Mike l. . r , 2012-06-09 20:43:26
I have an HP DL320 ISA 2004 appliance deployed in a pilot environment with a
single NIC, in a workgroup. The system will be deployed in production in a
DMZ as an OWA reverse proxy.
In the pilot my back-end Exchange server is 10.10.10.5, and the ISA server
is 10.10.10.1. My XP workstation is 172.16.1.1. My back-end Exchange system
is currently part of a FE/BE configuration, with the FE system in the DMZ.
The ISA 2004 system will be replacing the FE system, and I hope to eliminate
the FE/BE arrangement altogether and just reverse proxy to the back-end.
The FE/BE configuration I am speaking of in this pilot is in production. I
have merely installed an ISA 2004 server on the wire to test – under the
assumption that this should work. The real AD/DNS name of the back-end
server is mail15.mydomain.org.
On the XP box I create a hosts file entry for mail.mydomain.org and point it
to 10.10.10.1. On the ISA server I create a hosts file entry for
mail.mydomain.org and point it to 10.10.10.5.
I create a single mail server publishing rule for OWA on ISA using
mail.mydomain.org as both the published mail server and the public web site
name. Other than the default rule, this is the only rule in the FW policy.
I am using an HTTPS listener configured with a Verisign SSL cert matching
mail.mydomain.org. Bridging is to the client only, and I send everything to
the backend Exchange server via TCP/80.
I have tried both forms-based auth and basic auth with no luck. ISA will
serve me the page for both, but in the log, when it attempts to connect to
the BE Exchange server, I get nothing but failed connection attempts.
My confusion is in trying to understand which auth method will send
everything to the back-end and which implies that ISA will perform the
authentication? And, does the fact that this system is in a workgroup have
any bearing on either auth method? Does this ISA box need to be in the
domain to work at all?
Also, why can I not get this ISA box with this single rule to proxy anything
to the backend?
I have read in another thread that FBA requires that ISA perform all
authentication. If this is true, then I would rather avoid that method,
since what I really need is for all traffic to traverse TCP/80 on the
back-end, or SSL if I implement that.