Locked Publishing OWA and RDWeb on the same listener.

  • Sunday, July 25, 2010 5:48 AM
     
     

    Hello all,

    How do you publish the RDWeb rule that requires its listener to have no authentication and still use OWA with a Forms-based listener?

    Apparently you can't change the RDWeb port without consequences of the RDWeb site being broken.

    These are separate servers in the same internal domain, if that matters.

All Replies

  • Tuesday, July 27, 2010 2:57 PM
     
     

    I am a little upset about the fact that this question has gone so long without being answered. It's hard to imagine that nobody has run into this problem before.

    RDWeb on the same network as OWA and other https rules that require FBA.

  • Wednesday, July 28, 2010 6:51 PM
    Moderator
     
     

    Sorry for the delay in getting to this.

    FBA will fall back only to Basic, so if you need one publishing rule to use anonymous and another to use FBA then you will need to have two listeners.

    HTH,

     


    Yuri Diogenes [MSFT] - http://blogs.technet.com/yuridiogenes
  • Wednesday, July 28, 2010 8:54 PM
     
     
    Maybe you can tell me how to get RDGateway to use one of the auth types for the listener and still have RDGateway function.
  • Thursday, July 29, 2010 3:14 AM
    Moderator
     
     

    AFAIK RDGateway behaves just like TSGateway for the authentication part, which means that on ISA (or TMG) it needs to be anonymous as we explain here http://technet.microsoft.com/en-us/magazine/2008.09.tsg.aspx.


    Yuri Diogenes [MSFT] - http://blogs.technet.com/yuridiogenes
  • Thursday, July 29, 2010 2:38 PM
     
     

    I saw something relevant on that page...

     

    If you continue to look at the logging, you should see the other RPC over HTTP verb, RPC_OUT_DATA. It is important to be aware of which HTTP methods are used, which are RPC_IN_DATA and RPC_OUT_DATA for RDP/HTTP, because if you have the HTTP Filtering configured to block these methods, the traffic will be blocked on ISA Server. If you would like to lock down your environment, you can configure the RDP/HTTP Web publishing rule to allow only these two methods. For more information on the HTTP methods typically used for publishing, you should read the article "HTTP Filtering in ISA Server 2004" at technet.microsoft.com/library/cc302627 .

     

    How am I supposed to stop this blocking? Because I am getting blocks on RPC_OUT and RPC_IN.

  • Thursday, July 29, 2010 2:49 PM
    Moderator
     
     
    Not all errors that you see in the logging related to RPC over HTTP are valid errors. Please read http://blogs.technet.com/b/isablog/archive/2007/06/25/rpc-over-http-logging-wildness.aspx to see how to interpret the logs for RPC over HTTP traffic. Also, this doesn't seem to be relevant for your issue, since you are mainly dealing with two authentication needs that can't be fulfilled on one single listener.
    Yuri Diogenes [MSFT] - http://blogs.technet.com/yuridiogenes
  • Thursday, July 29, 2010 2:57 PM
     
     

    So, I really don't understand what I am supposed to do here... Can this be done or not? Imagine my frustration at hammering away at this for a week now and being no further along than I was when I started.

     

    Also:

    TMG Denies it with this:

    Denied Connection TZPLCHVTPA-TMG 7/24/2010 3:09:11 PM
    Log type: Web Proxy (Reverse)
    Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL). 
    Rule: Default rule
    Source: External (74.79.79.174:49499)
    Destination: Local Host (192.168.1.30:443)
    Request: RPC_IN_DATA http://rdp.mydomain.com/rpc/rpcproxy.dll?localhost:3388
    Filter information: Req ID: 07f93917; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
    Protocol: https
    User: anonymous

    AND THIS:

    Denied Connection TZPLCHVTPA-TMG 7/24/2010 3:09:11 PM
    Log type: Web Proxy (Reverse)
    Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL). 
    Rule: Default rule
    Source: External (74.79.79.174:49500)
    Destination: Local Host (192.168.1.30:443)
    Request: RPC_OUT_DATA http://rdp.mydomain.com/rpc/rpcproxy.dll?localhost:3388
    Filter information: Req ID: 07f93919; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
    Protocol: https
    User: anonymous

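    The two "Denied Connection" records above are easier to reason about once they are parsed into fields: which listener (Destination IP:port) the request landed on, which HTTP method it used, whether an FBA cookie was present, and which rule finally matched. The following parser is an added example, not code from the thread or from Microsoft; it takes the two records quoted above verbatim, plus one constructed GET denial (Req ID 07f9391a, a /owa/ URL, assumed) so that the non-RPC path is exercised, and flags RPC_IN_DATA / RPC_OUT_DATA requests that fell through to the Default rule. Those are exactly the requests to correlate with the listener's authentication setting and the publishing rule's allowed HTTP methods, rather than with the client.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the two records quoted in the thread, plus one assumed GET denial.
SAMPLE_DENIALS = """\
Denied Connection TZPLCHVTPA-TMG 7/24/2010 3:09:11 PM
Log type: Web Proxy (Reverse)
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: External (74.79.79.174:49499)
Destination: Local Host (192.168.1.30:443)
Request: RPC_IN_DATA http://rdp.mydomain.com/rpc/rpcproxy.dll?localhost:3388
Filter information: Req ID: 07f93917; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous

Denied Connection TZPLCHVTPA-TMG 7/24/2010 3:09:11 PM
Log type: Web Proxy (Reverse)
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: External (74.79.79.174:49500)
Destination: Local Host (192.168.1.30:443)
Request: RPC_OUT_DATA http://rdp.mydomain.com/rpc/rpcproxy.dll?localhost:3388
Filter information: Req ID: 07f93919; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous

Denied Connection TZPLCHVTPA-TMG 7/24/2010 3:10:02 PM
Log type: Web Proxy (Reverse)
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: External (74.79.79.174:49511)
Destination: Local Host (192.168.1.30:443)
Request: GET http://mail.mydomain.com/owa/
Filter information: Req ID: 07f9391a; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=yes, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
"""

RPC_OVER_HTTP_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}


@dataclass
class TmgDenial:
    timestamp: str
    rule: str
    listener: str         # Destination IP:port, i.e. the web listener the request arrived on
    method: str
    url: str
    req_id: str
    fba: Dict[str, str]   # the "FBA cookie:" fields, e.g. {"exists": "no", "valid": "no", ...}
    user: str


_HEADER = re.compile(r"^Denied Connection \S+ (.+)$")
_ENDPOINT = re.compile(r"\(([\d.]+:\d+)\)")
_REQ_ID = re.compile(r"Req ID:\s*([0-9a-f]+)")
_FBA = re.compile(r"FBA cookie:\s*([^;]+)")


def _parse_record(block: str) -> TmgDenial:
    lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
    head = _HEADER.match(lines[0])
    if head is None:
        raise ValueError(f"not a Denied Connection record: {lines[0]!r}")
    fields: Dict[str, str] = {}
    for ln in lines[1:]:                      # every other line is "Key: value"
        key, _, value = ln.partition(":")
        fields[key.strip()] = value.strip()
    method, _, url = fields.get("Request", "").partition(" ")
    filt = fields.get("Filter information", "")
    fba: Dict[str, str] = {}
    m = _FBA.search(filt)
    if m:                                     # "exists=no, valid=no, ..." -> dict
        for item in m.group(1).split(","):
            k, _, v = item.strip().partition("=")
            fba[k.strip()] = v.strip()
    dest = _ENDPOINT.search(fields.get("Destination", ""))
    rid = _REQ_ID.search(filt)
    return TmgDenial(timestamp=head.group(1), rule=fields.get("Rule", ""),
                     listener=dest.group(1) if dest else "", method=method, url=url,
                     req_id=rid.group(1) if rid else "", fba=fba,
                     user=fields.get("User", ""))


def parse_tmg_denials(text: str) -> List[TmgDenial]:
    """Split a paste of Denied Connection records on blank lines and parse each one."""
    return [_parse_record(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]


def summarize_by_listener(records: List[TmgDenial]) -> Dict[str, Dict[str, int]]:
    """Count HTTP methods per listener: shows which IP:port the denied traffic hit."""
    out: Dict[str, Dict[str, int]] = {}
    for r in records:
        per = out.setdefault(r.listener, {})
        per[r.method] = per.get(r.method, 0) + 1
    return out


def rpc_over_http_fallthrough(records: List[TmgDenial]) -> List[str]:
    """Req IDs of RPC_IN_DATA/RPC_OUT_DATA requests that reached the catch-all Default rule,
    meaning no publishing rule on that listener accepted them."""
    return [r.req_id for r in records
            if r.method in RPC_OVER_HTTP_METHODS and r.rule == "Default rule"]


if __name__ == "__main__":
    recs = parse_tmg_denials(SAMPLE_DENIALS)
    print(summarize_by_listener(recs))
    print("RPC over HTTP requests that hit the Default rule:", rpc_over_http_fallthrough(recs))
```

    Run against the sample, the summary shows all three denials arriving on the single listener at 192.168.1.30:443, and the two RPC-over-HTTP request IDs are flagged; the GET with a (invalid) FBA cookie is left alone because it is the Forms listener behaving as designed.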
  • Thursday, July 29, 2010 3:02 PM
     
     

    Different forum; same answer.

    A single authentication type is tied to a listener, so you need two listeners. This means using two IP addresses, or two discrete ports on the same IP address (the former being the preferred method). You then use a listener with the appropriate authentication type for each of the services you require.

    Cheers

    JJ  


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
  • Thursday, July 29, 2010 3:03 PM
    Moderator
     
     

    You need two listeners to do what you want:

    > 1 Listener for OWA using FBA as Authentication method.

    > 1 Listener for RDG where you allow anonymous.

    You can use the same port (HTTPS - 443 for example) as long as they are using different IPs.


    Yuri Diogenes [MSFT] - http://blogs.technet.com/yuridiogenes
    • Marked As Answer by abuttino Thursday, July 29, 2010 3:11 PM
    • Unmarked As Answer by abuttino Thursday, July 29, 2010 3:13 PM
  • Thursday, July 29, 2010 3:16 PM
     
     

    Actually, before I mark this an answered...

    Is there any way possible to do this with one external IP from the FiOS router?

    Verizon is extremely backed up and it'll take me a month to get them out here.

    I mean 2 externals for TMG and one external for the FiOS router.

  • Thursday, July 29, 2010 3:20 PM
    Moderator
     
     

    There is if you use a different port. Let's say your OWA rule uses HTTPS but on port 444, which means that your users will have to type the address:

    https://mail.company.com:444/owa

    Then use the regular port 443 for your RDG listener.


    Yuri Diogenes [MSFT] - http://blogs.technet.com/yuridiogenes
  • Thursday, July 29, 2010 3:23 PM
     
     
    Well, this turns back into an RDGateway issue then... Because RDGateway will not communicate on any port other than 443.
  • Thursday, July 29, 2010 3:24 PM
    Moderator
     
     
    That's why I said to change the OWA listener, not the RDG. Keep RDG on 443 and change the OWA listener to another port. The only downside of this is that users will have to type the port number in the URL (as I said previously).
    Yuri Diogenes [MSFT] - http://blogs.technet.com/yuridiogenes
  • Thursday, July 29, 2010 3:27 PM
     
     
    What about Outlook Anywhere and ActiveSync?
  • Thursday, July 29, 2010 3:29 PM
    Moderator
     
     Answered
    If they are using the same listener as OWA then you are going to have the same problem as RDG. In other words: if this is your scenario you will need a second IP to use on the second listener.
    Yuri Diogenes [MSFT] - http://blogs.technet.com/yuridiogenes
    • Marked As Answer by abuttino Thursday, July 29, 2010 3:36 PM
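    The constraint the thread converges on can be written down as a small planner: a listener carries one authentication type, so services that need different types need different listeners; a listener is identified by IP and port, so two listeners on one IP must use two ports; and a service whose client cannot be pointed at a non-standard port (RD Gateway, and ActiveSync / Outlook Anywhere when they share the OWA listener) pins its listener to 443. The code below is an added example, not code from the thread or any Microsoft tool; the service definitions, the 203.0.113.x addresses and the alternate port 444 are assumptions modelled on the answers above.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Service:
    name: str
    auth: str                      # authentication the listener must offer: "fba" or "anonymous"
    client_can_specify_port: bool  # browsers can be told ":444"; RDG / ActiveSync / OA cannot


@dataclass
class Listener:
    ip: str
    port: int
    auth: str
    services: List[str]


class PlanError(Exception):
    """The services cannot be spread over the available external IPs and ports."""


# Assumed services, modelled on the thread: OWA users can type a port, RD Gateway only talks
# on 443, and ActiveSync / Outlook Anywhere are assumed to share the OWA listener.
OWA = Service("OWA", "fba", True)
RDG = Service("RDG", "anonymous", False)
ACTIVESYNC = Service("ActiveSync", "fba", False)
OUTLOOK_ANYWHERE = Service("OutlookAnywhere", "fba", False)


def plan_listeners(services: Sequence[Service], external_ips: Sequence[str],
                   standard_port: int = 443,
                   alternate_ports: Sequence[int] = (444,)) -> List[Listener]:
    # A listener has exactly one authentication type, so services group by auth.
    groups: Dict[str, List[Service]] = {}
    for svc in services:
        groups.setdefault(svc.auth, []).append(svc)
    # A group with a client that cannot be pointed at another port must sit on 443.
    needs_standard = {auth: any(not s.client_can_specify_port for s in grp)
                      for auth, grp in groups.items()}
    standard_slots = list(external_ips)                 # one 443 slot per external IP
    alternate_slots = [(ip, p) for ip in external_ips for p in alternate_ports]
    plan: List[Listener] = []
    # Place the pinned groups first so they take the 443 slots.
    for auth in sorted(groups, key=lambda a: not needs_standard[a]):
        names = [s.name for s in groups[auth]]
        if standard_slots:
            ip, port = standard_slots.pop(0), standard_port
        elif not needs_standard[auth] and alternate_slots:
            ip, port = alternate_slots.pop(0)
        else:
            raise PlanError(f"listener for {names} needs port {standard_port} but every "
                            f"external IP already uses it; add another external IP")
        plan.append(Listener(ip, port, auth, names))
    return plan


def one_ip_suffices(services: Sequence[Service]) -> bool:
    """True when the services fit on a single external IP (constructed address)."""
    try:
        plan_listeners(services, ["203.0.113.10"])
        return True
    except PlanError:
        return False


def public_url(plan: List[Listener], service_name: str, host: str, path: str = "/") -> str:
    """The URL users must type, including the port when the listener is not on 443."""
    for lst in plan:
        if service_name in lst.services:
            port = "" if lst.port == 443 else f":{lst.port}"
            return f"https://{host}{port}{path}"
    raise KeyError(service_name)


if __name__ == "__main__":
    for lst in plan_listeners([OWA, RDG], ["203.0.113.10"]):
        print(lst)
    print("OWA + RDG + ActiveSync + OA on one IP:",
          one_ip_suffices([OWA, RDG, ACTIVESYNC, OUTLOOK_ANYWHERE]))
```

    With OWA and RDG alone on one IP the planner reproduces the thread's answer (RDG anonymous on 443, OWA FBA on 444, users typing https://mail.company.com:444/owa); adding ActiveSync and Outlook Anywhere to the OWA listener makes that group port-pinned too, and the plan fails until a second external IP is supplied.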
  • Thursday, July 29, 2010 3:37 PM
     
     
    Thanks for your patience and time on this thread.
  • Thursday, July 29, 2010 3:44 PM
    Moderator
     
     

    You are very welcome.


    Yuri Diogenes [MSFT] - http://blogs.technet.com/yuridiogenes
  • Thursday, July 29, 2010 5:15 PM
     
     

    I would love to figure out how I had this working with TMG once before and now it doesn't because I separated the servers.

    It used to be all on one server.