Welcome to TechNet Blogs Sign in | Join | Help
Wednesday, July 23, 2008 4:52 PM

Publishing Microsoft CRM 4.0 through ISA Server 2006

1. Introduction

 

Last February I collaborated with Henning Petersen from the CRM Team on CRM 3 through ISA Server 2006. After this post, we received a lot of requests for an article on publishing CRM 4 using the Internet Facing Deployment option (IFD). This post is going to answer those requests. For this post we chose to let ISA handle the SSL Certificates as this is the common scenario for ISA deployments although other methods can be used.

We chose to focus this blog on letting CRM handle the authentication while letting ISA handle the SSL session. The main reason for using IFD despite ISA’s ability to provide forms based authentication was that the Microsoft Dynamics CRM Clients for Outlook would run into authentication problems if prompted with an ISA login. In order to get CRM running with IFD a good starting point is to study the IFD guide called How to configure an Internet-Facing Deployment for Microsoft Dynamics CRM 4.0 it can be downloaded from the Microsoft Download Center. The deployment guide will allow you to better understand the CRM 4 IFD concepts before you create any publishing rules on ISA Server.

 

2. Adjusting the CRM Server for External Publishing

 

To deploy this scenario the following topology was used:

 

Figure 1 – Topology using CRM IFD with ISA Server 2006.

 

We broke it down the IFD configuration in two parts. Let’s see them:

Part 1 – General Considerations

We created an Organization in CRM 4.0 named “CRM”. to avoid the complication of split DNS, we decided to define the internal domain as .local and the external domain as contoso.com, therefore our first action item was to ensure that the External URL could resolve to the CRM server on the inside of the network. The external URL was defined as crm.contoso.com. CRM 4.0 IFD does a redirect to the External URL thus making it crucial to have name resolution to the external URL from the Inside of the network. The DNS infrastructure for this lab allows the external name (crm.contoso.com) resolves to the internal CRM Server.

Important Notes:

  • If you are using Multi-tenancy in CRM and you are planning on exposing multiple CRM Organizations to the outside world you will need to ensure that you can resolve all names such as crmorg2.contoso.com and crmorg3.contoso.com. (If you are exposing multiple CRM Organizations we recommend that you purchase a wildcard certificate (*.contoso.com) or an individual certificate for each organization.
  • The DNS setup and best practices are not covered in this blog.
  • After we established name resolution for crm.contoso.com on the inside we needed to activate IFD

Part 2 – IFD Configuration

CRM 4.0 IFD can be activated during the install of CRM 4.0 if you are using a configuration file.  Clint Warriner (Escalation Engineer, Microsoft CRM Team) has developed a tool that will allow you to configure CRM 4.0 with IFD after a normal GUI Install of CRM 4.0. For this blog we utilized Clint’s tool in order to enable IFD. The tool can be downloaded from the document named “How to use the Microsoft Dynamics CRM Internet Facing Deployment Configuration tool” In order to run the tool, you should read this document first and also review “Microsoft Dynamics CRM 4.0 Internet Facing Deployment Scenarios”.  Once you have the tool downloaded, place the executable in the tools folder under the Microsoft CRM folders. (i.e. c:\Program Files\Microsoft Dynamics CRM\Tools).  Here it is the screenshot of the currently released tool:

Figure 2 – IFD Tool.

When setting CRM up with IFD Auth we used HTTP on both IFD Domain Scheme (IFD Auth-External) and AD Domain Scheme (AD Auth-Internal). One important feature build into the tool is a DNS check – the check will ensure that the Orgname IFD App Root Domain and IFD SDK Root Domain resolve to the external name (in our example crm.contoso.com).

 

Note: IIS on the CRM Server is not handling the SSL Cert.

 

3. Configuring the ISA Server 2006 Web publishing rule

 

After preparing CRM 4, IFD follow the steps below to configure ISA Server 2006:

 

1.    Right-click on the Firewall Policy, select the option New, and then click Web Site Publishing Rule.

2.    Type the name of the rule, and then click Next.

3.    On the Select Rule Action window, select the option Allow, and then click Next.

4.    On the Publishing Type window, select the option to Publish a single Web Site or load balancer, and then click Next.

5.    On the Server Connection Security window, select the option Use SSL to connect to the published web server or server farm, and then click Next.

6.    On the Internal Publishing Details page, in the Internal site name box, type the name of the internal site. Select the Use a computer name or IP address to connect to the published server check box, and then, in the Computer name or IP address box, type the server name. If you do not know the name of the server, click Browse to navigate to its location.

