Re: OWA problem
- From: "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Sun, 14 Sep 2003 11:26:02 +0200
Btw, the FQDN I used is not contained in my internal domain, so it
should always resolve to an external ip.
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> Posted At: Saturday, September 13, 2003 5:43 PM
> Posted To: www.isaserver.org
> Conversation: [isalist] Re: OWA problem
> Subject: [isalist] Re: OWA problem
>
>
> http://www.ISAserver.org
>
>
> Hi Mark,
>
> Make sure that you have force basic authentication, and that
> all machines have the correct CA cert in their Trusted Root
> Certificate Authorities.
>
> Also, make sure you have configured the correct entry in your
> HOSTS file to support the redirect (unless you've created a
> proper split DNS, but no one does that expect me and Jim :-)
>
> HTH,
> Tom
>
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
>
>
>
>
> -----Original Message-----
> From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
> Sent: Saturday, September 13, 2003 10:03 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: OWA problem
>
>
> http://www.ISAserver.org
>
>
> These are the complete log entries from one attempt:
>
> 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE
> 6.0; Win32), -, 9/13/2003, 16:42:45, -, SMS-CO-02, -, -, -,
> 0, 0, 117, 2627, -, -, GET, -, -, -, 200, -, -, -
> 192.168.130.201, anonymous,
> CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003,
> 16:43:08, -, SMS-CO-02, -, myinternal.exchange.hostname, -,
> 80, 30, 218, 0, http, -, GET,
> http://myinternal.exchange.hostname/CertEnroll/myinternal.exch
> ange.hostn
> ame_services.crt, -, Inet, 11004, -, -, -
> 192.168.130.201, anonymous,
> CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003,
> 16:43:29, -, SMS-CO-02, -, myinternal.exchange.hostname, -,
> 80, 30, 218, 0, http, -, GET,
> http://myinternal.exchange.hostname/CertEnroll/myinternal.exch
> ange.hostn
> ame_services.crt, -, Inet, 11004, -, -, -
> 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE
> 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 16:43:29, -,
> SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0,
> 282, 1602, SSL-tunnel, -, -, myexternal.owa.name:443, -,
> Inet, 64, -, -, - 192.168.130.201, anonymous,
> CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003,
> 16:43:56, -, SMS-CO-02, -, myinternal.exchange.hostname, -,
> 80, 30, 218, 0, http, -, GET,
> http://myinternal.exchange.hostname/CertEnroll/myinternal.exch
> ange.hostn
> ame_services.crt, -, Inet, 11004, -, -, -
> 192.168.130.201, anonymous,
> CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003,
> 16:44:17, -, SMS-CO-02, -, myinternal.exchange.hostname, -,
> 80, 30, 218, 0, http, -, GET,
> http://myinternal.exchange.hostname/CertEnroll/myinternal.exch
> ange.hostn
> ame_services.crt, -, Inet, 11004, -, -, -
> 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE
> 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 16:44:17, -,
> SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0,
> 536, 2330, SSL-tunnel, -, -, myexternal.owa.name:443, -,
> Inet, 995, -, -, -
>
> No blocked connection from the filters, and the fws log only
> shows my rdp connections. On my side, there are no log
> entries either, just the occasional ping being blocked. And,
> of course, 443 allowed.
>
> The inbound listener is configured for all IP addresses
> (dial-up) and to accept basic auth only. I had to configure a
> packet filter for inbound 443 access however to make this
> "work" actually. Without the filter, I'd be getting host not
> found errors or just a blank page.
>
> Thanks
> Mark
>
> > -----Original Message-----
> > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > Posted At: Saturday, September 13, 2003 4:33 PM
> > Posted To: www.isaserver.org
> > Conversation: [isalist] Re: OWA problem
> > Subject: [isalist] Re: OWA problem
> >
> >
> > http://www.ISAserver.org
> >
> >
> > Those URLs are the Windows certificate validation mechanism
> > attempting to obtain the CRL. It's probably not important to
> > your OWA problem.
> >
> > What other failed connections do you find in the logs?
> >
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> >
> >
> > On Sat, 13 Sep 2003 01:14:45 +0200
> > "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx> wrote:
> > http://www.ISAserver.org
> >
> >
> > Hi guys,
> >
> > I have now set up OWA via SSL for the first time. Thanks for
> > the great article, Tom!
> >
> > A problem remains with it which I am not able to locate right
> > now: when I try to connect to the OWA site from the outside,
> > I'm presented with the certificate, but as soon as I accept
> > the connection, I get a 403 error.
> >
> > As I can only test from behind another ISA server, I had a
> > look at the logs there and found out that the remote browser
> > issues a GET for the web enrollment services with the
> > internal name of my OWA server, which is of course bound to fail:
> >
> > 192.168.130.201, anonymous, Mozilla/4.0 (compatible; MSIE
> > 6.0; Windows NT 5.0; Q312461), -, 9/13/2003, 01:01:49, -,
> > SMS-CO-02, -, myexternal.owa.name, xxx.xxx.xxx.xxx, 443, 0,
> > 400, 2330, SSL-tunnel, -, -, myexternal.owa.name:443, -,
> > Inet, 995, -, -, - 192.168.130.201, anonymous, Mozilla/4.0
> > (compatible; MSIE 6.0; Windows NT 5.0; Q312461), -,
> > 9/13/2003, 01:01:54, -, SMS-CO-02, -, myexternal.owa.name,
> > xxx.xxx.xxx.xxx, 443, 0, 375, 2330, SSL-tunnel, -, -,
> > myexternal.owa.name:443, -, Inet, 995, -, -, -
> > 192.168.130.201, anonymous,
> > CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003,
> > 01:03:01, -, SMS-CO-02, -, myinternal.exchange.hostname, -,
> > 80, 30, 218, 0, http, -, GET,
> > http://myinternal.exchange.hostname/CertEnroll/myinternal.exch
> > ange.hostn
> > ame_services.crt, -, Inet, 11004, -, -, -
> > 192.168.130.201, anonymous,
> > CryptRetrieveObjectByUrl::InetSchemeProvider, -, 9/13/2003,
> > 01:03:22, -, SMS-CO-02, -, myinternal.exchange.hostname, -,
> > 80, 20, 218, 0, http, -, GET,
> > http://myinternal.exchange.hostname/CertEnroll/myinternal.exch
> > ange.hostn
> > ame_services.crt, -, Inet, 11004, -, -, -
> >
> > Any ideas on this?
> >
> > Thanks,
> > Mark
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > Leading Network Software Directory:
> > http://www.serverfiles.com No.1 Exchange > Server Resource
> > Site: http://www.msexchange.org Windows Security Resource
> > Site: http://www.windowsecurity.com/ Network Security
> > Library: http://www.secinf.net/ Windows 2000/NT Fax
> > Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email
> > to $subst('Email.Unsub')
> >
> > ^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*
> >
> > All mail from this domain is virus-scanned with RAV.
> www.ravantivirus.com
>
> ^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com No.1
> Exchange Server Resource Site: http://www.msexchange.org Windows
> Security Resource Site: http://www.windowsecurity.com/
> Network Security
> Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
> http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> isaserver@xxxxxxxxxxxx To unsubscribe send a blank email to
> $subst('Email.Unsub')
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: isaserver@xxxxxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
>
Other related posts:
