RE: that old 12202 forbidden chessnut

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 22 Dec 2005 10:29:09 -0800

*Exactly* where did you install the certificates? 
Every machine has three basic locations:
- user
- computer
- service

Each one of those has "personal" and "trusted root" locations for certificates.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
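
Added example, not part of the original thread: a PowerShell check of the user and computer locations, in both the "personal" (My) and "trusted root" (Root) stores, for certificates issued by a given CA, so you can see exactly where an import landed. The CA name is a placeholder, the function name is hypothetical, and the Cert: drive only exposes the user and computer locations, so service stores are not covered.

```powershell
# Added illustration; 'Example Internal CA' is a placeholder, not a value from the thread.
function Find-CertificateLocation {
    param(
        # Wildcard matched against the Issuer field. A root CA certificate is
        # self-issued, so this finds the CA certificate and anything it issued.
        [Parameter(Mandatory)] [string] $IssuerLike
    )
    $locations = 'CurrentUser', 'LocalMachine'   # "user" and "computer"
    $stores    = 'My', 'Root'                    # "personal" and "trusted root"
    foreach ($loc in $locations) {
        foreach ($store in $stores) {
            Get-ChildItem -Path "Cert:\$loc\$store" -ErrorAction SilentlyContinue |
                Where-Object { $_.Issuer -like $IssuerLike } |
                ForEach-Object {
                    [pscustomobject]@{
                        Location      = $loc
                        Store         = $store
                        Subject       = $_.Subject
                        SelfIssued    = ($_.Subject -eq $_.Issuer)
                        HasPrivateKey = $_.HasPrivateKey
                        NotAfter      = $_.NotAfter
                        Thumbprint    = $_.Thumbprint
                    }
                }
        }
    }
}

$found = @(Find-CertificateLocation -IssuerLike '*Example Internal CA*')
$found | Format-Table -AutoSize

# The CA certificate itself, split by where it is trusted.
$userRoot    = $found | Where-Object { $_.SelfIssued -and $_.Store -eq 'Root' -and $_.Location -eq 'CurrentUser' }
$machineRoot = $found | Where-Object { $_.SelfIssued -and $_.Store -eq 'Root' -and $_.Location -eq 'LocalMachine' }

if ($userRoot -and -not $machineRoot) {
    Write-Warning 'CA certificate is in the user trusted root store only; the computer store does not contain it.'
}
if (-not ($found | Where-Object { $_.Store -eq 'My' -and $_.Location -eq 'LocalMachine' -and $_.HasPrivateKey })) {
    Write-Warning 'No certificate from this CA with a private key in the computer personal store.'
}
```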
 

-----Original Message-----
From: Doige, Clayton [mailto:clayton.doige@xxxxxxxxxxx] 
Sent: Thursday, December 22, 2005 09:51
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: that old 12202 forbidden chessnut

http://www.ISAserver.org

That's the bit I don't get. I went through that document word for word, slowly, 
pedantically, and did exactly what it said. 

At any rate, what I really wanted to get working out of all of this was 
ActiveSync on an iPAQ, which I have managed this afternoon. So I am a happy bunny 
from that perspective, although I have responded to some of your points below:

Merry Christmas :-) and thanks for the feedback.

Clayton Doige
IT Project Manager
CME Development Corporation
T: 020 7430 5355
M: 07932 653787
E:clayton.doige@xxxxxxxxxxx
W:www.cetv-net.com

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: 22 December 2005 17:30
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: that old 12202 forbidden chessnut

You're clearly *not* following instructions.
CIL... 



-----Original Message-----
From: Doige, Clayton [mailto:clayton.doige@xxxxxxxxxxx]
Sent: Thursday, December 22, 2005 07:54
To: [ISAserver.org Discussion List]
Subject: [isalist] that old 12202 forbidden chessnut

Some of you will recall a couple months back me having no success with this 
error at all.

 

Now that things have been quiet around here this week, I have had a chance to 
revisit things.

 

I uninstalled the original certificate authority I had created here, and 
reinstalled one for cme-net.com. I again have gone through Liran Zamir's Step 
By Step Publishing Article for publishing W2K3 OWA over ISA 2K4 using Forms 
Based Authentication.

 

The name on the certificate is registered in DNS, and I can ping that name and 
have it resolve to the correct IP Address from an external computer. I have 
added this name to the ISA Server's host file with the internal 10 range 
address.
[Jim] - stop messing about with the hosts file; this is what DNS is for.

[Clayton] - Under the section in the article I got from isaserver.org called 
Checking Browser connectivity from ISA to the OWA site it states:
"If the ISA Firewall cannot resolve the common name to the exchange ip address 
using DNS, you should edit the ISA firewall's host file..."
 

When I go to the website, I am prompted to verify I want to proceed with the 
untrusted certificate, which I do, and the OWA Form opens on the page. I then 
put in my username and password (username being domain\user format) and the 403 
Forbidden pops up.
[Jim] - this is where ISA will fail; ISA *must* trust the cert issuer or your 
internal connection will *not* happen

[Clayton] - Fair enough, the article I used referenced importing the 
certificate into the ISA Server, which I did do, admittedly certs are not my 
strong point, but over and above what is in that article, how do I go about 
getting ISA to trust my local CA? In the trusted root section, my cert is 
listed, and I also imported the pfx file into the personal certs container, and 
was able to select it via the listener.
 

Interestingly enough, when I had this error before nothing showed up in the 
Logs of the ISA Server, however now, it comes up with a denied packet 
associated with port 443, https, with the username I am putting in being 
referenced.

 

Is there some other rule that I need to create here?

 

Lastly, when I browse to the OWA site from the ISA Server itself, before the 
certificate prompt comes up, a security warning is displayed stating that 
certificate revocation information for the previous certificate is unavailable 
and asking whether I wish to continue. I am guessing this is due to the old cert 
with that internal reference still hanging around in IE somewhere, but will that 
be contributing to the 12202 issue from the public side?

 

Any help will be greatly appreciated, tomorrow being the last day for me here 
this year, I would like to finish off on a positive.

 

 


______________________________________________________________________
This electronic mail message and any attached files contain information 
intended for the exclusive use of the person to whom it is addressed and may 
contain information that is proprietary, privileged, confidential and/or exempt 
from disclosure under applicable law. If you are not the intended recipient, 
you are hereby notified that any viewing, copying, disclosure or distribution 
of this information may be subject to legal restriction or sanction. If you are 
not an addressee, please notify the sender immediately by electronic mail and 
delete the original message without making any copies.
_____________________________________________________________________
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx 

All mail to and from this domain is GFI-scanned.

