RE: Internet Access and OWA access

  • From: "Alex Gonzalez" <AGonzalez@xxxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 2 Aug 2005 10:30:52 -0400

Why is the DNS server on a different Network ID? There is no DNS in the DMZ.
 
Are there Networks behind the ISA firewall?  The ISA server sits in a DMZ so 
yes.  
 
Does the default gateway provide a path to both the Internet *and* the OWA 
server? From the ISA server I can get to the OWA server and the Internet but as 
far as a path, are you talking about like a layer 3 route?
 
IP? Is this what appears on the "To" tab? If so, this won't work. The entry on 
the "To" tab must be same as the common/subject name on the Web site 
certificate bound to the OWA site. OK, this I can change.  That means I need to 
create an internal host record for it then, correct?
 
So the listener is listening on this address only, right? Yes.  There is a 
firewall NAT from a 198 address that NATs to this.
 
Use Forms-based authentication or Basic auth. FBA is more secure and you should 
use it whenever publishing an OWA site. Remember to turn off FBA on the 
Exchange Server.  OK, this I can change, but how is ISA going to get the OWA FBA 
form?
 
If the ISA firewall is a domain member, or if you have a RADIUS server on the 
corpnet, then you can pre-authenticate at the ISA firewall, which is a more 
secure config. The server is a domain member.
 
I suspect you have a routing problem or a name resolution problem. This ISA 
firewall must be able to resolve the name on the "To" tab to the address of the 
OWA site, depending on the routing relationship between the ISA firewall's 
Network and the OWA server's Network (Route or NAT).  And let me guess.  It's 
because DNS sits on a different segment and the server is single homed on a 
different one with no DNS?
 
P.S -- See, if you're willing to put up with just a little abuse, you can get 
some helpful info (I learned this from Jim H. ;-)  I don't mind too much abuse 
and I appreciate the help.  I am more of an Exchange/AD/SMS (which is getting 
boring) guy.  This ISA stuff is new to me but so far I am liking it quite a 
bit.  I thought SMS was a pain to get working.  
 
Thanks for all the help. 
 
Alex
 

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tue 8/2/2005 10:15 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Internet Access and OWA access


http://www.ISAserver.org

Hi Alex,
 
Inline...


________________________________

        From: Alex Gonzalez [mailto:AGonzalez@xxxxxxxxxxxxxxxxxxx] 
        Sent: Tuesday, August 02, 2005 9:02 AM
        To: [ISAserver.org Discussion List]
        Subject: RE: [isalist] RE: Internet Access and OWA access
        
        
        Well I don't have the 350 so here you go.  
         
        1. IP addressing information on the ISA firewall's NIC?
        IP:       172.27.0.25
        GW:   172.27.0.1
        DNS:  10.1.25.42  and .26
        [Thomas W. Shinder] Why is the DNS server on a different Network ID? 
Are there Networks behind the ISA firewall?
        Does the default gateway provide a path to both the Internet *and* the 
OWA server? 
         
        2. Exact config of the Web Publishing Rule?
        I'll walk you through click by click of this

                        1.  Publish new mail server
                        2.  Web clientaccess
                        3.  Just OWA selected
                        4.  Secure connections only
                        5.  IP 10.1.25.12
                        [Thomas W. Shinder] IP? Is this what appears on the 
"To" tab? If so, this won't work. The entry on the "To" tab must be same as the 
common/subject name on the Web site certificate bound to the OWA site. 
                        6.  Public name mail.company.com  Same as on cert
                        [Thomas W. Shinder] OK, good. This is also the name the 
external users must use to access the site. 
                        7.  Listener config
                             7a.  Network is internal IP address 172.27.0.27 
This is an additional address on the server as well
                        [Thomas W. Shinder] So the listener is listening on 
this address only, right? 
                             7b.  Preferences is enable HTTP and enable HTTPS. 
                        [Thomas W. Shinder] If you're not allowing non-SSL 
connections, remove the HTTP checkmark. 
                             7c.  I installed the cert on the server and chose 
it when I enabled HTTPS
                        [Thomas W. Shinder] OK good. Remember the 
common/subject name on this cert must match what you have on the "Public Name" 
tab. 
                             7d.  Authentication is integrated
                        [Thomas W. Shinder] Wrong. Use Forms-based 
authentication or Basic auth. FBA is more secure and you should use it whenever 
publishing an OWA site. Remember to turn off FBA on the Exchange Server. 
                        8.  User sets is All users
                        [Thomas W. Shinder] If the ISA firewall is a domain 
member, or if you have a RADIUS server on the corpnet, then you can 
pre-authenticate at the ISA firewall, which is a more secure config.

         
        3. Common/subject name on the Web site certificates bound to the OWA 
listener and OWA Web site?
            They are both the same mail.company.com.  I would rather not 
publish that info on here.
        [Thomas W. Shinder] OK. as long as they match the names on the "Public 
Name" tab and the "To" tab. 
        4. Cocktail napkin network diagram that includes only the players in 
the scenario.
        See Attached.  The vertical lines indicate firewalls.  
        [Thomas W. Shinder] The ISA firewall is a firewall !!! Don't get me 
started again :-))) 
         
        And for the record, this is not my idea of the design. I am just 
implementing someone else's design.  I f
        [Thomas W. Shinder] OK, no problem. I won't hold it against you ;-))
        Comment: I suspect you have a routing problem or a name resolution 
problem. This ISA firewall must be able to resolve the name on the "To" tab to 
the address of the OWA site, depending on the routing relationship between the 
ISA firewall's Network and the OWA server's Network (Route or NAT).
        HTH,
        Tom 
        P.S -- See, if you're willing to put up with just a little abuse, you 
can get some helpful info (I learned this from Jim H. ;-)

________________________________

        From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
        Sent: Tue 8/2/2005 9:39 AM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: Internet Access and OWA access
        
        
        http://www.ISAserver.org
        
        Hi Alex,
         
        OK, you've taken enough punishment for deploying a unihomed ISA firewall 
:-)
         
        Now, let's solve your problem.
         
        1. IP addressing information on the ISA firewall's NIC?
         
        2. Exact config of the Web Publishing Rule?
         
        2A. Exact config of Web listener
         
        3. Common/subject name on the Web site certificates bound to the OWA 
listener and OWA Web site?
         
        4. Cocktail napkin network diagram that includes only the players in 
the scenario.
         
        You can answer these questions, or send me a check for three-fiddy and 
I'll read your ISAinfo printout and answer them for you ;-)
        Tom
        http://www.isaserver.org/shinder
        Tom and Deb Shinder's Configuring ISA Server 2004
        http://tinyurl.com/3xqb7
        MVP -- ISA Firewalls

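As an added example that is not part of the thread, the checks Tom raises above (To tab equal to the certificate CN and resolvable from the ISA firewall, Public Name equal to the CN, no HTTP on an SSL-only listener, FBA rather than Integrated auth, pre-authentication instead of All Users) written as a small Python lint over a rule record. The rule fields, the `resolver` dict and the "All Authenticated Users" set in the corrected sample are constructed stand-ins for the ISA console and the firewall's DNS; the names and addresses are the ones Alex posted.

```python
from dataclasses import dataclass

@dataclass
class OwaPublishingRule:
    to_tab: str          # what ISA forwards to: must be the cert CN, not an IP
    public_name: str     # name external users type into the browser
    cert_cn: str         # common/subject name on the listener's certificate
    listener_http: bool  # HTTP checkmark on a listener meant to be SSL-only
    auth: str            # "integrated", "basic" or "fba"
    user_set: str        # e.g. "All users"
    owa_ip: str          # address of the OWA Web site behind the firewall

def looks_like_ip(name: str) -> bool:
    parts = name.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def lint_rule(rule: OwaPublishingRule, resolver: dict) -> list:
    """Return Tom's objections as strings; an empty list means the rule is sane.
    resolver maps name -> IP and stands in for the DNS the ISA firewall uses."""
    findings = []
    if looks_like_ip(rule.to_tab):
        findings.append("To tab holds an IP; it must equal the certificate CN")
    elif rule.to_tab.lower() != rule.cert_cn.lower():
        findings.append("To tab name differs from the certificate CN")
    else:  # ISA itself must resolve the To-tab name to the OWA site
        ip = resolver.get(rule.to_tab.lower())
        if ip is None:
            findings.append("To tab name does not resolve from the ISA firewall")
        elif ip != rule.owa_ip:
            findings.append(f"To tab name resolves to {ip}, not the OWA site")
    if rule.public_name.lower() != rule.cert_cn.lower():
        findings.append("Public Name differs from the certificate CN")
    if rule.listener_http:
        findings.append("HTTP enabled on an SSL-only listener; remove the checkmark")
    if rule.auth == "integrated":
        findings.append("Integrated auth; use FBA (or Basic) and turn FBA off on Exchange")
    if rule.user_set.lower() == "all users":
        findings.append("All Users; pre-authenticate at ISA (domain member or RADIUS)")
    return findings

# Constructed sample: the rule as Alex described it in the thread.
AS_POSTED = OwaPublishingRule("10.1.25.12", "mail.company.com", "mail.company.com",
                              True, "integrated", "All users", "10.1.25.12")
# The same rule after Tom's advice, once Alex adds the internal host record.
CORRECTED = OwaPublishingRule("mail.company.com", "mail.company.com", "mail.company.com",
                              False, "fba", "All Authenticated Users", "10.1.25.12")
INTERNAL_DNS = {"mail.company.com": "10.1.25.12"}  # constructed host record
```

Running `lint_rule(AS_POSTED, {})` lists the four objections from the thread; the corrected rule with the internal host record in place returns no findings, and without that record it reports only the unresolved To-tab name.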