[isalist] Re: Outlook RPC via HTTPS - Unable to connect after one authentication prompt

The BPA should have mentioned the System Policy Rule, not a manual rule.
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- ISA Firewalls

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
        Sent: Tuesday, August 22, 2006 10:55 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Outlook RPC via HTTPS - Unable to connect
after one authentication prompt
        
        
        No, I use it as an example. Sorry for any confusion. If we step
back a few questions, did you noticed that ISABPA reported I need a
policy to allow HTTPS connections from local host to Internal? This
conflicts with your advice. 
        
        
        
        On 8/22/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote: 

                do you own the example.org domain? 
                
                 
                Thomas W Shinder, M.D.
                Site: www.isaserver.org <http://www.isaserver.org/> 
                Blog: http://blogs.isaserver.org/shinder/
                Book: http://tinyurl.com/3xqb7
<http://tinyurl.com/3xqb7> 
                MVP -- ISA Firewalls

                 


________________________________

                        
                        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
                        
                        Sent: Tuesday, August 22, 2006 9:29 AM
                        
                        To: isalist@xxxxxxxxxxxxx
                        Subject: [isalist] Re: Outlook RPC via HTTPS -
Unable to connect after one authentication prompt
                        


                
                On 8/22/06, Thomas W Shinder <tshinder@xxxxxxxxxxx>
wrote:
                > OK,
                > Is FBA enabled on the listener you're using?
                
                Authentication on the listener - only "Basic" is checked
on. I think that is what you mean? 
                
                > Is the client setup correctly?
                
                I believe so:
                
                Exchange server: Public FQDN
                Username: johndoe
                
                Proxy settings:
http://i86.photobucket.com/albums/k114/presidentbusch/exchproxy.jpg 
                
                > Is the RPC proxy installed on the published server?
                
                Yes, it appears because when I run a test from IE:
https://email.example.org/rpc according this this KB
http://support.microsoft.com/kb/884506/en-us all is well.
                
                Thanks, for your help.
                
