Forefront Edge Security - Publishing Forum

Cannot open Office documents when publishing Sharepoint through ISA 2006 with OTP/RADIUS

Mon, 03 Aug 2009 12:45:59 Z

Hi all,

This is a bit of a tricky one which is slowly driving me mad. I am not sure whether this is more ISA than Sharepoint but I thought I would start here.

In a nut shell we have published our intranet site externally using ISA 2006 and are authenticating users against a RADIUS server with a token OTP solution. Everything appears to work fine until we try to open/edit a Word/Excel doc and we first are hit my a normal domain authentication prompts before finally after a minute or two of thinking about it Excel and Word both display an embedded (slightly mangled) ISA FBA form in the middle of the document....unsuprisingly this does not work when you try and authenticate.

I understand that this is because when an Office document is open from Sharepoint this is opened in a new Internet session and ISA therefore throws up an HTML Authentication Form again requesting the OTP (along with the AD credentials as we have configured it). In its wisdom it presents the form within the Office document deeming it next to useless.

Our environment is trypically Office 2007, IE7 or IE8. I have tested it on IE6 as well, this just fails to open the document without presenting the embedded form. Testing with the RADIUS authentication off we can successfully open the document, though we still get prompted with an additional authentication prompt which we would like to erradicate if possible to create a seamless user experience.

Any ideas would be much appreciated.

Chris

Routing Internal clients web traffic as original IP to External

Sat, 28 Nov 2009 11:03:44 Z

Hi All,

Following is my network

1. Clients (192.168.150.x) connect TMG on web proxy.
2. TMG (Internal IP: 192.168.200.1 and External IP: 192.168.50.1) ,which has NAT relationship between Internal to external forwards web traffic to Juniper firewall as ISA external IP.
3. But Juniper does not see the clients original IP and thinks its server IP address an routes data to leased line instead of adsl.

my issue is how to route client traffic to adsl and server traffic to leased line

thanks
uady

ISA Error HTML Pages and the 1359 (500) error

Mon, 23 Nov 2009 10:20:19 Z

Hi,

Would appreciate some help on the following please.......

When on ISA 2004 we had been using some modified ISA Error Pages to give some more descriptive/relevant information to users accessing our website for certain errors - this included displaying errors when pages could not be found including when our app was down. We have recently moved to ISA 2006 EE and use Web Farms to load balance and publish the website. It looks like due to this, when the app is now unavailable ISA recognises this due to the connectivity verifiers and publishes - Error Code: 500 Internal Server Error. An internal error occurred. (1359). Is there a way we can intercept this and show the same modified error html page(s) as before or are we stuck with the above error?

Many thanks,
Rich

RD Web Access through ISA 2006

Thu, 12 Nov 2009 14:20:40 Z

Hi

We are trying to access Remote Web Access from Internet. Ther server is Windows 2008 R2 and behind the ISA 2006. I am using Windows 7 client - Remote apps and Desktop connection.

When I try to setup URL https://tsweb.domain.com/RDweb/Feed/Webfeed.aspx I get "An error occured. Contact your system administrator.

I found following log from ISA

Denied Connection
Log type: Web Proxy (Reverse)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: TS Web Access
Source: External (xxx.xx.x.xx)
Destination: (xxx.xx.xxxx.xxx:443)
Request: GET https://servername.domain.com:443/RDWeb/FeedLogin/WebFeedlogin.aspx?ReturnUrl=%2fRDWeb%2ffeed%2fwebfeed.aspx
Filter information: Req ID: 0a6fd796; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=yes, valid=yes, updated=yes, logged off=no, client type=public, user activity=yes
Protocol: https
User: domain\username I just tested accessing URL https://tsweb.domain.com/RDweb/Feed/Webfeed.aspx from external and it gives follwoing error.

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

Note: If I test from internal network I could successfully configure the Remote Apps and Desktop connection wizard and everything works fine.

I guess I'll need to do some configuration on IIS on RD Web Access server.

Please advice

Thanks, Prakash

500 Internal Server Error and active Sync

Sun, 30 Sep 2007 07:08:25 Z

I have an issue with my ISA 2006 server single nic

The ISA server is placed in the DMZ and publish single Exchange 2003 server. OWA, RPC/HTTP and ActiveSync are published successfully

OWA and Outlook RPC over HTTP/S is working fine.

But users are getting some errors while they are using their mobiles

"Technical Information (for support personnel)

Error Code: 500 Internal Server Error. The data area passed to a system call

is too small. (122)"

ISA HTML Logon Times

Wed, 04 Nov 2009 16:03:37 Z

Environment:
Server 2008 x64 Domain Controllers (qty 3)
ISA Server 2006 SP1 Enterprise (qty 2) - running on Windows Server 2003 x86 SP2
ISA configured in single NIC configuration

Issue:
We have a very simple test ISA setup, but would like to roll into production usage at some point. I have a single web listener configured to provide forms based authentication. I have two web publishing rules configured to provide proxying to our internal Exchange Client Access Servers for Outlook Web Access and Exchange ActiveSync. When the web listener is configured with the "Allow users to change their passwords" setting, the logon time increases to approximately 59 seconds. When the web listener is not configured with the "Allow users to change their passwords" setting, the logon time is less than 1 second.

Why does this setting increase the logon times so much? Where can I look at to troubleshoot and determine root cause? Suggestions welcome.

Trevor

Link translation for PerformancePoint dashboards

Mon, 10 Nov 2008 21:37:10 Z

All,

I have a PerofrmancePoint dashboard published on an internal SharePoint server using a web part. The SharePoint server is configured to accept HTTP. I'm publishing this server with ISA 2006 and require all client connections to use HTTPS. So the topology is as follows:

[WEB CLIENT] <-- HTTPS --> [ISA 2006] <-- HTTP --> [ SHAREPOINT (MOSS) ]

Its a pretty straightforward setup and I'm using the SharePoint publishing wizard to make this hapen. However, it looks like PerformancePoint uses absolute URLs for certain dashboard elements. This is bad becuase it prevents many of the controls from working. These absolute URLs are likely found in client-side Javascript (AJAX).