7.    On the Internal Publishing Details window, in the Path (optional) box, type /*, and then click Next.

8.    On the Public Name Details window, from the Accept requests for dropdown list, select This domain name (type below), and then, in the Public name box, type the public name that matches the certificate that was issued for this URL. Click Next.

9.    On the Select Web Listener window, click New, type the name for this Web listener, and then click Next.

10. On the Client Connection Security window, select the option Require SSL secured connection with clients, and then click Next.

11. Click to highlight the External interface, and then click in Select IP Address.

12. In the External Network Listener IP Selection dialog box, select the option Specified IP addresses on the ISA Server computer in the selected network. In the Available IP address field, select the IP address, click Add, and then click OK. In the Web Listener IP Addresses window, click Next.

13. On the Listener SSL Certificates window, select Use a single certificate for this Web Listener, and then click Select Certificate. Select the certificate that was installed on this ISA Server 2006 computer, and then click Select.

 

Note: If you are running ISA Server 2006 Enterprise with multiple nodes in the array, you need to have this certificate installed on all ISA Servers for it to be considered valid; or you must select “Certificate per IP address”. For more information about SSL Certificate on ISA Server, see “Troubleshooting SSL Certificates” in ISA Server Publishing at Microsoft Technet.

 

14. In the Authentication Settings window, select No Authentication and click Next.

15. On the Single Sign On Settings window disable the checkbox, click Next, and then click Finish.

16. In the Web Publishing Rule wizard, click Next.

17. In the Authentication Delegation window, select the option No delegation, but client may authenticate directly and then click Next.

18. On the User Set window, make sure that All Users is selected, click Next, and then click Finish.

 

Since the purpose of this post is to use CRM 4 IFD is an Internet facing mechanism we will not authenticate on the ISA Server. This is the reason why authentication was disabled on the listener and on the delegation tab.

 

Now that we have everything set up, we can access the site from outside. The logon page that will be presented to the end user comes from the CRM 4 IFD itself and will look like the one below:

Figure 3 – CRM 4 Logon Page.

4. Troubleshooting Tips

 

Most issues you are going to run into is either DNS or authentication related. Most commonly you will be able to trouble shoot authentication from the inside of your network using the external URL. Once the FQDNs resolve, the ISA setup should be straight forward. Most of the authentication issues we have seen can be solved with the bullets listed below.

  • We recommend that you setup an SPN HTTP/ entry under the CRMAppPool account for each orgname you need to access. Ie. HTTP/crm.contoso.com (See “How to use SPNs when you configure Web applications that are hosted on IIS 6.0” “Scenario 2: Access a Web application by using a host header” for additional details. If you are unsure of this action please consult your networking/AD administrators.)
  • Also look into adding host headers for each Org that you will be accessing.

 

Authors

Henning Petersen

Support Escalation Engineer - Microsoft CRM Team

Microsoft – ND

 

Yuri Diogenes

Security Support Engineer – ISA/IAG Team

Microsoft – TX

 

Technical Reviewers

Corey Hanson

Technical Readiness Engineer – Microsoft CRM Team

 

Jim Harrison

Microsoft Forefront (ISA/TMG) Sustained Engineering Team

 

 

Posted by isablog | 4 Comments
Filed under:
Monday, July 21, 2008 7:01 PM

64-bit RPC traffic fails across ISA Sever 2006

1. Introduction

 

This post describes an issue where two 64-bit Windows hosts are failing to communicate to each other using RPC . The hosts each operate in a network physically separated from each other by ISA Server 2006.  Figure 1 illustrates the basic scenario.

 

 

Figure 1 – Sample network diagram.

 

All other traffic allowed between these hosts functioned normally; only RPC calls were failing.

 

2. Identifying the problem

 

The traffic across the networks was working without problems for most of the protocols (ICMP, SMB, DNS, HTTP, etc). Only RPC Calls were failing and the actual RPC error was exposed by using the repadmin /showreps command when run from one DC. We got the error message below:  

 

The replication generated an error (1727): The remote procedure call failed and did not execute.

 

We used KB911799 (method 1) approach to understand where was failing and if ISA Server 2006 was really causing that. The tests showed that the RPC communication was failing only for communications between 64 bit platforms (Windows Server 2008 64 with Windows Server 2008 64, Windows Vista 64 with Windows Server 2008 64bit).