                > > -----Original Message----- 
                > > From: isalist-bounce@xxxxxxxxxxxxx
                > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of
Danny
                > > Sent: Tuesday, August 22, 2006 8:47 AM
                > > To: isalist@xxxxxxxxxxxxx
                > > Subject: [isalist] Re: Outlook RPC via HTTPS -
Unable to
                > > connect after one authentication prompt 
                > >
                > > http://www.ISAserver.org
                > >
-------------------------------------------------------
                > >
                > > On 8/21/06, Thomas W Shinder < tshinder@xxxxxxxxxxx
<mailto:tshinder@xxxxxxxxxxx> > wrote:
                > > > Remove that rule, you don't need it.
                > >
                > > Done.
                > >
                > > > Run the ISA firewall BPA to make sure your
certificates are
                > > in order. 
                > >
                > > Problems:
                > >
                > > 1) The certificate used by the server specified in a
Web publishing
                > > rule cannot be validated
                > >
                > > To correct this warning, do one or both of the
following 
                > > Add an access rule that allows HTTPS traffic from
the Local Host
                > > network to the network where the Web server resides.
                > >
                > > Check your network layout and connections.
                > > 
                > > 2) Same error
                > >
                > > 3) Enabled PMTUDiscovery Reg key to 1
                > >
                > > > Make sure you're delegating basic authentication
                > >
                > > Done. (Under the Users tab of this policy). 
                > >
                > > > Make sure the ISA firewall is a domain member
                > >
                > > It was and is.
                > >
                > > Thanks, Tom.
                > >
                > > ...D
                > >
                > > On 8/21/06, Thomas W Shinder < tshinder@xxxxxxxxxxx>
wrote:
                > > > http://www.ISAserver.org
                > > >
------------------------------------------------------- 
                > > >
                > > > Remove that rule, you don't need it.
                > > >
                > > > Run the ISA firewall BPA to make sure your
certificates are
                > > in order.
                > > >
                > > > Make sure you're delegating basic authentication 
                > > >
                > > > Make sure the ISA firewall is a domain member
                > > >
                > > > HTH,
                > > > Tom
                > > >
                > > > Thomas W Shinder, M.D.
                > > > Site: www.isaserver.org
                > > > Blog: http://blogs.isaserver.org/shinder/
                > > > Book: http://tinyurl.com/3xqb7
                > > > MVP -- ISA Firewalls
                > > >
                > > >
                > > >
                > > > > -----Original Message-----
                > > > > From: isalist-bounce@xxxxxxxxxxxxx
                > > > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf
Of Danny
                > > > > Sent: Monday, August 21, 2006 1:45 PM 
                > > > > To: isalist@xxxxxxxxxxxxx
                > > > > Subject: [isalist] Outlook RPC via HTTPS -
Unable to connect
                > > > > after one authentication prompt 
                > > > >
                > > > > http://www.ISAserver.org
                > > > >
-------------------------------------------------------
                > > > >
                > > > > Systems: Exchange 2003 SP2, Outlook 2003 SP2,
ISA 2004 SP2. OWA 
                > > > > already setup and works.
                > > > >
                > > > > Testing Outlook RPC over HTTPS. MAPI profile
created with Proxy
                > > > > details, open Outlook prompted for
domain\username and password, 
                > > > > Outlook times out with an error that it cannot
connect to
                > > the Exchange
                > > > > server.
                > > > >
                > > > > Internally https://FQDN/rpc works as per the
troubleshooting
                > > > > section here:
                > > > > http://support.microsoft.com/kb/884506/en-us 
                > > > >
                > > > > I also created: "A rule that allows SSL from the
                > > Localhost object to
                > > > > the Internal network."
                > > > >
                > > > > Any assistance would be much appreciated. 
                > > > >
                > > > > Here are some ISA logs specific to the Client IP
(public IP) the
                > > > > client is accessing from.
                > > > >
                > > > > Original Client IP    Client Agent
Authenticated Client 
                > > > > Service       Server
                > > > > Name  Referring Server        Destination Host
Name
                > > > > Transport     MIME Type       Object
                > > > > Source        Source Proxy    Destination Proxy 
                > > > > Bidirectional Client Host
                > > > > Name  Filter Information      Network Interface
Raw IP
                > > > > Header        Raw
                > > > > Payload       Source Port     Processing Time
Bytes Sent 
                > > > > Bytes Received        Result
                > > > > Code  HTTP Status Code        Cache Information
Error
                > > > > Information   Log Record
