I'm trying to get Outlook Web Access to run over SSL on
Small Business Server 2000. I tried to follow the steps
indicated in the articles on the isaserver.org site, but
I haven't had any success. So here is the current state:
I can access my company's website at
http://www.mycompany.org both externally and when VPNd to
the server.

When I VPN into the server I can access the OWA site
using https://www.mycompany.org/exchange, and everything
works fine. I can check/send mail, etc. without any
issues.

If I try to access the OWA site externally using
http://www.mycompany.org/exchange, I get the expected
error of:
"403 Forbidden - The page must be viewed over a secure
(that is, Secure Sockets Layer (SSL)) channel. Contact
the server administrator. (12211) Internet Security and
Acceleration Server"

When I try to access the site externally using
https://www.mycompany.org/exchange, I get:
"The page cannot be displayed Cannot find server or DNS
Error Internet Explorer "

Here are my settings:
IIS
ExchWeb, Exchange, & public folder Authentication set to
Anonymous & Basic only. Require secure channel (SSL) is
checked and Require 128-bit encryption is checked.

ISA
Under the properties for my ISA server, TCP Port is 80,
Enable SSL Listeners is checked with port 443. The
external listener is set up to use a certificate to
authenticate to web clients. This is the same certificate
that was set up in IIS. The certificate is for the site
www.mycompany.org. Under Authentication, Basic with this
domain is checked, and the appropriate domain is filled
in.

My ISA destination set is called OWA and the destinations
in the set are:

Name/IP Range        Path
www.mycompany.org    /exchweb*
www.mycompany.org    /public*
www.mycompany.org    /exchange*

My web publishing rule is called OWASSL.
Under the Destinations tab, the rule is set to apply to
the Selected destination set. The name of the selected
destination set is OWA.
Under the Action tab, Redirect the request to this
internal Web server is selected and the value is
www.mycompany.org. Both Send the original host header...
and Allow delegation... are checked. The ports are 80 for
http, 443 for SSL, and 21 for FTP.
Under the Bridging tab, HTTP Requests are redirected as
HTTP, SSL requests are redirected as SSL, Require SSL and
Require 128-bit are both checked.

My hosts file has the following entry (where 192.168.0.1
is my internal IP and is the IP set up in IIS):
192.168.0.1 www.mycompany.org

I'm totally stuck. Any ideas on what I could be doing
wrong? Please help.
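
[Added example, not part of the original post.] Internet Explorer shows the same "Cannot find server or DNS Error" page for several different failures, so the staged check below reports which layer fails first for an HTTPS endpoint: name resolution, the TCP connection to port 443, or the TLS handshake and certificate check. The function name diagnose_https and its stage labels are assumptions made for this illustration.

```python
import socket
import ssl


def diagnose_https(host, port=443, timeout=5.0, context=None):
    """Return (stage, detail) for the first layer that fails, or ("ok", subject)."""
    # Stage 1: name resolution. If plain http:// to the same name works from
    # outside, this stage is already known to pass.
    try:
        family, _, _, _, addr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        return "dns", str(exc)

    # Stage 2: TCP connect. A refusal or timeout means nothing is reachable
    # on this port at the resolved address (no listener, or a router or
    # firewall in front is not passing the port through).
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
    except OSError as exc:
        sock.close()
        return "tcp", str(exc)

    # Stage 3: TLS handshake, including chain and host name verification.
    ctx = context or ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Handshake reached the certificate, but it is untrusted, expired,
        # or issued for a different name than the one requested.
        return "cert", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        # The port is open but the peer does not complete a TLS handshake.
        return "tls", str(exc)
    return "ok", cert.get("subject")


if __name__ == "__main__":
    # www.mycompany.org is the placeholder name used in the post.
    print(diagnose_https("www.mycompany.org"))
```

Run it once from an outside connection and once over the VPN; the first stage at which the two results differ is the layer to look at.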

Re: Please Help: OWA over SSL on SBS 2000 by Toby

Toby
Wed Aug 20 14:08:54 CDT 2003

Tariq,

Chad's suggestion of a server publishing rule is probably the best if you
only want to host OWA. However, if there is anything else that you want on
your SBS (SSL or not) and you have only a single public IP then web
publishing rules are the way to go. I have two SSL only sites on my box, and
have a web publishing rule for each.

FWIW, I have the cert installed in ISA on the SSL listener as you outline,
and I send the original host header to IIS, but do not delegate basic
authentication. I bridge SSL requests as HTTP and therefore don't need to
bother with putting the SSL certificate in IIS on the OWA website.

Note that this may not be "best practice" but I thought I would share this,
as it works for me.

Toby.

"Chad A Gross" <chad.gross@laytonflower.nospam.com> wrote in message
news:O8t%23qm0ZDHA.2592@TK2MSFTNGP09.phx.gbl...
> Hi Tariq -
>
> You need to create a server publishing rule for https in ISA. When you
> create the new server publishing rule, specify the internal IP of your SBS
> as the internal server, and select HTTPS Server as the protocol, and you
> should be good to go . . .
>
> --
>
> Chad A. Gross
>
> Lerman's Law of Technology: Any technical problem can be overcome
> given enough time and money. Corollary: You are never given enough
> time or money.
>



Re: Please Help: OWA over SSL on SBS 2000 by greentko

greentko
Wed Aug 20 17:56:17 CDT 2003

I'm doing the same right now, but I'm a bit stumped.

I have 2 NICs and a router.
I opened up port 443 and forwarded it to the WAN NIC.

I've been through the "wa over ssl" on MK's site... you rock, Mr Chad...

Anyway, I used the WAN NIC 192.168.0.2 as my external IP... or do I need to add
the actual ISP IP?

I can't connect to the address https://mailexchange.domain.com. I have
created a sub-domain via my ISP which points to the IP address.

Is there anything else I missed?

Thanks....



Re: Please Help: OWA over SSL on SBS 2000 by Tariq

Tariq
Wed Aug 20 19:02:36 CDT 2003

I tried both Chad and Toby's methods and I can't get
either to work. This has been driving me crazy for the
past 3 days. Once again, any and all help is very much
appreciated.

Re: Please Help: OWA over SSL on SBS 2000 by Chad

Chad
Thu Aug 21 22:49:27 CDT 2003

Hi Tariq -

In your first post, you indicated:

> Under the properties for my ISA server, TCP Port is 80,
> Enable SSL Listeners is checked with port 443. The
> external listener is setup to use a certificate to
> authenticate to web clients. This is the same certificate
> that was setup in IIS. The certificate is for the site
> www.mycompany.org. Under Authentication Basic with this
> domain is checked, and the appropriate domain is filled
> in.

Try changing your Authentication from Basic to Integrated and see if that
helps any.

--
Chad A Gross

Lerman's Law of Technology: Any technical problem can be overcome
given enough time and money. Corollary: You are never given enough
time or money.


