
ISA Server + SSL ?

Old 09 May 2002, 02:59 PM
  #1  
ChristianR
Scooby Regular
Thread Starter
Join Date: May 2001
Location: Europe
Posts: 6,329

Hi,

Trying to get SSL to work through our ISA Server to the OWA (Outlook Web Access) server.

Before I made it SSL, I could access the OWA server from the internet, was working fine, and also could access it internally.

I have installed SSL, with certificate etc., and I can access it securely internally, but not from the internet. I believe it is not passing the SSL connection through to the OWA server, as if I still access the OWA server from the net without https, I get the default page saying "The page must be viewed over a secure...."

Any suggestions, tips, how-tos?

[Edited by ChristianR - 9/5/2002 3:00:48 PM]
Old 05 September 2002, 03:34 PM
  #2  
Jeff Wiltshire
Scooby Regular
 
Join Date: Nov 2000
Location: 412 Wheel HP Audi RS4
Posts: 2,021

Allow 443 through the ISA server to the OWA box ?
Old 05 September 2002, 03:47 PM
  #3  
ChristianR

Tried that, doesn't work.
Old 05 September 2002, 04:02 PM
  #4  
Jeff Wiltshire

Try (for testing purposes) allowing the OWA box to access any port to anywhere....

Jeff
Old 05 September 2002, 05:25 PM
  #5  
ChristianR

May I ask what you are thinking?
Old 06 September 2002, 12:26 AM
  #6  
Belf
Scooby Regular
 
Join Date: Apr 2002
Posts: 41

Have a look at www.isaserver.org

If they haven't got the answer on there I'd be surprised. I do know that ISA can do all sorts of funky things with SSL such as terminating it on the firewall.
Old 06 September 2002, 08:27 AM
  #7  
Jeff Wiltshire

Christian

I think (though I've not used ISA in anger) that the ISA server is probably intercepting the SSL connection and then not passing it on to the OWA server. Opening up all outbound ports from the OWA box will show if the OWA box is trying to start a new session which is failing under the current rule base. Once you've done this, check to see if it works or not and then look at the logs to see what traffic goes to/from the OWA server.

I'm not a big fan of Microsoft's 'Security Products' so I don't tend to get involved with them, so you may get a better response from Technet or elsewhere.....



Jeff

Old 06 September 2002, 10:54 AM
  #8  
Ga22ar
Scooby Regular
 
Join Date: Dec 2001
Posts: 436

I have this running on my systems at home..

Create a server publishing rule (not the reverse proxy one) and have it send all 443 requests for the specific IP address (my web servers are published externally on different IPs) to the internal IP of the OWA box.

Ensure that the incoming SSL web requests are enabled correctly on the ISA server object..

Must admit I can't remember all the exact bits/bobs as I set this up some time ago.. If it can wait I'll audit the config when I get home and post it up..

cheerio
Old 06 September 2002, 01:36 PM
  #9  
ChristianR

cheers - that will be helpful.
Old 07 September 2002, 09:32 AM
  #10  
Ga22ar

OK, this is how it is on my system:

Create a Server Publishing rule (Within Publishing)
On the action tab set the internal IP of the server that hosts the OWA
Set the external IP as the IP that hosts on the internet will use to connect to the OWA
Set the mapped protocol as HTTPS Server (which I think is a built in mapping)
The applies to tab can be what you like, however I set it to any request as you never know which IP will be inbound if OWA is being used by roaming users on the internet.
Save/Apply ensuring the Enable box is checked on the general tab.

Go to the properties of the ISA server Object (first object under Servers and Arrays) that is being used for inbound connections
Select Incoming Web Requests
Check the Enable SSL listeners
Enter a value that is not 443 in the SSL port box, I just added a high digit before 443 so you have something like 9443 or 7443 or 6443 etc etc.. Honestly can't remember why but it works anyway.
If you have multiple external IPs you might need to set up each address in the "configure listeners individually" box. I found that doing this worked better as I have a DMZ on another subnet so I could be explicit about which IPs were deemed external.
I then bounced the proxy and firewall service and it all started working.

As they say, it worked for me...

cheerio
Old 09 September 2002, 02:13 PM
  #11  
ChristianR

hi - nope still says:

The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.

--------------------------------------------------------------------------------

Please try the following:

Click the Refresh button, or try again later.

If you typed the page address in the Address bar, make sure that it is spelled correctly.

To check your connection settings, click the Tools menu, and then click Internet Options. On the Connections tab, click Settings. The settings should match those provided by your local area network (LAN) administrator or Internet service provider (ISP).
If your Network Administrator has enabled it, Microsoft Windows can examine your network and automatically discover network connection settings.
If you would like Windows to try and discover them,
click Detect Network Settings
Some sites require 128-bit connection security. Click the Help menu and then click About Internet Explorer to determine what strength security you have installed.
If you are trying to reach a secure site, make sure your Security settings can support it. Click the Tools menu, and then click Internet Options. On the Advanced tab, scroll to the Security section and check settings for SSL 2.0, SSL 3.0, TLS 1.0, PCT 1.0.
Click the Back button to try another link.



Cannot find server or DNS Error
Internet Explorer
Old 09 September 2002, 03:05 PM
  #12  
Ga22ar

OK, can't help you further at the mo as the ISA just went pop... Need to fix it

Do you have other 443s going thru the box or is this the first one ?

Is it going thru the ISA ?? - Have you netmon'd the OWA server to see if it is receiving connects from ISA on port 443 ?


[Edited by Ga22ar - 9/9/2002 3:09:01 PM]

[Edited by Ga22ar - 9/9/2002 3:11:41 PM]
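
Added example, not written by anyone in this thread: a small Python probe, run from an outside client, that reports how far a connection to the published OWA address gets (DNS, TCP 443, TLS handshake), which separates "nothing is listening" from "the firewall accepts 443 but no SSL server answers behind it". The host name `owa.example.com` and the stage names are assumptions made for this illustration.

```python
import socket
import ssl


def probe_https(host, port=443, timeout=5.0):
    """Return (stage, detail): how far a client connection to host:port gets."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as exc:
        return "dns_failed", str(exc)        # name does not resolve
    except ConnectionRefusedError as exc:
        return "tcp_refused", str(exc)       # nothing listening, or rejected
    except socket.timeout as exc:
        return "tcp_timeout", str(exc)       # packets silently dropped
    except OSError as exc:
        return "tcp_error", str(exc)

    ctx = ssl.create_default_context()       # certificate validation stays on
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "tls_ok", tls.version()
    except ssl.SSLCertVerificationError as exc:
        # A server answered the handshake, but its certificate is untrusted
        # or does not match the name: the path works, the certificate does not.
        return "cert_rejected", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        # The port accepted the connection but no TLS server completed the
        # handshake, e.g. a listener on 443 that does not pass traffic on.
        return "tls_failed", str(exc)
    finally:
        raw.close()


if __name__ == "__main__":
    # Placeholder name (assumption): replace with the published OWA host.
    print(probe_https("owa.example.com"))
```

Comparing the result from an internal client with the result from an external one shows whether the break is at name resolution, at the publishing rule, or at the SSL listener.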
Old 09 September 2002, 03:47 PM
  #13  
ChristianR

right in, monitoring alerts -> Alert: Server Publishing Error
The server publishing rule is configured incorrectly.

V.helpful - now to me it seems right, and nothing is listed in the event viewer - any ideas?