John Howard - Senior Program Manager in the Hyper-V team at Microsoft

Senior Program Manager, Hyper-V team, Windows Core Operating System Division.


Forms Based Authentication and RPC/HTTP over single IP using ISA 2004


You would think that this would be something fairly simple to do.... Well, think again, unless you know. In the scenario I was trying to get working, there are essentially three servers involved - a domain controller running Windows Server 2003, a single Exchange 2003 Server and an ISA 2004 Server.

The goal is to allow users to access the Exchange Server remotely, both via Outlook Web Access and through RPC/HTTP using Outlook 2003.

When you publish OWA (I'm not using a FE/BE [Front-End/Back-End] configuration - just a single Exchange Server) through ISA 2004, the principle is to create a new web listener running on port 443 (SSL) on the ISA Server. You configure the web listener to use forms based authentication (FBA) and forward the requests back to your Exchange Server. I had this going fine without a manual in sight ;-)

However, when it comes to a configuration where you have a single IP address externally, and want to publish RPC/HTTPS also on port 443, you have a problem. You cannot, in ISA 2004, have a web-listener running in both FBA mode and basic authentication.

I was puzzling about this last week, and came close to solving the problem. There wasn't much information I could find out there on the Internet, so my thoughts were to use Basic Authentication on the web listener, and proxy the FBA through another listener. I never quite got there until I found the article below, but the general principle was right.

The article is Tom Shinder's "ISA Server 2004: Supporting Both Basic and Forms-based Authentication with a single External IP Address and Web Listener". It goes through a step-by-step configuration and worked perfectly for me. There are lots of screenshots to make it dead obvious what you need to do. The workaround is astonishingly simple in concept, yet resolves what should be such a simple thing to do.

...so here's a small part of my ISA configuration showing it configured

 

...and here's my OWA (with a few bits disguised - after all, you wouldn't expect me to publicise my inbox contents or external domain name would you??? :-) )

Now for that XBox theme..... When's the XBox 360 theme coming out then, Eileen.
