RE: Remote access to Exchange through ISA 2004

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 17 Oct 2005 02:32:35 -0500

Hi Stefaan,
 
I solve this problem in my deployments by using secure Exchange RPC publishing.
The nice thing about it is that all versions of Outlook are supported, and it works
from almost every location. Sadly, there are still a few locations that have
benighted admins who have dopey hardware firewalls that don't understand RPC.
But I've had a lot of success on the road with secure Exchange RPC only.
 
Tom

________________________________

From: Stefaan Pouseele [mailto:Stefaan.Pouseele@xxxxxxx]
Sent: Mon 10/17/2005 2:18 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Remote access to Exchange through ISA 2004



http://www.ISAserver.org

Hi,

I've a lab environment for testing out OWA and RPC over HTTPS and run
into a problem I can't seem to solve. Here is the setup:

WKS ---+
       +--- [ISA] --- Internet --- WKS
ADC ---+      !
             DNS


- WKS is an XP SP2 workstation that is moved between the Internal and the
External network. The goal is obviously that the user should not change
anything in the configuration on his workstation.

- DNS is the public DNS server (split DNS).

- ADC is the Active Directory controller, internal DNS server, Exchange
Server and Web server for OWA site and the RPC proxy. So, everything on
one and the same box!


I can get either the OWA access or the RPC over HTTPS working without
problem but not both at the same time due to certificate limitations.
Let's elaborate a little bit on this:

1. The ISA server as client (To tab in Web Publishing) does NOT support
wildcard certs. So, what you put in the To tab must match EXACTLY the
common name in the cert presented by the web server.
 
2. The ISA server as server (Web Listener) does support wildcard certs.

3. In ISA server the Basic and FBA authentication are mutually exclusive
on the same listener.

4. In the configuration of RPC over HTTP in Outlook you need to make
sure that the FQDN used as Principal name for proxy server (msstd:FQDN)
matches EXACTLY the common name on the cert. So, for a wildcard cert it
must be '*.domain.tdl' and no other cert such as 'exchange.domain.tdl'
is accepted. In other words, no real support for wildcard certs.

To summarize, without FlexAuth from Collective Software or implementing
http://www.isaserver.org/tutorials/2004pubowamobile.html you need to
have two Web listeners, one for OWA with FBA and one for RPC over HTTPS
with Basic Auth. No big deal at all. So, problem solved? Not quite...

When the user moves his laptop from external to internal, either the OWA
access will complain about the certificate or RPC over HTTP will not
work depending on which certificate is assigned to the internal Web
server. You can only assign one cert to a web site (in this case the
default web site). So, a possible solution is to have two web sites on
the same server and therefore two IP addresses, two listeners and two
certs on the internal web site too; one for OWA and one for RPC over
HTTP.

The problem is I can't seem to find out how to reconfigure or install
the RPC virtual directory so it does not run on the default website, or
how to reconfigure Exchange so that the virtual directories do not run
on the default website. Can this be done? Take note I don't know much
about IIS or Exchange!


Thanks,
Stefaan
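As an added example (not part of this thread or of any ISA or Outlook code), the following Python script models the four certificate-name rules Stefaan lists above: an exact CN match for the ISA To tab (no wildcard certs) and for Outlook's msstd: principal name, and wildcard-tolerant matching for the Web Listener and the browser. It then evaluates the roaming-laptop case against a single internal-site certificate and against the published path through ISA. The rules are taken from the post as written, not verified against product documentation, and every hostname and CN below is a constructed sample value.

```python
"""Model of the certificate-name rules from the post (items 1, 2 and 4).

Assumption: the matching behaviour encoded here is exactly what the post
states; it has not been checked against ISA 2004 or Outlook documentation.
All names are constructed sample values.
"""


def _norm(name: str) -> str:
    """Case-insensitive comparison, ignoring a trailing dot."""
    return name.lower().rstrip(".")


def _exact_match(cn: str, name: str) -> bool:
    """CN must equal the name character for character."""
    return _norm(cn) == _norm(name)


def _wildcard_match(cn: str, host: str) -> bool:
    """Browser-style matching: exact CN, or a '*.' wildcard covering exactly
    one label ('*.domain.tld' matches 'owa.domain.tld' but neither
    'domain.tld' nor 'a.b.domain.tld')."""
    cn, host = _norm(cn), _norm(host)
    if cn == host:
        return True
    if not cn.startswith("*."):
        return False
    suffix = cn[1:]                      # ".domain.tld"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def listener_accepts(listener_cert_cn: str, external_host: str) -> bool:
    """Rule 2: the Web Listener (ISA as server) supports wildcard certs."""
    return _wildcard_match(listener_cert_cn, external_host)


def to_tab_accepts(internal_cert_cn: str, to_tab_fqdn: str) -> bool:
    """Rule 1: ISA as client needs an exact CN match and rejects wildcards."""
    if _norm(internal_cert_cn).startswith("*"):
        return False
    return _exact_match(internal_cert_cn, to_tab_fqdn)


def outlook_principal_accepts(cert_cn: str, principal: str) -> bool:
    """Rule 4: the msstd: principal name must equal the CN exactly."""
    name = principal[len("msstd:"):] if principal.lower().startswith("msstd:") else principal
    return _exact_match(cert_cn, name)


def browser_accepts(cert_cn: str, url_host: str) -> bool:
    """OWA in a browser: ordinary wildcard-tolerant hostname matching."""
    return _wildcard_match(cert_cn, url_host)


def evaluate_internal_site(cert_cn: str, owa_host: str, msstd_principal: str) -> dict:
    """Laptop on the internal network: it talks straight to the one
    certificate on the default web site, so both checks hit the same CN."""
    return {
        "owa": browser_accepts(cert_cn, owa_host),
        "rpc_over_http": outlook_principal_accepts(cert_cn, msstd_principal),
    }


def evaluate_published_site(listener_cert_cn: str, external_host: str,
                            internal_cert_cn: str, to_tab_fqdn: str,
                            msstd_principal: str) -> dict:
    """Laptop on the Internet: listener cert vs public name, To-tab name vs
    internal server cert, Outlook principal vs the listener cert it sees."""
    return {
        "listener": listener_accepts(listener_cert_cn, external_host),
        "to_tab": to_tab_accepts(internal_cert_cn, to_tab_fqdn),
        "rpc_over_http": outlook_principal_accepts(listener_cert_cn, msstd_principal),
    }


def roaming_laptop_ok(internal_cert_cn: str, listener_cert_cn: str, owa_host: str,
                      external_host: str, to_tab_fqdn: str, msstd_principal: str) -> bool:
    """True only if the unchanged client configuration works in both places."""
    inside = evaluate_internal_site(internal_cert_cn, owa_host, msstd_principal)
    outside = evaluate_published_site(listener_cert_cn, external_host,
                                      internal_cert_cn, to_tab_fqdn, msstd_principal)
    return all(inside.values()) and all(outside.values())


if __name__ == "__main__":
    # Constructed scenario: one internal cert must serve OWA and RPC over HTTP.
    for cn in ("*.domain.tld", "exchange.domain.tld"):
        print(cn, evaluate_internal_site(cn, "owa.domain.tld", "msstd:exchange.domain.tld"))
```

Running it shows the dead end the post describes: a wildcard certificate on the internal site satisfies the browser but not Outlook's exact principal match (and, even with msstd:*.domain.tld, fails the To tab on the published path), while an exchange.domain.tld certificate satisfies Outlook but not the OWA hostname. That is what pushes the design towards two web sites with two certificates.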


----------------------------------------------------------------

Disclaimer

The information in this message is intended solely for the addressee and may
contain confidential and/or privileged data and/or information protected by
intellectual property rights.
If you are not the addressee, please delete this message and notify the
sender. You may not use, modify, duplicate or distribute this message, nor
disclose its contents to a third party.
The security or accuracy of e-mail messages cannot be guaranteed, since the
information can be intercepted, corrupted or destroyed, get lost, arrive late
or incomplete, or contain viruses.
Cevi NV accepts no liability whatsoever for loss or damage attributable in any
way to the use of this medium. Any views or opinions expressed in this message
are those of the author and do not necessarily reflect those of Cevi NV or its
affiliated companies.
Consequently, this e-mail message does not bind Cevi NV unless it contains an
express statement to the contrary from an authorised representative.

Cevi NV, Bisdomplein 3, 9000 Gent - tel. 09 264 07 01 - account no. 091-0015991-15
                           RPR Gent - VAT BE 0860.972.295 - cevi@xxxxxxx


