[isalist] Re: Outlook RPC via HTTPS - Unable to connect after one authentication prompt

  • From: Danny <nocmonkey@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Tue, 22 Aug 2006 12:39:08 -0400

I found it. It was the path created during the policy creation wizard:

External path was /rpc internal path was /rpc/*
I edited the External path to be the same as internal. Thanks for your help
thus far.

On 8/22/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote: 

 As you've already proven, this isn't the issue :)

Plus, why would you need to create an SSL rule to allow CRL checks?

*

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
*

 ------------------------------
*From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
*On Behalf Of *Danny
*Sent:* Tuesday, August 22, 2006 10:55 AM
*To:* isalist@xxxxxxxxxxxxx
*Subject:* [isalist] Re: Outlook RPC via HTTPS - Unable to connect after
one authentication prompt

No, I use it as an example. Sorry for any confusion. If we step back a few
questions, did you noticed that ISABPA reported I need a policy to allow
HTTPS connections from local host to Internal? This conflicts with your
advice.


On 8/22/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
>
>  do you own the example.org domain?
>
> * *
>
> *Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls*
>
>
>   ------------------------------
>  *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:
> isalist-bounce@xxxxxxxxxxxxx] *On Behalf Of *Danny
> *Sent:* Tuesday, August 22, 2006 9:29 AM
>
> *To:* isalist@xxxxxxxxxxxxx
> *Subject:* [isalist] Re: Outlook RPC via HTTPS - Unable to connect after
> one authentication prompt
>
>  On 8/22/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > OK,
> > Is FBA enabled on the listener you're using?
>
> Authentication on the listener - only "Basic" is checked on. I think
> that is what you mean?
>
> > Is the client setup correctly?
>
> I believe so:
>
> Exchange server: Public FQDN
> Username: johndoe
>
> Proxy settings: 
http://i86.photobucket.com/albums/k114/presidentbusch/exchproxy.jpg
>
>
> > Is the RPC proxy installed on the published server?
>
> Yes, it appears because when I run a test from IE:
> https://email.example.org/rpc according this this KB
> http://support.microsoft.com/kb/884506/en-us all is well.
>
> Thanks, for your help.
>
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
> > > Sent: Tuesday, August 22, 2006 8:47 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Outlook RPC via HTTPS - Unable to
> > > connect after one authentication prompt
> > >
> > > http://www.ISAserver.org
> > > -------------------------------------------------------
> > >
> > > On 8/21/06, Thomas W Shinder < tshinder@xxxxxxxxxxx> wrote:
> > > > Remove that rule, you don't need it.
> > >
> > > Done.
> > >
> > > > Run the ISA firewall BPA to make sure your certificates are
> > > in order.
> > >
> > > Problems:
> > >
> > > 1) The certificate used by the server specified in a Web publishing
> > > rule cannot be validated
> > >
> > > To correct this warning, do one or both of the following
> > > Add an access rule that allows HTTPS traffic from the Local Host
> > > network to the network where the Web server resides.
> > >
> > > Check your network layout and connections.
> > >
> > > 2) Same error
> > >
> > > 3) Enabled PMTUDiscovery Reg key to 1
> > >
> > > > Make sure you're delegating basic authentication
> > >
> > > Done. (Under the Users tab of this policy).
> > >
> > > > Make sure the ISA firewall is a domain member
> > >
> > > It was and is.
> > >
> > > Thanks, Tom.
> > >
> > > ...D
> > >
> > > On 8/21/06, Thomas W Shinder < tshinder@xxxxxxxxxxx> wrote:
> > > > http://www.ISAserver.org
> > > > -------------------------------------------------------
> > > >
> > > > Remove that rule, you don't need it.
> > > >
> > > > Run the ISA firewall BPA to make sure your certificates are
> > > in order.
> > > >
> > > > Make sure you're delegating basic authentication
> > > >
> > > > Make sure the ISA firewall is a domain member
> > > >
> > > > HTH,
> > > > Tom
> > > >
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://blogs.isaserver.org/shinder/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- ISA Firewalls
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: isalist-bounce@xxxxxxxxxxxxx
> > > > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
> > > > > Sent: Monday, August 21, 2006 1:45 PM
> > > > > To: isalist@xxxxxxxxxxxxx
> > > > > Subject: [isalist] Outlook RPC via HTTPS - Unable to connect
> > > > > after one authentication prompt
> > > > >
> > > > > http://www.ISAserver.org
> > > > > -------------------------------------------------------
> > > > >
> > > > > Systems: Exchange 2003 SP2, Outlook 2003 SP2, ISA 2004 SP2. OWA
