Showing posts with label ISA.

Fix for Cannot Logon to OWA Using ISA 2004

Tuesday, December 22, 2009
A client had a problem where users could not log on to Outlook Web Access (AKA OWA or Webmail) from the Internet. Users would get the logon page, but after entering a correct username and password they were returned to the same logon page.

Accessing OWA from the internal network presented the same logon page, but there the user could log on and reach the mailbox. That turns out to be the clue. Internal (non-ISA) users only see an OWA logon page if Exchange itself is configured for Forms Based Authentication (FBA). When ISA publishes OWA, FBA belongs on the ISA web listener only, not on Exchange: the listener collects the username and password from its own form and passes them to Exchange as Basic authentication over the bridged HTTPS connection. If Exchange also has FBA enabled, it answers that request with its own logon form instead of accepting the delegated credentials, and the user lands back on a logon page.

Here's how the two systems should be configured:
  • Install the Exchange server's SSL certificate, together with its private key, in the ISA computer's Personal certificate store (Computer account, not your user account)
  • On the ISA server, configure a Mail Server Publishing rule that allows External users to access the OWA server using HTTPS. Configure an OWA web listener for HTTPS using the Exchange server's certificate you imported, and set the listener's authentication to OWA Forms-Based. On the rule's Bridging tab, ensure requests are redirected to SSL port 443, so the credentials ISA delegates to Exchange stay encrypted on the internal network.
  • Ensure that the Exchange server is NOT using Forms Based Authentication. In Exchange System Manager, go to [OrgName] > Administrative Groups > [AdminGroup] > Servers > [ServerName] > Protocols > HTTP, open the properties of the Exchange Virtual Server and clear the Enable Forms Based Authentication checkbox on the Settings tab. Leave Basic authentication enabled on that virtual server; that is how ISA hands the credentials on.

The customer was using ISA 2004 in front of Exchange 2003, but I assume this problem/solution will also occur with ISA 2006.


How to Install a new Certificate on ISA 2004

Thursday, January 15, 2009

If you use ISA 2004 to secure an SSL-enabled website such as Outlook Web Access (OWA), you need a web listener in ISA. The listener accepts the HTTPS connections from the Internet and terminates SSL on the ISA server itself, which is why it needs a certificate, with its private key, issued for the host name the clients use.

Usually, you'll set this up when you configure your ISA server, but eventually the certificate you installed will expire and need to be replaced. This post describes how to do this.

In a nutshell, you have to install the certificate on the OWA server, configure IIS to use it, and then export it with the private key as a PFX file. Then you import the PFX file to the Personal store for the local computer on ISA. Just follow the bouncing ball...

First, you need to request and order a new SSL certificate. This can be done several ways, but it usually ends with an email from the certificate authority (e.g., VeriSign) containing your new certificate, PEM-encoded, in this format:

-----BEGIN CERTIFICATE-----
.....
.....
-----END CERTIFICATE-----

Copy and paste the certificate into Notepad and save it as something like C:\Webmail.cer. Be careful to save only the text from the BEGIN line through the END line (including the leading and trailing dashes); anything else in the file, or a missing line, will make the import fail.
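
The copy-and-paste step is where a certificate most often gets mangled: a line dropped, or a mail signature pasted in. As an added example, not part of the original post, the following Python script pulls the BEGIN/END CERTIFICATE block out of the CA's email, re-wraps it, and checks that the Base64 decodes to a complete DER object before you save it as Webmail.cer. The email text and the certificate bytes in it are constructed for the demo; the "certificate" is only a DER SEQUENCE of the right shape, not a real X.509 certificate.

```python
"""Extract the PEM certificate from a CA delivery e-mail and sanity-check it.

Added example: the e-mail text and certificate bytes below are constructed for
the demo. The "certificate" is only a DER SEQUENCE of the right shape, not a
real X.509 certificate.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def _wrap64(b64):
    """Re-wrap a Base64 string at 64 columns, the usual PEM line width."""
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))


def extract_pem_blocks(text):
    """Return every complete BEGIN/END CERTIFICATE block found in text.

    Whitespace inserted by the mail client is removed and the body re-wrapped,
    so the result is exactly what belongs in the .cer file: nothing before
    BEGIN, nothing after END.
    """
    blocks = []
    for body in PEM_RE.findall(text):
        b64 = "".join(body.split())
        blocks.append(
            "-----BEGIN CERTIFICATE-----\n"
            + _wrap64(b64)
            + "\n-----END CERTIFICATE-----\n"
        )
    return blocks


def der_is_complete(der):
    """True if the outer ASN.1 SEQUENCE header accounts for exactly len(der) bytes.

    A certificate is a SEQUENCE (tag 0x30) whose length field covers the rest
    of the file, so a block missing its last line(s) fails this check even
    when the shortened Base64 still decodes cleanly.
    """
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                          # short-form length
        header, length = 2, first
    else:                                     # long form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(der[2:header], "big")
    return header + length == len(der)


def check_pem(pem_text):
    """Decode the first PEM block in pem_text and verify it is a whole DER object."""
    m = PEM_RE.search(pem_text)
    if not m:
        return False
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:                        # binascii.Error is a ValueError
        return False
    return der_is_complete(der)


def save_first_cert(email_text, path):
    """Write the first verified certificate block from email_text to path."""
    blocks = extract_pem_blocks(email_text)
    if not blocks or not check_pem(blocks[0]):
        raise ValueError("no complete certificate block found")
    with open(path, "w", newline="\n") as f:
        f.write(blocks[0])
    return blocks[0]


# --- constructed sample input ------------------------------------------------
_PAYLOAD = bytes((i * 7) % 256 for i in range(300))
_FAKE_DER = b"\x30\x82" + len(_PAYLOAD).to_bytes(2, "big") + _PAYLOAD   # 304 bytes
_B64 = base64.b64encode(_FAKE_DER).decode()

SAMPLE_EMAIL = (
    "Subject: Your certificate order is complete\n\n"
    + "Paste the text below into Notepad and save it as Webmail.cer.\n\n"
    + "-----BEGIN CERTIFICATE-----\n" + _wrap64(_B64) + "\n"
    + "-----END CERTIFICATE-----\n\n"
    + "Regards, the CA\n"
)

# Same mail with the last Base64 line lost in the paste: still valid Base64,
# but the DER length no longer adds up.
TRUNCATED_EMAIL = SAMPLE_EMAIL.replace(
    _wrap64(_B64), _wrap64(_B64).rsplit("\n", 1)[0]
)

if __name__ == "__main__":
    print(check_pem(SAMPLE_EMAIL), check_pem(TRUNCATED_EMAIL))   # True False
```

Run it against the saved email text before pasting into Notepad; a False from check_pem means the block is not a whole certificate and the IIS import will reject it.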

Now you need to import the certificate into IIS on the web server. Again, there are several ways to do this depending on how you ordered your cert, but the following works every time, provided the certificate request was generated on this server so the matching private key is already in its machine store:

  • Click Start > Run and enter MMC
  • Click File > Add/Remove Snap-in and add the Certificates snap-in
  • Select Computer account > Next > Finish > OK
  • You should now see the Certificates MMC for the local computer
  • Expand Certificates (Local Computer) > Personal
  • Right-click Personal and select All Tasks > Import
  • Browse to the C:\Webmail.cer file you saved earlier
  • Click Next to store it in the Personal store and Finish to complete the import
  • Open the imported certificate and check that its General tab says you have a private key that corresponds to it. If it doesn't, the key from the original request isn't on this server: the export later in this process will not offer the private key, and the ISA listener cannot use the certificate. (certutil -repairstore my "<serial number>" re-links a certificate to a key that is present in the store but not associated with it.)
  • Don't close the Certificates MMC yet. You'll need it later in this process.

Next, you need to tell IIS to use the new certificate.

  • Open IIS Manager and navigate to the Default Web Site that uses SSL
  • In IIS 6, view the properties of the web site and click the Directory Security tab. Then click Server Certificate, Next and Replace the Current Certificate. Select the new cert you imported and complete the wizard.
  • In IIS 7, click Bindings and edit HTTPS. Then select the new cert you imported and close the Site Bindings window and IIS Manager.

Now that IIS is using the new certificate on the OWA server, you need to export the cert and its private key to import on the ISA server.

  • Now go back to the Certificates MMC and click refresh on Certificates in the Personal store
  • Select the certificate you imported
  • Right-click the certificate and select All Tasks > Export
  • Click Next and choose Yes, export the private key
  • Click Next twice and enter a strong password for the exported file; anyone who has the PFX and its password has the private key
  • Complete the wizard, saving the PFX file in a temporary location
  • Copy the PFX file to your ISA 2004 server over a channel you trust, and delete the temporary copies on both servers once the import below has succeeded

Next, we import the certificate into ISA and configure the ISA listener.

  • On the ISA server, open the Certificates MMC for the Computer account (as above), right-click Certificates (Local Computer) > Personal and select All Tasks > Import, then point the Certificate Import Wizard at the PFX file and enter its password
  • Make sure the certificate ends up in the computer's Personal store; a PFX opened by double-clicking may be imported into your own user store instead, where the ISA firewall service cannot see it
  • Now open the ISA Server Management Console
  • Select the Firewall Policy
  • Click the Toolbox tab on the right and expand Web Listeners
  • Double-click the web listener you want to update to edit it
  • Click the Preferences tab and click Select
  • Select the new certificate and close the listener properties
  • Apply the ISA changes

Finally, you're done!!!


How to Add SMTP Verb Commands to ISA Server 2006

Wednesday, March 5, 2008

If you have an ISA 2006 server between a Microsoft Exchange 2007 Edge server and the Exchange Hub Transport server, you may have a problem where messages queue on the Edge with 500 5.1.1 "unrecognized command" errors.

This Microsoft article partially explains how to resolve the problem. When the Edge Transport server tries to send mail through Microsoft Internet Security and Acceleration (ISA) Server 2006 with SMTP filtering or Secure SMTP (SMTPS) filtering enabled, the SMTP filter blocks any command it doesn't recognize, which includes the Exchange-specific ones. You fix this either by disabling the SMTP filter on the ISA server or by adding the verbs (and optionally their maximum length) to the SMTP filter. Adding the verbs is the better choice: disabling the filter also drops its verb and command-length checks for every other SMTP connection it carries.

What the article doesn't say is which verbs to add or their maximum length. Well, here they are:

  • PIPELINING
  • DSN
  • ENHANCEDSTATUSCODES
  • STARTTLS
  • X-ANONYMOUSTLS
  • AUTH
  • X-EXPS NTLM
  • 8BITMIME
  • BINARYMIME
  • CHUNKING
  • XEXCH50
  • SIZE

All the verbs have an empty maximum length except possibly SIZE, which should be set to the maximum message size allowed in your org, in bytes (for example, 10485760 for 10 MB).


Can't connect to a multi-homed server using RDP

Tuesday, October 2, 2007

The problem: You are trying to connect to a server using the Remote Desktop Connection client (RDP) and you get the following error:

Remote Desktop Disconnected
----------------------------------------------
The client could not connect to the remote computer.


Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection.

Please try connecting again later. If the problem continues to occur, contact your administrator.

If you are using the new Remote Desktop Connection 6.0 Client, the error you get is:

Remote Desktop Disconnected
----------------------------------------------
This computer can't connect to the remote computer.

Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator.

You checked that Remote Desktop is enabled and you have rights to connect, but it fails every time. What the #$% is going on???
Well, you may have a binding problem with the RDP-Tcp connector. This typically happens on servers with two or more NICs (as is usual with an ISA server): the RDP-Tcp connection is bound to one adapter, and it isn't the one you are coming in on. On an ISA server, bind it to the internal adapter only, so RDP is never listening on the external interface, and check that ISA's system policy allows Terminal Services (RDP) from your management computers; a connection the firewall drops shows up in the ISA log as a denied connection to port 3389. To fix the binding, follow these steps:
  1. Log on to the server locally
  2. Click Start, Run, type "tscc.msc /s" (without quotation marks) and click OK
  3. In the Terminal Services Configuration snap-in double-click Connections, then RDP-Tcp in the right pane
  4. Click the Network Adapter tab, select the correct network adapter and click OK
  5. Make sure that you can establish an RDP connection to the server
The change takes effect immediately. No need for a restart.



Don't Use Google for ISA Health Checks

Thursday, August 30, 2007
Have you or your users run across the following lately when accessing Google?

403 Forbidden

Google

We're sorry......

but we can't process your request right now. A computer virus or spyware application is sending us automated requests, and it appears that your computer or network has been infected. We'll restore your access as quickly as possible, so try again soon. In the meantime, you might want to run a virus checker or spyware remover to make sure that your computer is free of viruses and other spurious software.

We apologize for the inconvenience, and hope we'll see you again on Google.

The trouble may not be a virus or spyware; it may be your ISA server. One of the features ISA offers is HTTP health checks (ISA calls them connectivity verifiers): you configure a web address that ISA fetches at a fixed interval, and it alerts you if the response time exceeds the configured threshold.

Google must be getting hit hard with spybots that frequently hit their network. They've taken steps to monitor repetitive access to the same page from a single source IP. When they detect this, they serve up the page above with something akin to CAPTCHA to ensure that a real human is accessing Google and allow you to continue your search.

If this is happening to you, it may be because you've configured your health checks to target Google. From Google's side, the same URL fetched every few seconds from one address looks exactly like a bot, and the address it blocks is the outbound NAT address all your users share. Point the proxy server's HTTP health checks at a site you control, or at an address whose owner has agreed to be polled.

Installing ISA 2004 SP3 Remotely

Thursday, August 16, 2007
I do most of my work remotely using Remote Desktop Protocol (RDP).  Best thing since sliced bread!!
 
Working on ISA remotely can be tricky, especially if the ISA server is the Internet firewall.  Anytime you need to bounce the ISA services or the server itself you'll drop the RDP connection.  If you're using a current version of Remote Desktop Connection (mstsc.exe), the connection will drop and RDC will automatically attempt to reconnect to the server.
 
Recently, I had to do some work on a customer's ISA 2004 server that required me to upgrade the server to ISA 2004 Service Pack 3 (you can download SP3 here).  Naturally, the installation will stop the ISA services when the upgrade is being performed. 
 
Having tested the SP3 installation in the lab, I found that ISA 2004 SP3 installation takes about 3 minutes, but doesn't always restart the services after the upgrade.  To keep from getting "shut out" from further remote administration I ran the following command from the CMD prompt before the upgrade:
shutdown /r /t 300 /f /d p:4:1
This command will forcibly restart the server in 5 minutes (300 seconds) with the shutdown reason of "Application: Maintenance (Planned)".  I then proceeded to install ISA 2004 SP3.  If the connection is restored after the upgrade, I run the following command from the CMD prompt to abort the server restart:
shutdown /a
If the services don't start (as was the case in my situation) the server will automatically restart and connectivity is restored. Set the delay comfortably longer than the upgrade takes (here 5 minutes against a 3-minute install), otherwise the forced restart interrupts the service pack mid-install; and remember that /f closes running applications without prompting.
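
The schedule-then-abort trick above is a dead-man's switch: arm an automatic revert before the risky change, disarm it only once the change is verified. As an added example, not from the original post, the following Python script generalizes it so the revert is any callable. In the post the revert is the OS-scheduled restart (shutdown /r /t 300) and the disarm is shutdown /a, which has the advantage of surviving a dropped session; here a timer thread inside the script holds the revert, so the script itself must stay alive until it fires or is cancelled. The change, verify and revert functions in the demo are constructed stand-ins that only record what ran, so it runs offline.

```python
"""Dead-man's switch: arm an automatic revert before a risky remote change and
disarm it only after the change is verified.

Added example, not from the original post. The post's revert is the scheduled
restart (shutdown /r /t 300) and its disarm is shutdown /a; here the revert is
any callable held by a timer thread, and the demo uses stand-ins that only
record what ran.
"""
import threading
import time


class DeadmanSwitch:
    """Runs `revert` after `seconds` unless disarm() is called first."""

    def __init__(self, seconds, revert):
        self._revert = revert
        self.fired = threading.Event()          # set the moment the revert starts
        self._timer = threading.Timer(seconds, self._fire)

    def _fire(self):
        self.fired.set()
        self._revert()

    def arm(self):
        self._timer.start()

    def disarm(self):
        """Cancel the pending revert. Returns False if it had already started."""
        self._timer.cancel()
        return not self.fired.is_set()

    def wait(self):
        """Block until the timer thread has either reverted or been cancelled."""
        self._timer.join()


def run_guarded(change, verify, seconds, revert):
    """Apply `change` under a dead-man's switch.

    The switch is armed BEFORE the change, so a change that cuts off the operator
    (stopped firewall services, a dropped RDP session) is undone by the timer
    rather than left half-applied. Returns (outcome, reverted):
      ("ok", False)        change applied, verify passed, revert cancelled in time
      ("reverted", True)   verify failed or raised, or the change outran the timer
    """
    switch = DeadmanSwitch(seconds, revert)
    switch.arm()
    try:
        change()
        healthy = bool(verify())
    except Exception:                          # e.g. we lost our own connection
        healthy = False
    if healthy and switch.disarm():
        return "ok", False
    switch.wait()                              # let the scheduled revert finish
    return "reverted", True


def demo(verify_ok, seconds=0.2, work=0.0):
    """Offline run with constructed stand-ins; returns (outcome, reverted, log)."""
    log = []

    def change():                              # stands in for the SP3 install
        log.append("services stopped")
        time.sleep(work)

    def verify():                              # stands in for "can I still get in?"
        return verify_ok

    def revert():                              # stands in for the forced restart
        log.append("restart")

    outcome, reverted = run_guarded(change, verify, seconds, revert)
    return outcome, reverted, log


if __name__ == "__main__":
    print(demo(True))                            # ('ok', False, ['services stopped'])
    print(demo(False))                           # ('reverted', True, ['services stopped', 'restart'])
    print(demo(True, seconds=0.1, work=0.5))     # change outran the timer: reverted anyway
```

The third demo call is the case the timing caveat above is about: when the change takes longer than the timer, the revert runs even though the change would have verified fine, so the delay has to be sized from a measured run, not guessed.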
 
 