Hi Stefaan,

I solve this problem in my deployments by using secure Exchange RPC publishing. Nice thing about it is that all versions of Outlook are supported, and it works from almost every location. Sadly, there are still a few locations that have benighted admins who have dopey hardware firewalls that don't understand RPC. But I've had a lot of success on the road with secure Exchange RPC only.

Tom

________________________________

From: Stefaan Pouseele [mailto:Stefaan.Pouseele@xxxxxxx]
Sent: Mon 10/17/2005 2:18 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Remote access to Exchange through ISA 2004

http://www.ISAserver.org

Hi,

I've a lab environment for testing out OWA and RPC over HTTPS and ran into a problem I can't seem to solve. Here is the setup:

    WKS ---+
           +--- [ISA] --- Internet --- WKS
    ADC ---+                  !
                             DNS

- WKS is an XP SP2 workstation that is moved between the Internal and the External network. The goal is obviously that the user should not change anything in the configuration on his workstation.
- DNS is the public DNS server (split DNS).
- ADC is the Active Directory controller, internal DNS server, Exchange Server and Web server for the OWA site and the RPC proxy. So, everything on one and the same box!

I can get either the OWA access or the RPC over HTTPS working without problem, but not both at the same time due to certificate limitations. Let's elaborate a little bit on this:

1. The ISA server as client (To tab in Web Publishing) does NOT support wildcard certs. So, what you put in the To tab must match EXACTLY the common name in the cert presented by the web server.
2. The ISA server as server (Web Listener) does support wildcard certs.
3. In ISA server the Basic and FBA authentication are mutually exclusive on the same listener.
4. In the configuration of RPC over HTTP in Outlook you need to make sure that the FQDN used as Principal name for proxy server (msstd:FQDN) matches EXACTLY the common name on the cert.
So, for a wildcard cert it must be 'msstd:*.domain.tld' and no other name such as 'exchange.domain.tld' is accepted. In other words, no real support for wildcard certs.

To summarize, without FlexAuth from Collective Software or implementing http://www.isaserver.org/tutorials/2004pubowamobile.html you need to have two Web listeners, one for OWA with FBA and one for RPC over HTTPS with Basic Auth. No big deal at all. So, problem solved? Not quite...

When the user moves his laptop from external to internal, either the OWA access will complain about the certificate or RPC over HTTP will not work, depending on which certificate is assigned to the internal Web server. You can only assign one cert to a web site (in this case the default web site). So, a possible solution is to have two web sites on the same server and therefore two IP addresses, two listeners and two certs on the internal web site too: one for OWA and one for RPC over HTTP.

The problem is I can't seem to find out how to reconfigure or install the RPC virtual directory so it does not run on the default website, or how to reconfigure Exchange so that the virtual directories do not run on the default website. Can this be done? Take note I don't know much about IIS or Exchange!

Thanks,
Stefaan

----------------------------------------------------------------
Disclaimer

The information in this message is intended solely for the addressee and may contain confidential and/or privileged data and/or information protected by intellectual property rights. If you are not the addressee, please delete this message and notify the sender. You may not use, modify, duplicate or distribute this message, nor disclose its contents to a third party. The security or accuracy of e-mail messages cannot be guaranteed, since the information can be intercepted, corrupted or destroyed, can get lost, can arrive late or incomplete, or can contain viruses.
Cevi NV accepts no liability whatsoever for loss or damage in any way attributable to the use of this medium. Any views or opinions in this message are those of the author and do not necessarily reflect those of Cevi NV or its affiliated companies. Consequently, this e-mail message does not bind Cevi NV unless it contains an explicit statement to the contrary from an authorised representative.

Cevi NV, Bisdomplein 3, 9000 Gent - tel. 09 264 07 01 - Account no. 091-0015991-15 RPR Gent - VAT BE 0860.972.295 - cevi@xxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
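The four certificate-name rules Stefaan lists (points 1, 2 and 4 in particular) are what force the two-listener, two-cert layout, and the same rules are what break when the laptop moves inside. The script below is an added example, not code from either post or from ISA: it encodes those rules as stated in the message so a name/cert plan can be checked on paper before touching ISA or IIS. The one-label wildcard rule for the browser-style check and the 'domain.tld' names are assumptions constructed for the example.

```python
# Added example: models the certificate-name rules from the thread.
# Assumptions are marked in the comments; hostnames are constructed.

def exact_cn_match(cert_cn: str, expected: str) -> bool:
    """Rule used by the ISA 'To' tab (point 1) and by Outlook's msstd:
    principal name (point 4): the configured name must equal the CN."""
    return cert_cn.lower() == expected.lower()


def wildcard_cn_match(cert_cn: str, host: str) -> bool:
    """Browser-style rule used by the ISA Web Listener (point 2).
    Assumption: '*.domain.tld' covers exactly one label, so it matches
    owa.domain.tld but not a.b.domain.tld or domain.tld itself."""
    cn, host = cert_cn.lower(), host.lower()
    if not cn.startswith("*."):
        return cn == host
    suffix = cn[1:]                                   # ".domain.tld"
    prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
    return bool(prefix) and "." not in prefix


def internal_direct_access(site_cert_cn: str, owa_host: str, msstd_fqdn: str) -> dict:
    """Laptop on the internal network: browser and Outlook talk to the IIS
    site directly, so its single certificate must satisfy both clients."""
    return {
        "owa_ok": wildcard_cn_match(site_cert_cn, owa_host),  # browser check
        "rpc_ok": exact_cn_match(site_cert_cn, msstd_fqdn),   # point 4
    }


def external_via_isa(listener_cert_cn: str, site_cert_cn: str, public_host: str,
                     to_tab_name: str, msstd_fqdn: str) -> dict:
    """Laptop on the Internet: clients see the Web Listener cert, while ISA
    itself validates the internal site cert against the 'To' tab name."""
    return {
        "listener_ok": wildcard_cn_match(listener_cert_cn, public_host),  # point 2
        # point 1: the To tab holds a real hostname, so a wildcard CN never equals it
        "to_tab_ok": (not site_cert_cn.startswith("*")
                      and exact_cn_match(site_cert_cn, to_tab_name)),
        "rpc_ok": exact_cn_match(listener_cert_cn, msstd_fqdn),           # point 4
    }
```

Running `internal_direct_access("*.domain.tld", "owa.domain.tld", "exchange.domain.tld")` shows the dilemma from the post: the wildcard cert satisfies the browser but not Outlook's msstd check, and swapping in 'exchange.domain.tld' flips the result.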