OWA in TMG
- Hi,
I have a question regarding the TMG 3 beta.
I have a test environment:
DC 192.168.1.10 GW: 192.168.1.1
Exchange 2007 192.168.1.11 GW: 192.168.1.1
TMG Beta3 192.168.1.1 (internal NIC), 10.0.0.176 (external NIC)
Because I don't have any certificate, I want to test the OWA with HTTP, so I created an OWA rule:
Source network: Anywhere
Destination network: mailserver.mydomain.local, and also the IP address of Exchange 2007 192.168.1.1; Public name: All requests; No delegation and clients cannot authenticate directly; Users: All users
Web listener: listens on port 80; Users: All users; Networks: External; Authentication: No authentication.
But when I try to access the OWA from the external net 10.0.0.0 I get the error "page cannot be displayed".
Any idea why this is happening? Or could someone direct me on how exactly to do this the right way?
Thanks,
Shahin
All Replies
- Use the TMG logs and network capture tool to see if the client even communicated with TMG and if so, what was the result of that attempt.
The "page cannot be displayed" error page hides a multitude of problems, making it essentially worthless.
Jim Harrison Forefront Edge CS
- Shahin,
If I understand you correctly you want to use passthrough authentication for now and you want to use HTTP?
On the Listener, under Authentication, Advanced, make sure you check "Allow client authentication over HTTP."
Also, you said above that you have "No delegation and client CANNOT authenticate directly". Try changing that to "No delegation, but client may authenticate directly."
If that is still failing get some captures.
- Hi Keith,
Thanks for your reply.
I did check "Allow client authentication over HTTP." and changed the delegation to "No delegation, but client may authenticate directly.", but I still cannot access the OWA. Any idea?
Thanks,
Shahin
Log type: Firewall service Status: The policy rules do not allow the user request. Rule: Default rule Source: External (10.0.0.173:56548)
Destination: Local Host (10.0.0.176:80) Protocol: HTTP
Additional information - Number of bytes sent: 0 Number of bytes received: 0
- Processing time: 0ms Original Client IP: 10.0.0.173
Shahin
- There may be a problem with your Listener.
Is anything showing up under Alerts as far as Resource Allocation Failure? Is IIS running on the same machine? If it is, stop it, set it to manual, and restart the Firewall Service.
- Hi Keith,
Thanks again for your update.
You are right, IIS is running on the same server. I disabled it and restarted all of the services. Now when I try to access the OWA I get another error, and that is good because it means the ISA accepts the connection on port 80. The error that I get in the browser says:
- Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
P.S. Let me also say this again: we are in the test environment, and because I have no certificate, that is why I am trying to test the OWA with HTTP on port 80.
And the ISA log says:
Denied Connection NTS53 16-9-2009 14:22:14 Log type: Web Proxy (Reverse) Status: 12202 The Forefront TMG denied the specified Uniform Resource Locator (URL). Rule: Default rule Source: External (10.0.0.173) Destination: Local Host (10.0.0.176:80) Request: GET http://10.0.0.176/owa Filter information: Req ID: 164024bb; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% Protocol: http User: anonymous
Additional information - Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
- Object source: (No source information is available.)
- Cache info: 0x0
- Processing time: 1 MIME type:
Shahin
- Shahin, what is in your Public Name tab on this rule? It looks like you are trying to access it by IP address. Make sure that 10.0.0.176 is in your Public Name tab.
- When you ran the publishing wizard, did you select Exchange 2007 Outlook Web Access?
If you selected Exchange 2003, /owa is not part of the paths.
KONAB
- Also, the request is indicated as "http://10.0.0.176/owa".
If the rule "public name" doesn't include that IP address, the request will be rejected (as it should - using an IP address in the public name is asking for a hack attack).
Jim Harrison Forefront Edge CS
Proposed as answer by Jim Harrison IsaDewd, Monday, October 05, 2009 2:21 PM
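As an added illustration (not code from this thread or from TMG itself), a small Python triage helper that parses log entries shaped like the two quoted above and flags the two failure modes the replies walk through: a Firewall service denial on port 80 where no web listener accepted the connection (IIS holding the port), and a Web Proxy 12202 denial where the request host is an IP address that no publishing rule lists as a public name. The sample entries, the field labels and the rule name "OWA publishing" are constructed from the quoted log lines and are assumptions, not a TMG export.

```python
import re
from urllib.parse import urlsplit

# Constructed sample entries shaped like the two TMG log lines quoted in the thread
# (a Firewall service denial and a Web Proxy 12202 denial), plus one allowed request.
SAMPLE_LOG = """\
Denied Connection NTS53 16-9-2009 14:10:02 Log type: Firewall service Status: The policy rules do not allow the user request. Rule: Default rule Source: External (10.0.0.173:56548) Destination: Local Host (10.0.0.176:80) Protocol: HTTP
Denied Connection NTS53 16-9-2009 14:22:14 Log type: Web Proxy (Reverse) Status: 12202 The Forefront TMG denied the specified Uniform Resource Locator (URL). Rule: Default rule Source: External (10.0.0.173) Destination: Local Host (10.0.0.176:80) Request: GET http://10.0.0.176/owa Protocol: http User: anonymous
Allowed Connection NTS53 16-9-2009 14:30:11 Log type: Web Proxy (Reverse) Status: 200 Rule: OWA publishing Source: External (10.0.0.173) Destination: Local Host (10.0.0.176:80) Request: GET http://mailserver.mydomain.local/owa Protocol: http User: anonymous
"""

# Field labels as they appear in the quoted entries; each value runs up to the next label.
FIELDS = ("Log type", "Status", "Rule", "Source", "Destination", "Request", "Protocol", "User")
_LABELS = "|".join(re.escape(f) for f in FIELDS)
_FIELD_RE = re.compile(r"(?P<key>%s): (?P<val>.*?)(?= (?:%s): |$)" % (_LABELS, _LABELS))
_IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_entry(line):
    """Split one flattened TMG log entry into a dict of labelled fields."""
    fields = {m.group("key"): m.group("val").strip() for m in _FIELD_RE.finditer(line)}
    fields["Action"] = " ".join(line.split()[:2])  # e.g. "Denied Connection"
    return fields

def diagnose(fields):
    """Return a triage hint for a Default-rule denial, or None when nothing stands out."""
    if fields.get("Action") != "Denied Connection" or fields.get("Rule") != "Default rule":
        return None
    if fields.get("Log type") == "Firewall service":
        # Dropped at the firewall layer, so no web listener accepted the connection;
        # in the thread this was IIS already bound to port 80 on the TMG host.
        return "no web listener accepted the connection on " + fields.get("Destination", "?")
    if fields.get("Status", "").startswith("12202"):
        url = fields.get("Request", "").split(" ", 1)[-1]
        host = urlsplit(url).hostname or ""
        if _IPV4_RE.fullmatch(host):
            return "request host %s is an IP address; no publishing rule lists it as a public name" % host
        return "request host %s matched no publishing rule's public name" % host
    return "denied by Default rule: " + fields.get("Status", "")

def triage(log_text):
    """Return one hint per entry that needs attention, in log order."""
    hints = [diagnose(parse_entry(l)) for l in log_text.splitlines() if l.strip()]
    return [h for h in hints if h]

if __name__ == "__main__":
    for hint in triage(SAMPLE_LOG):
        print(hint)
```

Running it against the sample prints one hint per denied entry; the allowed request to the published host name produces nothing.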