[isalist] Re: Outlook RPC via HTTPS - Unable to connect after one authentication prompt

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 22 Aug 2006 11:13:29 -0500

The BPA should have mentioned the System Policy Rule, not a manual rule.
 
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
        Sent: Tuesday, August 22, 2006 10:55 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Outlook RPC via HTTPS - Unable to connect after one authentication prompt
        
        
        No, I use it as an example. Sorry for any confusion. If we step back a few questions, did you notice that ISABPA reported I need a policy to allow HTTPS connections from local host to Internal? This conflicts with your advice.
        
        
        
        On 8/22/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote: 

                Do you own the example.org domain?
                
                 

                 


________________________________

                        
                        From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
                        Sent: Tuesday, August 22, 2006 9:29 AM
                        To: isalist@xxxxxxxxxxxxx
                        Subject: [isalist] Re: Outlook RPC via HTTPS - Unable to connect after one authentication prompt
                        


                
                On 8/22/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
                > OK,
                > Is FBA enabled on the listener you're using?
                
                Authentication on the listener - only "Basic" is checked on. I think that is what you mean?
                
                > Is the client set up correctly?
                
                I believe so:
                
                Exchange server: Public FQDN
                Username: johndoe
                
                Proxy settings: http://i86.photobucket.com/albums/k114/presidentbusch/exchproxy.jpg
                
                > Is the RPC proxy installed on the published server?
                
                Yes, it appears because when I run a test from IE: https://email.example.org/rpc according to this KB http://support.microsoft.com/kb/884506/en-us all is well.
                
                Thanks, for your help.
                
                > > -----Original Message-----
                > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
                > > Sent: Tuesday, August 22, 2006 8:47 AM
                > > To: isalist@xxxxxxxxxxxxx
                > > Subject: [isalist] Re: Outlook RPC via HTTPS - Unable to connect after one authentication prompt
                > >
                > >
                > > On 8/21/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
                > > > Remove that rule, you don't need it.
                > >
                > > Done.
                > >
                > > > Run the ISA firewall BPA to make sure your certificates are in order.
                > >
                > > Problems:
                > >
                > > 1) The certificate used by the server specified in a Web publishing rule cannot be validated
                > >
                > > To correct this warning, do one or both of the following
                > > Add an access rule that allows HTTPS traffic from the Local Host network to the network where the Web server resides.
                > >
                > > Check your network layout and connections.
                > > 
                > > 2) Same error
                > >
                > > 3) Enabled PMTUDiscovery Reg key to 1
                > >
                > > > Make sure you're delegating basic authentication
                > >
                > > Done. (Under the Users tab of this policy). 
                > >
                > > > Make sure the ISA firewall is a domain member
                > >
                > > It was and is.
                > >
                > > Thanks, Tom.
                > >
                > > ...D
                > >
                > > On 8/21/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
                > > >
                > > > Remove that rule, you don't need it.
                > > >
                > > > Run the ISA firewall BPA to make sure your certificates are in order.
                > > >
                > > > Make sure you're delegating basic authentication 
                > > >
                > > > Make sure the ISA firewall is a domain member
                > > >
                > > > HTH,
                > > > Tom
                > > >
                > > >
                > > >
                > > >
                > > > > -----Original Message-----
                > > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
                > > > > Sent: Monday, August 21, 2006 1:45 PM
                > > > > To: isalist@xxxxxxxxxxxxx
                > > > > Subject: [isalist] Outlook RPC via HTTPS - Unable to connect after one authentication prompt
                > > > >
                > > > >
                > > > > Systems: Exchange 2003 SP2, Outlook 2003 SP2, ISA 2004 SP2. OWA already set up and works.
                > > > >
                > > > > Testing Outlook RPC over HTTPS. MAPI profile created with Proxy details, open Outlook prompted for domain\username and password, Outlook times out with an error that it cannot connect to the Exchange server.
                > > > >
                > > > > Internally https://FQDN/rpc works as per the troubleshooting section here:
                > > > > http://support.microsoft.com/kb/884506/en-us
                > > > >
                > > > > I also created: "A rule that allows SSL from the Localhost object to the Internal network."
                > > > >
                > > > > Any assistance would be much appreciated.
                > > > >
                > > > > Here are some ISA logs specific to the Client IP (public IP) the client is accessing from.
                > > > >
                > > > > ------------------------------------------------------
                > > > > List Archives: //www.freelists.org/archives/isalist/
                > > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
                > > > > ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
                > > > > ISA Server Blogs: http://blogs.isaserver.org/
                > > > > ------------------------------------------------------
                > > > > Visit TechGenix.com for more information about our other sites:
                > > > > http://www.techgenix.com
                > > > > ------------------------------------------------------
                > > > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
                > > > > Report abuse to listadmin@xxxxxxxxxxxxx
                > > > >
                > > > >
                > > > >
                > > >
                > > >
                > > >
                > >
                > >
                > > -- 
                > > CPDE - Certified Petroleum Distribution Engineer
                > > CCBC - Certified Canadian Beer Consumer
                > >