In line...

________________________________

From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Thu 2/3/2005 10:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 and OWA once again

http://www.ISAserver.org

For starters the major differences in the Microsoft way are:

1) they don't use 128-bit encryption on the /exchange /public /exchweb

TOM: doesn't matter, unless you are using unsecure connections and that is a business req, which is not recommended.

2) they don't enable "the requests appear to come from the original client" in the OWA publish rule

TOM: That was to show a feature that many companies like a lot. My doc does NOT state that this is a requirement. You had to read, not just click on things and make them look like the screen shots.

3) they don't create a publishing web enrollment rule (still don't see the point of having this)

TOM: Read that section again. It's to provide access to the Web enrollment site for hosts that cannot be placed on the corpnet and still require a CA certificate.

4) they enable anonymous access on the /exchweb and turned off all other authentication

TOM: Not required in the scenario discussed in the doc. Maybe required in some scenarios.

5) they enable caching

TOM: Definitely NOT required.

You know Tom I published OWA on ISA 2004 word for word in your chapter 10, I even printed out all 52 pages of chapter 10 out and put in my three ring binder so I could follow it more closely. After I was done it would not work on my LAN nor would it work properly on my WAN until Tim Jordan in Exchangelist replicated the first problem, here is his message to me:

TOM: The key is to read the context. Your deployment strays very far from the deployment I outline. So, there are many unusual requirements you have, so you have to understand what you're doing somewhat, instead of following screenshots.

---snip---

Andrew, I think I've duplicated your problem.
I'm now getting a 404 error when connecting to my OWA server. I went through over my settings for Authentication of Exchweb, Exchange, and Exadmin. I have plain text selected on Exchange and Exadmin with no Anonymous users access. Then I noticed it was different for Exchweb so I disabled the Anonymous user access and I started getting the 404 error.

TOM: Should make no difference, but might be a side effect of the scenario configuration.

So try enabling anonymous access on Exchweb and then let me know and I'll test again.

Tim

---snip---

As soon as I enabled the anonymous access on /exchweb I was able to successfully connect to OWA SSL via the LAN, however on the WAN side it would only let me go as far as the OWA login screen, which before I couldn't get it was only letting get to it after I enabled the anonymous access.

TOM: OK

So finally when I came across the Microsoft GUIDE on HOW-TO do it, I nuked all your rules out of ISA, applied, even restarted ISA so there was nothing of Tom's stuff in my box! (hehe) When I followed Microsoft's rules word for word everything worked, to my amazement during the configuration of my Exchange site the MS rules also pointed out that /exchweb should have been anonymous access enabled.

TOM: They are not "my rules". They enable functionality required IN THE SCENARIO. Since the MS doc doesn't cover a specific scenario, it's hard to say why it worked in your setup. Good that it worked though. The problem is that you probably misconfigured something and then turned correlation into causation.

I think you should really sit down and test your notes again. This time do it where Exchange is not installed on a DC, but installed on a Standalone server, with a separate DC and Certs machine. You can argue all you want on this but I am sure as your guides point out that installing everything on one box also plays a role in this mess. I set my machines up the Microsoft way.
Small Business Server doesn't count though I can't see why there shouldn't be an SBS how-to publish OWA SSL over ISA 2004. :-)

TOM: I receive about 50 emails a week from people who say *thanks* it worked great. You haven't defined what broke your config, so I have no idea what to fix.

I have a way for doing it with EVS so if you want my advice great, if not leave me alone and let me offer other suggestions to people who may find that doing it your way isn't the correct way for them and their companies. I will not bash you when I make my suggestions, but merely offer it as another avenue for them to explore.

Andrew

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, February 03, 2005 11:25 AM
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] RE: ISA 2004 and OWA once again

Hi Andrew,

So, what do you recommend that is different than the guidance I've provided? What is your interpretation of the MS way? How does Mat's current implementation deviate from the MS way?

Thanks!
Tom