Btw, the FQDN I used is not contained in my internal domain, so it
should always resolve to an external IP.

> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> Posted At: Saturday, September 13, 2003 5:43 PM
> Posted To: www.isaserver.org
> Conversation: [isalist] Re: OWA problem
> Subject: [isalist] Re: OWA problem
>
> http://www.ISAserver.org
>
> Hi Mark,
>
> Make sure that you have force basic authentication, and that
> all machines have the correct CA cert in their Trusted Root
> Certificate Authorities.
>
> Also, make sure you have configured the correct entry in your
> HOSTS file to support the redirect (unless you've created a
> proper split DNS, but no one does that except me and Jim :-)
>
> HTH,
> Tom
>
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
>
> -----Original Message-----
> From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
> Sent: Saturday, September 13, 2003 10:03 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: OWA problem
>
> These are the complete log entries from one attempt:
>
> 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Win32), -, 9/13/2003, 16:42:45, -, SMS-CO-02, -, -, -, 0, 0, 117, 2627, -, -, GET, -, -, -, 200, -, -, -
> 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:08, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:29, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 16:43:29, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 282, 1602, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 64, -, -, -
> 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:56, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:44:17, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 16:44:17, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 536, 2330, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 995, -, -, -
>
> No blocked connection from the filters, and the fws log only
> shows my rdp connections. On my side, there are no log
> entries either, just the occasional ping being blocked. And,
> of course, 443 allowed.
>
> The inbound listener is configured for all IP addresses
> (dial-up) and to accept basic auth only. I had to configure a
> packet filter for inbound 443 access however to make this
> "work" actually. Without the filter, I'd be getting host not
> found errors or just a blank page.
>
> Thanks
> Mark
>
> > -----Original Message-----
> > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > Posted At: Saturday, September 13, 2003 4:33 PM
> > Posted To: www.isaserver.org
> > Conversation: [isalist] Re: OWA problem
> > Subject: [isalist] Re: OWA problem
> >
> > Those URLs are the Windows certificate validation mechanism
> > attempting to obtain the CRL. It's probably not important to
> > your OWA problem.
> >
> > What other failed connections do you find in the logs?
> >
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> >
> > On Sat, 13 Sep 2003 01:14:45 +0200
> > "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx> wrote:
> >
> > Hi guys,
> >
> > I have now set up OWA via SSL for the first time. Thanks for
> > the great article, Tom!
> >
> > A problem remains with it which I am not able to locate right
> > now: when I try to connect to the OWA site from the outside,
> > I'm presented with the certificate, but as soon as I accept
> > the connection, I get a 403 error.
> >
> > As I can only test from behind another ISA server, I had a
> > look at the logs there and found out that the remote browser
> > issues a GET for the web enrollment services with the
> > internal name of my OWA server, which is of course bound to fail:
> >
> > 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 01:01:49, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 400, 2330, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 995, -, -, -
> > 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 01:01:54, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 375, 2330, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 995, -, -, -
> > 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 01:03:01, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> > 192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 01:03:22, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 20, 218, 0, http, -, GET, http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt, -, Inet, 11004, -, -, -
> >
> > Any ideas on this?
> >
> > Thanks,
> > Mark
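
Added example, not part of the original thread and not written by any of its posters: Python that picks the certificate-retrieval requests Jim describes out of proxy log entries like the ones Mark posted and counts the failed ones per URL and result code. The column names in FIELDS are an assumption inferred from the 25-column layout of the quoted entries, and the sample input is rebuilt from those entries with the mail line-wraps rejoined.

```python
from collections import Counter

# Column names are an assumption inferred from the 25-column entries in the thread.
FIELDS = ("c_ip user agent authenticated date time service computer referrer "
          "r_host r_ip r_port time_taken cs_bytes sc_bytes protocol transport "
          "operation uri mime source status cache rule1 rule2").split()

# Win32/Winsock names of the non-HTTP result codes that appear in the thread.
RESULT_CODES = {"64": "ERROR_NETNAME_DELETED", "995": "ERROR_OPERATION_ABORTED",
                "11004": "WSANO_DATA"}

CRT = "http://myinternal.exchange.hostname/CertEnroll/myinternal.exchange.hostname_services.crt"
# Sample input: entries from the thread with the mail line-wraps rejoined.
SAMPLE_LOG = f"""\
192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Win32), -, 9/13/2003, 16:42:45, -, SMS-CO-02, -, -, -, 0, 0, 117, 2627, -, -, GET, -, -, -, 200, -, -, -
192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:08, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, {CRT}, -, Inet, 11004, -, -, -
192.168.130.201, anonymous, CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003, 16:43:29, -, SMS-CO-02, -, myinternal.exchange.hostname, -, 80, 30, 218, 0, http, -, GET, {CRT}, -, Inet, 11004, -, -, -
192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 16:43:29, -, SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0, 282, 1602, SSL-tunnel, -, -, myexternal.owa.name:443, -, Inet, 64, -, -, -
"""

def parse_line(line):
    """Return a dict for one well-formed entry, or None for anything else."""
    parts = [p.strip() for p in line.split(",")]
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def is_failure(status):
    """HTTP 2xx/3xx succeeded; HTTP 4xx/5xx or a Win32/Winsock code did not."""
    return not (len(status) == 3 and status.isdigit() and status[0] in "23")

def failed_cert_fetches(log_text):
    """Count failed CryptoAPI object retrievals per (host, URL, result code)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["agent"].startswith("CryptRetrieveObjectByUrl") \
                and is_failure(rec["status"]):
            hits[(rec["r_host"], rec["uri"], rec["status"])] += 1
    return hits

def report(log_text):
    """One line per failing URL, most frequent first."""
    return [f"{n}x {host} {uri} -> {code} {RESULT_CODES.get(code, 'unknown')}"
            for (host, uri, code), n in failed_cert_fetches(log_text).most_common()]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```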