Hello,
right now I'm in the process of moving from ISA2000 to ISA2006
Standard, but I'm having trouble getting SSL-Bridging to work with
the publishing of Outlook Web Access (Exchange 2003 SP2).
Outlook Web Access is published on ISA2000 with SSL-Bridging as
well and works without any problems.
The folders /exchange/, /exchweb/ and /public/ on the Exchange IIS
are configured with a certificate and set up for basic auth.
As I stated above, this works fine with a web publishing rule on
ISA 2000.
In ISA2006, I've done the following steps to publish OWA (I used
the wizard):
- I created an Exchange Publishing Rule with SSL and spelled the
internal site name exactly as it appears on the IIS certificate.
- The public name refers to an existing DNS record for the ISA
server.
- I've created a new Web Listener with SSL for the external IF and
configured it with a suitable certificate (where the common name
refers to the name I entered under "public name").
- I chose HTML Form Authentication with Active Directory without
Single Sign Logon.
- Authentication Delegation is set to Basic Authentication and for
testing purposes all authenticated users are permitted.
After saving the rule I'm able to connect to the ISA server, and the
OWA form appears in the browser and lets me type in credentials.
So far, so good. Now to the problem:
Right after entering my credentials and hitting the "Logon" button,
it appears that nothing is happening.
After about a minute of waiting the browser (or rather the IIS)
runs into an Internal Server Error 500 which states that the
configured number of HTTP requests has been exceeded and that I
should get in touch with the server administrator.
With ISA server logging turned on during the minute of waiting I
experience about 10,000 (!) connection attempts in regard to OWA,
which occur in a loop until the Server 500 error appears.
With Wireshark I was able to determine that the loop is about the
SSL negotiation between the ISA server and the Exchange server:
01 ISA --> Exchange TCP 4258 > https [SYN] Seq=0 Len=0 MSS=1460
02 Exchange --> ISA TCP https > 44258 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
03 ISA --> Exchange TCP 44258 > https [ACK] Seq=1 Ack=1 Win=65535 Len=0
04 ISA --> Exchange TLSv1 Client Hello
05 Exchange --> ISA TCP [TCP segment of a reassembled PDU]
06 Exchange --> ISA TLSv1 Server Hello, Certificate, Server Hello Done
07 ISA --> Exchange TCP 44258 > https [ACK] Seq=103 Ack=1784 Win=65535 Len=0
08 ISA --> Exchange TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
09 Exchange --> ISA TLSv1 Change Cipher Spec, Encrypted Handshake Message
10 ISA --> Exchange TLSv1 Application Data
11 Exchange --> ISA TLSv1 Application Data
12 Exchange --> ISA TCP https > 44258 [FIN, ACK] Seq=2162 Ack=954 Win=64582 Len=0
13 ISA --> Exchange TCP 44258 > https [ACK] Seq=954 Ack=2163 Win=65157 Len=0
14 ISA --> Exchange TCP 44258 > https [FIN, ACK] Seq=954 Ack=2163 Win=65157 Len=0
15 Exchange --> ISA TCP https > 44258 [ACK] Seq=2163 Ack=955 Win=64582 Len=0
Right after that, everything starts from the beginning until
the Server 500 error shows up.
However, I don't see any problems in the trace. The SSL negotiation
works, and in 10 and 11 SSL-encrypted traffic is sent!
If I disable SSL-Bridging and only use SSL between the client on
the Internet and the ISA server, everything works just fine.
But with SSL being used between ISA and Exchange on the internal
network I run straight into this problem.
Might it be possible that I need to change settings on the Exchange
IIS server in order to get it working with ISA2006? With ISA2000 it
works fine even with SSL between ISA and Exchange enabled.
Any suggestions are highly appreciated.
Michael
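As an added example (not part of Michael's post, and not ISA or Exchange code), the following script turns the loop he describes into something checkable: it parses Wireshark-style summary lines in the format quoted above, splits them into sessions at each client SYN, and flags sessions that complete the TLS handshake, exchange exactly one Application Data record per side, and are then closed by the server. The trace it runs on is a constructed sample modelled on the post's capture, not a real capture.

```python
import re

# Constructed sample modelled on the post's Wireshark summary: three sessions back to back.
SESSION_TEMPLATE = [
    "ISA --> Exchange TCP {p} > https [SYN] Seq=0 Len=0 MSS=1460",
    "Exchange --> ISA TCP https > {p} [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0",
    "ISA --> Exchange TLSv1 Client Hello",
    "Exchange --> ISA TLSv1 Server Hello, Certificate, Server Hello Done",
    "ISA --> Exchange TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message",
    "Exchange --> ISA TLSv1 Change Cipher Spec, Encrypted Handshake Message",
    "ISA --> Exchange TLSv1 Application Data",
    "Exchange --> ISA TLSv1 Application Data",
    "Exchange --> ISA TCP https > {p} [FIN, ACK] Seq=2162 Ack=954 Win=64582 Len=0",
    "ISA --> Exchange TCP {p} > https [FIN, ACK] Seq=954 Ack=2163 Win=65157 Len=0",
]
SAMPLE_TRACE = "\n".join(l.format(p=44258 + i) for i in range(3) for l in SESSION_TEMPLATE)

# "<frame no> <src> --> <dst> <protocol> <info>"; the leading frame number is optional.
LINE_RE = re.compile(r"^\s*(?:\d+\s+)?(\S+) --> (\S+) (\S+) (.*)$")

def parse_sessions(trace):
    sessions, cur = [], None
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, proto, info = m.groups()
        if proto == "TCP" and "[SYN]" in info:          # client opens a new connection
            cur = {"client": src, "server": dst, "handshake_done": False,
                   "app_data": {src: 0, dst: 0}, "server_fin": False}
            sessions.append(cur)
        elif cur is None:
            continue
        elif proto.startswith("TLS"):
            if src == cur["server"] and "Change Cipher Spec" in info:
                cur["handshake_done"] = True              # server finished the handshake
            elif "Application Data" in info:
                cur["app_data"][src] += 1
        elif "FIN" in info and src == cur["server"]:
            cur["server_fin"] = True                      # server hung up first
    return sessions

def is_single_request_close(s):
    # Handshake OK, one record each way, then the server closed: the loop signature.
    return (s["handshake_done"] and s["app_data"][s["client"]] == 1
            and s["app_data"][s["server"]] == 1 and s["server_fin"])

def detect_reconnect_loop(trace, min_repeats=3):
    sessions = parse_sessions(trace)
    hits = sum(1 for s in sessions if is_single_request_close(s))
    return {"sessions": len(sessions), "single_request_closes": hits,
            "loop_suspected": hits >= min_repeats}
```

Because the signature says nothing about TLS itself failing, a positive result points at what is inside the single encrypted request/response (for example the back-end rejecting the delegated credentials) rather than at the handshake, which is consistent with the post's observation that the negotiation in the trace looks fine.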