Re: OWA problem

  • From: "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 14 Sep 2003 11:20:23 +0200

Ok, I'm lost. Can't get it to work. Now that I corrected the destination
set, I don't get the certificate box anymore, and the page stops loading
with an incomplete source: 

====
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML dir=ltr><HEAD><TITLE>Seite kann nicht angezeigt werden.</TITLE>
<STYLE>A:link {
        FONT: 8pt/11pt verdana; COLOR: #ff0000
}
A:visited {
        FONT: 8pt/11pt verdana; COLOR: #4e4e4e
}
</STYLE>

<META content=NOINDEX name=ROBOTS>
<META http-equiv=Content-Type content="text-html; charset=Windows-1252">
<SCRIPT> 
function Homepage(){
<!--
// in real bits, urls get returned to our script like this:
// res://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.htm 

        //For testing use DocURL =
"res://shdocvw.dll/http_404.htm#https://www.microsoft.com/bar.htm";
        DocURL=document.URL;
        
        //this is where the http or https will be, as found by searching
for :// but skipping the res://
        protocolIndex=DocURL.indexOf("://",4);
        
        //this finds the ending slash for the domain 
===

The title translates to 'page cannot be displayed'.

The destination set contains three entries, all for the external name of
the OWA box, consisting of the host name and the path, e.g. /exchange*.
The web publishing rule points to that destination set. On the action
page I specified forwarding to internal host, keep original host header
and delegation of authentication. HTTP and SSL are bridged as SSL.
Secure Channel 128 bit is selected, no certificate selected. The rest is
left at its default settings.

I'm still not sure if I need the filter for port 443 activated. Isn't it
correct that the listener opens the port?

To have it complete, here are the details for the listener:
listen on all IP addresses, SSL enabled, authenticate with certificate
(the right one selected), and standard auth only (correct domain
selected).

Regarding split DNS, I can access the OWA box internally fine, only that
I get a certificate warning box because of the hostnames mismatch.
That's not a problem right now and I'll take care of that later. I'd
really love to see the publishing rule work first.


Without wanting to jump to conclusions, I think the problem might be the
listener or the web publishing rule, and the dial-up configuration.
Currently, the script restarts the webproxy service when a change of IP
address occurred. Maybe this is not enough??

Thanks
Mark
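
Added example, not part of the original thread: a small Python triage of the web proxy log entries quoted further down, separating the CryptRetrieveObjectByUrl certificate-validation fetches from the entries that still need review. The column positions are inferred from the entries in this thread, and the sample lines are constructed from them.

```python
from collections import Counter

# Column positions inferred from the entries quoted in this thread (assumption).
FIELDS = {"user_agent": 2, "dest_host": 9, "dest_port": 11,
          "protocol": 15, "result": 21}
EXPECTED_COLUMNS = 25
CERT_FETCH_AGENT = "CryptRetrieveObjectByUrl"

# Constructed sample: the thread's entries unwrapped to one per line, plus one truncated line.
SAMPLE_LOG = """\
192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Win32), -, 9/13/2003, 16:42:45, -, SMS-CO-02, -, -, -, 0, 0, 117, 2627, -, -, GET, -, -, -, 200, -, -, -
192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:08, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 16:43:29, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 282, 1602, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 64, -, -, -
192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 16:44:17, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 536, 2330, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 995, -, -, -
192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE
"""

def parse(line):
    """Return the named columns, or None for a wrapped or truncated line."""
    cols = [c.strip() for c in line.split(",")]
    if len(cols) != EXPECTED_COLUMNS:
        return None
    return {name: cols[i] for name, i in FIELDS.items()}

def classify(entry):
    """Label an entry: certificate-validation fetch, success, or needs review."""
    if entry["user_agent"].startswith(CERT_FETCH_AGENT):
        return "cert-validation"
    code = entry["result"]
    if code.isdigit() and 200 <= int(code) < 400:
        return "ok"
    return "needs-review"

def triage(log_text):
    """Count entries per label; collect review candidates and cert-fetch hosts."""
    counts, review, cert_hosts = Counter(), [], set()
    for line in log_text.splitlines():
        entry = parse(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        kind = classify(entry)
        counts[kind] += 1
        if kind == "cert-validation":
            cert_hosts.add(entry["dest_host"])
        elif kind == "needs-review":
            review.append((entry["dest_host"], entry["dest_port"],
                           entry["protocol"], entry["result"]))
    return counts, review, cert_hosts

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The set of hosts returned for the certificate-validation fetches shows which names the certificate points clients at, here the internal server name.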



> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
> Posted At: Saturday, September 13, 2003 7:15 PM
> Posted To: www.isaserver.org
> Conversation: [isalist] Re: OWA problem
> Subject: [isalist] Re: OWA problem
> 
> 
> http://www.ISAserver.org
> 
> 
> Hi Mark,
> 
> OK, that indicates the Destination Set is incorrectly configured.
> 
> What are the EXACT details of your Web Publishing Rule? Don't 
> worry about security through obscurity, it doesn't work ;-)
> 
> HTH,
> Tom
> 
> Thomas W Shinder 
> www.isaserver.org/shinder 
> ISA Server and Beyond: http://tinyurl.com/1jq1 
> Configuring ISA Server: http://tinyurl.com/1llp 
> 
> 
> 
> -----Original Message-----
> From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx] 
> Sent: Saturday, September 13, 2003 11:57 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: OWA problem
> 
> 
> Ok, I'll check on the dns later - in the meantime I had a 
> chance to look at it from a client directly connected to the 
> internet. Same result (403 forbidden, 12202)
> 
> Thanks
> Mark
> 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> > Posted At: Saturday, September 13, 2003 5:43 PM
> > Posted To: www.isaserver.org
> > Conversation: [isalist] Re: OWA problem
> > Subject: [isalist] Re: OWA problem
> > 
> > 
> > Hi Mark,
> > 
> > Make sure that you have force basic authentication, and that
> > all machines have the correct CA cert in their Trusted Root 
> > Certificate Authorities.
> > 
> > Also, make sure you have configured the correct entry in your
> > HOSTS file to support the redirect (unless you've created a 
> > proper split DNS, but no one does that except me and Jim :-)
> > 
> > HTH,
> > Tom
> > 
> > Thomas W Shinder
> > www.isaserver.org/shinder
> > ISA Server and Beyond: http://tinyurl.com/1jq1
> > Configuring ISA Server: http://tinyurl.com/1llp
> > 
> >  
> > 
> > 
> > -----Original Message-----
> > From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
> > Sent: Saturday, September 13, 2003 10:03 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: OWA problem
> > 
> > 
> > These are the complete log entries from one attempt:
> > 
> > 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE
> > 6.0; Win32), -, 9/13/2003, 16:42:45, -, SMS-CO-02, -, -, -, 
> > 0, 0, 117, 2627, -, -, GET, -, -, -, 200, -, -, - 
> > 192.168.130.201, anonymous, 
> > CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 
> > 16:43:08, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 
> > 80, 30, 218, 0, http, -, GET, 
> > http://myinternal.exchange.hostname/CertEnroll/myinternal.exch
> > ange.hostn
> > ame_services.crt, -, Inet, 11004, -, -, -
> > 192.168.130.201, anonymous, 
> > CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 
> > 16:43:29, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 
> > 80, 30, 218, 0, http, -, GET, 
> > http://myinternal.exchange.hostname/CertEnroll/myinternal.exch
> > ange.hostn
> > ame_services.crt, -, Inet, 11004, -, -, -
> > 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 
> > 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 16:43:29, -, 
> > SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 
> > 282, 1602, SSL-tunnel, -, -, myexternal.owa.name:443, -, 
> > Inet, 64, -, -, -
> > 192.168.130.201, anonymous, 
> > CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 
> > 16:43:56, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 
> > 80, 30, 218, 0, http, -, GET, 
> > http://myinternal.exchange.hostname/CertEnroll/myinternal.exch
> > ange.hostn
> > ame_services.crt, -, Inet, 11004, -, -, -
> > 192.168.130.201, anonymous, 
> > CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 
> > 16:44:17, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 
> > 80, 30, 218, 0, http, -, GET, 
> > http://myinternal.exchange.hostname/CertEnroll/myinternal.exch
> > ange.hostn
> > ame_services.crt, -, Inet, 11004, -, -, -
> > 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 
> > 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 16:44:17, -, 
> > SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 
> > 536, 2330, SSL-tunnel, -, -, myexternal.owa.name:443, -, 
> > Inet, 995, -, -, -
> > 
> > No blocked connection from the filters, and the fws log only
> > shows my rdp connections. On my side, there are no log 
> > entries either, just the occasional ping being blocked. And, 
> > of course, 443 allowed.
> > 
> > The inbound listener is configured for all IP addresses
> > (dial-up) and to accept basic auth only. I had to configure a 
> > packet filter for inbound 443 access however to make this 
> > "work" actually. Without the filter, I'd be getting host not 
> > found errors or just a blank page. 
> > 
> > Thanks
> > Mark
> > 
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > Posted At: Saturday, September 13, 2003 4:33 PM
> > > Posted To: www.isaserver.org
> > > Conversation: [isalist] Re: OWA problem
> > > Subject: [isalist] Re: OWA problem
> > > 
> > > 
> > > Those URLs are the Windows certificate validation mechanism 
> > > attempting to obtain the CRL. It's probably not important to your 
> > > OWA problem.
> > > 
> > > What other failed connections do you find in the logs?
> > > 
> > >   Jim Harrison
> > >   MCP(NT4, W2K), A+, Network+, PCG
> > >   http://isaserver.org/Jim_Harrison/
> > >   http://isatools.org
> > >   Read the help / books / articles!
> > > 
> > > 
> > > On Sat, 13 Sep 2003 01:14:45 +0200
> > >  "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx> wrote: 
> > > 
> > > Hi guys,
> > > 
> > > I have now set up OWA via SSL for the first time. Thanks for the 
> > > great article, Tom!
> > > 
> > > A problem remains with it which I am not able to locate right
> > > now: when I try to connect to the OWA site from the outside,
> > > I'm presented with the certificate, but as soon as I accept 
> > > the connection, I get a 403 error. 
> > > 
> > > As I can only test from behind another ISA server, I had a look at 
> > > the logs there and found out that the remote browser issues a GET 
> > > for the web enrollment services with the internal name of my OWA 
> > > server, which is of course bound to fail:
> > > 
> > > 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE
> > > 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 01:01:49, -,
> > > SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 
> > > 400, 2330, SSL-tunnel, -, -, myexternal.owa.name:443, -, 
> > > Inet, 995, -, -, -
> > > 192.168.130.201, anonymous, Mozilla/4.0 
> > > (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 
> > > 9/13/2003, 01:01:54, -, SMS-CO-02, -, myexternal.owa.name, 
> > > xxx.xxx.xxx.xxx, 443, 0, 375, 2330, SSL-tunnel, -, -, 
> > > myexternal.owa.name:443, -, Inet, 995, -, -, - 
> > > 192.168.130.201, anonymous, 
> > > CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 
> > > 01:03:01, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 
> > > 80, 30, 218, 0, http, -, GET, 
> > > http://myinternal.exchange.hostname/CertEnroll/myinternal.exch
> > > ange.hostn
> > > ame_services.crt, -, Inet, 11004, -, -, -
> > > 192.168.130.201, anonymous, 
> > > CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 
> > > 01:03:22, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 
> > > 80, 20, 218, 0, http, -, GET, 
> > > http://myinternal.exchange.hostname/CertEnroll/myinternal.exch
> > > ange.hostn
> > > ame_services.crt, -, Inet, 11004, -, -, -
> > > 
> > > Any ideas on this?
> > > 
> > > Thanks,
> > > Mark
> > > 
> > > 
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: 
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: 
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Other Internet Software Marketing Sites:
> > > Leading Network Software Directory: 
> http://www.serverfiles.com No.1 
> > > Exchange > Server Resource
> > > Site: http://www.msexchange.org Windows Security Resource
> > > Site: http://www.windowsecurity.com/ Network Security 
> > > Library: http://www.secinf.net/ Windows 2000/NT Fax 
> > > Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion 
> > > List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email 
> > > to $subst('Email.Unsub')
> > > 
> > > ^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*
> > > 
> > > All mail from this domain is virus-scanned with RAV.
> > www.ravantivirus.com
> > 
> > ^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*
> > 
> > 