                > > > > Type  Log Time        Destination IP
Destination 
                > > > > Port  Protocol        Action  Rule    Client IP
Client
                > > > > Username      Source
                > > > > Network       Destination Network     HTTP
Method     URL
                > > > > 0.0.0.0       MSRPC   No      Reverse
                > > > > Proxy GATEWAY         email.acmemigdets.com
TCP
                > > > >       -       -               -               -
- 
                > > > > -     0       1       2264    281
12202
                > > > > The ISA Server denied the specified Uniform
Resource
                > > Locator (URL).
                > > > >       0x8     0x200   Web Proxy Filter
21/08/2006 2:07:43 
                > > > > PM    192.168.11.4    443     https   Denied
Connection
                > >     Default
                > > > > rule  123.123.123.123 anonymous       External 
                > > > > RPC_IN_DATA
                > > > >
http://email.acmemigdets.com/rpc/rpcproxy.dll?email.acmemigdet 
                > > > > s.com:6004
                > > > > 0.0.0.0       MSRPC   No      Reverse
                > > > > Proxy GATEWAY         email.acmemigdets.com
TCP
                > > > >       -       -               -               -
-
                > > > > -     0       1       2264    282
12202
                > > > > The ISA Server denied the specified Uniform
Resource 
                > > Locator (URL).
                > > > >       0x8     0x200   Web Proxy Filter
21/08/2006 2:07:43
                > > > > PM    192.168.11.4    443     https   Denied
Connection 
                > >     Default
                > > > > rule  123.123.123.123 anonymous       External
                > > > > RPC_OUT_DATA
                > > > >
http://email.acmemigdets.com/rpc/rpcproxy.dll?email.acmemigdet 
                > > > > s.com:6004
                > > > > 0.0.0.0       MSRPC   No      Reverse 
                > > > > Proxy GATEWAY         email.acmemigdets.com
TCP
                > > > >       -       -               -               -
-
                > > > > -     0       1       2264    280
12202 
                > > > > The ISA Server denied the specified Uniform
Resource
                > > Locator (URL).
                > > > >       0x8     0x200   Web Proxy Filter
21/08/2006 2:07:44
                > > > > PM     192.168.11.4    443     https   Denied
Connection
                > >     Default
                > > > > rule  123.123.123.123 anonymous       External
                > > > > RPC_IN_DATA 
                > > > >
http://email.acmemigdets.com/rpc/rpcproxy.dll?email.acmemigdet 
                > > > > s.com:593 
                > > > > 0.0.0.0       MSRPC   No      Reverse
                > > > > Proxy GATEWAY         email.acmemigdets.com
TCP
                > > > >       -       -               -               -
- 
                > > > > -     0       1       2264    281
12202
                > > > > The ISA Server denied the specified Uniform
Resource
                > > Locator (URL).
                > > > >       0x8     0x200   Web Proxy Filter
21/08/2006 2:07:44 
                > > > > PM    192.168.11.4    443     https   Denied
Connection
                > >     Default
                > > > > rule  123.123.123.123 anonymous       External 
                > > > > RPC_OUT_DATA
                > > > >
http://email.acmemigdets.com/rpc/rpcproxy.dll?email.acmemigdet 
                > > > > s.com:593
                > > > > 123.123.123.123
GATEWAY -
                > > > >       TCP     -
                > > > > -                             1238    0       0
0       0x0 
                > > > >               0x0     0x0     Firewall
21/08/2006 2:07:44
                > > > > PM    192.168.11.4    443     HTTPS   Initiated
                > > > > Connection             123.123.123.123
External
                > > > > Local Host    -       -
                > > > > 123.123.123.123
GATEWAY - 
                > > > >       TCP     -
                > > > > -                             14090   0       0
0       0x0
                > > > >               0x0     0x0     Firewall
21/08/2006 2:07:44
                > > > > PM     192.168.11.4    443     HTTPS   Initiated
                > > > > Connection            123.123.123.123
External
                > > > > Local Host    -       - 
                > > > > 123.123.123.123
GATEWAY -
                > > > >       TCP     -
                > > > > -                             1238    0
1054    3701 
                > > > > 0x80074e21
                > > > >               0x0     0x0     Firewall
21/08/2006
                > > > > 2:07:44 PM    192.168.11.4    443     HTTPS
Closed 
                > > > > Connection            123.123.123.123
External
                > > > > Local Host    -       -
                > > > > 123.123.123.123
GATEWAY -
                > > > >       TCP     -
                > > > > -                             14090   0
1015    3741
                > > > > 0x80074e20
                > > > >               0x0     0x0     Firewall
21/08/2006 
                > > > > 2:07:44 PM    192.168.11.4    443     HTTPS
Closed
                > > > > Connection            123.123.123.123
External 
                > > > > Local Host    -       -
                > > > > 123.123.123.123
GATEWAY -
                > > > >       TCP     -
                > > > > -                             1239    0       0
0       0x0 
                > > > >               0x0     0x0     Firewall
21/08/2006 2:07:44
                > > > > PM    192.168.11.4    443     HTTPS   Initiated
