OWA SSL Bridge?!?

  • From: Michael <freakywinston@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Fri, 25 Mar 2005 16:20:43 -0800 (PST)

Hey all,
 
I emailed a few weeks ago with a pretty crazy scenario (multiple listeners, FBA 
and Basic Authent., etc., etc.) and as I kept adding more policies/configs I 
started to dig a hole and was only going deeper and deeper. I thought I should 
go back to basics! Re-work a simple ISA setup... I tried, as you all have, to 
use intuition, this list, ISAServ.Org, and hands-on experience, and at times to 
perhaps Wing It, but again, the digging a hole thing! Now this is a long mail, 
I apologize, and I have read the manuals, as well as MANY printed ISAServer.Org 
articles. I am so frustrated due to the thought I am missing, perhaps, a 
simple "thing"...
 
So here's the deal, I am in a test environment consisting of a Back End 
Exchange Box and a Front End Exchange box (both W2K3); another W2K3 Box is the 
ISA 2004. Within ISA - 2 NICs (for simplicity - one NIC named LAN on the "10s" 
network and the other named Internet on the "192" network). I have configured 
an Enterprise CA on another W2K3 Box. Since all of these machines are in the 
same A.D. Domain the Root Cert has been confirmed to reside in all machines' 
Trusted Root Authorities. I have requested a Certificate for the OWA Website 
(Named - Mail.Widgets.Net) and configured Basic Authentication successfully... 
To confirm this, I can sit on a LAN-based XP Laptop and resolve to OWA 
(configured as Basic Authent. with required SSL) HTTPS://mail.Widgets.Net (The 
Split DNS solution and the redirected Default.Htm on the LAN/OWA web site are 
functioning; again I can connect, no ISA involved at this point). I then 
exported the Cert with Private key in tow from OWA and Imported it into the ISA 
store, again "no errors". Now, I have issued the Certificates, imported the 
certificates, created the Firewall Policy and Web listener by using Tom's 
"Configuring ISA Server 2004" book - literally reading word for word setting 
the lab up (Chapters 6, 7, 8), trying to make sure I am not a moron, and ignoring 
any experience I may have (yes, debatable). I also used Tom's four-part series 
"Publishing OWA sites Using ISA 2004" from ISA.Org, as well as a couple of Microsoft 
papers at the same time to compare "notes". Again, I'm missing SOMETHING!?! So 
FINALLY here's the question:
 
I am confirming a successful SSL session from the XP Laptop when it's moved to an 
INTERNET-based client (for example, Netstat on both ISA and the external Client 
looks good - point is I am NOT getting the dreaded 500/Certificate Naming errors). 
What I am getting, after trying to authenticate using the authentication dialog 
prompt: "401 unauthorized error - server requires authorization to fulfill the 
request. Access to the Web server is denied." This error is when I have, in the 
properties of the OWA Listener, Basic Authentication set AND the Require All 
Users to Authenticate box "Clicked". Now when I go into the properties of my 
Published Mail/Firewall Policy (NOT the listener) and simply Click/Enable 
Forward Basic Authentication credentials (Basic Delegation), leaving the listener 
properties in the same config mentioned above, I receive the same 401 error. 
 
Finally, the last "scenario": if I disable the Require all Users to 
Authenticate (properties of the listener), and leave enabled the Forward/Basic 
Delegation on the Firewall Policy, I receive the following: "Error Code: 403 
Forbidden. The server denied the specified Uniform Resource Locator (URL)". 
Again, I have spent many hours reading/researching what each "Click, Option, 
and/or setting does". Tom's Config ISA 2004 book IS GREAT, but I obviously am 
misunderstanding something... A simple check box? Perhaps it is the named 
certificate, or the Paths Tab on the Policy... I really DID check and triple 
check this... I literally am going bonkers with this, and can't walk away... 
Thank goodness for Ghost and test images!!! 
 
Anyway, if any of you can, or are willing - any thoughts? I know that this is 
"consulting" and at times the long questions like this one are hell...  but I 
really am starting to see double! 
 
Thanks all,
 
Mike  
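The mail above describes three distinct failure stages on an ISA SSL-bridged OWA publishing path: the TLS handshake against the listener certificate, the listener's authentication challenge (401), and the publishing rule's URL check (403). The following Python probe is an added diagnostic example, not code from the original post or from ISA Server; it separates those stages from the outside so you can tell which setting to look at. The host name mail.widgets.net and the realm value are taken from the mail; the OWA path `/exchange/` and the credential placeholders are assumptions.

```python
"""Probe a published OWA site through an ISA SSL bridge and classify where
the request is stopped: at TLS, at the web listener, or at the publishing
rule. Added diagnostic example (not from the original mailing-list post).
"""
import base64
import http.client
import ssl
from typing import List, Optional, Tuple


def parse_www_authenticate(header: Optional[str]) -> List[str]:
    """Return the authentication schemes offered in WWW-Authenticate, lower-cased.

    http.client joins repeated headers with ", ", so a listener offering
    Integrated and Basic yields e.g. 'Negotiate, NTLM, Basic realm="..."'.
    Tokens that look like parameters (contain '=' or a quote) are skipped so a
    comma inside a quoted realm does not produce a bogus scheme.
    """
    if not header:
        return []
    schemes = []
    for part in header.split(","):
        token = part.strip().split(" ", 1)[0]
        if token and "=" not in token and '"' not in token:
            schemes.append(token.lower())
    return schemes


def interpret(status: int, schemes: List[str], sent_credentials: bool) -> str:
    """Map an HTTP result to the stage of the publishing path that stopped it."""
    if status == 401 and not sent_credentials:
        # The listener challenged us; 'schemes' tells you what it is configured for.
        return "listener-challenge"
    if status == 401 and "basic" not in schemes:
        # We sent Basic but the listener never offered it: listener auth method mismatch.
        return "listener-no-basic"
    if status == 401:
        # Basic was offered and sent, yet rejected: listener or delegated IIS auth failed.
        return "credentials-rejected"
    if status == 403:
        # Authentication was passed (or not required) but the URL did not match the
        # publishing rule: check the Paths tab and the public name on the rule.
        return "rule-denied"
    if status in (200, 302):
        return "reached"
    return "other"


def probe_owa(host: str, path: str = "/exchange/",
              credentials: Optional[Tuple[str, str]] = None,
              timeout: float = 10.0) -> Tuple[Optional[int], str]:
    """Issue one HTTPS GET to the listener and return (status, stage).

    A default SSL context verifies the chain and the host name, so the
    "certificate naming" class of error surfaces here as stage 'tls'.
    """
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    headers = {"Host": host}
    if credentials:
        raw = f"{credentials[0]}:{credentials[1]}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        schemes = parse_www_authenticate(resp.getheader("WWW-Authenticate"))
        return resp.status, interpret(resp.status, schemes, credentials is not None)
    except ssl.SSLError as exc:
        return None, f"tls: {exc}"
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder host/credentials from the lab described in the mail (assumed).
    print(probe_owa("mail.widgets.net"))
    print(probe_owa("mail.widgets.net", credentials=("WIDGETS\\user", "password")))
```

Run it once without credentials to see which schemes the listener actually offers, then once with Basic credentials: a `listener-no-basic` result points at the listener's authentication method, `rule-denied` at the rule's Paths tab or public name rather than at authentication.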