OWA on internal network, but not on external???

Status
Not open for further replies.

danomac

IS-IT--Management
Aug 2, 2002
731
AM
Well, the subject line sums it up pretty much, but here is some more info:

I have an instantssl certificate installed. I don't believe it is the cause of the problem.

Internally, works fine.

We do not have a registered domain name and have been using the ip address to try to access OWA.

Externally, works, shows a basic page.

does NOT work, displays "The page cannot be displayed. Cannot find server or DNS error."

does NOT work, same error.

Port 443/80 has been opened in packet filters (predefined - HTTP/HTTPS server).

Web Publishing Rules:
-All destinations
-Redirect to 192.168.10.2 (IIS machine)
-Bridging: HTTP:80, SSL:443, FTP:21
-Redirection: HTTP as HTTP, SSL as SSL
-Applies to any request

Exchange virtual dir has been set to require ssl; anonymous access is off, basic authentication & integrated windows authentication.
Content is coming from m:\<domain>\mbx

Am I missing something? I don't know what to check next!

Daniel.
 
Well, when I disabled the requirement for SSL, it seems to work again.

I'm guessing something is happening to the SSL request. Any ideas?

Daniel.
 
Are you seeing packets being dropped when you try to use https? If you are, then double-check your https rules.

If the https requests are being allowed, and are being forwarded, then it sounds like it might be an SSL problem.
 
Nope no packets are being dropped.

I think part of the problem is SSL; but I think I should try to get approval for a FQDN. Oh well. It seems using our IP address won't work with ssl.

Thanks,

Daniel.
 
I'd do some more research into that. I've looked around a little, and some sites say you need a FQDN, some sites say you don't, and some sites say you can use an alias to make it work.

I'm not sure what platform or SSL package you're using so I can't help much, but I'd dig a bit deeper before asking for a FQDN.
 
SgtB,

Using W2K Server, IIS 5, ISA Server 2K.

It seems, now that I've looked at it a bit more, that there is a problem with it forwarding from the ISA server to IIS. I changed a few settings to terminate SSL at the ISA server and create another connection to IIS; but then I get an error 500: The target principal name is incorrect.

I found out from isaserver.org that it is indeed a FQDN problem... it will go away once we have it.

It seems that there is a header mismatch when ISA creates a new SSL link to IIS.

For reference:

 
Glad your problem will (should) be fixed soon.

As a side note, I'm assuming one of the interfaces on your server will be facing the internet. If this is the case, I'd put IIS on its own server, and put it behind the ISA server in a DMZ.

Running ISA and IIS on the same server is a no-no in my opinion. ISA+IIS=Security issues. Of course this is just my opinion. Plus there are some conflicts between which services listen on which ports.

I think it's best practice to separate your webservers from the firewall...no matter what firewall or web server you're running. Either way....your call.

is a great site for anything ISA related.
 
Unfortunately we use SBS2000...

We don't have the $$$ to change to a full suite of IIS/ISA/Exchange/SQL server right now. As we grow this will obviously change...

Thanks for the replies BTW...

Daniel.
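
Added example, not part of the original thread: the RFC 2818 name check an HTTPS client applies to a server certificate, run against both hops discussed above (the client reaching ISA, and ISA opening its own SSL connection to IIS at 192.168.10.2). The certificate contents, the name `mail.example.test` and the address 203.0.113.10 are constructed for illustration, and wildcard handling is simplified to a whole leftmost label.

```python
import ipaddress

def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def dns_match(pattern, host):
    """Compare one certificate DNS name with the requested host name.
    Simplification: '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def name_matches_cert(target, cert):
    """cert is a dict: {"cn": str, "san_dns": [str], "san_ip": [str]}."""
    if is_ip(target):
        # An IP target is compared only with iPAddress SAN entries,
        # never with the CN or DNS names.
        want = ipaddress.ip_address(target)
        return any(ipaddress.ip_address(i) == want for i in cert.get("san_ip", []))
    # dNSName SAN entries take precedence; the CN is the fallback.
    names = cert.get("san_dns") or [cert["cn"]]
    return any(dns_match(n, target) for n in names)

def audit_hops(hops, cert):
    """Check every name used to reach the server against the certificate."""
    return {hop: name_matches_cert(name, cert) for hop, name in hops.items()}

# Constructed sample data (not from the thread, except 192.168.10.2).
CERT = {"cn": "mail.example.test", "san_dns": [], "san_ip": []}
BY_IP = {"client -> ISA": "203.0.113.10", "ISA -> IIS": "192.168.10.2"}
BY_FQDN = {"client -> ISA": "mail.example.test", "ISA -> IIS": "mail.example.test"}

if __name__ == "__main__":
    for label, hops in (("by IP", BY_IP), ("by FQDN", BY_FQDN)):
        print(label, audit_hops(hops, CERT))
```

Both hops fail the check when addressed by IP and pass when the same host name appears in the request, the redirect target and the certificate.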
 