                > > > > Connection             123.123.123.123
External
                > > > > Local Host    -       -
                > > > > 123.123.123.123
GATEWAY - 
                > > > >       TCP     -
                > > > > -                             14091   0       0
0       0x0
                > > > >               0x0     0x0     Firewall
21/08/2006 2:07:44
                > > > > PM     192.168.11.4    443     HTTPS   Initiated
                > > > > Connection            123.123.123.123
External
                > > > > Local Host    -       - 
                > > > > 123.123.123.123
GATEWAY -
                > > > >       TCP     -
                > > > > -                             14091   2000
1054    3741 
                > > > > 0x80074e20
                > > > >               0x0     0x0     Firewall
21/08/2006
                > > > > 2:07:46 PM    192.168.11.4    443     HTTPS
Closed 
                > > > > Connection            123.123.123.123
External
                > > > > Local Host    -       -
                > > > > 123.123.123.123
GATEWAY -
                > > > >       TCP     -
                > > > > -                             1239    2000
1053    3701
                > > > > 0x80074e21
                > > > >               0x0     0x0     Firewall
21/08/2006 
                > > > > 2:07:46 PM    192.168.11.4    443     HTTPS
Closed
                > > > > Connection            123.123.123.123
External 
                > > > > Local Host    -       -
                > > > >
------------------------------------------------------
                > > > > List Archives:
http://www.freelists.org/archives/isalist/ 
                > > > > ISA Server Newsletter:
                > > http://www.isaserver.org/pages/newsletter.asp 
                > > > > ISA Server Articles and Tutorials: 
                > > > > http://www.isaserver.org/articles_tutorials/ 
                > > > > ISA Server Blogs: http://blogs.isaserver.org/ 
                > > > >
------------------------------------------------------
                > > > > Visit TechGenix.com for more information about
our other sites:
                > > > > http://www.techgenix.com
                > > > >
------------------------------------------------------
                > > > > To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp 
                > > > > Report abuse to listadmin@xxxxxxxxxxxxx
                > > > >
                > > > >
                > > > >
                > > >
------------------------------------------------------ 
                > > > List Archives:
http://www.freelists.org/archives/isalist/
                > > > ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
                > > > ISA Server Articles and Tutorials:
                > > http://www.isaserver.org/articles_tutorials/ 
                > > > ISA Server Blogs: http://blogs.isaserver.org/
                > > >
------------------------------------------------------
                > > > Visit TechGenix.com for more information about our
other sites: 
                > > > http://www.techgenix.com
                > > >
------------------------------------------------------
                > > > To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
                > > > Report abuse to listadmin@xxxxxxxxxxxxx
                > > >
                > > >
                > >
                > >
                > > -- 
                > > CPDE - Certified Petroleum Distribution Engineer
                > > CCBC - Certified Canadian Beer Consumer
                > >
------------------------------------------------------
                > > List Archives:
http://www.freelists.org/archives/isalist/
                > > ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
                > > ISA Server Articles and Tutorials: 
                > > http://www.isaserver.org/articles_tutorials/ 
                > > ISA Server Blogs: http://blogs.isaserver.org/
                > >
------------------------------------------------------
                > > Visit TechGenix.com for more information about our
other sites:
                > > http://www.techgenix.com
                > >
------------------------------------------------------
                > > To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
                > > Report abuse to listadmin@xxxxxxxxxxxxx
                > >
                > >
                > >
                > ------------------------------------------------------
                > List Archives:
http://www.freelists.org/archives/isalist/
                > ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
                > ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
                > ISA Server Blogs: http://blogs.isaserver.org/
                > ------------------------------------------------------

                > Visit TechGenix.com for more information about our
other sites:
                > http://www.techgenix.com
                > ------------------------------------------------------
                > To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
                > Report abuse to listadmin@xxxxxxxxxxxxx
                > 
                > 
                
                
                -- 
                CPDE - Certified Petroleum Distribution Engineer
                CCBC - Certified Canadian Beer Consumer
                




        -- 
        CPDE - Certified Petroleum Distribution Engineer
        CCBC - Certified Canadian Beer Consumer 

Other related posts: