My Exchange Publishing nightmare...please help

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • My Exchange Publishing nightmare...please help

    Current setup:

    mail_srv01 - EX2000 This is the old mail server but still runs the certificate services
    mail_srv02 - EX2000 This is the replacement we had to build when mail_srv01 was having issues
    mailcas01 - EX2007 This is the new exchange server running Win2K8, this has the Client Access and Hub transport roles
    mailmbx01 - EX2007 This is the new exchange server running Win2K8, this has only the mailbox role installed

    All of the above servers are on the same subnet and AD site.

    We also have an ISA2006 server in our DMZ with one network card, in the publishing configuration as per the pre-set from the Network option.

    We also have an SSL generated by our CA server installed on the CAS and ISA server.

    As I understand it you cannot have FBA auth on both EX2007 and ISA2006, you have to have one or the other.

    Since we want internal and external users to have the FBA login, I am struggling to find out the best way to do this.

    From the guides I have read to use FBA on ISA you need to set exchange to Basic Auth, which is fine, but then internal users do not get the nice login page.

    One solution would be to route internal users to our ISA server in the DMZ and have everyone login that way, the only issue with that, is our firewall would not be able to cope with that amount of traffic without causing problems.

    What I tried yesterday was first to create a second website on the mailcas01 and set that to basic auth, I managed to achieve that, but due to the way that ISA works with the publishing rules it would not work correctly.

    Following that I installed the client access role on the mailmbx01 server, with the intent of setting the auth to basic and pointing the ISA server at the mailmbx01 server, however when a user tried to log into mailcas01 they got a 403 error; removing the client access role from the mailbox server fixed this.

    I have got to the point that my head hurts with all this, and I need some help, so can someone please suggest how I can have a login for both internal and external users that displays the same customised login page.

    So any help is appreciated

    Many thanks

    Dave

  • #2
    Re: My Exchange Publishing nightmare...please help

    I think you're stuck with either creating a second website or having one group of users using Basic Authentication.

    The normal way round this with ISA would be to create 2 web listeners, one for External Users and one for Internal Users, to spread the load a bit. Unless the server is really low spec it should handle it no problem. However this only works with a multihomed ISA Server, as a unihomed ISA Server sees EVERYTHING that isn't itself as one network. Here's the isaserver.org article for reference, although it's no use to you unless you plan to change ISA to be an Edge firewall rather than a reverse proxy.

    I assume you have too many users for it to be practical to get all of the internal clients using Outlook and that's why you are trying to do this?
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog



    • #3
      Re: My Exchange Publishing nightmare...please help

      Originally posted by cruachan
      I think you're stuck with either creating a second website or having one group of users using Basic Authentication.

      The normal way round this with ISA would be to create 2 web listeners, one for External Users and one for Internal Users, to spread the load a bit. Unless the server is really low spec it should handle it no problem. However this only works with a multihomed ISA Server, as a unihomed ISA Server sees EVERYTHING that isn't itself as one network. Here's the isaserver.org article for reference, although it's no use to you unless you plan to change ISA to be an Edge firewall rather than a reverse proxy.

      I assume you have too many users for it to be practical to get all of the internal clients using Outlook and that's why you are trying to do this?
      Thanks for replying.

      We have approx 1000 users on our system, the hardware that ISA sits on is more than capable, however the Firebox firewall is not up to the task of handling that many users, and we do not have the money to replace it at the moment.

      During our weekly breakfast we came up with this plan, which I am hoping will work.

      Build a new 2008 server that has Client Access, Hub Transport, Mailbox, Unified messaging with FBA set for internal users.

      We then create a second 2008 server with only the Client Access role turned on and set this to basic authentication.

      On the ISA server we push the traffic to the second server which should work, however how will the SSL work? As both servers would have a different SSL installed?

      Dave



      • #4
        Re: My Exchange Publishing nightmare...please help

        Originally posted by Dave_Lincs
        Thanks for replying.

        We have approx 1000 users on our system, the hardware that ISA sits on is more than capable, however the Firebox firewall is not up to the task of handling that many users, and we do not have the money to replace it at the moment.
        Personal opinion, but I wouldn't replace the Firebox. I'd bin it and use ISA as an Edge Firewall. I understand though that there are bound to be political reasons against doing that.

        You could also (again ISA reconfiguring here!) use ISA as a back firewall behind the Firebox, so that only Internal users loop through the ISA and only external traffic comes through the firebox.
        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
        Cruachan's Blog



        • #5
          Re: My Exchange Publishing nightmare...please help

          Originally posted by cruachan
          Personal opinion, but I wouldn't replace the Firebox. I'd bin it and use ISA as an Edge Firewall. I understand though that there are bound to be political reasons against doing that.

          You could also (again ISA reconfiguring here!) use ISA as a back firewall behind the Firebox, so that only Internal users loop through the ISA and only external traffic comes through the firebox.
          We were looking at replacing it with a Cisco ASA, but as you say replacing a hardware firewall with a Microsoft product would not be a good step in the eyes of management, even though I am sure ISA is more than capable.

          So in your suggestion I would forward port 443 from the Firebox to the ISA server which would be the back firewall which would then pass the traffic to the client access server? Would this give the external users the ISA login or the Exchange login page?

          Thanks

          Dave



          • #6
            Re: My Exchange Publishing nightmare...please help

            If you change ISA to be the back firewall then everything from the internet hits the firebox, and gets passed to the ISA if allowed by the firebox. Internal users would hit the ISA first on the way out, so assuming that the OWA URL is the same for all users then all users would get the ISA OWA login. The only difference is that internal and external clients would use separate web listeners, one listening on the external network (forwarded from the firebox) and one listening on the internal network.
            BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
            Cruachan's Blog



            • #7
              Re: My Exchange Publishing nightmare...please help

              Originally posted by cruachan
              If you change ISA to be the back firewall then everything from the internet hits the firebox, and gets passed to the ISA if allowed by the firebox. Internal users would hit the ISA first on the way out, so assuming that the OWA URL is the same for all users then all users would get the ISA OWA login. The only difference is that internal and external clients would use separate web listeners, one listening on the external network (forwarded from the firebox) and one listening on the internal network.
              Thanks for your suggestion about using ISA as a back firewall, however after lengthy talks over coffee, we decided that it would be unwise to use that method for various reasons.

              So we have come up with a new solution of which I have attached an image for.

              I have created the MAILSRV1 server already, which has the CA, Hub, UM and Mailbox roles on it, in the same AD site as the current CAS and Mailbox servers, and is set to forms-based authentication. I will then modify MAILCAS01 to be set to basic authentication and move the mailboxes onto MAILSRV1 from MAILMBX01; once I have moved the users I will remove MAILMBX01 from the Exchange environment.

              I then can setup ISA to talk to MAILCAS01 for external users.

              Now in theory that should all work yes?

              However I have run into some issues with it. On the MAILSRV1 server, in ESM under client access there is the /owa folder but not the /exchange /public /exchweb so if a user goes to https://mailsrv1/exchange it will not load a page, however I need users to get to that page so they can be redirected to our old EX2000 server, while users are migrated across.

              However since MAILCAS01 was the first CAS to be created it has the folders I am missing on MAILSRV1.

              So any ideas on this?

              Many thanks

              Dave
              Attached Files
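The Exchange Management Shell side of the plan laid out in the first and last posts, as an added example that is not part of the thread: forms-based authentication stays on the internal CAS (MAILSRV1), the CAS that ISA publishes (MAILCAS01) is switched to Basic so ISA's own FBA listener can pre-authenticate, and the legacy /exchange, /public and /exchweb directories that a CAS installed after the first one lacks are recreated. Server names and "Default Web Site" come from the thread; the legacy directory names and the -Name values are assumed to be the Exchange 2007 defaults, and the cmdlets assume an Exchange 2007 shell.

```powershell
# Added example, not from the thread. Assumes the Exchange 2007 Management Shell
# on the servers named in the thread; directory names are the Exchange defaults.

# 1. Inventory: which OWA virtual directories exist on each CAS, and how does
#    each one authenticate? This is the quickest way to see why /exchange is
#    present on MAILCAS01 (first CAS installed) but missing on MAILSRV1.
Get-OwaVirtualDirectory |
    Select-Object Server, Name, OwaVersion, BasicAuthentication, FormsAuthentication |
    Format-Table -AutoSize

# 2. The CAS that sits behind ISA: Basic only, so ISA's forms-based listener
#    can collect the credentials and pass them through. Two FBA pages in a row
#    (ISA and Exchange) is the conflict the first post describes.
Set-OwaVirtualDirectory -Identity "MAILCAS01\owa (Default Web Site)" `
    -BasicAuthentication $true -FormsAuthentication $false

# 3. The internal CAS keeps Exchange's own forms-based login page.
Set-OwaVirtualDirectory -Identity "MAILSRV1\owa (Default Web Site)" `
    -FormsAuthentication $true -BasicAuthentication $false

# Changing FormsAuthentication is not picked up until IIS restarts; run on each
# server that was changed.
iisreset /noforce

# 4. Run on MAILSRV1: recreate the Exchange 2000/2003-style directories so
#    https://mailsrv1/exchange resolves and can redirect legacy mailboxes to
#    the EX2000 server during the migration. Names assumed to be the defaults.
New-OwaVirtualDirectory -OwaVersion Exchange2003or2000 -VirtualDirectoryType Mailboxes `
    -Name "exchange" -WebSiteName "Default Web Site"
New-OwaVirtualDirectory -OwaVersion Exchange2003or2000 -VirtualDirectoryType PublicFolders `
    -Name "public" -WebSiteName "Default Web Site"
New-OwaVirtualDirectory -OwaVersion Exchange2003or2000 -VirtualDirectoryType Exchweb `
    -Name "exchweb" -WebSiteName "Default Web Site"

# 5. Verify the result on the new server before pointing any users at it.
Get-OwaVirtualDirectory -Server MAILSRV1 |
    Select-Object Name, OwaVersion, BasicAuthentication, FormsAuthentication |
    Format-Table -AutoSize
```

Basic authentication sends the credentials, base64-encoded, with every request, so it belongs only on the directory that is reached exclusively through ISA's HTTPS listener; keep "Require SSL" set on that directory and do not expose MAILCAS01's port 443 to anything other than the ISA server, otherwise the Basic endpoint becomes a password-guessing target that bypasses ISA's login page entirely.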
