Re: OWA problem

  • From: Jim Harrison <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 14 Sep 2003 09:10:16 -0700

Hi Tom,

That's not entirely true, Tom; everyone I build out gets split DNS, too.
:-p

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Sat, 13 Sep 2003 10:43:09 -0500
 "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx> wrote:
http://www.ISAserver.org


Hi Mark,

Make sure that you have force basic authentication, and that all
machines have the correct CA cert in their Trusted Root Certificate
Authorities.

Also, make sure you have configured the correct entry in your HOSTS file
to support the redirect (unless you've created a proper split DNS, but
no one does that except me and Jim :-)

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx] 
Sent: Saturday, September 13, 2003 10:03 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: OWA problem



These are the complete log entries from one attempt:

192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Win32), -, 9/13/2003, 16:42:45, -, SMS-CO-02, -, -, -, 0, 0, 117, 2627, -, -, GET, -, -, -, 200, -, -, -
192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:08, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:29, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 16:43:29, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 282, 1602, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 64, -, -, -
192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:56, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:44:17, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 16:44:17, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 536, 2330, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 995, -, -, -

No blocked connection from the filters, and the fws log only shows my
rdp connections. On my side, there are no log entries either, just the
occasional ping being blocked. And, of course, 443 allowed.

The inbound listener is configured for all IP addresses (dial-up) and to
accept basic auth only. I had to configure a packet filter for inbound
443 access however to make this "work" actually. Without the filter, I'd
be getting host not found errors or just a blank page. 

Thanks
Mark

> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
> Posted At: Saturday, September 13, 2003 4:33 PM
> Posted To: www.isaserver.org
> Conversation: [isalist] Re: OWA problem
> Subject: [isalist] Re: OWA problem
> 
> 
> 
> Those URLs are the Windows certificate validation mechanism 
> attempting to obtain the CRL. It's probably not important to 
> your OWA problem.
> 
> What other failed connections do you find in the logs?
> 
>   Jim Harrison
>   MCP(NT4, W2K), A+, Network+, PCG
>   http://isaserver.org/Jim_Harrison/
>   http://isatools.org
>   Read the help / books / articles!
> 
> 
> On Sat, 13 Sep 2003 01:14:45 +0200
>  "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx> wrote: 
> 
> Hi guys,
> 
> I have now set up OWA via SSL for the first time. Thanks for 
> the great article, Tom!
> 
> A problem remains with it which I am not able to locate right 
> now: when I try to connect to the OWA site from the outside, 
> I'm presented with the certificate, but as soon as I accept 
> the connection, I get a 403 error. 
> 
> As I can only test from behind another ISA server, I had a 
> look at the logs there and found out that the remote browser 
> issues a GET for the web enrollment services with the 
> internal name of my OWA server, which is of course bound to fail:
> 
> 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 01:01:49, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 400, 2330, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 995, -, -, -
> 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 01:01:54, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 375, 2330, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 995, -, -, -
> 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 01:03:01, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 01:03:22, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 20, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> 
> Any ideas on this?
> 
> Thanks,
> Mark
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
> 
> ^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*
> 
> All mail from this domain is virus-scanned with RAV.
> www.ravantivirus.com

^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*
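
Added example, not part of any poster's message: a small triage of the proxy log records quoted in this thread, separating the certificate-validation fetches (agent CryptRetrieveObjectByUrl) from browser traffic and listing which destinations failed with which result code. The column positions and their names are assumptions inferred from the posted records, and the sample lines are constructed from them.

```python
from collections import Counter

# 0-based columns of the 25-field records quoted in the thread. The names are
# assumptions inferred from the values shown, not taken from product documentation.
AGENT, DEST_HOST, RESULT = 2, 9, 21

# Standard Win32/Winsock meanings of the non-HTTP numbers in the result column.
RESULT_NAMES = {
    64: "ERROR_NETNAME_DELETED",
    995: "ERROR_OPERATION_ABORTED",
    11004: "WSANO_DATA (name has no address record)",
}

# Constructed sample modelled on the posted records (names redacted as in the thread).
SAMPLE = """\
192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Win32), -, 9/13/2003, 16:42:45, -, SMS-CO-02, -, -, -, 0, 0, 117, 2627, -, -, GET, -, -, -, 200, -, -, -
192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:08, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:29, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 16:44:17, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 536, 2330, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 995, -, -, -
"""

def parse(line):
    """Split one record into its 25 fields; the quoted agents contain no commas."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 25:
        raise ValueError(f"expected 25 fields, got {len(fields)}")
    return fields

def triage(log_text):
    """Return (cert-validation fetches, browser records, failure counts per host/code)."""
    cert_fetches, browser, failures = [], [], Counter()
    for line in filter(str.strip, log_text.splitlines()):
        f = parse(line)
        is_cert = f[AGENT].startswith("CryptRetrieveObjectByUrl")
        (cert_fetches if is_cert else browser).append(f)
        code = int(f[RESULT])
        if not 200 <= code < 400:  # anything outside HTTP success/redirect
            failures[(f[DEST_HOST], code)] += 1
    return cert_fetches, browser, failures

def unresolved_cert_hosts(log_text):
    """Hosts named in certificate URLs that the client could not resolve (11004)."""
    cert_fetches, _, _ = triage(log_text)
    return {f[DEST_HOST] for f in cert_fetches if int(f[RESULT]) == 11004}

if __name__ == "__main__":
    _, _, failures = triage(SAMPLE)
    for (host, code), n in sorted(failures.items()):
        print(f"{n}x {host}: {code} {RESULT_NAMES.get(code, 'HTTP status')}")
    print("certificate URLs with unresolvable names:", unresolved_cert_hosts(SAMPLE))
```
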