 

Looking to the network monitor trace that was taken from the DC (10.30.30.10) it was possible to see the moment of the failure when the DC from one side is trying to bind to the RPC in the other side:

 

TCP 3 Way Handshake for RPC:

10.30.30.10 10.40.40.16 TCP   TCP:Flags=......S., SrcPort=36457, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=102417964, Ack=0, Win=8192 (scale factor 8) = 2097152

 

10.40.40.16 10.30.30.10 TCP   TCP:Flags=...A..S., SrcPort=DCE endpoint resolution(135), DstPort=36457, PayloadLen=0, Seq=2217804385, Ack=102417965, Win=16384 (scale factor 0) = 16384

 

10.30.30.10 10.40.40.16 TCP   TCP:Flags=...A...., SrcPort=36457, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=102417965, Ack=2217804386, Win=257 (scale factor 8) = 65792

 

RPC Bind Request for the End Point Mapper (End Point Mapper's UUID is E1AF8308-5D1F-11C9-91A4-08002B14A0FA):

10.30.30.10 10.40.40.16 MSRPC MSRPC:c/o Bind:  UUID{E1AF8308-5D1F-11C9-91A4-08002B14A0FA} EPT  Call=0x1  Assoc Grp=0x0  Xmit=0x16D0  Recv=0x16D0

- RPC: c/o Bind:  UUID{E1AF8308-5D1F-11C9-91A4-08002B14A0FA} EPT  Call=0x1  Assoc Grp=0x0  Xmit=0x16D0  Recv=0x16D0

  - Bind: {E1AF8308-5D1F-11C9-91A4-08002B14A0FA} EPT

     RpcVers: 5 (0x5)

     RpcVersMinor: 0 (0x0)

     PType: 0x0B - Bind

   + PfcFlags: 3 (0x3)

   + PackedDrep: 0x10

     FragLength: 160 (0xA0)

     AuthLength: 0 (0x0)

     CallId: 1 (0x1)

     MaxXmitFrag: 5840 (0x16D0)

     MaxRecvFrag: 5840 (0x16D0)

     AssocGroupId: 0 (0x0)

   - PContextElem:

      NContextElem: 3 (0x3)

      Reserved: 0 (0x0)

      Reserved2: 0 (0x0)

    + PContElem: 0x1

    - PContElem: 0x1

       PContId: 1 (0x1)

       NTransferSyn: 1 (0x1)

       Reserved: 0 (0x0)

     + AbstractSyntax: {E1AF8308-5D1F-11C9-91A4-08002B14A0FA} EPT

     + TransferSyntaxes: {71710533-BEBA-4937-8319-B5DBEF9CCC36} NDR64

    + PContElem: 0x1

 

 

RPC Bind Response:

10.40.40.16 10.30.30.10 MSRPC MSRPC:c/o Bind Ack:  Call=0x1  Assoc Grp=0x87F3 

- RPC: c/o Bind Ack:  Call=0x1  Assoc Grp=0x87F3  Xmit=0x16D0  Recv=0x16D0

  - BindAck:

     RpcVers: 5 (0x5)

     RpcVersMinor: 0 (0x0)

     PType: 0x0C - Bind Ack

   + PfcFlags: 3 (0x3)

   + PackedDrep: 0x10

     FragLength: 108 (0x6C)

     AuthLength: 0 (0x0)

     CallId: 1 (0x1)

     MaxXmitFrag: 5840 (0x16D0)

     MaxRecvFrag: 5840 (0x16D0)

     AssocGroupId: 34803 (0x87F3)

   + SecAddr: 135

   + Pad2: 0x1

   - PResultList:

      NResults: 3 (0x3)

      Reserved: 0 (0x0)

      Reserved2: 0 (0x0)

    - PResults: Provider rejection, Reason=Proposed transfer syntaxes not supported

       Result: Provider rejection

       Reason: Proposed transfer syntaxes not supported

     + TransferSyntax: {00000000-0000-0000-0000-000000000000} unknown

    + PResults: Acceptance, Reason=n/a

    + PResults: Negotiate Ack, Security Context Multiplexing Supported

 

The DC (10.30.30.10) sends an endpoint request for NTFRS Service UUID: f5cc59b4-4264-101a-8c59-08002b2f8426…

10.30.30.10 10.40.40.16 EPM   EPM:Request: ept_map: NDR, FrsRpc {F5CC59B4-4264-101A-8C59-08002B2F8426} v1.1, RPC v5, 0.0.0.0:135 (0x87) [DCE endpoint resolution(135)]