> > > > > already setup and works.
> > > > >
> > > > > Testing Outlook RPC over HTTPS. MAPI profile created with Proxy
> > > > > details, open Outlook prompted for domain\username and password,
>
> > > > > Outlook times out with an error that it cannot connect to
> > > the Exchange
> > > > > server.
> > > > >
> > > > > Internally https://FQDN/rpc works as per the troubleshooting
> > > > > section here:
> > > > > http://support.microsoft.com/kb/884506/en-us
> > > > >
> > > > > I also created: "A rule that allows SSL from the
> > > Localhost object to
> > > > > the Internal network."
> > > > >
> > > > > Any assistance would be much appreciated.
> > > > >
> > > > > Here are some ISA logs specific to the Client IP (public IP) the
> > > > > client is accessing from.
> > > > >
> > > > > Original Client IP    Client Agent    Authenticated Client
> > > > > Service       Server
> > > > > Name  Referring Server        Destination Host Name
> > > > > Transport     MIME Type       Object
> > > > > Source        Source Proxy    Destination Proxy
> > > > > Bidirectional Client Host
> > > > > Name  Filter Information      Network Interface       Raw IP
> > > > > Header        Raw
> > > > > Payload       Source Port     Processing Time Bytes Sent
> > > > > Bytes Received        Result
> > > > > Code  HTTP Status Code        Cache Information       Error
> > > > > Information   Log Record
> > > > > Type  Log Time        Destination IP  Destination
> > > > > Port  Protocol        Action  Rule    Client IP       Client
> > > > > Username      Source
> > > > > Network       Destination Network     HTTP Method     URL
> > > > > 0.0.0.0       MSRPC   No      Reverse
> > > > > Proxy GATEWAY         email.acmemigdets.com   TCP
> > > > >       -       -               -               -       -
> > > > > -     0       1       2264    281             12202
> > > > > The ISA Server denied the specified Uniform Resource
> > > Locator (URL).
> > > > >       0x8     0x200   Web Proxy Filter        21/08/2006 2:07:43
>
> > > > > PM    192.168.11.4    443     https   Denied Connection
> > >     Default
> > > > > rule  123.123.123.123 anonymous       External
> > > > > RPC_IN_DATA
> > > > > http://email.acmemigdets.com/rpc/rpcproxy.dll?email.acmemigdet
> > > > > s.com:6004
> > > > > 0.0.0.0       MSRPC   No      Reverse
> > > > > Proxy GATEWAY         email.acmemigdets.com    TCP
> > > > >       -       -               -               -       -
> > > > > -     0       1       2264    282             12202
> > > > > The ISA Server denied the specified Uniform Resource
> > > Locator (URL).
> > > > >       0x8     0x200   Web Proxy Filter        21/08/2006 2:07:43
> > > > > PM    192.168.11.4    443     https   Denied Connection
> > >     Default
> > > > > rule  123.123.123.123 anonymous       External
> > > > > RPC_OUT_DATA
> > > > > http://email.acmemigdets.com/rpc/rpcproxy.dll?email.acmemigdet
> > > > > s.com:6004
> > > > > 0.0.0.0       MSRPC   No      Reverse
> > > > > Proxy GATEWAY         email.acmemigdets.com   TCP
> > > > >       -       -               -               -       -
> > > > > -     0       1       2264    280             12202
> > > > > The ISA Server denied the specified Uniform Resource
> > > Locator (URL).
> > > > >       0x8     0x200   Web Proxy Filter        21/08/2006 2:07:44
> > > > > PM     192.168.11.4    443     https   Denied Connection
> > >     Default
> > > > > rule  123.123.123.123 anonymous       External
> > > > > RPC_IN_DATA
> > > > > http://email.acmemigdets.com/rpc/rpcproxy.dll?email.acmemigdet
> > > > > s.com:593
> > > > > 0.0.0.0       MSRPC   No      Reverse
> > > > > Proxy GATEWAY         email.acmemigdets.com   TCP
> > > > >       -       -               -               -       -
> > > > > -     0       1       2264    281             12202
> > > > > The ISA Server denied the specified Uniform Resource
> > > Locator (URL).
> > > > >       0x8     0x200   Web Proxy Filter        21/08/2006 2:07:44
>
> > > > > PM    192.168.11.4    443     https   Denied Connection
> > >     Default
> > > > > rule  123.123.123.123 anonymous       External
> > > > > RPC_OUT_DATA
> > > > > http://email.acmemigdets.com/rpc/rpcproxy.dll?email.acmemigdet
> > > > > s.com:593
> > > > > 123.123.123.123                               GATEWAY -
> > > > >       TCP     -
> > > > > -                             1238    0       0       0
> 0x0
> > > > >               0x0     0x0     Firewall        21/08/2006 2:07:44
> > > > > PM    192.168.11.4    443     HTTPS   Initiated
> > > > > Connection             123.123.123.123         External
> > > > > Local Host    -       -
> > > > > 123.123.123.123                               GATEWAY -
> > > > >       TCP     -
> > > > > -                             14090   0       0       0
> 0x0
