Hey all,

I emailed a few weeks ago with a pretty crazy scenario (multiple listeners, FBA and Basic Authent etc, etc.) and as I kept adding more policies/configs - I started to dig a hole and was only going deeper and deeper. I thought I should go back to basics! Re-work a simple ISA setup... I tried, as you all have, to use intuition, this list, ISAServ.Org, and hands-on experience, and at times to perhaps Wing It, but again, the digging a hole thing! Now this is a long mail, I apologize, and have read the manuals, as well, MANY printed ISAServer.Org articles - I am so frustrated due to the thought I am missing, perhaps, a simple "thing"...

So here's the deal, I am in a test environment consisting of a Back End Exchange Box and a Front End Exchange box (both W2K3), another W2K3 Box is the ISA 2004. Within ISA - 2 NICs (for simplicity - one NIC named LAN on the "10s" network and the other named Internet on the "192" network). I have configured an Enterprise CA on another W2K3 Box. Since all of these machines are in the same A.D. Domain the Root Cert has been confirmed to reside in all machines' Trusted Root Authorities. I have requested a Certificate for the OWA Website (Named - Mail.Widgets.Net) and configured Basic Authentication successfully... To confirm this, I can sit on a LAN based XP Laptop and resolve to OWA (configured as Basic Authent. with required SSL) HTTPS://mail.Widgets.Net (The Split DNS solution and the redirected Default.Htm on the LAN/OWA web site is functioning, again I can connect, no ISA involved at this point). I then exported the Cert with Private key in tow from OWA and Imported into the ISA store, again "no errors".

Now, I have issued the Certificates, imported the certificates, created Firewall Policy and Web listener by using Tom's "Configuring ISA Server 2004" book - literally reading word for word setting the lab up (Chapters 6,7,8) trying to make sure I am not a moron, and ignoring any experience I may have - yes debatable - also used Tom's four part series "Publishing OWA sites Using ISA 2004" from ISA.Org, as well as a couple Microsoft papers at the same time to compare "notes" again, I'm missing SOMETHING!?!

So FINALLY here's the question: I am confirming a successful SSL session from the XP Laptop when it's moved to an INTERNET based client (for example, Netstat on both ISA and external Client good - Point is I am NOT getting the dreaded 500/Certificate Naming errors). What I am getting - after trying to authenticate using the authentication dialog prompt:

"401unauthorized error - server requires authorization to fulfill the request. Access to the Web server is denied."

This error is when I have in the properties of the OWA Listener set to Basic Authentication AND the Require All Users to Authenticate "Clicked". Now when I go into the properties of my Published Mail/Firewall Policy (NOT the listener) and simply Click/Enable Forward Basic Authentication credentials (Basic Delegation) leaving the listener properties in the same config mentioned above, I receive the same 401 error. Finally, the last "scenario": if I disable the Require all Users to Authenticate (properties of the listener), and leave enabled the Forward/Basic Delegation on the Firewall Policy I receive the following:

"Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL)".

Again, I have spent many hours reading/researching what each "Click, Option, and/or setting does". Tom's Config ISA 2004 book IS GREAT, but I obviously am misunderstanding something... A simple check box? Perhaps it is the named certificate, or the Paths Tab on the Policy... I really DID check and triple check this... I literally am going bonkers with this, and can't walk away... Thank goodness for Ghost and test images!!!

Anyway, if any of you can, or are willing - any thoughts? I know that this is "consulting" and at times the long questions like this one are hell... but I really am starting to see double!

Thanks all,
Mike