RE: ISA 2004 and Exchange 2k3 OWA

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 31 Jan 2005 22:39:07 -0600

Hi Mats,

Here's how you do it:

Example: owa.domain.com

Request and bind a Web site certificate to the OWA site, make sure the
common name on the certificate is owa.domain.com

Export that certificate WITH ITS PRIVATE KEY to a file.

Import the certificate with its private key into the ISA firewall's
machine certificate store.

Create the OWA Web publishing rule. Bind the OWA Web site certificate to
the Web listener.

Make sure the Public Name you use for the Web Publishing Rule is EXACTLY
THE SAME as the common name on the certificate

Make sure the ISA firewall resolves the name of the OWA site to the
actual IP address of the site.

Finally, check out the HUMUNGOUS amount of info on www.isaserver.org and
in the ISA2004 Exchange deployment kit on the www.microsoft.com/isa Web
sites. 

The lab shows you how it works and what buttons to push. Use our stuff
to actually make it work. There are easy ways and hard ways to do
things. I know how to do it the hard way and that's why I make the big
money :-)  Try getting it to work the easy way first, and then when you
want to do it the hard way, you'll be in the position to ask the right
questions.

HTH,
Tom 
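
A check of the prerequisites in the steps above, as an added example that is not part of the original message: run in PowerShell on the firewall, it confirms that a certificate whose common name equals the Public Name sits in the machine store with its private key, and that the name resolves to the OWA site's own address. The function and parameter names are hypothetical; owa.domain.com and 10.10.0.2 are the example values used in the thread.

```powershell
# Added example. owa.domain.com and 10.10.0.2 are the example values from the
# thread; the function and parameter names are hypothetical.
function Test-OwaPublishingPrereqs {
    param(
        [Parameter(Mandatory = $true)][string]$PublicName,  # Public Name on the Web publishing rule
        [Parameter(Mandatory = $true)][string]$SiteIp       # actual IP address of the OWA site
    )

    $findings = @()
    $cnType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    # The certificate must be in the machine store (not a user store), and its
    # common name must be exactly the Public Name (DNS names are case-insensitive).
    $candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.GetNameInfo($cnType, $false) -ieq $PublicName
    })

    if ($candidates.Count -eq 0) {
        $findings += "No certificate with common name '$PublicName' in LocalMachine\My"
    }
    elseif (@($candidates | Where-Object { $_.HasPrivateKey }).Count -eq 0) {
        # Exported or imported without the private key: the Web listener cannot use it.
        $findings += "Certificate '$PublicName' is present but has no private key"
    }

    # The firewall itself must resolve the name to the OWA site, not to the
    # external address that Internet clients use.
    try {
        $resolved = @([System.Net.Dns]::GetHostAddresses($PublicName) |
            ForEach-Object { $_.IPAddressToString })
        if ($resolved -notcontains $SiteIp) {
            $findings += "'$PublicName' resolves to $($resolved -join ', '), expected $SiteIp"
        }
    }
    catch {
        $findings += "'$PublicName' does not resolve on this machine"
    }

    [pscustomobject]@{
        PublicName = $PublicName
        Passed     = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

Test-OwaPublishingPrereqs -PublicName 'owa.domain.com' -SiteIp '10.10.0.2'
```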

-----Original Message-----
From: Mats Hellman [mailto:mats.hellman@xxxxxxxxxxxxx] 
Sent: Monday, January 31, 2005 10:31 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 and Exchange 2k3 OWA

http://www.ISAserver.org

Right now I don't really care which way, I just need it to work.
So if you have another way please tell me.

_____________________________________
Mats Hellman
@ mats.hellman@xxxxxxxxxxxxx


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: 1 February 2005 6:29
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 and Exchange 2k3 OWA

Hi Mats,

You can do it the virtual lab way, or my way.

If you want to do it the virtual lab way, then you'll need to study up
on how everything works, and get at least a basic understanding of PKI
and how use uses certs.

Or, you can do it my way, which always works, and you don't have to
understand everything.

So, my way or the highway?

:-)

HTH,
Tom 

-----Original Message-----
From: Mats Hellman [mailto:mats.hellman@xxxxxxxxxxxxx]
Sent: Monday, January 31, 2005 10:18 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 and Exchange 2k3 OWA

The cert names in the VL are different. But thanks, I'll try it as soon
as I get to the machine.
Are you up 24/7 or what? You must be the one posting most to this list.
Well, have a nice day and thanks again. I'll let you know if it works
out.

_____________________________________
Mats Hellman
@ mats.hellman@xxxxxxxxxxxxx


-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx]
Sent: 1 February 2005 6:13
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 and Exchange 2k3 OWA

The certs NEED to be exactly the same..won't work otherwise. The machine
can be called what you like, but the cert name and the website name HAVE
to be the same.

S 

-----Original Message-----
From: Mats Hellman [mailto:mats.hellman@xxxxxxxxxxxxx]
Sent: Monday, January 31, 2005 10:43 PM
To: ISA Mailing List
Subject: [isalist] RE: ISA 2004 and Exchange 2k3 OWA

The ISA cert is webmail.mydomain.com, which is fqdn but the local IIS
cert is not. If you checkout Microsoft's virtual lab on ISA OWA
publishing they use the same. The machine is called something totally
different in the local network. 
_____________________________________
Mats Hellman
@ mats.hellman@xxxxxxxxxxxxx

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx]
Sent: 31 January 2005 22:58
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 and Exchange 2k3 OWA

The dns record has to be the same as the cert fqdn... As in
mine....mail.optimum.bm....that's the fqdn for ext and int dns....that's
what the certs published to....that's the host header on the iis server
and that's where ISA redirects all web requests to.

S

-----Original Message-----
From: Mats Hellman [mailto:mats.hellman@xxxxxxxxxxxxx]
Sent: Monday, January 31, 2005 4:48 PM
To: ISA Mailing List
Subject: [isalist] RE: ISA 2004 and Exchange 2k3 OWA

The local server is called owa so I have a host record pointing to
10.10.0.2 which is the owa.mydomain.com.
There is a HTTPS listener on the ISA and the cert is installed on it.
The wizard takes care of the routing so yes it should be ok. But for
some reason ISA still falls back to deny all.
Could the installation have gone wrong or something?
The page shown to clients is the default one for IE when a page is not
found.

Mats Hellman

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx]
Sent: 31 January 2005 20:59
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 and Exchange 2k3 OWA

You've installed the cert in IIS and on the ISA server?

You've created an ssl listener on the ISA server? 

You've published the OWA server on the ISA using the SSL listener and
routed it to the webserver?

S

-----Original Message-----
From: Mats Hellman [mailto:mats.hellman@xxxxxxxxxxxxx]
Sent: Monday, January 31, 2005 2:52 PM
To: ISA Mailing List
Subject: [isalist] RE: ISA 2004 and Exchange 2k3 OWA

Some more info.
ISA is now one of the firewalls protecting the internal network
10.10.0.1-10.10.0.126 255.255.255.128 from the external. External now
has 5 Static IP:s.
I'm not going to list them here other than the end, 170,171,172,173,174.
Webmail.mydomain.com is the external address a client will use to access
OWA, it points to the IP 172 and I've made the certificate
(webmail.mydomain.com) with the OWA server's CA. I also installed the OWA
server's certificate and it replies nicely in the local network for OWA
access.
I've tried this from the external net using my laptop and GPRS. The
client (IE) just says it can't find the website and the ISA server live
log shows ISA falls back to the last default rule to deny all traffic.
The OWA publishing has been done with the ISA 2004 server's wizard to
publish a mail server, in this case an OWA client.
Any ideas?

Mats Hellman

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx]
Sent: 31 January 2005 16:31
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 and Exchange 2k3 OWA

And whether you're trying to test this from a PC external to your ISA or
from behind ISA.

S 

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Monday, January 31, 2005 10:23 AM
To: ISA Mailing List
Subject: [isalist] RE: ISA 2004 and Exchange 2k3 OWA

"doesn't work" and "by the book" doesn't give us anything to work with.
 
Q1 - what is the error seen at the client?
Q2 - EXACTLY how is the publishing rule configured?
Q3 - what is the EXACT URL entered in the browser address bar?

Jim

-----Original Message-----
From: Mats Hellman [mailto:mats.hellman@xxxxxxxxxxxxx]
Sent: Sunday, January 30, 2005 10:47 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA 2004 and Exchange 2k3 OWA

Hello list.
I'm having some problems publishing my OWA.
I've done everything by the book and this still does not work. I've been
through the Virtual Labs at Microsoft and I've read through a whole lot of
documents.
I'm trying to set up a secure-secure connection between the ISA and
Exchange OWA server. I've tried it a few times and for some reason, even
with the publish rule there, ISA always falls back to the default, deny
all rule. For troubleshooting I opened ICMP ports on the external
interfaces and ISA replies to ping, but if I try to relay the ping to
another local network server ISA blocks it by the default rule again.
What am I doing wrong here? Does anyone have a clue? Could this be an
installation or an interface configuration problem or where should I
start looking?


Mats Hellman

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.