 

..but the DC 10.40.40.16 closes the connection

10.40.40.16 10.30.30.10 TCP   TCP:Flags=...A...F, SrcPort=DCE endpoint resolution(135), DstPort=36457, PayloadLen=0, Seq=2217804494, Ack=102418293, Win=65207 (scale factor 0) = 65207

 

10.30.30.10 10.40.40.16 TCP   TCP:Flags=...A...., SrcPort=36457, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=102418293, Ack=2217804495, Win=257 (scale factor 8) = 65792

 

10.30.30.10 10.40.40.16 TCP   TCP:Flags=...A...F, SrcPort=36457, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=102418293, Ack=2217804495, Win=257 (scale factor 8) = 65792

 

The key element in the above trace is the Provider Results, that appears as Provider rejection, Reason=Proposed transfer syntaxes not supported. Briefly this means that the DC 10.40.40.16 appeared to reject the bind request from DC 10.30.30.10 because the proposed transfer syntax is no supported. But this was not actually the DC 10.40.40.16 that sent that, that was ISA Server, let's understand why.

 

Note1: for a complete list of the meaning of each rejection reasons review Section 2 of the ISO 8823 standard.

 

3. RPC Filter

 

If you review the RPC Architecture you will notice that there is a component that belongs to the rpcrt4.dll called Marshalling Engine.  This component is responsible for providing a common RPC interface between RPC clients and servers through NDR (Network Data Representation). There are two transfer syntaxes variations for the NDR:

 

·         NDR20 – Used in 32-bit Architecture.

·         NDR64 – Used in 64-bit Architecture.

 

When two 64bit Windows Operating System are communicating using RPC they will negotiate the marshalling engine to use.  Since they both prefer NDR64, this is likely to be the format used. Natively, ISA Server 2006 RPC Filter doesn’t support NDR64; therefore the RPC Filter will reject any RPC communication which uses NDR64.

 

4. Resolution

 

To fix the problem you should install ISA Server 2006 SP1.

 

 

Author

Yuri Diogenes

Security Support Engineer – Microsoft CSS Forefront (ISA/TMG) Team

 

Technical Reviewers

Jim Harrison

Microsoft Forefront (ISA/TMG) Sustained Engineering Team

 

Doron Juster

Microsoft Forefront (ISA/TMG) Sustained Engineering Team

 

Posted by isablog | 0 Comments
Filed under: ,
Monday, July 21, 2008 1:18 PM

Change Tracking - Enterprise viewer

The Change Tracking tab is part of the ISA management console. But, it is implemented as an HTML files, and can operate outside the management console. To demonstrate this, I'll show how to use it as an enterprise Change Tracking viewer.

The Hook
If you look in C:\Program Files\Microsoft ISA Server\UI_Htmls\ChangeTrackingTab.htm, you'll notice that it has a body_onload() function, and that this function calls ChangeTracking_onload() if it exists. Also notice that it includes a script tags that tries to load ChangeTrackingAdditions.js. So, all we need is to create our own ChangeTrackingAdditions.js with ChangeTracking_onload() in it, and it will be called!

The Code
So, let's try it. Put the following into C:\Program Files\Microsoft ISA Server\UI_Htmls\ChangeTrackingAdditions.js:

function ChangeTracking_onload()
{
    if (WithinSnapin())
    {
        return; // Don't interfere with regular Management operation
    }

    var fpc = new ActiveXObject("FPC.Root");
    // To connect to remote CSS, call fpc.ConnectToConfigurationStorageServer here

    var entLog     = GetCTLog(fpc.Enterprise);
    var arrLogs    = GetCTLogCollection(fpc.Arrays);
    var entPolLogs = GetCTLogCollection(fpc.Enterprise.Policies);

    insertTableHTML(arrLogs, entPolLogs, entLog);
}
    
function GetCTLogCollection(CTContainerCollection)
{
    var logs="";
    var oEnum = new Enumerator(CTContainerCollection);
    for( ; !oEnum.atEnd(); oEnum.moveNext() )
    {
        logs = logs + GetCTLog(oEnum.item());
    }
    return logs;
}

function GetCTLog(CTContainer)
{
    try
    {
        var vendorSet = CTContainer.VendorParametersSets.Item("{1234C1BD-2502-4BDA-8EAD-B2DE4DD84A7D}");
        return vendorSet.value("changes");
    }
    catch (err)
    {
        return "";  // No CT log in this container
    }
}

Now, launch ChangeTrackingTab.htm from Windows Explorer.

