Re: OWA problem

  • From: "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 14 Sep 2003 18:39:28 +0200

Hi Jim,

There's only a sc-status field. Which is 12202. Does that get us
anywhere? Interesting to note that the request was a GET to the external
name, with the URI being headed by http instead of https. 

I'll need someone to test externally; the site I used to test with is
currently having DNS problems with dyndns. nslookup returns the right
IP, but from the remote webproxy logs I take it that requests are issued to
an IP address which is not mine. This was not the case yesterday, but it
makes testing quite hard - took me a little while to find out :)

As soon as I get someone online, I'll post the relevant details.

> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
> Posted At: Sunday, September 14, 2003 6:15 PM
> Posted To: www.isaserver.org
> Conversation: [isalist] Re: OWA problem
> Subject: [isalist] Re: OWA problem
> 
> 
> http://www.ISAserver.org
> 
> 
> 12202 is specific to a rule violation.
> Look for the WEBEXT log entries that quote that sc-result 
> code. Those requests are the problematic ones.
> 
>   Jim Harrison
>   MCP(NT4, W2K), A+, Network+, PCG
>   http://isaserver.org/Jim_Harrison/
>   http://isatools.org
>   Read the help / books / articles!
> 
> 
> On Sat, 13 Sep 2003 18:56:48 +0200
>  "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx> wrote: 
> 
> Ok, I'll check on the dns later - in the meantime I had a 
> chance to look at it from a client directly connected to the 
> internet. Same result (403 forbidden, 12202)
> 
> Thanks
> Mark
> 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> > Posted At: Saturday, September 13, 2003 5:43 PM
> > Posted To: www.isaserver.org
> > Conversation: [isalist] Re: OWA problem
> > Subject: [isalist] Re: OWA problem
> > 
> > 
> > Hi Mark,
> > 
> > Make sure that you have force basic authentication, and that
> > all machines have the correct CA cert in their Trusted Root 
> > Certificate Authorities.
> > 
> > Also, make sure you have configured the correct entry in your
> > HOSTS file to support the redirect (unless you've created a 
> > proper split DNS, but no one does that except me and Jim :-)
> > 
> > HTH,
> > Tom
> > 
> > Thomas W Shinder
> > www.isaserver.org/shinder
> > ISA Server and Beyond: http://tinyurl.com/1jq1
> > Configuring ISA Server: http://tinyurl.com/1llp
> > 
> >  
> > 
> > 
> > -----Original Message-----
> > From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
> > Sent: Saturday, September 13, 2003 10:03 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: OWA problem
> > 
> > 
> > These are the complete log entries from one attempt:
> > 
> > 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Win32), -, 9/13/2003, 16:42:45, -, SMS-CO-02, -, -, -, 0, 0, 117, 2627, -, -, GET, -, -, -, 200, -, -, -
> > 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:08, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> > 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:29, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> > 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 16:43:29, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 282, 1602, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 64, -, -, -
> > 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:56, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> > 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:44:17, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> > 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 16:44:17, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 536, 2330, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 995, -, -, -
> > 
> > No blocked connection from the filters, and the fws log only
> > shows my rdp connections. On my side, there are no log 
> > entries either, just the occasional ping being blocked. And, 
> > of course, 443 allowed.
> > 
> > The inbound listener is configured for all IP addresses
> > (dial-up) and to accept basic auth only. I had to configure a 
> > packet filter for inbound 443 access however to make this 
> > "work" actually. Without the filter, I'd be getting host not 
> > found errors or just a blank page. 
> > 
> > Thanks
> > Mark
> > 
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > Posted At: Saturday, September 13, 2003 4:33 PM
> > > Posted To: www.isaserver.org
> > > Conversation: [isalist] Re: OWA problem
> > > Subject: [isalist] Re: OWA problem
> > > 
> > > 
> > > Those URLs are the Windows certificate validation mechanism 
> > > attempting to obtain the CRL. It's probably not important to your 
> > > OWA problem.
> > > 
> > > What other failed connections do you find in the logs?
> > > 
> > >   Jim Harrison
> > >   MCP(NT4, W2K), A+, Network+, PCG
> > >   http://isaserver.org/Jim_Harrison/
> > >   http://isatools.org
> > >   Read the help / books / articles!
> > > 
> > > 
> > > On Sat, 13 Sep 2003 01:14:45 +0200
> > >  "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx> wrote: 
> > > 
> > > Hi guys,
> > > 
> > > I have now set up OWA via SSL for the first time. Thanks for the 
> > > great article, Tom!
> > > 
> > > A problem remains with it which I am not able to locate right
> > > now: when I try to connect to the OWA site from the outside,
> > > I'm presented with the certificate, but as soon as I accept 
> > > the connection, I get a 403 error. 
> > > 
> > > As I can only test from behind another ISA server, I had a look at
> > > the logs there and found out that the remote browser issues a GET
> > > for the web enrollment services with the internal name of my OWA
> > > server, which is of course bound to fail:
> > > 
> > > 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 01:01:49, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 400, 2330, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 995, -, -, -
> > > 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 01:01:54, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 375, 2330, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 995, -, -, -
> > > 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 01:03:01, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> > > 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 01:03:22, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 20, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> > > 
> > > Any ideas on this?
> > > 
> > > Thanks,
> > > Mark
> > > 
> > > 
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Other Internet Software Marketing Sites:
> > > Leading Network Software Directory: http://www.serverfiles.com
> > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Network Security Library: http://www.secinf.net/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
> > > To unsubscribe send a blank email to $subst('Email.Unsub')
> > > 
> > > ^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*
> > > 
> > > All mail from this domain is virus-scanned with RAV.
> > > www.ravantivirus.com
> > > 
> > > ^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*
> > 
> > 


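A triage pass over log entries like the ones quoted in this thread, as an added example that is not part of the original messages or of any ISA Server tooling. It assumes the default 25-field ISA Server 2000 Web Proxy log order; two sample entries are copied from the thread and one is constructed to match the http:// GET with result 12202 that Mark describes.

```python
import csv
from collections import Counter

# Assumed field order: the ISA Server 2000 Web Proxy "ISA format" text log.
FIELDS = ("c-ip cs-username c-agent sc-authenticated date time s-svcname "
          "s-computername cs-referred r-host r-ip r-port time-taken cs-bytes "
          "sc-bytes cs-protocol cs-transport s-operation cs-uri cs-mime-type "
          "s-object-source sc-status s-cache-info rule#1 rule#2").split()

RULE_VIOLATION = "12202"  # per the thread: "specific to a rule violation"
CRYPTOAPI_AGENT = "CryptRetrieveObjectByUrl"  # Windows certificate validation fetches

def parse(lines):
    """Yield one dict per log line; skip lines without exactly 25 fields."""
    for row in csv.reader(lines, skipinitialspace=True):
        if len(row) == len(FIELDS):
            yield dict(zip(FIELDS, (v.strip() for v in row)))

def triage(lines):
    """Split entries into rule denials, certificate-validation noise, other failures."""
    report = {"denied": [], "cert_fetch_hosts": Counter(), "other_failures": []}
    for e in parse(lines):
        status = e["sc-status"]
        if status == RULE_VIOLATION:
            report["denied"].append((e["time"], e["s-operation"], e["cs-uri"]))
        elif e["c-agent"].startswith(CRYPTOAPI_AGENT):
            report["cert_fetch_hosts"][e["r-host"]] += 1
        elif not status.isdigit() or not 200 <= int(status) < 400:
            report["other_failures"].append((e["time"], e["r-host"], status))
    return report

SAMPLE = [
    # Two entries copied from the thread (rejoined onto one line each).
    "192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:08, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -",
    "192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 16:44:17, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 536, 2330, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 995, -, -, -",
    # Constructed entry (hypothetical client, server name and path): http:// GET denied with 12202.
    "192.0.2.10, anonymous, Mozilla/4.0 (compatible; MSIE 6.0), -, 9/14/2003, 18:20:00, -, ISA-EXAMPLE, -, myexternal.owa.name, -, 80, 0, 300, 500, http, -, GET, http://myexternal.owa.name/exchange/, -, -, 12202, -, -, -",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

The cert_fetch_hosts counter lists every host name that certificate validation tried to reach, which makes an internal name published in the certificate easy to spot from the client-side proxy log.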