
ISA 2004 OWA Publishing Problem!

Status
Not open for further replies.

kinskins01

Programmer
Feb 21, 2008
1
IE
Hi,



I have ISA 2004 and Exchange 2003 and can't get the OWA to work. Here is the scenario:



The front end firewall is an ASA and is allowing in HTTPS to the DMZ NIC on the ISA. The ISA has two NICs 1 on the LAN and 1 in the DMZ. OWA works from the LAN. I have installed a digital cert from a third party CA on the Exchange server and exported with private keys and imported onto the ISA server. Form based authentication is turned off on Exchange.



ISA publishing rule:

Allow from anywhere, to the external DNS A record that matches the name on the digital cert, e.g. webmail.domain.ie

Listener: External NIC, 443, cert webmail.domain.ie, OWA Form based auth, always auth: yes



Public name: request for following sites: webmail.domain.ie



3 paths are in



Bridging 443 and all users



When I browse to (do not need /exchange as I have edited IIS on Exchange to accept it) from outside of the network I get the login page.



When I enter credentials I get:



Technical Information (for support personnel)

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

It is driving me nuts. I have put an entry in on the host file on the ISA server for webmail.domain.ie and pointed it to the LAN IP of the Exchange server.



In Exchange:



Default Website: Enable Anonymous Access

/Exchange: Basic Auth

/Exch Web: Anonymous

/Public: Basic Auth



I have tried the Monitoring but nothing seems to be happening with it. Have selected the publishing rule etc. but nothing!



Any help would be gratefully received

Thanks
 
Hi,

I'm having much the same problem, except that it's ISA 2006 and I have no other firewall installed.

I've tried following this doc to no avail:


I tried doing it myself and got the ISA/OWA logon page, but when I logged in, it threw up an error. Now after following the above Microsoft doc, I can't even get the login page! Progress? lol

Hopefully someone will have got this working?

Ta

Ross
 
What paths do you have for the allowed URLs?

The reason I ask is, you may want to throw a wildcard in there like:


Try logging in from an internal PC and watch the URLs that come up after logging in.

My guess is, if it were an auth issue, you would have seen a different type of error returned.
 
In my experience with ISA 04 I just run the mail server publishing wizard and select OWA and it configured everything for you. Have you tried that or are you configuring ISA manually? The wizard should ask for a cert for OWA.

Also, your rule above states that FBA is set to always yes while you have it off in IIS/Exchange. Enable FBA on OWA and see how that works.

One last thing. Try opening all IP traffic from the ASA to ISA on the appropriate IP for OWA and see if that helps. That will allow you to determine if the issue is actually with ISA or with the ASA. You could also try to access OWA from the DMZ.
 
The URL in the certificate, the request to the OWA server, the request from the client all have to reflect the same name, and most importantly, the web publishing/access rule should reflect the public name. Are all of these statements true?

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Manager - Global AD Operations
ACS, Inc.
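
The two checks suggested in the replies above (compare the URLs seen after an internal login against the rule's allowed paths, and confirm that the certificate, the "To" host and the public name all agree), written out as an added example that is not part of the thread and is not ISA Server's own matching logic. Assumptions: the three paths are taken to be the /Exchange, /ExchWeb and /Public directories with a trailing wildcard, the observed URLs and the host exch01.domain.local are constructed, and the `/*` prefix match is a simplified model.

```python
from urllib.parse import urlsplit

def cert_covers(cert_name, host):
    """True if a certificate name (exact or '*.domain' wildcard) covers host."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return cert_name == host

def path_allowed(path, allowed_paths):
    """Simplified model: exact match, or prefix match for a trailing '/*'."""
    path = path.lower()
    return any(
        path.startswith(p.lower()[:-1]) if p.endswith("/*") else path == p.lower()
        for p in allowed_paths
    )

def check_rule(rule, observed_urls):
    """Return findings for a publishing rule; an empty list means consistent."""
    findings = []
    public = rule["public_name"]
    if not any(cert_covers(n, public) for n in rule["listener_cert_names"]):
        findings.append(f"listener cert does not cover public name {public}")
    if not any(cert_covers(n, rule["to_host"]) for n in rule["backend_cert_names"]):
        findings.append(f"back-end cert does not cover 'To' host {rule['to_host']}")
    for url in observed_urls:
        parts = urlsplit(url)
        if (parts.hostname or "").lower() != public.lower():
            findings.append(f"host not in public names: {url}")
        elif not path_allowed(parts.path or "/", rule["paths"]):
            findings.append(f"path not in rule: {url}")
    return findings

# Constructed sample: names from the first post, paths and URLs assumed.
RULE = {
    "public_name": "webmail.domain.ie",
    "to_host": "webmail.domain.ie",
    "listener_cert_names": ["webmail.domain.ie"],
    "backend_cert_names": ["webmail.domain.ie"],
    "paths": ["/exchange/*", "/exchweb/*", "/public/*"],
}
OBSERVED = [  # URLs as they might be noted while logging in from an internal PC
    "https://webmail.domain.ie/",
    "https://webmail.domain.ie/exchange/user/Inbox",
    "https://exch01.domain.local/exchange/",
]

if __name__ == "__main__":
    print("\n".join(check_rule(RULE, OBSERVED)) or "rule is consistent")
```
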
 