  • You'll get an Internet Explorer yellow warning bar where it warns you from active content. You can allow just this once, or cancel this warning for good: Internet Options -> Advanced -> Security section -> check "Allow active content to run in files on My Computer".
  • You'll also get a warning that "An ActiveX control on this page might be unsafe…". This refers to the script's use of the ISA FPC.Root control - we can trust it, right?
  • And now, you get change logs from all your arrays, enterprise and enterprise policies, all together!

 

This concludes the Change Tracking series. I hope you enjoyed it. Happy ISAing!


-Jonathan Barner, ISA Sustained Engineering Team

Posted by isablog | 0 Comments
Filed under:
Monday, July 21, 2008 1:13 PM

Change Tracking - Configuration via Script

Change Tracking configuration is stored together with ISA configuration, in a VPS (Vendor Parameter Set). Note that it's a different VPS than the change log! As we already know, you can configure Change Tracking either on the array or on the enterprise. This is implemented as one VPS for each array, and one for the whole enterprise.

You can configure enable/disable Change Tracking via a script which changes these VPSs. Note that the following script always changes the enterprise VPS on ISA Enterprise Edition - changing that to change just the current array is left as an exercise to the reader.

const fpcIsaStandardEdition = &H10&
const fpcIsaEnterpriseEdition = &H20&

Set fpc = CreateObject("FPC.Root")
If fpc.IsaEdition = fpcIsaStandardEdition Then
    Set VendorSets = fpc.GetContainingArray.VendorParametersSets
Else
    Set VendorSets = fpc.Enterprise.VendorParametersSets
End If

On Error Resume Next
Set VendorSet = VendorSets.Item( "{123558F0-6D04-4781-AC2B-5C54DCEDBCFD}" )
If Err.Number <> 0 Then
    Err.Clear
    On Error GoTo 0
    Set VendorSet = VendorSets.Add( "{123558F0-6D04-4781-AC2B-5C54DCEDBCFD}" )
End If
On Error GoTo 0

VendorSet("Enabled") = True
'VendorSet("AskDescription") = False
'VendorSet("MaxEntries") = 1000

VendorSets.Save 0, 0

WScript.Echo "Change Tracking is now enabled"

 -Jonathan Barner, ISA Sustained Engineering Team

Posted by isablog | 0 Comments
Filed under:
Saturday, July 19, 2008 7:55 AM

Change Tracking - Modifying the Viewer

We've tried to get the Change Tracking viewer to cater to most people's needs. But you may have needs that it doesn't meet. Fortunately, you can customize the viewer to fit your needs!

As we already know, the Change Tracking log is stored as XML, which you can save using simple scripts. If you look at one such log, you'll notice that each log entry contains a "computer" attribute, which is the computer name on which the change was made.

Suppose you want to see this "computer" attribute in the log viewer. All you need to do is just modify the XSL file that transforms the log XML into viewable HTML:

  1. Open C:\Program Files\Microsoft ISA Server\UI_Htmls\ChangeTracking.xsl in notepad or any other text editor.
  2. Find the line that puts the username in the User column. It looks like this:
    <xsl:value-of select="@user" />
  3. Replace it with lines that put the username and computer name:
    <b>user: </b><xsl:value-of select="@user" /><br />
<b>computer: </b><xsl:value-of select="@computer" />
  4. Save. Now hit refresh on the Change Tracking viewer, and you'll see the change!

 

Further customizations are left as an exercise to the astute reader. Hint: Try playing with the <xsl:sort> line.

 

-Jonathan Barner, ISA Sustained Engineering Team

Posted by isablog | 0 Comments
Filed under:
Thursday, July 17, 2008 1:17 PM

Change Tracking - Other Uses

One of the unexpected uses I've found for Change Tracking is to learn how UI changes are translated to COM-level changes. For example, how is this radio button stored?


Let's enable Change Tracking, make some changes and try:

Policy Rule [PubExch] [PublishedServerType] changed from [fpcWebServerThruHTTP] to [fpcWebServerThruBothHTTPAndSSL]

Ah. All we need it to search for the property PublishedServerType, and there's our answer.

 

Another use is to find out what changes are made to ISA configuration outside the UI. For example, what does ISA setup, and specifically SP1 setup, do?