Other folks have run into a similar issue and have solved it using link translation capabilities found in 3rd party applicances, like F5. I want to solve this using ISA 2006, but have been having a hard time figuring it out. I can confirm that I have all the necessary content types enabled for link translation (including application/x-javascript) and link translation is enabled for the publshing rule. I have tried various custom link translations but none seem to work.

What do I need to do to ensure *everyting* in the data stream gets translated from http: to https: so that the client is always using the correct protocol?

Below are some details of what I'm seeing on the client side. You will notice the virtual directory at play here is _wpresources. Interestingly enough, some of that seems to be working for image/gif content types, which are highlighted in green.

1          False    +0.000 s                  0.000 s        GET     (Cache)                     0         image/gif                 https://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/toolbarItemhover.gif
- 00:00:02.059    Home - Adatum Intranet (Count=53, Sent=57.53 K, Received=190.65 K, ElapsedTime=3.635 s)
2          False    +0.000 s                  0.141 s        GET     401                         16.35 K   text/html                 https://adatum.com/default.aspx
3          False    +0.141 s                  0.046 s        GET     304                         2.36 K    text/css                  https://adatum.com/_layouts/1033/styles/core.css?rev=5msmprmeONfN6lJ3wtbAlA%3D%3D
4          False    +0.141 s                  0.046 s        GET     401                         1.26 K    text/html                 https://adatum.com/_layouts/1033/init.js?rev=ck%2BHdHQ8ABQHif7kr%2Bj7iQ%3D%3D
5          False    +0.188 s                  0.046 s        GET     401                         1.26 K    text/html                 https://adatum.com/_layouts/1033/core.js?rev=S5dt4K8TJGVTYU9HrW6enw%3D%3D
6          False    +0.203 s                  0.031 s        GET     304                         2.35 K    application/x-javascript https://adatum.com/_layouts/1033/ie55up.js?rev=Ni7%2Fj2ZV%2FzCvd09XYSSWvA%3D%3D                                                                                                                                                                                                                       7          False    +0.219 s                  0.030 s        GET     401                         3.18 K    text/html                 https://adatum.com/_layouts/1033/search.js?rev=yqBjpvg%2Foi3KG5XVf%2FStmA%3D%3D
   8          False    +0.266 s                  0.015 s        GET     304                         482       text/css                  https://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/ppsDashboard.css
   9          False    +0.266 s                  0.030 s        GET     304                         473       text/css                  https://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/bsm.css
   10         False    +0.266 s                  0.030 s        GET     304                         477       text/css                  https://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/bsmMenu.css
   11         False    +0.281 s                  0.015 s        GET     304                         483       text/css                  https://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/ParameterTree.css                                                                                                                                                                            12         False    +0.312 s                  0.016 s        GET     304                         346       application/x-javascript https://adatum.com/WebResource.axd?d=mCVG8mnkNmX1Ns-A-EjGOA2&t=633351544768437500
   13         False    +0.328 s                  0.218 s        GET     304                         11.30 K   application/x-javascript https://adatum.com/WebResource.axd?d=3WgfFqpkseMrTxpw4reeBQ2&t=633351544768437500
   14         False    +0.344 s                  0.015 s        GET     401                         1.26 K    text/html                 https://adatum.com/ScriptResource.axd?d=TTJgkLM18dS1mcebgiUFPf-w5HQQ_QjU3HObJ7Vjxgcnl15YHUMHHmB2_V2_FmYuvFvnr-Oup9w5_ueI_k0S9z1OsTdEGstb8Zz_55ylM6A1&t=633613878810846148
   15         False    +0.406 s                  0.016 s        GET     401                         1.26 K    text/html                 https://adatum.com/ScriptResource.axd?d=TTJgkLM18dS1mcebgiUFPf-w5HQQ_QjU3HObJ7Vjxgcnl15YHUMHHmB2_V2_FmYuvFvnr-Oup9w5_ueI_k0S94DORph4DfRwsP5qCuciYd1BvrFsLtNOLaaUtN-7cB6I0&t=633613878810846148
   16         False    +0.422 s                  0.015 s        GET     401                         1.26 K    text/html                 https://adatum.com/ScriptResource.axd?d=7E83-fE6t839HHGHys3Zjs-5-EcYiLMejW91rZz0fSR-KbBMTm5z-JGgKcLJkmhHIvuC5Ejz8PHIx4T-Z6z7JiViWFUjDWl3uLPtnwrQbTiwiPnI6Y4X88AgXOo0_oCGSYiu1DpPuOr_yMCevS2RzgBqeX3M1ZFtkzTm3IPRKtGhLemMm8mk-9a9fCHiLfg6OC3CMbyekBuzZSHWvqErJg2&t=633613931471211673
   17         False    +0.453 s                  0.015 s        GET     401                         1.26 K    text/html                 https://adatum.com/ScriptResource.axd?d=7E83-fE6t839HHGHys3Zjs-5-EcYiLMejW91rZz0fSR-KbBMTm5z-JGgKcLJkmhHIvuC5Ejz8PHIx4T-Z6z7JiViWFUjDWl3uLPtnwrQbTiwiPnI6Y4X88AgXOo0_oCGSYiu1DpPuOr_yMCevS2Rzjdy59Vo3EzuLWf2KMdKW75Be_n7iIRYfZbo3tjzFkkMf-2z6TKEjn0ncnBRjYKdzg2&t=633613931471211673
   18         False    +0.468 s                  0.031 s        GET     401                         1.26 K    text/html                 https://adatum.com/ScriptResource.axd?d=7E83-fE6t839HHGHys3Zjs-5-EcYiLMejW91rZz0fSR-KbBMTm5z-JGgKcLJkmhHIvuC5Ejz8PHIx4T-Z6z7JiViWFUjDWl3uLPtnwrQbTiwiPnI6Y4X88AgXOo0_oCGSYiu1DpPuOr_yMCevS2Rzjdy59Vo3EzuLWf2KMdKW75mCc24JZXq-YKAU6PRYd1F-QKtueJF2rziG2I8gIBwBw2&t=633613931471211673
   19         False    +0.531 s                  0.015 s        GET     401                         1.26 K    text/html                 https://adatum.com/ScriptResource.axd?d=7E83-fE6t839HHGHys3Zjs-5-EcYiLMejW91rZz0fSR-KbBMTm5z-JGgKcLJkmhHIvuC5Ejz8PHIx4T-Z6z7JiViWFUjDWl3uLPtnwrQbTiwiPnI6Y4X88AgXOo0_oCGSYiu1DpPuOr_yMCevS2RzjeWd-_zIaJoXLT0otuFGhhZF9mFirhA9HngyOmWi1MFlWWfwWBNanUQnCFBah3MzQ2&t=633613931471211673
   20         False    +0.562 s                  0.000 s        GET     304                         337       image/gif                 https://adatum.com/_layouts/images/blank.gif
   21         False    +0.562 s                  0.015 s        GET     304                         337       image/gif                 https://adatum.com/_layouts/images/menudark.gif
   22         False    +0.562 s                  0.015 s        GET     (Cache)                     337       image/gif                 https://adatum.com/_layouts/images/helpicon.gif
