CWA external not working with ISA 2004 RRS feed

  • Question

  • Hi all,

    I have an issue with CWA on OCS R2. I can access the internal page without issue using the server FQDN and HTTPS. I set up ISA with a listener rule and that seems to be working fine, as I can telnet and use the IE browser to the external address HTTPS://cwa.domain.com; logging confirms traffic is getting to ISA and being accepted. Using IE or Firefox I get the same error as below:

    The page cannot be displayed

    Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

    Try the following:

    • Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
    • Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
    • Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.

    Technical Information (for support personnel)

    • Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)


    I'm using the same internal CA for the HTTPS default website IIS bindings on the CWA server and another cert (with the external FQDN) for the ISA cert. Both have private keys, and the local clients are set up with the trusted root of this internal CA (as they're on the domain). Hope this makes sense; basically I'm using the internal CA for all certs related to CWA as the company didn't want to pay for a public cert, which we don't really need as long as all clients (and mobiles) are set up to trust our internal CA - correct?

    Thursday, October 15, 2009 10:22 AM

Answers

  • How do you have your certificates configured?  Versions of ISA previous to 2006 SP1 do not correctly support the SAN field and only recognize the first entry in the field, ignoring everything else in there, as well as the Subject Name.  So only the first SAN entry would be valid in that certificate.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, October 15, 2009 1:35 PM
    Moderator
  • I've got it working! No idea why I needed the internal rules to allow Local Host to connect with the internal CWA server. My boss says the rule should just work without this config and you don't need to be able to access https://intFQDN of the CWA server from the ISA box itself, as the rule will allow it through for external connections only - which makes sense. We have another ISA config for a different customer and that too allows web browsing and telnet from the ISA itself (host) to the CWA server. I don't like the extra rule which allows host to internal for HTTPS/telnet, but at the moment if I take it off, it breaks external access.

    This looks to be the reason: the ISA firewall for our customer has a system policy which allows host (ISA) traffic to the domain that the OCS servers sit in, including CWA. I've set up the same on my ISA box and that works without the Allow rule (for HTTP/HTTPS/Telnet). It seems the web publishing rule wants to route traffic into ISA, then act as host (looking at the ISA logs, it says host) - should this not just route directly to the destination CWA server? Does anyone have ISA set up where you can't access the internal website of the CWA server from the ISA box itself and the external publishing rule still works for CWA?
    Tuesday, October 20, 2009 11:34 AM

All replies

  • Hey Jeff,

    Thanks for the response...

    I ran LCSCMD tool from OCS Std server with command as follows:

    LCSCMD /cert /action:request /friendlyname:"CWA Proxy External" /sn:FQDN of public address /ou:IT /org:Applicable /city:    etc. When you say the first SAN entry, does that mean I'm missing this info on the cert request, as only the SN is stated?


    Found this on technet article re LCSCMD:

    /san

    Specifies a comma-separated list of names to be used in the Subject Alternate Name (SAN) of the certificate. The SN value of the certificate will be automatically added to the SAN if the SAN is non-empty unless the /autoAppendSNtoSAN parameter is specified with a value of FALSE.

    Thursday, October 15, 2009 3:21 PM
  • If we are talking about the certificate on the CWA server itself, then:

    It appears you do not have your CWA certificate created correctly, as it's more complicated than just a single cert with the public name in the SN field.  If this is an SSL cert then you'll need up to four fields, but if it's the MTLS cert then you'll need the server FQDN (not the public name) in the SN field.  CWA requires a certificate for two roles, which can either have their own dedicated certs or share a single cert.

    But if this is the certificate applied to the ISA listener then you'll need to include the additional SAN entries in the cert to support desktop sharing and other R2 features; take a look at this blog article for more details: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=75
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, October 15, 2009 3:58 PM
    Moderator
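    The two certificate points Jeff raises (the pre-2006 SP1 ISA only honours the first SAN entry and ignores the Subject when a SAN is present; the CWA server cert must carry the internal server FQDN) can be checked directly on the box. The script below is an added example, not code from the thread or from Microsoft; it assumes Windows PowerShell 2.0 or later, a certificate in the local machine store or in a .cer file, and uses the thread's host names purely as placeholders.

```powershell
# Added example, not code from the thread or from Microsoft. Reads a certificate's
# Subject CN and its SAN DNS entries in order, then compares them the way ISA 2004 /
# ISA 2006 pre-SP1 does: first SAN entry only, Subject ignored when a SAN is present.
# Assumptions: Windows PowerShell 2.0+, cert in LocalMachine\My or a .cer on disk,
# and all host names below are placeholders.

function Get-CertDnsNames {
    param([Parameter(Mandatory=$true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject CN is the "SN" that LCSCMD /sn writes
    $cn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    # Subject Alternative Name is OID 2.5.29.17; Format($true) yields one
    # "DNS Name=host" line per entry, in the order stored in the certificate
    $san = @()
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($ext) {
        $san = @($ext.Format($true) -split "`r?`n" |
                 Where-Object { $_ -match '^\s*DNS Name=' } |
                 ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    New-Object PSObject -Property @{ SubjectCN = $cn; San = $san }
}

function Test-CertMatchesName {
    # Returns $null when the name an old ISA compares against equals $ExpectedName,
    # otherwise a string explaining why the listener / bridging will not match.
    param([Parameter(Mandatory=$true)]$Cert,
          [Parameter(Mandatory=$true)][string]$ExpectedName)
    $n = Get-CertDnsNames -Cert $Cert
    if ($n.San.Count -gt 0) {
        # Pre-2006 SP1 behaviour: only the first SAN entry is recognised
        if ($n.San[0] -ieq $ExpectedName) { return $null }
        $hint = ''
        if ($n.San -icontains $ExpectedName) { $hint = ' (present, but not first)' }
        return "first SAN entry is '$($n.San[0])', expected '$ExpectedName'$hint"
    }
    # No SAN at all: the Subject CN is what gets matched
    if ($n.SubjectCN -ieq $ExpectedName) { return $null }
    return "no SAN; Subject CN is '$($n.SubjectCN)', expected '$ExpectedName'"
}

# Listener certificate on the ISA box: must match the name the browser typed
$listenerCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*cwa.extdomainname.com*' } | Select-Object -First 1
Test-CertMatchesName -Cert $listenerCert -ExpectedName 'cwa.extdomainname.com'

# Server certificate exported from the CWA box: must match the internal FQDN that
# the publishing rule's "To" tab points at (placeholder path)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    'C:\certs\GSWVOCSCWA01.cer'
Test-CertMatchesName -Cert $serverCert -ExpectedName 'GSWVOCSCWA01.Intdomainname.local'
```

    A `$null` result from both calls means the names line up for an old ISA; any string tells you which cert to re-request. If extra SAN entries are added to the listener cert for the R2 features Jeff mentions, the published name still has to be the first entry on an ISA release that predates 2006 SP1.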
  • Jeff,

    My setup is as follows:

    Cert on the ISA listener, which is set up as the URL / public FQDN, i.e. HTTPS://CWA.extdomainname.com. I've then got a single SSL cert on the CWA which has the internal FQDN of the server, i.e. GSWVOCSCWA01.Intdomainname.local - I thought that would be enough, as the ISA just redirects anything with the URL HTTPS://CWA.extdomainname.com to the internal FQDN of the server.

    That LCSCMD cert command was for the CWA side, the ISA side. The IIS side (physically on the CWA server) was done via IIS directly to the internal CA.

    I'll have a read of the blog tomorrow and double-check all my setup docs/notes. I think it's like you say: I'm missing a field within the LCSCMD command for ISA 2004, the public address.

    Thursday, October 15, 2009 4:13 PM
  • I would begin with the ISA Server.

    1. Check that you can browse https://GSWVOCSCWA01.Intdomainname.local from your ISA Server; confirm log-in / DL expansion.
       If you are unable to do so:
       • Add a persistent route from the ISA Server to the CWA Server (or the subnet), using route add -p
       • Add the routes in ISA Firewall Management
       • Go back to Step 1
       Else go to Step 2.
    2. Check your external certificate, port 443
    3. Connect to the ISA Server (telnet xxx.xxx.xxx.xxx 443)
    4. Open your external CWA page
    5. Enable monitoring, as required
    Thursday, October 15, 2009 4:48 PM
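    The steps above can be run as one script from the ISA box, which also shows what the Web Proxy (Reverse) log is complaining about when it reports 11001 or a 403. This is an added example and not code from the thread or from Microsoft; it assumes Windows PowerShell 2.0 or later, and the host names and port are placeholders taken from the thread.

```powershell
# Added example, not code from the thread or from Microsoft. Run on the ISA box (or any
# client) to test each hop the web publishing rule depends on: name resolution, TCP
# connect, the server certificate the far end presents, and the HTTP status for /.
# Assumptions: Windows PowerShell 2.0+; host names and port are placeholders.

function Test-PublishedServer {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,   # internal FQDN, or the public name
        [int]$Port = 443,
        [string]$Path = '/'
    )
    $r = New-Object PSObject -Property @{
        HostName = $HostName; Dns = $null; Tcp = $false
        CertSubject = $null; CertNameMatches = $null; HttpStatus = $null; Notes = @()
    }

    # 1. Resolution as this machine sees it. ISA log status 11001 ("No such host is
    #    known") means this step failed on the ISA box itself.
    try {
        $r.Dns = @([System.Net.Dns]::GetHostAddresses($HostName) |
                   ForEach-Object { $_.IPAddressToString }) -join ','
    } catch {
        $r.Notes += "DNS: $($_.Exception.Message)"
        return $r
    }

    # 2. Plain TCP connect, the same thing 'telnet host 443' proves. On an ISA box a
    #    failure here with working DNS usually means Local Host is not allowed to reach
    #    the Internal network on that port (access rule or system policy).
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $tcp.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne(5000, $false)) { throw 'timed out after 5 s' }
        $tcp.EndConnect($ar)
        $r.Tcp = $true
    } catch {
        $r.Notes += "TCP ${Port}: $($_.Exception.Message)"
        return $r
    } finally {
        $tcp.Close()
    }

    # 3. HTTPS GET. Validation is disabled only for this diagnostic so the certificate
    #    can be read; the name check is done explicitly below and the callback is reset.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    try {
        $req = [System.Net.HttpWebRequest]::Create("https://${HostName}:${Port}${Path}")
        $req.Timeout = 10000
        try {
            $resp = $req.GetResponse()
            $r.HttpStatus = [int]$resp.StatusCode
            $resp.Close()
        } catch [System.Net.WebException] {
            if ($_.Exception.Response) {
                # e.g. 403 Forbidden (ISA error page code 12202) still carries a response
                $r.HttpStatus = [int]$_.Exception.Response.StatusCode
            } else {
                $r.Notes += "HTTPS: $($_.Exception.Message)"
            }
        }
        # 4. What the far end presented; HttpWebRequest keeps it on the ServicePoint
        $raw = $req.ServicePoint.Certificate
        if ($raw) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $raw
            $r.CertSubject = $cert.Subject
            $dns = $cert.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
            $r.CertNameMatches = ($dns -ieq $HostName)
            if (-not $r.CertNameMatches) {
                $r.Notes += "certificate name '$dns' does not match '$HostName'"
            }
        }
    } finally {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
    }
    return $r
}

# On the ISA box: the hop the publishing rule makes to the published server
Test-PublishedServer -HostName 'GSWVOCSCWA01.Intdomainname.local' | Format-List
# From outside (or from the ISA box as well): the listener, via the public name
Test-PublishedServer -HostName 'cwa.extdomainname.com' | Format-List
```

    Read the result top down: an empty `Dns` is the 11001 case, `Tcp` false with DNS working points at routing or the Local Host rules on ISA, and an `HttpStatus` of 403 with `CertNameMatches` false points at the certificate rather than IIS. Disabling certificate validation is acceptable only inside a diagnostic like this; the `finally` puts the default validation back.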
  • Hi Sri,

    I've checked and double-checked the route from ISA to the OCS CWA server; I can even browse the internal web page of CWA from ISA, so comms are good and the persistent route was added previously. I can also telnet to 443 on the public IP for cwa.extdomain.com via IP or DNS FQDN, so that side is good. It has to be the funky requirement of ISA 2004 with certs as per Jeff's note previously, I guess. I'm just about to read his link... will advise.

    PS Our comms guy has checked routing using logs etc. and confirmed traffic is getting through, plus we get an error which confirms the web page attempted a connection but failed, so is it getting to CWA IIS?
    Friday, October 16, 2009 9:22 AM
  • Rats, I ran through the LCSCMD command again on the OCS Std server and made sure the /exportable and /SAN switches were there. The key is listed, as is the SAN (cwa.extdomain.com), and yet it still doesn't work. Firefox comes up with the same error as IE, apart from the fact that it first states the certificate is from an untrusted source - add an exception and it still doesn't work.

    Error from firefox the same:

    The page cannot be displayed

    Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

    Try the following:

    • Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
    • Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
    • Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.

    Technical Information (for support personnel)

    • Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
    If I'm getting a 403 error, and the cert on the CWA server itself works when testing via the internal website FQDN, is it an IIS config issue?

    I'm going to check the ISA logs, but I'm sure it's being allowed through as before (or it wouldn't get the 403 error).
    Friday, October 16, 2009 2:44 PM
  • Try disabling the Show Friendly Error Messages setting in IE and find out what exactly the error is.

    You can also test the External CWA from your own ISA server.

    Check your listener, and see if it forwards /* to the CWA server.

    Friday, October 16, 2009 6:31 PM
  • Hi Sri Tody,

    I like the idea... how do you disable the friendly error messages as a bulk action? I can see the option to remove a specific code, but I'd prefer not to do that for the Sites\Communicator Web Access\CWA location\Error Pages...


    You're correct again there; I've checked from ISA and get the same error code as above, 403 Forbidden.

    If there's not a method to disable all friendly errors, I'll just remove the 403....

    PS The listener is set up for /* as per the install guide for CWA.

    Something has changed: I'm now not able to connect via 80 or 443 from ISA to the CWA server, but could before - checking with comms. Doesn't help if bods are changing the network config as I troubleshoot, lol.

    • Edited by swisstonihasher Monday, October 19, 2009 12:47 PM added note on certs
    Monday, October 19, 2009 12:45 PM
  • Even more confusing now, guys. I've just deleted and re-created the CWA rule exactly as it was before but with a new listener; now I get the following error when trying the external FQDN using SSL:

    The ISA server can resolve the internal IP/Name of the CWA server without problem but I still cannot telnet to it on 80 or 443...

    The website cannot be found

    Explanation: The IP address for the website you requested could not be found.

    Try the following:

    • Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
    • Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
    • Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.

    Technical Information (for support personnel)

    • Error Code 11001: Host not found
    • Background: This error indicates that the gateway or proxy server could not find the IP address of an upstream (Web) server. This is usually due to a DNS-related error.
    Tuesday, October 20, 2009 9:41 AM
  • Here goes:

    Added another allow rule to ISA which stated "allow local host to internal", telnet & http/https - the connections from ISA to CWA now work for HTTP and HTTPS! I can see the CWA login screen. I still have problems with the external connection though; I keep getting Error code 11001 host not found.

    Can't see it being a DNS issue as that resolves correctly... will get the comms guys to check that the public IP allocated to that service is routing correctly.

    Note: the FQDN and IP have been edited as I don't like putting this info out on the net...

    The website cannot be found

    Explanation: The IP address for the website you requested could not be found.

    Try the following:

    • Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
    • Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
    • Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.

    Technical Information (for support personnel)

    • Error Code 11001: Host not found
    • Background: This error indicates that the gateway or proxy server could not find the IP address of an upstream (Web) server. This is usually due to a DNS-related error.




    Also, ISA logging gets the following:

    Failed Connection Attempt GSWISA01 20/10/2009 11:35:50
    Log type: Web Proxy (Reverse)
    Status: 11001 No such host is known.
    Rule: Allow Applicable OCS CWA
    Source: External ( 172.24.4.103:0)
    Destination: ( 193.108.150.*:443)
    Request: GET https://"IntFQDN" :443/
    Filter information: Req ID: 0a996c49
    Protocol: https
    User: anonymous
    Additional information
    • Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322)
    • Object source: Internet Processing time: 1
    • Cache info: 0x0 MIME type:
    Tuesday, October 20, 2009 10:28 AM