All external access broken after upgrading to ISA 2004

Discussion in 'Windows Small Business Server' started by Steve Everington, Aug 8, 2005.

  1. Hello,

    I have just upgraded my SBS 2003 premium edition to ISA 2004 and it appears
    to have broken my OWA access for external clients (it still works ok from
    PC's on the internal network) and the web sites I am hosting.

    Externally, users just get an error 403 Forbidden message if they enter any
    URL that points to my server.

    Any suggestions much appreciated!

    Regards

    Steve Everington
     
    Steve Everington, Aug 8, 2005
    #1

  2. Hi Steve,

    I'll guess that it's a certificate issue. (as in, didn't save the previous
    cert). What happens if you run CEICW, elect to generate a new cert, and then
    install that cert on a client machine?
     
    Les Connor [SBS Community Member - SBS MVP], Aug 8, 2005
    #2

  3. Dear Steve:
    Thank you for posting here! Hi Les, thanks for your suggestion!

    Based on my experience, this issue can occur if the URL you use in the Web
    browser to access OWA, RWW and other web sites does not match the name
    in the ISA Server 2004 web publishing rules. To resolve this issue, we must
    run CEICW and specify the FQDN that you will use to access the sites as the
    web server certificate. To do so:

    1. On the SBS 2003 Server open the Server Management console. Go to
    Standard Management\To Do List.

    2. Click the "Connect to the Internet" link.

    3. Choose not to change the connection type and click Next. On the Firewall
    page, select "Enable firewall" and click Next (I suppose you have 2 network
    adapters in SBS 2003).

    4. On the "Services Configuration" page, select all the items and then
    click Next.

    5. On the "Web Services Configuration" page, make sure "Allow access to the
    entire Web site from the Internet" is selected. If you select "Allow access
    to only the following Web site services from the Internet", make sure both
    the "Outlook Web Access" and "Remote Web Workplace" items are selected.
    Click Next.

    6. On the "Web Server Certificate" page, choose to create a new Web server
    certificate and then type the public FQDN that you will use to access OWA
    (for example, if your public FQDN that you use to access the sites is
    mail.domain.com, you should type mail.domain.com as the new certificate
    name). If you already requested a certificate with the name
    "mail.domain.com" from a third party CA, you can choose "Use a Web server
    certificate from a trusted authority" and then import the certificate.

    7. Go through the remaining steps. The wizard will automatically configure
    the SBS 2003 Basic Firewall to securely publish the two sites.

    8. If you have a router or hardware firewall, configure it to forward
    inbound traffic on TCP port 80 and 443 to the SBS server's external
    address.

    9. Then check if you can access OWA and RWW using
    https://mail.domain.com/exchange and https://mail.domain.com/remote.

    For more information regarding this problem, see:

    842612 You receive a "403 Forbidden" message when you try to connect to a Web
    http://support.microsoft.com/?id=842612

    Please do not hesitate to let me know if you have any further concerns. I
    look forward to hearing from you.

    Have a nice day, Steve! :)

    Best Regards
    Edward Tian(MSFT)
    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security
    ======================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.
    ======================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.

     
    Edward Tian, Aug 9, 2005
    #3
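
A check for step 9 of the reply above, added here as an example and not part of the original thread: it compares the host name in each URL a user would type against the names on the web server certificate, which the reply says must be the public FQDN. The certificate dict, the IP address and the short server name are constructed samples, and `fetch_cert` is a hypothetical helper for a live check.

```python
import socket
import ssl
from urllib.parse import urlsplit

def cert_dns_names(cert):
    """Names in an ssl getpeercert() dict: SAN DNS entries, else the subject CN
    (certificates of this era usually carry only a CN)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return [n.lower() for n in names]

def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard standing for exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def check_url(url, cert):
    """Return (host, ok): is the host typed in the URL a name on the certificate?"""
    host = urlsplit(url).hostname or ""
    return host, any(name_matches(n, host) for n in cert_dns_names(cert))

def fetch_cert(host, port=443, timeout=5):
    """Live fetch (not used by the sample run). The chain is still validated, so
    a self-signed CEICW certificate must already be trusted on this client; only
    the built-in name check is off, so a mismatch is reported, not raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample: certificate issued for the thread's example FQDN.
SAMPLE_CERT = {"subject": ((("commonName", "mail.domain.com"),),)}
SAMPLE_URLS = [
    "https://mail.domain.com/exchange",
    "https://mail.domain.com/remote",
    "https://192.0.2.10/exchange",   # constructed address (TEST-NET-1)
    "https://sbsserver/remote",      # constructed internal short name
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        host, ok = check_url(url, SAMPLE_CERT)
        print(f"{'match' if ok else 'MISMATCH':8} {host:16} {url}")
```

Only the two `mail.domain.com` URLs match the sample certificate; the IP address and the short name are reported as mismatches.
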
  4. Thanks for the replies.

    Yes - must have been something like you said... I thought I had saved the
    previous cert. but maybe I got it wrong somewhere.

    Anyway, re-ran CEICW, re-published my web server and it all seems to be
    working ok now.

    Thanks again

    Steve Everington
     
    Steve Everington, Aug 9, 2005
    #4
  5. Dear Steve:
    Thank you for your quick update!
    I'm glad to hear that the problem has been resolved. That's pretty cool! :)

    It's my pleasure to work with you. If you have any other questions, please
    feel free to let me know. I hope to see you again in the newsgroup.

    Have a nice day, Steve! :)

    Best Regards
    Edward Tian(MSFT)
    Microsoft CSS Online Newsgroup Support

     
    Edward Tian, Aug 9, 2005
    #5