   23         False    +0.562 s                  0.077 s        GET     304                         337       image/gif                 https://adatum.com/_layouts/images/titlegraphic.gif
   24         False    +0.578 s                  0.015 s        GET     304                         337       image/gif                 https://adatum.com/_layouts/images/gosearch.gif
   25         False    +0.578 s                  0.015 s        GET     304                         337       image/gif                 https://adatum.com/_layouts/images/whitearrow.gif
   26         False    +0.578 s                  0.031 s        GET     304                         337       image/gif                 https://adatum.com/_layouts/images/recycbin.gif
   27         False    +0.578 s                  0.031 s        GET     304                         337       image/gif                 https://adatum.com/_layouts/images/Menu1.gif
   28         False    +0.578 s                  0.046 s        GET     304                         337       image/gif                 https://adatum.com/_layouts/images/siteTitleBKGD.gif
   29         False    +0.593 s                  0.031 s        GET     304                         337       image/gif                 https://adatum.com/_layouts/images/topnavselected.gif
   30         False    +0.593 s                  0.046 s        GET     304                         673       image/gif                 https://adatum.com/_layouts/images/siteactionsmenugrad.gif
   31         False    +0.593 s                  0.063 s        GET                                 0         image/gif                 https://adatum.com/_layouts/images/pageTitleBKGD.gif
   32         False    +0.593 s                  0.063 s        GET     304                         337       image/jpeg                https://adatum.com/_layouts/images/topshape.jpg
   33         False    +0.609 s                  0.046 s        GET     304                         337       image/jpeg                https://adatum.com/_layouts/images/navshape.jpg
   34         False    +0.609 s                  0.061 s        GET     304                         337       image/gif                 https://adatum.com/_layouts/images/navBullet.gif
   35         False    +0.640 s                  0.031 s        GET     304                         337       image/gif                 https://adatum.com/_layouts/images/pagebackgrad.gif
   36         False    +0.656 s                  0.031 s        GET     401                         3.23 K    text/html                 https://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/ppsd-throbber.gif
   37         False    +0.671 s                  0.016 s        GET     304                         337       image/gif                 https://adatum.com/_layouts/images/quickLaunchHeader.gif
   38         False    +0.905 s                  0.344 s        POST    ERROR_INTERNET_FORCE_RETRY 27.07 K   text/html                 https://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/RenderingService.asmx/CreateRenderingInstructions
   39         False    +1.342 s                  0.311 s        POST    ERROR_INTERNET_FORCE_RETRY 76.26 K   text/html                 https://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/RenderingService.asmx/CreateRenderingInstructions
   40         False    +3.511 s                  0.015 s        GET     403                         2.26 K    text/html                 http://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/ImageStatusFilter.gif
   41         False    +3.511 s                  0.031 s        GET     403                         2.26 K    text/html                 http://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/ImageCollapseAll.gif
   42         False    +3.526 s                  0.031 s        GET     403                         2.26 K    text/html                 http://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/ImageExpandAll.gif
   43         False    +3.526 s                  0.063 s        GET     403                         1.02 K    text/html                 http://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/ImageDefaultRollup.gif
   44         False    +3.526 s                  0.016 s        GET     403                         2.26 K    text/html                 http://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/ImageWorstChild.gif
   45         False    +3.526 s                  0.016 s        GET     403                         2.26 K    text/html                 http://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/ImageIndicatorCount.gif
   46         False    +3.526 s                  0.046 s        GET     403                         2.26 K    text/html                 http://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/icon.filtermode.gif
   47         False    +3.526 s                  0.078 s        GET     403                         2.26 K    text/html                 http://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/minus.gif
   48         False    +3.542 s                  0.061 s        GET     403                         2.26 K    text/html                 http://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/IndicatorImage.aspx?id=6c5da588-2f57-4ab6-ae75-ce135347978d&band=2
   49         False    +3.557 s                  0.046 s        GET     403                         2.26 K    text/html                 http://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/IndicatorImage.aspx?id=c51c9d42-dbba-4460-b6be-e944eaf3acbf&band=3
   50         False    +3.557 s                  0.015 s        GET                                 0         (None)                    http://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/IndicatorImage.aspx?id=ce0a7f56-5cc1-41ee-ba6b-9e5c13e335db&band=2
   51         False    +3.557 s                  0.046 s        GET     403                         2.26 K    text/html                 http://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/IndicatorImage.aspx?id=6c5da588-2f57-4ab6-ae75-ce135347978d&band=3
   52         False    +3.573 s                  0.047 s        GET     403                         2.26 K    text/html                 http://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/IndicatorImage.aspx?id=39d4ee5d-6e2d-4c8f-86e3-11e5ef9599a6&band=5
   54         False    +3.589 s                  0.031 s        GET     403                         2.26 K    text/html                 http://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/IndicatorImage.aspx?id=3a930edc-8979-40c4-9808-dacc8555351b&band=3
   55         False    +3.604 s                  0.031 s        GET     403                         2.26 K    text/html                 http://adatum.com/_wpresources/Microsoft.PerformancePoint.Scorecards.WebParts/3.0.0.0__31bf3856ad364e35/IndicatorImage.aspx?id=6c5da588-2f57-4ab6-ae75-ce135347978d&band=1

:: Travis Nielsen

TMG HTTP web publishing

Fri, 28 Aug 2009 16:37:50 Z

Greetings All,

inside server|TMGB3|Perimeter|Cisco ASA-5510|Internet
I deleted the Perimeter network that the installation wizard created so now everything on the outside is considered External.

I installed tmg beta 3 and created a web publishing rule for HTTPS and that works fine. Now I want to publish my CRL pages so I need to create an HTTP web publishing rule for that. I create the rule and the rule gets ignored. All I see in the logs is:

Denied Connection XXXSS03 8/28/2009 9:22:47 AM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: External (72.25.192.4:28783)
Destination: Local Host (172.16.0.10:80)
Protocol: HTTP

I guess I am missing something somewhere. Is there something special that needs to be done to allow HTTP inbound beyond the creation of a web publishing rule?

Also: Is this the only place to get support for TMG?

Thanks for any help, Anthony Murfet

tmurfet

Help

Mon, 02 Nov 2009 15:34:17 Z

I need some or any programs like isa server do you know about this?

Publish additional external website through Forefront Edge Security

Sat, 17 Oct 2009 16:49:47 Z

Hi experts,

I have recently switched from SBS 2003 premium to following setup:

EWBS 2008 with Management, Securits and Messaging Servers (obviously ;-) ). The WEBS is an clean, new install on new hardware, the "old" SBS 2003 is still up'n running, though disconnected from the external network and also physically separated from the new WEBS network. On WEBS, OWA & sharepoint-publishing work fine, I don't know of any major errors or misconfiguration.

This said, I have one problem though which I haven't been able to figure out. We used to host another, additional website with some further information for customers (site2.dyndns.org). On the new WEBS-setup, I have copied the website-files to the Messaging Server and added the site there in IIS manager. Furthermore, I have added a Website Publishing rule on the Security server in Forefront TMG. I have configured everything like I used to have on my "old" ISA 2004, but I simply can not access the site from the internet. Since I have spent the last two days trying out, it's useless to state here the many things I have tried to get this to work.

Maybe some expert here can lead me through the necessary steps & settings to get this to work.

ANY help is greatly appreciated,

thanks & greetings from Southern Germany

Mark

Denied Connection - 12232

Wed, 14 Oct 2009 11:03:34 Z

Hi,

We have a web publishing rule that has worked fine for weeks/months. For the last few days the external application that regularly connects to our internal application via https POSTS (for which we have a web publising rule) I've noticed is getting a "Denied connection - 12232 The Server denied the specified URL" in our ISA. The URL in the error log seems to be correct (the domain name is correct as per the listener and public name tabs and the path match that in the path tab, all be the case does not match but it never has and I believe ISA does not bother about case sensitivy in the path).
Nothing has changed on our ISA server (connectivity verifiers to our back end servers all seem ok). The publishing rule does apply to a user in our AD that has a client certificate associated to it for when the source application connects to it - this cert hasn't expired.

Is there any other 'debugging' I can do or other ISA logs I can interrogate (the above errors are from the ISA monitoring section of ISA).
Also, when the denied connection is getting hit saying 'the server' denied the URL, is ISA 'the server' that is doing the denial or the destination server?

Many thanks

Allowing POP3-access through Forefront TMG

Sat, 17 Oct 2009 17:08:11 Z

Hi experts,

I have recently switched from SBS 2003 premium to WEBS 2008.

Besides sending and receiving our regular company mails with exchange, we have some legacy mail accounts with our old provider, which we used to pull through the SBS PO3-connector and route to the corresponding exchange mail boxes (one POP3-account to one Eschange-user). According to my knowledge, WEBS lacks the POP3 connector I knew from SBS, but I have found a third-party-tool to do the job. The tool (Pullution from Sodacore) is installed on the Messaging server, and I have defined an access rule in Forefront TMG on the Security server to allow POP3-traffic to and from the Messaging server. However, Pullution can't connect through to pop.provider.de, no matter how I configure the access rule on the Security server (currently, I have copied the rules for SMTP and modified the protocoll). I used to have a similar rule on our ISA 2004 on the SBS to allow certain clients to collect POP3 through Outlook, so I don't really know why this rule on FTMG doesn't work.

Maybe some expert here can lead me through the necessary steps & settings to get this to work.

ANY help is greatly appreciated,

thanks & greetings from Southern Germany

Mark

PS: And yes, I know about the downsides of PO3, please no discussion about it - it's a political decission that "we have to" keep the old mail accounts.

ISA 2006 Reverse proxy and user (x.509) certificates

Fri, 16 Oct 2009 20:55:33 Z

We need to publish an internal system that will require a user (x.509) certificate for authentication.

Is there anything special we need to do on the ISA publishing rule to ensure the requests/responses for the user certificate get passed appropriately?

Publishing TS Webaccess / TS 2006Gateway with ISA

Sat, 10 Oct 2009 17:21:51 Z

Hello

I have a TS Gateway with TS Webaccess Role on a Windows Server 2008 sp1. We have anoter TS Server which has Windows 2008 sp1 installed. We have published multiple application on the TS Webaccess pages. From the LAN everything works fine.
Now we would like to publish the TS Webaccess to the Internet vis ISA 2006. We would like to authenticate on the weblistener with a smart card and then start the application on the TS Gateway with a second login.Unfortunaltey I can not achieve this.
I configured the listener for SSL Client Authentication and defined the Web Publishing Rule under the Users Tab to grant access to all authenticated Users. The setting for the delegation ist set to No delegation, but client may authenticate directly. This szenario works, when the TS Webaccess Page Authentication is set to anonymous enabled.

After authentication with the smart card to access the TS Webaccess Page
I start a TS Webaccess Application and get immediatly the following error message:
"The computer can't connect to the remote computer because the Terminal Services Gateway server is temporarily unavailable. Try reconnecting later or contact your network administrator for assistance"

When i check the ISA Monitor I can see that the ISA blocks this traffice, because it is not authenticated

I have already checked different articles and blogs in the internet and on technet: http://technet.microsoft.com/en-us/library/cc731353(WS.10).aspx
but could'not help.

Maybe I'm running in the wrong direction and my szenario is no supported.
Can somebody help me - Thanks in advance.

Best Regards - Bueschu

Bueschu

WCF NET.TCP Through ISA 2006

Tue, 13 Oct 2009 17:29:50 Z

I'm currently working on a proof of concept for a application that has been written to use the NET.TCP protocol using WCF. We're currently looking at configurations that would allow us to make those URL's (net.tcp://external.host.name:8820/Blah) available externally and then allow them to connect through to the internal host using the ISA basically as a port proxy. I currently have our ISA system configured using a Perimeter configuration. I've defined the new protocol as well as a non-webserver publishing rule. In the firewall logs I basically get the following:

8820 Unidentified IP Traffic (TCP:8820) Denied Connection Default rule 192.123.123.160  External Local Host

The configuration we have would basically result in the external hostname resolving to the Perimeter IP address on the ISA. Internally the IP on the second network interface in the ISA is in the internal range of IP's. The ISA internal IP is on the same subnet as the internal server hosting the WCF services. Based on the error in the log I'm under the assumption that the ISA is not really listening to port 8820 despite the listener configuration that is setup to do so. Any connection (external or otherwise) basically results in a failure and it never picks up the correct firewall rule that has been defined.

I've yet to really find a net.tcp example configured through an ISA to work from. This is my first real in depth exposure to the ISA itself, so if I've made some newbie mistake feel free to let me know where I likely went wrong in the configuration.

Thanks in advance.

ISA 2006 Routing Problem

Wed, 14 Oct 2009 09:40:26 Z

Have ancountered a problem with routing traffic from ISA 2006 (LocalHost) to Publish Server. Example: Exchange 2007 forwards traffic to a Public IP address, this intern is NATTED from our ISP to ISA's external NIC (Exchange is able to send External and Internal Outbound mail but unable to recieve External Inbound Mail). I can see the traffic hitting the box but am unable to forwards the traffic from the Local Host to the Published Server (Sitting behind ISA), This problem is persistant with all existing NAT translations that existed on our Linux Firewall. This problem also occurs when traffic cannot be routed from the LocalHost ISA to our Internal Web Server.

Your urgent assistance is need to resolve this problem.

allow http https requests from isa server to specified sites

Tue, 13 Oct 2009 16:57:52 Z

when I tring to conect to my mail web site ( https://mail.*****.com:9068 ) direct from router it is open but behiend ISA it is not open.

so how can allow http https requests from isa server to specified site

client (HTTP, HTTPS Request) ---------> ISA server ---------> https://mail.*****.com:9068 ????????????

* My ISA version 2004 with last update and worked as a web proxy

OWA in TMG

Mon, 14 Sep 2009 12:24:55 Z

Hi,

I have a question regarding the TMG 3 beta,

I have a test enviorment:
DC                      192.168.1.10 GW:192.168.1.1
Exchange 2007     192.168.1.11 GW:192.168.1.1
TMG Beta3            192.168.1.1 (internal NIC) , 10.0.0.176 (external NIC0

becuse I don't have any certificate, I want to test the owa with http: so I did create an owa rule:

source network: anywhere
destenation network: mailserver.mydomain.local, and also use the IP address of exchange 2007 192.168.1.1, public naame: All request, No delegation and client can not autenticate directlly, and users: All users
weblistener: listen on port 80, users: all users, networks: external, autentication; no autentication.

but when I try to access the owa from external net 10.0.0.0 I get the error page cannot display.

Any idea why is this heppeing? or could some one direct me on how exactly to do this in right way?

Thanks,

Shahin

Shahin

Problem publishing a non-web server with ISA 2006

Mon, 28 Sep 2009 19:18:30 Z

Hello,

I run ISA Server 2006 with SP1 which has 3 network interfaces - Internal, External and Perimeter. Internal is a network with public addresses, Perimeter is a private network. Network rules are Internal to External - Route, Perimeter to External - NAT.

I need to publish a RDP server which is in the Internal network to the Internet. I have done the following:

1. Access rule from ISA Server (Localhost) to Internal RDP Server. Outbound RDP (Terminal Services). Applied and tested - I can open RDP session to the Internal server from ISA Server console.
2. Access rule from External to ISA Server (Localhost). Outbound RDP (Terminal Services). Applied.
3. Non-web server publishing rule. Properties are as follows. Traffic: RDP (Terminal Services) Server. From: Anywhere. To: Internal server IP address; Requests appear to come from the original client. Networks: External. Schedule: Always.

For my test Terminal Services at the ISA Server were disabled - nothing listened to tcp:3389 before the ISA rules were configured.

Everything is applied. Now I try to connect with Remote Desktop client to ISA Server external interface. I don't get connected. telnet ISA_Server_external_interface 3389 promptly (no timeout) returns Connect failed error. At the same time ISA Server monitor logs 3 successful pairs of Initiated Connection / Closed Connection events. Network sniffer shows 3 SYN packets followed by ACK-RST packets. So, the ISA Server actively refuses the connection. Why?

Tried the same setup with a RDP server located inside the Perimeter network - it works fine.

What could be the problem? Any ideas are appreciated.

The OS is Windows Server 2003 SP2. I have other publishing rules on the same server, all of them are web servers from both Internal and Perimeter networks - they work fine. Only the non-web publishing doesn't work.

Alex

how to install certificate

Thu, 17 Sep 2009 12:52:34 Z

Hi,

We have a test domain with Exchange 2010 and ISA TMG beta3, the internal domain mydomain.local, external domain www.mydomain.com.
I got a SSL certificate mail.mydomain.com, now can some one direct me to an step-by-step doc on what should I do next?

Thanks,

Shahin

Shahin

ISA Block Legitimate LDAP traffic form Exchange 2003 in DMZ

Mon, 14 Sep 2009 14:25:39 Z

Hello
i have a situation with Exchange 2003 /windows 2003 in a three way DMZ scenario - one NIC to the LAN, one to the DMZ and one fo Internet Access (DMZ access LAN by Routing, not by publishing)
sometimes Exchange stop working and investigating i find that ISA block LDAP TCP traffic, both on port 389 that on 3268. UDP Traffic is not blocked.
sometimes this block cause also the block of oll the traffic from the DMZ Exchange Server and the only way to solve this is a restart of Exchange and Isa Service on respetcive machine.
when this happen in the event viewer of ISA Server Machine i find:

The number of concurrent TCP connections from the source IP address 192.168.2.2 exceeded the configured limit. As a result, ISA Server will not allow the creation of new TCP connections from this source IP. This IP address probably belongs to an attacker or an infected host. See product documentation for more info about ISA flood resiliency.

what can be the cause? is a exchange or a isa Issue?
why ISA truncate GOOD LDAP TCP traffic ?

Davide Gatta

ISA 2006 Perimeter Template - Is Proxy ARP supported?

Wed, 16 Sep 2009 18:01:01 Z

I need to publish some services using the Perimeter (3 leg) DMZ configuration and the services I am publishing must have public addresses (no NAT). I currently have single /28 block of public addresses. Does ISA 2006 support Proxy ARP and allow me to divide my /28 block into two /29 subnets (with one on the Internet interface and one on the Perimeter interface - and Proxy ARP "hiding" the fact that I have subneted from my ISP) or do I have to obtain a second public block of IPs from my ISP and have them route the new block through external IP of the ISA server?

ISA 2004 published OWA producing a 403

Tue, 15 Sep 2009 09:22:10 Z

I have setup the publishing of Outlook Web Access through our ISA 2004 box. The name it is publishing OWA under is different from that of the certificate as we wish to ensure the connection works prior to replacing the existing setup (which is using the certificate name).

The rule is setup to publish using HTTPS but pass connections through to the Exchange server using HTTP (one step at a time and all that). Connections are received by owa2.domain.co.uk but then passed on to owa.domain.co.uk, an entry exists in the hosts table for this.

Attempts to connect first produce an expected certificate warning, but upon choosing to continue a 403 Forbidden error crops up

The logs on the ISA server look as follows

Original Client IP	Client Agent	Authenticated Client	Service	Server Name	Referring Server	Destination Host Name	Transport	MIME Type	Object Source	Source Proxy	Destination Proxy	Bidirectional	Client Host Name	Filter Information	Network Interface	Raw IP Header	Raw Payload	Source Port	Processing Time	Bytes Sent	Bytes Received	Result Code	HTTP Status Code	Cache Information	Error Information	Log Record Type	Log Time	Destination IP	Destination Port	Protocol	Action	Rule	Client IP	Client Username	Source Network	Destination Network	HTTP Method	URL
82.133.108.155				ISA2004BOX	-		TCP	-						-				13644	0	0	0	0x0 		0x0	0x0	Firewall	15/09/2009 10:09:02	172.172.172.172	443	HTTPS	Initiated Connection		82.133.108.155		External	Local Host	-	-
82.133.108.155				ISA2004BOX	-		TCP	-						-				13644	2000	712	1782	0x80074e20 FWX_E_GRACEFUL_SHUTDOWN		0x0	0x0	Firewall	15/09/2009 10:09:04	172.172.172.172	443	HTTPS	Closed Connection		82.133.108.155		External	Local Host	-	-
0.0.0.0	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)	No	Reverse Proxy	ISA2004BOX		owa2.domain.co.uk	TCP			-	-		-	Req ID: 02b70e13 	-	-	-	0	1	2264	573		12202 The ISA Server denied the specified Uniform Resource Locator (URL). 	0x0	0x0	Web Proxy Filter	15/09/2009 10:09:06	172.172.172.172	443	https	Denied Connection	Default rule	82.133.108.155	anonymous	External		GET	http://owa2.domain.co.uk/
82.133.108.155				ISA2004BOX	-		TCP	-						-				13645	0	0	0	0x0 		0x0	0x0	Firewall	15/09/2009 10:09:06	172.172.172.172	443	HTTPS	Initiated Connection		82.133.108.155		External	Local Host	-	-
82.133.108.155				ISA2004BOX	-		TCP	-						-				13646	0	0	0	0x0 		0x0	0x0	Firewall	15/09/2009 10:09:06	172.172.172.172	443	HTTPS	Initiated Connection		82.133.108.155		External	Local Host	-	-
82.133.108.155				ISA2004BOX	-		TCP	-						-				13645	0	397	294	0x80074e20 FWX_E_GRACEFUL_SHUTDOWN		0x0	0x0	Firewall	15/09/2009 10:09:06	172.172.172.172	443	HTTPS	Closed Connection		82.133.108.155		External	Local Host	-	-
82.133.108.155				ISA2004BOX	-		TCP	-						-				13646	2000	1067	2703	0x80074e20 FWX_E_GRACEFUL_SHUTDOWN		0x0	0x0	Firewall	15/09/2009 10:09:08	172.172.172.172	443	HTTPS	Closed Connection		82.133.108.155		External	Local Host	-	-
82.133.108.155				ISA2004BOX	-		TCP	-						-				13621	0	0	0	0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED		0x0	0x0	Firewall	15/09/2009 10:11:40	172.172.172.172	80	HTTP	Denied Connection		82.133.108.155		External	Local Host	-	-

Adding the Exchange server to the ISA's allowed sites shows that it is able to successfully make the connection to that server on port 80.

I'm unsure why the connection attempts are falling to the default rule.

exchange 2010 and TMG

Mon, 14 Sep 2009 12:55:14 Z

Hi,

We try to publish Exchange 2010 in TMG beta 3, but on the page where we can select the exchange server, there is no exchange 2010, only exchange 2007, 2003, 2000 and 5.5.

can I use Exchange 2007, to publish exchange 2010 OWA?

Shahin

ISA 2006 publishing Servers

Sat, 12 Sep 2009 09:21:59 Z

Hi, I have just built an ISA2006 SP1 Server Standard Edition
I have assigned 10.10.X and 10.140.x to the internal network and the last Interface is External.
I have created an Inbound network rule from the External Interface to both the Internal Interfaces with a network relationship of Route.
I have created a Friewall rule policy to allow RDP Server protocol (inbound) from External to Internal networks.
I have tested the rule using the Traffic simulator and it returns a success feedback.
Thought all of the above was done, I still cannot access my internal server via RDP.
Can you tell me if I have left something out?

ISA 2006 Custom Login Pages using Single Network Adapter Template

Tue, 01 Sep 2009 11:37:16 Z

We're trying to publish various SharePoint sites through ISA 2006 configured to use the 'Single Network Adapter' template. Ideally, we'd like to show a branded login page (e.g. different corporate logo, etc) for each different published URL.

Following the steps in "Customizing HTML Forms in ISA 2006" (technet.microsoft.com/en-us/library/bb794733.aspx) we created our customized pages. In ISA we've tried having the pages being triggered using the "Use Custom Form" area of the Publishing Rule. Once a custom form has been set, the customized login page shows up for all URL's passing through ISA, regardless of whether they have the "Use Custom Form" setting configured or not.

The most confusing thing is that if I switch ISA to use the "Front Firewall" Network Template, leaving all the other settings unchanged, things work perfectly. I'm unable to find any documentation that says custom forms don't work when using the Single Network Adapter template so I'm hoping someone here can shed some light.

Cheers.

Limit the number certificates shown in the client certificate prompt when published through ISA 2006?

Thu, 10 Sep 2009 03:09:31 Z

I'm using smart card authentication and login for everything on my domain. Each smart card has 3 certificates loaded on it (ID Cert, Email Signature Cert and Encryption cert). Currently, I have a MOSS farm published through ISA 2006 that is doing all of the Smart card authentication via KCD which is all working correctly. When the site prompts for the client certificates, I am shown 2 possible certs.. the ID cert and the Signature cert. Both will work and allow access to the site, if configured correctly. What I would like to accomplish is to only show the ID certificate to the user instead so they don't see another certificate option.

I've looked through IIS and ISA settings, but have not seen anything thus far. Curious if there was a way for ISA to filter the list of if this is strictly a client thing.

Thanks!

OWA2003 not authenticating blank password

Thu, 02 Apr 2009 06:40:26 Z

Hi

OWA 2003 is published through ISA 2006. From external OWA does not authenticated user with no/blank password but internally it allows.
Users with passwords have no problem in accessing it.

Any help would be appreciated.

Thanks
Harpreet

Can't edit Filtering on published web server

Tue, 08 Sep 2009 15:24:40 Z

We are running ISA 2006 as an edge firewall and web proxy. I'm trying to enable High Bits for URLs on a published web server, but neither the "Configure HTTP" context menu is available for the firewall rule, nor is the "Filtering" button enabled on the Traffic pane of the rule's properites dialog (Traffic is using the defalut HTTP protocol.) How can I get to the dialog that has the checkbox for contolling the high bits?

Thanks

Active Sync Publishing problem with ISA 2006

Mon, 07 Sep 2009 06:19:46 Z

Dear all,

I have a problem regarding publishing Active Sync with ISA Server with single NIC and Exchange 2003.
On the first firewall only https to the ISA server is allowed. On the second Firewall only https from the ISA Server to the Exchange Frontend Server is allowed.
The ISA server is not a member of the domain.
The following picture is an overview of the problem:

If I now try to connect with an Active Sync mobile, I see in the log, that the mobile tries to connect to the exchange server with the user "anonymous". My question is now, what do I have to configure, that it works without problems. At the moment I used the publishing template from the ISA server. I have also a valid certificate for the ISA server for the external DNS entry. Do I have to have a valid certificate for the Exchange frontend on the ISA server? I imported the computer certificate from the Exchange server on the ISA server.

Thank for your help, Nils

edit: I just have seen, that now the ISA server denies all connection coming from my mobile with the default rule (https denied) although I have created the web listener with basic authentication and also the publishing rule for the active sync.

edit: I just solved the problem with the denied connection, but now my mobile is showing the folling error described in this KB article: http://support.microsoft.com/kb/919864/en-us Is it possible to solve the problem with this hotfix?
Although the ISA server logs the following: http://XXX/Microsoft-Server-ActiveSync?User=XXX&DeviceId=E1502EXX3CF40&DeviceType=PocketPC
The mobile is giving a username, why does the log on the ISA server say "Client Username=anonymous"?

edit: If I run the TestExchangeConnectivity, the following error occurs: "An HTTP 500 was returned to ISA because the certificate on the published server doesn't match the name in the publishing rule." I have imported the certificate from the Exchange frontend on the ISA server. Which name in the publishing role is meant by the error?

ISA 2006 Denied Connection

Mon, 07 Sep 2009 04:58:52 Z

Hi
i am geting following Log monitoring

192.168.255.255 137 NetBios Name Service Denied Connection Default rule 172.16.x.x

Team Leader

Publish OWA

Tue, 01 Sep 2009 14:35:33 Z

Hi,

I want to publish OWA of exchange 2007 through ISA 2006, I don't have any trusted Certificate, could any one direct me to a tutorial on how to do this with self creating CA?

Thanks,

Shahin

Shahin

Publishing sites with single IP

Tue, 01 Sep 2009 09:10:57 Z

Hi,

we are in testing face of ISA 2006, in a test envoirmant, I did setup a network with 4 servers, one is 2008 R2 DC and DNS the secound server is a member server with Exchange 2007 SP1 and the 3rd server is 2008 R2 with ISA 2006 SP1, the ISA has 2 NIC's the external nic has just one public IP (39.1.1.1.) the 4rd server is a mamber server that is a webserver.

we have 4 diffirent websites 2 on the exchange server (just for testing purpose) and 2 on the webserver, we want to access these website from external netwerk (internet), is it possible to publish these 4 websites that are on 2 diffirent servers just useing a single Public IP of external NIC?

Thanks,

Shahin

Shahin

ISA2006 publishing Windows Media Services.

Mon, 31 Aug 2009 12:03:50 Z

Hi all,

I hope some of you can help me with the following:

I have a Sharepoint Farm published by ISA2006. This works great and everything runs as expected.
We recently setup a Windows Media Server on Server 2008 and and use this to publish videos on Sharepoint.
I've used the publish a server wizard to publish the RTSP protocol and it works no problem.

Now my question:

How can i authenticate users on this machine? When the server is published you can just type in the URL for the movie and it works, this is not something i want.
I want it to only play movies when people are authenticated by ISA. Using digest or NTLM auth on the streaming server results in a login window popup. This is less than ideal.

My thinking is as follows:

User logs into sharepoint using ISA FBA.
These credentials should also be used to authenticate on the WMS server. ie no login popups.

Anybody know what i need to do to get this working as seamlessly as possible?

Kind regards,

Kor

PUblishing to specific private IP for an IPSEC VPN partner

Sun, 16 Aug 2009 20:56:45 Z

I have an edge only two member load balanced ISA 2004 EE array with only internal and external interfaces. I have a partner site that I need to create an IPSEC VPN tunnel with. They route to a network that has the same IP scheme that I have on my internal LAN, so we will need to NAT to each other. He is going to NAT his side behind a 150.30.0.0/16 and needs me to NAT behind 10.163.195.16/29 (this range works for me).

I've created many IPSEC VPNs before but none where the other side routed to a network with the same IP scheme as ours. I've never published a server to a private IP address. The only thing I've published was my e-mail server to a public address.

How do I publish an internal server to a specific private IP address for an IPSEC VPN partner site to access? I'm assuming I will need to add an IP address to one of the NICs? If so which one, the external or internal? I guess I'll need to set up a NAT route rule between the VPN network and my internal?

Any help would be appreciated.

Oh, I forgot to mention; this is not a web publishing rule, but needs to be a server publishing rule for a protocol that I will define.

Leonard McCoy

Publish OWA on ISA 2006 with HTTP and not HTTPS

Mon, 31 Aug 2009 14:08:10 Z

Hi,

We are going to deploy ISA 2006 in our enviorment, I have to publish our exchange server 2007 for using OWA, I did check the net and every where talking about publishing with SSL, but we dont have a CA or lets say, we do not need any CA, and we want to access the OWA just with HTTP, could some one direct me to some tutorial on how to publish OWA throuw HTTP instead of HTTPS.

Thanks,

Shahin

Shahin

ISA 2006 SSL Bridging

Tue, 04 Aug 2009 05:10:05 Z

Hi all.

This moment I try to publish OWA using SSL Bridging, but when I check the option "Use certificate to authenticate to the SSL Web Server" and then click the option "Select" I get this messages "No valid certificate were found on the servers in this arrays". Please help me... How to create this certificate to complete this procedure. I was reading some articules and these mention about server certificate for ISA 2006, I guest this certificate is different that web listener? How to create this server certificate for ISA 2006?

please give me any idea.

thks.

The security certificate presented by this website was not issued by a trusted certificate authority.

Tue, 18 Aug 2009 06:30:37 Z

HI. I am using ISA 2006 with windows 2003 std sp2. I published a website on the server with https but get the error above. when i surf the website on the webserver it works fine but not when i surf it from the isa server or external. When I test the rule it give me the error below:

Testing URL https://myhost.mysite.com:6443/
Category: Published server certificate error
Error details: 0x80090325 - The certificate chain was issued by an authority that is not trusted.
Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965

The site is published on port 6443 on both the isa server and the web server. The digicert root authority certificate is installed in the "trusted root authority ceritifcates" container on both servers. The certificate *.mysite.com is installed on the "personal" container on both servers and on the IIS website on the webserver.

Any ideas are welcome. thank you.

Morné Fourie AFRIDATA.net Cell: +27 83 283 5893 Office: +27 83 283 5893 Fax: 086 658 5062 Email: morne@afridata.net

2 factor authentication for SharePoint Server 2007 publishing

Tue, 04 Aug 2009 08:05:51 Z

Hi All
I need to publish SharePoint Server 2007 using 2-factor authentication (certificate for computer and FBA for user). Does ISA or TMG provide this functionality or not?

MCSA, CCNA

Can't dis-able forms based authentication on exchange and have OWA work as well

Wed, 12 Aug 2009 14:49:19 Z

Hi,

I set up our OWA and all was working well until an application my company developed for internal use lost some functionality. I discovered the problem was that i had disabled the forms based authentication on exchange 2003 for the OWA to work through isa 2006, naturally you can see that with it enabled the App works and OWA doesn't and the opposite occurs when FBA is disabled. Is there a way around this? I have read that you can disable FBA on isa but that it won't help my OWA not working.

Any help would be appreciated