> > > > >               0x0     0x0     Firewall        21/08/2006 2:07:44
> > > > > PM     192.168.11.4    443     HTTPS   Initiated
> > > > > Connection            123.123.123.123         External
> > > > > Local Host    -       -
> > > > > 123.123.123.123                               GATEWAY -
> > > > >       TCP     -
> > > > > -                             1238    0       1054    3701
> > > > > 0x80074e21
> > > > >               0x0     0x0     Firewall        21/08/2006
> > > > > 2:07:44 PM    192.168.11.4    443     HTTPS   Closed
> > > > > Connection            123.123.123.123         External
> > > > > Local Host    -       -
> > > > > 123.123.123.123                                GATEWAY -
> > > > >       TCP     -
> > > > > -                             14090   0       1015    3741
> > > > > 0x80074e20
> > > > >               0x0     0x0     Firewall        21/08/2006
> > > > > 2:07:44 PM    192.168.11.4    443     HTTPS   Closed
> > > > > Connection            123.123.123.123         External
> > > > > Local Host    -       -
> > > > > 123.123.123.123                               GATEWAY -
> > > > >       TCP     -
> > > > > -                             1239    0       0       0
> 0x0
> > > > >               0x0     0x0     Firewall        21/08/2006 2:07:44
> > > > > PM    192.168.11.4    443     HTTPS   Initiated
> > > > > Connection             123.123.123.123         External
> > > > > Local Host    -       -
> > > > > 123.123.123.123                               GATEWAY -
> > > > >       TCP     -
> > > > > -                             14091   0       0       0
> 0x0
> > > > >               0x0     0x0     Firewall        21/08/2006 2:07:44
> > > > > PM     192.168.11.4    443     HTTPS   Initiated
> > > > > Connection            123.123.123.123         External
> > > > > Local Host    -       -
> > > > > 123.123.123.123                               GATEWAY -
> > > > >       TCP     -
> > > > > -                             14091   2000    1054    3741
> > > > > 0x80074e20
> > > > >               0x0     0x0     Firewall        21/08/2006
> > > > > 2:07:46 PM    192.168.11.4    443     HTTPS   Closed
> > > > > Connection            123.123.123.123         External
> > > > > Local Host    -       -
> > > > > 123.123.123.123                                GATEWAY -
> > > > >       TCP     -
> > > > > -                             1239    2000    1053    3701
> > > > > 0x80074e21
> > > > >               0x0     0x0     Firewall        21/08/2006
> > > > > 2:07:46 PM    192.168.11.4    443     HTTPS   Closed
> > > > > Connection            123.123.123.123         External
> > > > > Local Host    -       -
> > > > > ------------------------------------------------------
> > > > > List Archives: //www.freelists.org/archives/isalist/
> > > > > ISA Server Newsletter:
> > > http://www.isaserver.org/pages/newsletter.asp
> > > > > ISA Server Articles and Tutorials:
> > > > > http://www.isaserver.org/articles_tutorials/
> > > > > ISA Server Blogs: http://blogs.isaserver.org/
> > > > > ------------------------------------------------------
> > > > > Visit TechGenix.com for more information about our other sites:
> > > > > http://www.techgenix.com
> > > > > ------------------------------------------------------
> > > > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > > >
> > > > >
> > > > >
> > > > ------------------------------------------------------
> > > > List Archives: //www.freelists.org/archives/isalist/
> > > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server Articles and Tutorials:
> > > http://www.isaserver.org/articles_tutorials/
> > > > ISA Server Blogs: http://blogs.isaserver.org/
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > >
> > > >
> > >
> > >
> > > --
> > > CPDE - Certified Petroleum Distribution Engineer
> > > CCBC - Certified Canadian Beer Consumer
> > > ------------------------------------------------------
> > > List Archives: //www.freelists.org/archives/isalist/
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server Articles and Tutorials:
> > > http://www.isaserver.org/articles_tutorials/
> > > ISA Server Blogs: http://blogs.isaserver.org/
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > >
> > >
> > ------------------------------------------------------
> > List Archives: //www.freelists.org/archives/isalist/
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> > ISA Server Blogs: http://blogs.isaserver.org/
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> >
>
>
> --
> CPDE - Certified Petroleum Distribution Engineer
> CCBC - Certified Canadian Beer Consumer
>



--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer




--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer

Other related posts:

  1. Home
  2. isalist
  3. Archive
  4. 08-2006