To check:
1. Install an ISA CSS
2. Enable Change Tracking on the Enterprise, apply.
3. Install an ISA Server, using a an ISA CD with SP1 integrated to it (See Administrative Installation section in KB885957).
3. Look at Change Tracking log of the new array:

 

You see several entries made by msiexec.exe (which is the process which runs ISA setup). You see that it makes some changes to logs and computer sets. You also see the new events and alerts added in SP1, and a new UUID added to the Exchange RPC Server protocol.

You can use the same technique to see what your 3rd-party add-on keeps in the ISA storage!


 

-Jonathan Barner, ISA Sustained Engineering Team

Posted by isablog | 0 Comments
Filed under:
Thursday, July 17, 2008 1:07 PM

ISA Server 2006 SP1 - Test Button Issues

One of the features released in ISA Server SP1 is the Test Button feature. Its major purpose is to test the compatibility between an ISA Web publishing rule and the published Web server. Test Button works well in common deployment scenarios; however, in some fairly uncommon cases it might report inconsistent results, when it reports success to an ISA Server computer, while a user will fail to connect to the published server[i].

The main reasons for these inconsistencies are:

1.       Test Button doesn’t check rule conflicts. For example, when ISA Server has a “Deny All” rule prior to the publishing rule, a user won’t be able to access the published server even when Test Button reports success.

2.       Test Button doesn’t check the listener configuration. For publishing to succeed both rule and listener configurations must be valid. However, since Test Button checks only the rule configuration, the listener may have a wrong configuration (expired certificate, listening on a wrong network, etc).

3.       Directory content is published by means of a wildcard.
For example, there is a directory (e.g. pics/) containing some files (e.g. photo1.jpg, photo2.jpg) which are accessed from outside by direct links (e.g. http://www.contoso.com/pics/photo1.jpg). The publishing can be done in two ways:

·         Explicitly – by means of two publishing paths: pics/photo1.jpg, pics/photo2.jpg. In this case Test Button won’t have issues.

·         Implicitly – by means of a published path which includes all files and subfolders using /* (e.g. /pics/*). In this case Test Button will explicitly test the directory and even though it may report success, the user can still encounter problems related to the existence/access permissions of the content itself (e.g. photo1.jpg returns an HTTP response 403 or 404).

4.       HTTP response 403 (forbidden) for a directory published with wildcard. When testing a directory published with trailing /* (e.g. /pics/*) an HTTP response 403 is always regarded as success, assuming that the real publishing target is not the directory, but rather its content. However this approach can be misleading: when the Web server directory requires secure channel (SSL), but the ISA Server attempts to access it by means of HTTP, the response will also be 403. In this case Test Button will also report success, although the publishing will fail.

5.       Published path can’t be verified if one of the parent directories requires authentication. For example, if the published path is /ExistingDirWithAuth/NonExistingDir/*, the published server will respond with an HTTP response 401 (Authorization required) with no hint about NonExistingDir existence or permissions. In this case if the authentication delegation scheme meets the published server requirements, Test Button will report success, but a user might fail to access the resource.

6.       Client information is required.

a.       Forward original host name option is selected in the web publishing rule, but no public names are defined. In this case Test Button will forward FQDN of the ISA Server, which might be different from the name a user might use.  (A user may use any host name which successfully translates into the IP address that ISA Server listener is listening on.)

b.      Requests appear to come from the original client. This option is currently ignored by Test Button, while it can affect the publishing success for different users IP addresses.

7.       FBA is supported only for Exchange 2003 and Exchange 2007. While Test Button recognizes Forms Based Authentication (FBA) for Exchange 2003 and Exchange 2007 and warns a user when an incompatible authorization delegation scheme is used, it is currently unaware of FBA in other products (e.g. SharePoint 2007).

 

These limitations should be considered by the ISA Server administrator when there is inconsistency between Test Button results and an actual user experience.

 

Dima Datsenko

Software Development Engineer, ISA Server Sustained Engineering

[i] There are rare cases when a published Web server may be configured to accept some host name unknown to Test Button. In such cases Test Button might fail, but a user will still succeed in connecting to the published server.

Posted by isablog | 1 Comments
Filed under:
Wednesday, July 16, 2008 8:22 AM

Change Tracking - Odds and Ends

Date & Time
The Change Tracking log viewer show the date and time of every change.

Change Tracking time column

  • The time is recorded as UTC (Coordinated Universal Time), and displayed using the current computer's time zone.
  • The time format is determined by the user's long date & time format. If you want, you can change them from Control Panel -> Regional and Language Options -> Customize: