http://www.ISAserver.org ------------------------------------------------------- Hi Jim, Thanks for this. I have made further investigations and found that it is just the autodiscover service that is failing - the Outlook Anywhere is actually working if I define the settings manually, including the offline address book etc. The rule that publishes the autodiscover is the Outlook Anywhere rule, and this is set to basic authentication with the web listener set to form based authentication. The rule tests fine on all paths. I checked the logs, and it is giving an access denied error to the autodiscover path, possibly because Outlook isn't trying to authenticate? I can't see any evidence in the logs that ISA is dropping back to basic authentication because of the Outlook HTTP user-agent string. I discovered on this machine that we are pre Outlook 2007 SP1, so just applying all patches before continuing. Thanks. Andrew. -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: 03 April 2009 17:48 To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Question about forms mode authentication for OWA http://www.ISAserver.org ------------------------------------------------------- Using FBA/Basic requires that the OL clients use basic as well when they authenticate to ISA. FBA cannot fall back to anything other than HTTP-Basic. It's highly doubtful that your internal clients are using Basic auth, since OL will tend to use RPCoTCP, not RPCoHTTP internally. Use the logging monitor if you want to understand what's failing and when - that's what it's for. Jim -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew Hodgson Sent: Friday, April 03, 2009 7:33 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Question about forms mode authentication for OWA http://www.ISAserver.org ------------------------------------------------------- Hi Jim, Thanks - that is strange, since the FBA/Basic authentication was what I was using originally on the failed OA connection. Looking into it further, I wonder whether the autodiscover is what is causing the problem? The autodiscover path is by default in that rule if you choose the option to include the extra paths in the wizard. Thanks. Andrew. ________________________________________ From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison [Jim@xxxxxxxxxxxx] Sent: 03 April 2009 14:25 To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Question about forms mode authentication for OWA http://www.ISAserver.org ------------------------------------------------------- Actually, no. There is a relationship between the external and delegated auth method and these are detailed in http://technet.microsoft.com/en-us/library/bb794722.aspx. Andrew, if you want to use Basic delegation internally, you can only use FBA or HTTP-Basic at ISA. Jim -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Moore, Scott A. Sent: Friday, April 03, 2009 6:19 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Question about forms mode authentication for OWA http://www.ISAserver.org ------------------------------------------------------- From my recollection, the auth method on ISA and on the CAS server must match. I believe I was told this directly from PSS when I worked an issue on a customer engagement for their Outlook Anywhere issues with ISA. That particular customer is using Basic with All Users. -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew Hodgson Sent: Friday, April 03, 2009 9:01 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Question about forms mode authentication for OWA http://www.ISAserver.org ------------------------------------------------------- Hi, One thing with this is that whichever scenario I use, the Exchange remote connectivity test tool passes on all counts. Thanks. Andrew. -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew Hodgson Sent: 03 April 2009 13:38 To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Question about forms mode authentication for OWA Hi all, I have successfully got OWA and ActiveSync working using form based authentication. However, there is a problem with the Outlook Anywhere rule: If I set the Outlook anywhere rule to allow all users to connect, and allow clients to authenticate with the published application (thus negating the ISA authentication), everything works perfectly. However, If I choose Basic authentication in the Authentication Delegation tab of the OA publishing rule, then set it so that only authenticated users can connect, Outlook gives an error regarding not being able to find an encrypted connection to the Exchange server. Basic authentication is chosen for the OA on the CAS server. I did think about using NTLM authentication, but as users will use basic authentication either internally or externally (since the OA users are not joined to the domain), I wanted the internal and external view to be the same. Thanks. Andrew. -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau Sent: 02 April 2009 16:04 To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Question about forms mode authentication for OWA http://www.ISAserver.org ------------------------------------------------------- I do it and just have a different rule, however, I use the same listener and IP. Steve Comeau Associate Director of IT Rutgers Athletics 83 Rockafeller Road Piscataway, NJ 08854 732-445-7802 732-445-4623 (fax) www.scarletknights.com -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Moore, Scott A. Sent: Thursday, April 02, 2009 10:54 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Question about forms mode authentication for OWA http://www.ISAserver.org ------------------------------------------------------- Separate rules, same listeners and IP. This should give you a primer for everything you need to setup and best practices. http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part1.html -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew Hodgson Sent: Thursday, April 02, 2009 10:40 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Question about forms mode authentication for OWA http://www.ISAserver.org ------------------------------------------------------- Hi, I have an ISA Server 2006 SP1 server set up to publish an Exchange OWA instance (running Exchange 2007). I am testing using the forms mode authentication through the ISA box. If I use forms mode on an external web listener, is it correct that the ActiveSync and Outlook Anywhere will not work with this, and that I would need to use a different web listener for these methods? If that is the case, do I need to use another external IP address on the web listener for the ActiveSync/RPC stuff? Thanks. Andrew. -- allpay Limited, Fortis et Fides, Whitestone Business Park, Whitestone, Hereford, HR1 3SE. On 5th March 2009, allpay.net Limited changed its name to allpay Limited. Registered in England No. 02933191. UK VAT Reg. No. 666 9148 88. Telephone: 0870 243 3434, Fax: 0870 243 6041. Website: www.allpay.net Email: enquiries@xxxxxxxxxx This email, and any files transmitted with it, is confidential and intended solely for the use of the individual or entity to whom it is addressed. If you have received this email in error please notify the allpay.net Information Security Manager at the number above. ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx *** This message contains confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Rutgers University - DIA 83 Rockafeller Road Piscataway, NJ 08854 www.scarletknights.com *** ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx