RE: OWA, SSL, and ISA

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 6 Aug 2003 13:18:02 -0500

Hi Matt,

I agree, it does look like a Q307347 issue. Is your Exchange server
fully service packed?

Double check the AddFrontEndHttpsHeader entry in the Registry and make
sure it's there. I don't think you need to restart the server, but it's
worth a shot :-)

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Bailey, Matthew [mailto:MBailey@xxxxxxxxxxx] 
Sent: Wednesday, August 06, 2003 1:09 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OWA, SSL, and ISA


http://www.ISAserver.org


Killing one problem at a time.

I changed the bridging tab on the Web Publishing Rule to redirect SSL to
HTTP.  I can now reach https://URL but I get the "This page contains
both secure and nonsecure items" pop-up.  I would like to get rid of
this.  It seems that this falls under Q307347 but we have Feature Pack 1
installed.

Any ideas?

- Matt

Matthew Bailey
LAN Engineer
CSK Auto, Inc.
Voice: 602.631.7486
Fax: 602.294.7486



-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, August 06, 2003 10:48 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OWA, SSL, and ISA




Hi Matt,

Read through:

http://isaserver.org/tutorials/error505.html

And we'll take it from there.

Tom
Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Bailey, Matthew [mailto:MBailey@xxxxxxxxxxx] 
Sent: Wednesday, August 06, 2003 12:35 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OWA, SSL, and ISA




Not enough coffee yet this morning. Here is the error message from IE:

500 Internal Server Error - The target principal name is incorrect.
(-2146893022)
Internet Security and Acceleration Server

- Matt

Matthew Bailey
LAN Engineer
CSK Auto, Inc.
Voice: 602.631.7486
Fax: 602.294.7486



-----Original Message-----
From: Bailey, Matthew 
Sent: Wednesday, August 06, 2003 10:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OWA, SSL, and ISA




One other thing I meant to mention, this is Exchange 2000 OWA not Exchange
2003 OWA.  I don't think it will matter for this but just in case....

- Matt

Matthew Bailey
LAN Engineer
CSK Auto, Inc.
Voice: 602.631.7486
Fax: 602.294.7486



-----Original Message-----
From: Bailey, Matthew 
Sent: Wednesday, August 06, 2003 10:22 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OWA, SSL, and ISA




I did find them helpful but I have run into a problem.  I configured
everything similar as your walk-through with one exception: on the Web
Publish Rule I didn't check "require secure channel (SSL) for published
site" or "require 128-bit encryption".  We want to give users warning
that we are switching to https vs http and give them time to update
their bookmarks before we force them to https.  

Here is my problem.  I can't reach the https URL.  I can reach the OWA
server directly from inside ISA via SSL and the http URL is still
working (inside and out).  Aside from the restart of the web proxy
service while configuring the Incoming Web Requests, is there a need to
restart the services at the end of the process?

Where else could I have gone wrong?

Thanks,

- Matt

Matthew Bailey
LAN Engineer
CSK Auto, Inc.
Voice: 602.631.7486
Fax: 602.294.7486



-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, August 05, 2003 4:03 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OWA, SSL, and ISA




Hi Matt,

No problem! :-)  If you find the articles helpful, let us know. If
there's something missing, let me know and I'll fix them up.

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Bailey, Matthew [mailto:MBailey@xxxxxxxxxxx] 
Sent: Tuesday, August 05, 2003 5:17 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OWA, SSL, and ISA




I thought to check the isaserver.org site after posting my question
*doh*.  I haven't had time to read the "lackluster" series of articles
but I will.  It appears that is the best way for me to proceed at this
point.

Thanks,

- Matt

Matthew Bailey
LAN Engineer
CSK Auto, Inc.
Voice: 602.631.7486
Fax: 602.294.7486



-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, August 05, 2003 3:07 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OWA, SSL, and ISA




Hi Matt,

The problem with Server Publishing is you lose a LOT of security. You
can use the RRAS port forwarding mechanism and get the same level of
functionality. 

Notice I say level of functionality, since Server Publishing won't add
any ISA Server firewall based security at all. If you want to get your
money's worth, you'll use Web Publishing and SSL to SSL bridging, as
described in some lackluster series of articles someone wrote on
Publishing OWA recently ;-)

The KB 307347 is a non issue. Just install Feature Pack 1, or create the
Registry entry. And if you do SSL to SSL bridging (like you should) it's
not an issue at all, because SSL to SSL bridging solves the problem
completely without requiring the registry fix.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Bailey, Matthew [mailto:MBailey@xxxxxxxxxxx] 
Sent: Tuesday, August 05, 2003 4:16 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] OWA, SSL, and ISA




I have my OWA server published through ISA using KB Article 290113.  We
are now adding a SSL Cert to the server and want to publish it through
ISA.  It appears there are 2 methods for doing it:

1. Export the SSL Cert to ISA
2. Use a server publishing to publish the SSL website

It appears that Option 1 has a few issues with it, namely KB 307347
and increased overhead.  I am leaning towards using a server publishing
rule to do this but I have a concern.  

I want to continue to use http while I test the https connections and it
will take some time for all my users to convert over to using https. How
will setting up the server publish described in KB 298900 affect the
current web publishing of the same site on port 80?  Can they live in
harmony?

Links for the articles mentioned above:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;298900
http://support.microsoft.com/default.aspx?scid=kb;en-us;307347

Thanks,

- Matt

Matthew Bailey
LAN Engineer
CSK Auto, Inc.
Voice: 602.631.7486
Fax: 602.294.7486



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')
