Re: ISA Server 2004 / Publish RPC over HTTPS
- From: "Jim Harrison" <jim@xxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Fri, 17 Sep 2004 14:05:57 -0700
Why are you playing in the hosts file when Windows is perfectly capable of
making DNS queries?
How is ISA authenticating the RPC/HTTP to the AD with a NetScream in between
them?
Without knowing the details of your publishing rules, it's impossible to say
why ISA is refusing the request.
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
----- Original Message -----
From: "Mustafa Cicek" <mbcicek@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, September 16, 2004 14:06
Subject: [isalist] ISA Server 2004 / Publish RPC over HTTPS
http://www.ISAserver.org
Hi all!
I have a big problem with RPC over HTTPS.
I want to say first off all that I have checked all certificate
configuration. There is no problem with certificates.
I have the following network for my test lab:
INTERNET <> NETSCREEEN FIREWALL 1 <> ISA Server 2004 <> NETSCREEN
FIREWALL 2 <>
INTERNAL NETWORK with Exchange front-end + Exchange back-end and Global
Catalog server.
My steps were:
1) I installed exchange front-end as RPC-proxy
2) All mailboxes and public folders are on exchange back-end
3) I installed an own Certificate Authority on Global Catalog server
(also
Domain Controller). It is Enterpreise Root Certificate Authority.
4) I created a certificate for the web site on front-end becauese of
OWA
and RPC over HTTPS. The common name on certificate is
owa.intra.exchtest.net.
5) I copied the same certificate to ISA server and exported also
private
key.
6) On ISA server I created publishing for OWA and RPC over HTTPS.
7) I installed CA certificate and and owa.intra.exchtest.net
certificate
on the client computers which will access Exchange services.
8) The clients are located in Internet, not in LAN!
9) I have also internal clients in lab.
10) I configured front-end (not back-end) for RPC over HTTPS and also
for
OWA.
11) NETSCREEN FIREWALL 2 has NAT for Exchange front-end. Exchange
front-end has the NAT IP address: 213.183.4.116.
12) I configured the HOSTS file on the ISA server that makes mapping on
the NAT IP address of front-end:
213.183.4.116 owa.intra.exchtest.net
13) The external DNS has the name record owa.intra.exchtest.net that
points the external IP address of ISA server: 213.183.4.125.
Tests:
I have tested until now only two client access: Outlook Web Access
(OWA)
and RPC over HTTPS.
1) I tried on external and internal clients OWA to connect Exchange:
THey
are SUCCESSFULL. No certificate Warning, nor error!
2) I tried on internal clients RPC over HTTPS to connect Exchange: It
is
SUCCESSFULL.
3) I tried on external clients RPC over HTTPS to connect Exchange: It
is
NOT successfull.
My configuration for RPC over HTTPS on client:
1) On client computer I typed as Exchange Server
owa.intra.exchtest.net.
2) On client computer, in proxy field I have typed also
owa.intra.exchtest.net. Also under msstd I have written
owa.intra.exchtest.net.
Protocols:
If I try on external client computer RPC over HTTPS to connect
Exchange, I
cannot connect to Exchange server. I have listed below the ISA server
protocol for this connection:
https..Initiated Connection.. (Here is standard rule applied!!! Why? I
have Publishing for RPC over HTTPS)
https..Denied ((Here is standard rule applied!!! Why? I have Publishing
for RPC over HTTPS)
Connection..RPC_OUT_DATA..http://owa.intra.exchtest.net:443/rpc/rpcproxy.dll?owa.intra.exchtest.net:[593
or 6001-6004 depending on attempt]
https..Deneid (Here is standard rule applied!!! Why? I have Publishing
for
RPC over HTTPS)
Attempt..RPC_IN_DATA..http://owa.intra.exchtest.net:443/rpc/rpcproxy.dll?owa.intra.exchtest.net:[593
or 6001-6004 depending on attempt]
It is perhaps interesting to know:
EXCHBE: Exchange back-end.
W3KDC: Global Catalog/Domain Controller.
On Exchange front-end I looked at the ValidPorts in registry:
exchbe.intra.exchtest.net:6001-6002;EXCHBE:6004;exchbe.intra.exchtest.net:6004;
Then I added the following ports to ValidPorts, but I don't know if I
need
them really?!:
EXCHBE:593;exchbe.intra.exchtest.net:593;W3KDC:6004;w3kdc.intra.exchtest.net:6004;W3KDC:593;w3kdc.intra.exchtest.net:593;
If I stop and start the the Exchange services on front-end, the
modified
ports (ValidPorts) are overwritten with the default ValidPorts above.
Now , here are the questions for experts:
1) Why doesn't apply ISA the Publishing rule? Why does standard rule
deny
the connection?
2) Is the name of server where is typed on the field of Exchange Server
(on client computer) correct? Must this name be back-end or frond-end
server?
3) Why are modified ValidPorts overwritten? Do I need ports 593 under
ValidPorts?
4) Is my entry in the HOSTS file on ISA correct?
I hope the problem is clear for you.
I HOPE also soulution tipps!!!!
Best Regards
Mustafa
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
