RE: Internet Access and OWA access

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 2 Aug 2005 14:00:36 -0500

Hi Alex,
 
That's great! Also good to hear no more unihomed ISA firewalls :-)
 
Tom
http://www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 


________________________________

        From: Alex Gonzalez [mailto:AGonzalez@xxxxxxxxxxxxxxxxxxx] 
        Sent: Tuesday, August 02, 2005 12:42 PM
        To: [ISAserver.org Discussion List]
        Subject: RE: [isalist] RE: Internet Access and OWA access
        
        
        Wow it's actually working.  Thanks for all your help.  I really
appreciate it.  And I promise not to implement single homed again.
         
        Alex

________________________________

        From: Alex Gonzalez [mailto:AGonzalez@xxxxxxxxxxxxxxxxxxx]
        Sent: Tue 8/2/2005 11:13 AM
        To: [ISAserver.org Discussion List]
        Subject: RE: [isalist] RE: Internet Access and OWA access
        
        
        Ok following your tips for setting up the site I can hit it
internally if I am proxying through the ISA server but I can not hit it
externally if I use a host file for DNS name to the nat'd address (198
address to the 172 ISA address) of the ISA server.  I have then added to
the host file on the ISA server the internal IP address of the OWA
server.  
         
        Getting closer though...
         
        Alex
        
________________________________

        From: Alex Gonzalez [mailto:AGonzalez@xxxxxxxxxxxxxxxxxxx]
        Sent: Tue 8/2/2005 10:30 AM
        To: [ISAserver.org Discussion List]
        Subject: RE: [isalist] RE: Internet Access and OWA access
        
        
        Why is the DNS server on a different Network ID? There is no DNS
in the DMZ
         
        Are there Networks behind the ISA firewall?  The ISA server sits
in a DMZ so yes.  
         
        Does the default gateway provide a path to both the Internet
*and* the OWA server? From the ISA server I can get to the OWA server
and the Internet but as far as a path, are you talking about like a
layer 3 route?
         
        IP? Is this what appears on the "To" tab? If so, this won't
work. The entry on the "To" tab must be same as the common/subject name
on the Web site certificate bound to the OWA site. Ok this I can change.
That means I need to create an internal host record for it then correct?
         
        So the listener is listening on this address only, right? Yes.
There is a firewall NAT from a 198 address that nats to this.
         
        Use Forms-based authentication or Basic auth. FBA is more secure
and you should use it whenever publishing an OWA site. Remember to turn
off FBA on the Exchange Server.  Ok this I can change but how is ISA
going to get the OWA FBA form?
         
        If the ISA firewall is a domain member, or if you have a RADIUS
server on the corpnet, then you can pre-authenticate at the ISA
firewall, which is a more secure config. The server is a domain member.
         
        I suspect you have a routing problem or a name resolution
problem. This ISA firewall must be able to resolve the name on the "To"
tab to the address of the OWA site, depending on the routing
relationship between the ISA firewall's Network and the OWA server's
Network (Route or NAT).  And let me guess.  It's because DNS sits on a
different segment and the server is single homed on a different one with
no DNS?
         
        
        P.S -- See, if you're willing to put up with just a little
abuse, you can get some helpful info (I learned this from Jim H. ;-)  I
don't mind too much abuse and I appreciate the help.  I am more of an
Exchange/AD/SMS (which is getting boring) guy.  This ISA stuff is new to
me but so far I am liking it quite a bit.  I thought SMS was a pain to
get working.  
         
        Thanks for all the help. 
         
        Alex
