
ISA 2006 and EV 2007 help

Andy_Lukens
Level 5
I'm trying to get EV 2007 working with ISA 2006.  The archive, restore and cancel functions of EV all work as expected, but Archive Explorer and Search Archives do not.

Whenever I select either of those buttons in OWA, it attempts to open a link to https://navault1/EnterpriseVault... instead of https://mail.company.com/EnterpriseVault...  If I replace the 'navault1' with 'mail.company.com' in the URL in IE, ISA proxies the request through to Enterprise Vault perfectly.

I've read the relevant section of the manual several times, but it is pretty light on the ISA 2006 and EV 2007 combination.  I've also tried modifying the 'Web Application alias' in the OWA section of the mailbox policy and synchronizing, but that doesn't seem to be having any impact.

What am I missing?

Thanks,

Andy
19 REPLIES

Danny_EV
Level 3
Partner Accredited
Hi,
 
This appears to be a bug in ISA server. We have had this issue at 2 customers and had opened a call for it at M$. What solved the issue was:
 
  • Install latest fix rollup package for ISA
  • Publish the enterprise vault server directories (as I understand you have already done that)
  • Publish Exchange through a web site publishing rule (so not an exchange publishing rule!). You can keep the old listener, the bug is in the publishing rule. Delete or disable the old publishing rule.
  • In the new rule in link translation put an entry which translates the internal enterprise vault server URLs to the published external URLs

Good luck!

Danny

Aasif
Not applicable
We have also recently deployed an EV solution. We are also using ISA 2006 and facing the same problem that Mr. Andy mentioned. OWA works fine except archive & search. Also, we cannot access archived messages through Outlook Anywhere. The necessary rules have been created on the ISA server, but it still fails. I can open everything from ISA 2006 but not from the internet.

Andy_Lukens
Level 5
Thanks Danny.  You nailed it, right down to needing to create a new web publishing rule.

I appreciate the help!

gem
Level 2
I have a similar problem. We are running OWA 2007, EV 2007 SP2 and ISA 2006. When users try to access the Archive Explorer and Search Archive functions externally (i.e. through OWA) they get an error page. We do have an additional hardware firewall in addition to ISA. The ISA servers sit in a DMZ. I've done the following:

Configured the web publishing rule to allow access to \EnterpriseVault and set this to use the same Web listener set up for OWA

It's still not working though and I'm wondering what changes need to be made on the hardware firewalls. Has anyone else got this feature working with this kind of setup?


Thanks for any help

Andy_Lukens
Level 5
Our ISA servers sit in a DMZ as well and I didn't have to request any changes to be made to the external firewall to support Enterprise Vault.  However, port 443 (or 80) needed to be opened back to the EV servers on the internal firewall.  You can test if this is the problem by trying to hit the EV server (https://evservername/enterprisevault) from the ISA server using IE.

Danny's steps in this thread really helped, but I struggled with ISA for a long time trying to get this all working.

baxford
Level 3
I am also having issues getting EV published through ISA2006/OWA2007. From my ISA box (on the DMZ) I cannot browse using IE to https://evservername/enterprisevault only http://evservername/enterprisevault. When I go to the http page I am prompted to logon.

Andy_Lukens
Level 5
You will only be able to connect to https://evservername/enterprisevault if you have configured your Enterprise Vault server with an SSL certificate.  That is not part of a standard installation.

baxford
Level 3
If I want to install an SSL cert on the EV then would I have to create another listener on ISA with that name? (enterprisevaultserver.domain.com). Right now my Exchange OWA listener is using a cert with webmail.domain.com.

Andy_Lukens
Level 5
No, you'll use the same listener; everything is proxied through a mail.domain.com address.  High level process:

1) Create a new OWA web publishing rule (don't use the built-in OWA policy)
2) Create link translation on that rule.  For example, I have a link translation to replace http://navault1 with https://mail.domain.com
3) Create an Enterprise Vault firewall policy, using the existing mail.domain.com listener, that applies to http://navault1 (for example).  Set the internal path on this rule to /EnterpriseVault/* and make sure that you aren't using forms based authentication.

Hope this helps.


baxford
Level 3
This is how I have it set up, but from inside the building the URL it goes to when clicking on the archive explorer is http://entvaultserver.domain.com/EnterpriseVault/ArchiveExplorerUI...... From outside the building it is still trying the URL above and I get a
  • Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

gem
Level 2
As suggested I have tried accessing the URL https://evservername/EnterpriseVault and it says 'page not found'. It doesn't work with http at the front either. These URLs do work internally.

Thanks for any help

gem
Level 2
I've noticed that the web listener rule that I'm using (which is also the one for OWA) is set to use HTML Form Authentication and Andy Lukens has said 'make sure that you aren't using forms based authentication'. Is this the cause of my problem? I'm aware that this is turning into an ISA query rather than EV but how can I make another web listener rule that doesn't use FBA when it won't let me have another web listener using the same server and ports? I appreciate any help from anyone who's got this working.

Thanks

baxford
Level 3
All I got out of Symantec is "we don't support ISA". Curiously enough they have lots of docs on ISA with OWA2003. It is getting close to the time to return the product and get something that works!

Andy_Lukens
Level 5

@baxford wrote:
This is how I have it set up, but from inside the building the URL it goes to when clicking on the archive explorer is http://entvaultserver.domain.com/EnterpriseVault/ArchiveExplorerUI...... From outside the building it is still trying the URL above and I get a
  • Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

If I understand correctly, if you access OWA from your internal network, it works but not if you access OWA from outside the network?  If so, you need to look at the link translation on the OWA firewall policy in ISA.  ISA should be translating entvaultserver.domain.com to the FQDN of OWA.

For example, my Enterprise vault server address is https://navault1.internal.company.com.  My OWA address is https://mail.company.com.  When I click the Archive Explorer link in OWA, ISA translates it to a link that begins with https://mail.company.com/EnterpriseVault/....  From there, I have a firewall policy which is looking for the internal path of /EnterpriseVault/* that redirects the traffic to https://navault1.internal.company.com.
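
Added example (not part of any post in this thread): a simplified Python model of the link translation and path publishing described above, used to audit a page for links that still point at internal host names or at paths no rule publishes. The host names follow the thread's examples; the page names, path list and sample HTML are constructed, and the matching logic is an assumption, not ISA's implementation.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Assumed values modelled on the examples in the thread.
PUBLIC_HOST = "mail.company.com"
LINK_TRANSLATION = {
    "http://navault1": "https://mail.company.com",
    "https://navault1.internal.company.com": "https://mail.company.com",
}
PUBLISHED_PATHS = ["/owa/*", "/exchange/*", "/exchweb/*", "/public/*",
                   "/enterprisevault/*"]
LINK_RE = re.compile(r"""(?:href|src|action)\s*=\s*["']([^"']+)["']""", re.I)

# Constructed sample of what the internal servers return (page names are placeholders).
SAMPLE = """
<a href="/owa/inbox">Inbox</a>
<a href="https://navault1.internal.company.com/EnterpriseVault/page-1">A</a>
<a href="http://NAVAULT1/EnterpriseVault/page-2">B</a>
<a href="http://navault1.internal.company.com/EnterpriseVault/page-3">C</a>
"""

def translate(body, mapping=LINK_TRANSLATION):
    """Simplified model of link translation: swap internal prefixes for public ones."""
    for internal in sorted(mapping, key=len, reverse=True):
        # The lookahead stops "http://navault1" matching inside a longer host name.
        pattern = re.escape(internal) + r"(?![\w.-])"
        body = re.sub(pattern, lambda m, i=internal: mapping[i], body, flags=re.I)
    return body

def audit(body):
    """Return (leaked, unpublished): absolute links an external client cannot use."""
    leaked, unpublished = [], []
    for url in LINK_RE.findall(body):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # relative links stay on the published host
        if parts.hostname != PUBLIC_HOST:
            leaked.append(url)       # internal name exposed, unreachable externally
        elif not any(fnmatchcase(parts.path.lower(), p) for p in PUBLISHED_PATHS):
            unpublished.append(url)  # right host, but no rule publishes this path
    return leaked, unpublished

if __name__ == "__main__":
    print("before:", audit(SAMPLE))
    print("after: ", audit(translate(SAMPLE)))
```

The third Enterprise Vault link survives translation because its scheme and host form (http with the FQDN) has no entry in the mapping, which is the kind of gap that leaves a client requesting an internal name from outside.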

Andy_Lukens
Level 5

@gem wrote:
I've noticed that the web listener rule that I'm using (which is also the one for OWA) is set to use HTML Form Authentication and Andy Lukens has said 'make sure that you aren't using forms based authentication'. Is this the cause of my problem? I'm aware that this is turning into an ISA query rather than EV but how can I make another web listener rule that doesn't use FBA when it won't let me have another web listener using the same server and ports? I appreciate any help from anyone who's got this working.

Thanks

My OWA firewall policy is using forms based authentication, but the Enterprise Vault policy is not.

I ended up creating the OWA firewall policies from scratch, but they looked exactly the same as the policy that ISA would create if you selected the 'Publish Exchange Web Client Access' task in ISA.  This is one of the bugs that was described earlier in this thread.

Andy_Lukens
Level 5

@baxford wrote:
All I got out of Symantec is "we don't support ISA". Curiously enough they have lots of docs on ISA with OWA2003. It is getting close to the time to return the product and get something that works!

Symantec may not provide support for ISA, but EV works great with ISA; it's just tricky to set up.  I will agree that the ISA documentation for EV2007 was woefully inadequate the last time that I looked.

baxford
Level 3
Thanks for your help on this. Correct me if I am wrong:

1. I created a new Web Site Publishing Rule (not using the Exchange Web Client Web Access Publishing Rule) for OWA called 'OWA' and matched everything to my old rule including the paths /public/*, /OWA/*, /Exchweb/*, /Exchange/*, /autodiscover/*. This rule is using my 'Exchange' listener which redirects everything from HTTP to HTTPS and uses Forms authentication. The 'To' tab has "This rule applies to this published site:" webmail.company.com and the IP address of my CAS server. The Public Name is set to webmail.company.com. Link translation is set up on this Rule to replace this text (http://enterprisevaultserver.company.com) with https://webmail.company.com.

2. I created a second Web Site Publishing Rule called 'Enterprise Vault' that uses the same 'Exchange' listener and the same To tab and same Public Name -- all webmail.company.com. The paths tab has External Path as <same as internal> and the Internal Path as /EnterpriseVault/*. Authentication is set to Basic.

Singh
Level 3
Hi Baxford,

Were you able to fix your ISA problem with this solution?

cleellacer
Not applicable
Something that has been stated that I ran into was with your rule itself.  The company I set this up for does not have their ISA server as part of their domain. Because of this, you have to make a change to allow "All Users" to the User Sets.  If you don't, you will be redirected to the link translated page, but will continuously be asked for authentication.  Once you add "All Users," the rule works. At least it did for me.

FYI - My OWA also has to allow All Users.  Authenticated users will not work because your domain account is not an authenticated user to the ISA server which resides outside of the domain.