RE: ISA 2004 and OWA once again

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 3 Feb 2005 12:37:07 -0600

In line...

________________________________

From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Thu 2/3/2005 10:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 and OWA once again




For starters the major differences in the Microsoft way are:

 

1) they don't use 128bit encryption on the /exchange / public /exchweb

TOM: doesn't matter, unless you are using unsecure connections and that is a 
business req, which is not recommended.

 

2) they don't enable "the requests appear to come from the original client" in 
the OWA publish rule

TOM: That was to show a feature that many companies like a lot. My doc does NOT 
state that this is a requirement. You had to read, not just click on things and 
make them look like the screen shots.

 

3) they don't create a publishing web enrollment rule (still don't see the 
point of having this)

TOM: Read that section again. It's to provide access to the Web enrollment site 
for hosts that cannot be placed on the corpnet and still require a CA 
certificate.

 

4) they enable anonymous access on the /exchweb and turned off all other 
authentication

TOM: Not required in the scenario discussed in the doc. Maybe required in some 
scenarios.

 

5) they enable caching

TOM: Definitely NOT required.

 

You know, Tom, I published OWA on ISA 2004 word for word from your chapter 10. I 
even printed out all 52 pages of chapter 10 and put them in my three-ring binder 
so I could follow it more closely. After I was done it would not work on my LAN, 
nor would it work properly on my WAN, until Tim Jordan in Exchangelist 
replicated the first problem. Here is his message to me:

TOM: The key is to read the context. Your deployment strays very far from the 
deployment I outline. So, there are many unusual requirements you have, so you 
have to understand what you're doing somewhat, instead of following screenshots.

 

---snip---

 

Andrew,

I think I've duplicated your problem.  I'm now getting a 404 error when 
connecting to my OWA server.

 

I went over my settings for Authentication of Exchweb, Exchange, and 
Exadmin.

I have plain text selected on Exchange and Exadmin with no Anonymous users 
access.  Then I noticed it was different for Exchweb so I disabled the 
Anonymous user access and I started getting the 404 error.

TOM: Should make no difference, but might be a side effect of the scenario 
configuration.

 

So try enabling anonymous access on Exchweb and then let me know and I'll test 
again.

Tim

 

---snip---

 

As soon as I enabled the anonymous access on /exchweb I was able to 
successfully connect to OWA SSL via the LAN, however on the WAN side it would 
only let me go as far as the OWA login screen, which before I couldn't get it 
was only letting get to it after I enabled the anonymous access.

TOM: OK

 

So finally when I came across the Microsoft GUIDE on HOW-TO do it, I nuked all 
your rules out of ISA, applied, even restarted ISA so there was nothing of 
Tom's stuff in my box! (hehe) When I followed Microsoft's rules word for word 
everything worked, to my amazement during the configuration of my Exchange site 
the MS rules also pointed out that /exchweb should have been anonymous access 
enabled. 

TOM: They are not "my rules". They enable functionality required IN THE 
SCENARIO. Since the MS doc doesn't cover a specific scenario, it's hard to say 
why it worked in your setup. Good that it worked though. The problem is that 
you probably misconfigured something and then turned correlation into causation.

 

I think you should really sit down and test your notes again. This time do it 
where Exchange is not installed on a DC, but installed on a Standalone server, 
with a separate DC and Certs machine. You can argue all you want on this but I 
am sure, as your guides point out, that installing everything on one box also 
plays a role in this mess. I set my machines up the Microsoft way. Small 
Business Server doesn't count though I can't see why there shouldn't be an SBS 
how-to publish OWA SSL over ISA 2004. :-)

 

TOM: I receive about 50 emails a week from people who say *thanks* it worked 
great. You haven't defined what broke your config, so I have no idea what to 
fix.

 

I have a way for doing it with EVS so if you want my advice great, if not leave 
me alone and let me offer other suggestions to people who may find that doing 
it your way isn't the correct way for them and their companies. I will not bash 
you when I make my suggestions, but merely offer it as another avenue for them 
to explore. 

 

Andrew

 

 

 

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, February 03, 2005 11:25 AM
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] RE: ISA 2004 and OWA once again

 

Hi Andrew,

 

So, what do you recommend that is different than the guidance I've provided? 

 

What is your interpretation of the MS way?

 

How does Mats current implementation deviate from the MS way?

 

Thanks!

Tom

 
