Cannot get the reverse proxy to work... ISA 2006


  • Tuesday, August 18, 2009 1:38 AM
     
     
    I am having trouble, after reading, getting the reverse proxy working.

    I will start off with basically what I have.

    I have two nics. One nic is dedicated to the INTERNAL network (internal IP, subnet, etc).
    The other nic is opened up to the entire world.

    Now on the networks tab I do not have any Address Ranges specified for the Perimeter since technically it's not perimeter IPs, they are external.
    For the Internal I have it set to the network adapter that is assigned to the internal network.

    Our ISA 2006 server IS joined to the domain.

    I have one Web Listener "No Authentication SSL":
    Networks: External (170.94.72.213)
    Connections: 'Enable SSL (HTTPS) connections on port: 443'
    Certificate: Assigned from Digicert
    Authentication: No Authentication


    Then I have a Web Publishing rule "OCS 2007 R2 Web Downloads"
    It is enabled

    Action: Allow
    From: External
    To: OCS2007.adem.arkansas.gov (Requests appear to come from the ISA Server computer) <-- this is the INTERNAL server (Standard Edition of OCS2007R2)
    Traffic: HTTPS
    Listener: No Authentication SSL
    Public Name: 'Request for the following websites' ocsrp.adem.arkansas.gov (you can ping it and get the correct IP.. 170.94.72.213)
    Paths: <same as internal> /*
    Authentication Delegate: 'No delegation, but client may authenticate directly'
    Bridging: Web Server 'Redirect request to SSL port: 443'
    Users: All Users
    Schedule: Always
    Link Translated: 'Apply link translation to this rule'

    I have applied this, rebooted, everything!

    I cannot even telnet to port 443 on ocsrp.adem.arkansas.gov.

    I do not get it. I have checked our CISCO firewall and it is correct. All the ports are opened. I am lost, any help would be grateful! I thought I followed the documentation exactly. Oh by the way, I did use the lcscmd to register OCSRP.adem.arkansas.gov as the external web farm on the OCS 2007 R2 server

    Thanks!

All Replies

  • Wednesday, August 19, 2009 1:15 AM
     
     
    Ok it seems I did some more and finally got to access port 443.

    I don't know, maybe it is just me but it seems like it is hit or miss for ISA server. I can change something and it works, then change something else and that first thing that worked doesn't anymore. Change it back to exactly the way it was and the first thing that did work doesn't anymore!

    Anyways...

    I got it to connect and saw a "Failed Connection Attempt"

    So I pinged my internal OCS server and it was successful. But port 443 to the internal OCS server was not!
    So I created an access rule to allow HTTPS to the internal OCS server only from the local host. Now I can hit:

    https://<internal standard edition>/GroupExpansion/Int/Service.asmx

    BUT I CANNOT hit:

    http://<internal standard edition>:443/GroupExpansion/Int/Service.asmx

    And it seems ISA server uses the second. Why can one work but not the other one?
  • Wednesday, August 19, 2009 4:07 PM
     
     
    Can you give the full description of the error message?
    Also ensure that you are using ISA 2006 SP1 because prior versions cannot handle SAN certificates very well.
    - Belgian Unified Communications Community : http://www.pro-exchange.be -
  • Wednesday, August 19, 2009 5:40 PM
     
     
    Ok I installed SP1 like you mentioned.

    I have added *.adem.arkansas.gov (our domain) to the System Allowed Websites.
    In the ISA IE I have added this as the proxy: localhost:8080

    It is working fine, I can get to microsoft, and
    https://ocs2007.adem.arkansas.gov/GroupExpansion/int/service.asmx

    But the problem is I cannot get to:
    http://ocs2007.adem.arkansas.gov:443/GroupExpansion/int/service.asmx

    which seems to be what ISA is trying to use. So they use a colon:Port instead of HTTPS.
    When I get an error back it is:

    Network Access Message: The page cannot be displayed
    The request timed out before the page could be retrieved.

    I am new to ISA and trying to figure this out. We purchased it for a Reverse proxy for our OCS 2007 R2 server. Here is a more detailed message:

    Technical Information (for support personnel)
    • Error Code 64: Host not available
    • Background: The gateway or proxy server lost connection to the Web server.
    • Date: 8/19/2009 5:37:55 PM [GMT]
    • Server: ocsrp.adem.arkansas.gov
    • Source: Remote server
  • Thursday, August 20, 2009 1:27 AM
     
     
    Ok after that I still gave the Communicator a try and it worked! The reverse proxy thing is still working even though I get that error message from the ISA server.
  • Thursday, August 27, 2009 12:45 PM
     
     
    So even though you are getting the error, MOC will expand Active Directory Groups? I am just curious.
    Mitch Roberson |MCITP:Enterprise Server Admin, Messaging |MCTS:OCS with Voice Achievement |MCT
  • Wednesday, October 14, 2009 1:45 AM
     
     Proposed Answer
    You may see that the error on MOC is gone, because it can successfully Socket-connect to the ISA server. The MOC client doesn't run a test DL expansion, so you will need to test DLExpansion manually.

    In addition, I suggest you first add routes on your ISA Server using "route add -p" command, and then reconfigure your internal network (add the routes).

    This way you will not have to use ISA proxy on your IE settings.

    Test the DL expansion web page from the ISA Server (logged in as a user).
    • Proposed As Answer by Sri Todi Monday, October 26, 2009 4:17 AM
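
The last reply's point, that a successful socket connection does not show group expansion working, as an added example (not code from the thread or from Microsoft): a staged Python check that reports separately whether the TCP connect, the TLS handshake and the HTTP request for the group expansion path succeeded. The function name `probe`, its parameters and the result keys are assumptions; the path is the one quoted in the thread.

```python
import socket
import ssl
import sys

# Path quoted in the thread; host, port and timeout are supplied by the caller.
DL_PATH = "/GroupExpansion/int/service.asmx"

def probe(host, port=443, path=DL_PATH, timeout=5.0, verify=True):
    """Report how far a request gets: TCP connect, TLS handshake, HTTP status."""
    result = {"tcp": False, "tls": False, "status": None, "error": None}
    ctx = ssl.create_default_context()
    if not verify:
        # Only for a lab host with a self-signed certificate.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["tcp"] = True   # all that "telnet host 443" proves
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls"] = True   # handshake done, certificate accepted
                request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                           "Connection: close\r\n\r\n")
                tls.sendall(request.encode("ascii"))
                status_line = tls.makefile("rb").readline()
                result["status"] = status_line.decode("latin-1").strip()
    except OSError as exc:   # refused, timed out, or TLS failure (ssl.SSLError)
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result

if __name__ == "__main__":
    # Usage: python probe.py <published-host-name>
    print(probe(sys.argv[1]))
```

A result with `tcp` true but `tls` false or `status` empty is the case a bare port test reports as success; a status line only shows that some HTTP responder answered, so an error page generated by the proxy itself still means the published service failed.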