabled the FBA on the Exchange server? You can't have it enabled on both ISA and the Exchange server. Set the authentication to basic in Exchange. It will still be protected as the traffic will be going through SSL.
Ash.
2nd April 2009, 01:51 PM #15
@ashok - good catch, that can also cause it. For internal users, just have the listener on ISA listen on both internal and external interfaces, then use the external address solely; this way ISA will handle authentication for everyone. You can also set up additional OWA sites that have different auth types, but this is a massive hassle and not really worth it in the long run.