Re: OWA problem

  • From: "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 14 Sep 2003 22:32:24 +0200

Hi Tom,

Ok ok no need to shout at me :)

Look, I think I've isolated one problem related to the listener and
dial-up.

When ISA detects a change in IP address, the resetsvrpubrules script is
triggered and it corrects the publishing rules and restarts the firewall
service. As the listener is part of the webproxy service which doesn't
get restarted, it obviously sticks with its "old" configuration.

That's where it gets odd: if you specify one listener for all IPs, you
don't enter an IP in the configuration dialog. But as I found out, the
'original' IP address of the external interface gets cached. This is the
logical conclusion of a test I made with the listener configuration. I
disabled SSL listening, saved the changes without restarting services,
enabled it again and saved with restarting services. Now the difference
is clear: as this procedure restarted the webproxy service, an updated
configuration was written or rather put into effect. This is pretty
clear and reproducible. The (directly connected) machine which could not
connect to my site before (blocked packets in packet filter log!) is now
presented the before mentioned warning dialog.

I could restart webproxy AND firewall services, but this would result in
the dial-up connection being closed again, which brings me to the
beginning of the problem: a change of IP address. I'll have a look at
this.

Now I will have to troubleshoot '500 - internal server error, principal
name incorrect'. 

Mark



> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
> Posted At: Sunday, September 14, 2003 7:05 PM
> Posted To: www.isaserver.org
> Conversation: [isalist] Re: OWA problem
> Subject: [isalist] Re: OWA problem
> 
> 
> http://www.ISAserver.org
> 
> 
> Hi Mark,
> 
> What is the EXACT configuration of the Web Publishing Rule?
> 
> Thanks!
> Tom
> 
> Thomas W Shinder 
> www.isaserver.org/shinder 
> ISA Server and Beyond: http://tinyurl.com/1jq1 
> Configuring ISA Server: http://tinyurl.com/1llp 
> 
> 
> 
> -----Original Message-----
> From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx] 
> Sent: Sunday, September 14, 2003 4:26 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: OWA problem
> 
> 
> http://www.ISAserver.org
> 
> 
> Btw, the FQDN I used is not contained in my internal domain, 
> so it should always resolve to an external ip.
> 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> > Posted At: Saturday, September 13, 2003 5:43 PM
> > Posted To: www.isaserver.org
> > Conversation: [isalist] Re: OWA problem
> > Subject: [isalist] Re: OWA problem
> > 
> > 
> > http://www.ISAserver.org
> > 
> > 
> > Hi Mark,
> > 
> > Make sure that you have force basic authentication, and that
> > all machines have the correct CA cert in their Trusted Root 
> > Certificate Authorities.
> > 
> > Also, make sure you have configured the correct entry in your
> > HOSTS file to support the redirect (unless you've created a 
> > proper split DNS, but no one does that except me and Jim :-)
> > 
> > HTH,
> > Tom
> > 
> > Thomas W Shinder
> > www.isaserver.org/shinder
> > ISA Server and Beyond: http://tinyurl.com/1jq1
> > Configuring ISA Server: http://tinyurl.com/1llp
> > 
> >  
> > 
> > 
> > -----Original Message-----
> > From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
> > Sent: Saturday, September 13, 2003 10:03 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: OWA problem
> > 
> > 
> > http://www.ISAserver.org
> > 
> > 
> > These are the complete log entries from one attempt:
> > 
> > 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Win32), -, 9/13/2003, 16:42:45, -, SMS-CO-02, -, -, -, 0, 0, 117, 2627, -, -, GET, -, -, -, 200, -, -, -
> > 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:08, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> > 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:29, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> > 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 16:43:29, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 282, 1602, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 64, -, -, -
> > 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:56, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> > 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:44:17, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> > 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 16:44:17, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 536, 2330, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 995, -, -, -
> > 
> > No blocked connection from the filters, and the fws log only
> > shows my rdp connections. On my side, there are no log 
> > entries either, just the occasional ping being blocked. And, 
> > of course, 443 allowed.
> > 
> > The inbound listener is configured for all IP addresses
> > (dial-up) and to accept basic auth only. I had to configure a 
> > packet filter for inbound 443 access however to make this 
> > "work" actually. Without the filter, I'd be getting host not 
> > found errors or just a blank page. 
> > 
> > Thanks
> > Mark
> > 
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > Posted At: Saturday, September 13, 2003 4:33 PM
> > > Posted To: www.isaserver.org
> > > Conversation: [isalist] Re: OWA problem
> > > Subject: [isalist] Re: OWA problem
> > > 
> > > 
> > > http://www.ISAserver.org
> > > 
> > > 
> > > Those URLs are the Windows certificate validation mechanism 
> > > attempting to obtain the CRL. It's probably not important to your 
> > > OWA problem.
> > > 
> > > What other failed connections do you find in the logs?
> > > 
> > >   Jim Harrison
> > >   MCP(NT4, W2K), A+, Network+, PCG
> > >   http://isaserver.org/Jim_Harrison/
> > >   http://isatools.org
> > >   Read the help / books / articles!
> > > 
> > > 
> > > On Sat, 13 Sep 2003 01:14:45 +0200
> > >  "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx> wrote: 
> > > http://www.ISAserver.org
> > > 
> > > 
> > > Hi guys,
> > > 
> > > I have now set up OWA via SSL for the first time. Thanks for the 
> > > great article, Tom!
> > > 
> > > A problem remains with it which I am not able to locate right
> > > now: when I try to connect to the OWA site from the outside,
> > > I'm presented with the certificate, but as soon as I accept 
> > > the connection, I get a 403 error. 
> > > 
> > > As I can only test from behind another ISA server, I had a look at
> > > the logs there and found out that the remote browser issues a GET
> > > for the web enrollment services with the internal name of my OWA
> > > server, which is of course bound to fail:
> > > 
> > > 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 01:01:49, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 400, 2330, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 995, -, -, -
> > > 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 01:01:54, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 375, 2330, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 995, -, -, -
> > > 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 01:03:01, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> > > 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 01:03:22, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 20, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> > > 
> > > Any ideas on this?
> > > 
> > > Thanks,
> > > Mark
> > > 
> > > 
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Other Internet Software Marketing Sites:
> > > Leading Network Software Directory: http://www.serverfiles.com
> > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Network Security Library: http://www.secinf.net/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
> > > To unsubscribe send a blank email to $subst('Email.Unsub')
> > > 
> 
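The proxy log entries quoted in this thread can be triaged mechanically. The following is an added example, not code from any poster or from ISA Server: it picks out the CryptoAPI retrievals (user agent `CryptRetrieveObjectByUrl`) that failed and groups them by destination host and object type. The sample lines are constructed from the entries quoted above, and the field positions are an assumption inferred from those entries.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample, modelled on the entries quoted in the thread (one entry per line).
SAMPLE_LOG = """\
192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:08, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:29, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 16:43:29, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 282, 1602, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 64, -, -, -
"""

# Assumption: 25 comma-separated fields per entry, positions read off the quoted lines.
AGENT, DEST_HOST, URI, STATUS = 2, 9, 18, 21
CRYPTO_AGENT = "CryptRetrieveObjectByUrl"
KIND = {".crt": "CA certificate (AIA)", ".cer": "CA certificate (AIA)", ".crl": "CRL (CDP)"}

def parse(line):
    """Split one entry; skip lines that do not have the expected 25 fields."""
    fields = [f.strip() for f in line.split(", ")]
    return fields if len(fields) == 25 else None

def failed_cert_fetches(log_text):
    """Count failed CryptoAPI retrievals per (host, object kind, status)."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse(line)
        if not f or not f[AGENT].startswith(CRYPTO_AGENT):
            continue  # malformed line or ordinary browser traffic
        status = f[STATUS]
        if status.isdigit() and 200 <= int(status) < 300:
            continue  # retrieval succeeded
        path = urlsplit(f[URI]).path.lower()
        kind = next((v for ext, v in KIND.items() if path.endswith(ext)), "other")
        hits[(f[DEST_HOST], kind, status)] += 1
    return hits

def report(log_text):
    """One summary line per failing (host, kind, status) group."""
    out = []
    for (host, kind, status), n in sorted(failed_cert_fetches(log_text).items()):
        # 11004 is Winsock WSANO_DATA: the name has no address record
        note = " (WSANO_DATA, name not resolvable)" if status == "11004" else ""
        out.append(f"{n}x {kind} fetch from {host} failed, status {status}{note}")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A host that shows up here with 11004 is a name published in the certificate's retrieval URLs that the client's network cannot resolve, which matches the internal Exchange hostname in the quoted entries.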

