ISA Server 2004 is Ignoring my Web Publishing Rule

By Santhosh Sivarajan

Got Questions about this article? Go to:
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=21;t=000410 and ask!

I heard the following comment from a few clients: “ISA Server is ignoring my server publishing rule and it is always using the default rule”. This will happen especially if you are working on a complicated network where the ISA firewall and the application servers are on different subnets.

A few of you may already work with this type of complex network and may have encountered this issue. When you contact a support professional with this issue, their first suggestion is going to be “simplify your network”. We all know it is not going to happen. This article will provide a solution to work around this issue. This scenario uses an OWA publishing rule.

I am using the same lab scenario that I described in one of my previous articles (http://www.isaserver.org/tutorials/2004cannotlogon.html) to explain the situation. The figure below shows my lab configuration to explain this issue:

In the above example, you can see that the ISA firewall’s Internal Network (10.10.1.X), Active Directory Domain Controllers (10.10.2.X), Exchange Back-End Machines (10.10.3.X) and Exchange Front-End Machines (10.10.4.X) are on different subnets. I know it is a complicated network but I have worked with a similar network structure at several client sites.

My goal is to publish my OWA (Outlook Web Access) through ISA Server 2004. To publish OWA, I have completed the following tasks:

  1. Installed Windows 2003 with all service packs.
  2. Configured the Windows Routing Table (WRT) as described in my previous article, http://www.isaserver.org/tutorials/2004cannotlogon.html
  3. Installed ISA Server 2004.
  4. Created a new OWA Publishing rule to publish my Exchange FE server (10.10.4.45).

You can follow Tom Shinder’s article to find out more about publishing OWA through ISA Server 2004: http://www.isaserver.org/articles/2004pubowartm.html

At this time we have completed the ISA Server configuration and published OWA through ISA. What will happen if a client tries to access the OWA site? Is it going to work? The simple answer is No. (Again, this problem relates only to a complicated network. If your ISA Server’s Internal network and Exchange FE are on the same subnet or if the ISA firewall is used as the default gateway for Exchange, you are not going to have this issue).

If you monitor the logs on the ISA firewall, you will see it trying to use an OWA publishing rule (Open and Close connections) but then it starts using the Default ISA Server rule (a “clean up” rule) and denying your OWA request.

Here is the explanation of why it is not using your OWA publishing rule: when ISA Server receives an OWA request from an external client, the ISA Server changes the original destination address (ISA’s external address) to the published OWA server’s address. This packet still contains the original client source address.

In my scenario, the internal servers, including the Exchange servers, have no default route to the Internet through the ISA Server, so the packet will be dropped. Our security policy won’t allow us to change the default route on any of the application servers. What do I need to do to fix this issue? The following section explains how to work around this situation without making any modifications on the servers or on the network:

  1. Open ISA Server Management console.
  2. Select the Firewall Policy in the right pane and in the left pane, right click on the OWA Publishing Rule and go to properties.
  3. Select the To tab in the properties window.
  4. You will see the default configuration: in the Proxy Requests to published server section, under Specify how ISA Server forwards requests to the published server, the Requests appear to come from the original client option is selected. This is displayed in the following screen shot:

Note: When you create an OWA publishing rule, by default it will select the Requests appear to come from the original client option.

  5. In the Proxy Requests to published server section, under Specify how ISA Server forwards requests to the published server, select the Requests appear to come from the ISA Server computer option.
  6. Click Ok in the OWA Publishing Rule Properties window.
  7. Try OWA from the external client machine.

If you monitor the ISA Server activity, you will see it is using the OWA publishing rule instead of the Default rule.
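The routing behaviour behind the two To-tab options can be modelled in a few lines. This is an added example, not part of the original article: the ISA internal address, the external client address, the node names and the routing tables are constructed assumptions laid over the article's subnets.

```python
import ipaddress

# Constructed lab model on the article's subnets. The ISA host address,
# the client address and the node names are assumptions for illustration.
ISA_INTERNAL_IP = "10.10.1.1"
EXTERNAL_CLIENT_IP = "203.0.113.50"

# Source address the published server sees for each To-tab option.
SOURCE_SEEN = {
    "original client": EXTERNAL_CLIENT_IP,
    "ISA Server computer": ISA_INTERNAL_IP,
}

# Per-node routing tables: (prefix, next node). "deliver" means on-link.
ROUTES = {
    "exchange-fe": [("10.10.4.0/24", "deliver"), ("0.0.0.0/0", "core-router")],
    # The internal router knows internal subnets only: there is no route
    # toward the Internet that passes through the ISA firewall.
    "core-router": [("10.10.1.0/24", "isa"), ("10.10.4.0/24", "exchange-fe")],
    "isa": [("10.10.1.0/24", "deliver")],
}

def next_hop(node, dst):
    """Longest-prefix match of dst in node's table; None if no route."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), hop) for p, hop in ROUTES[node]]
    matches = [(net, hop) for net, hop in nets if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace_reply(dst, start="exchange-fe", max_hops=8):
    """Follow the server's reply hop by hop; return (path, outcome)."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = next_hop(node, dst)
        if hop is None:
            return path, "dropped"
        if hop == "deliver":
            return path, "delivered"
        path.append(hop)
        node = hop
    return path, "loop"

def reply_reaches_isa(mode):
    """True if the reply to the address seen in this mode ends at ISA."""
    path, outcome = trace_reply(SOURCE_SEEN[mode])
    return outcome == "delivered" and path[-1] == "isa"

if __name__ == "__main__":
    for mode in SOURCE_SEEN:
        print(mode, trace_reply(SOURCE_SEEN[mode]), reply_reaches_isa(mode))
```

With the ISA Server computer option, the Exchange FE's own web logs record the ISA address as the client, so per-client attribution has to come from the ISA Server logs.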

Note: If you are using ISA 2000 with SP1, this can be configured by modifying the registry. There is no built-in mechanism or check box to change this option.

I hope this article will provide a better understanding of publishing rules when you are working on a complicated network. If you have any questions regarding this article, feel free to email me or post a comment on the newsgroup.


======================================


About the Author, Santhosh Sivarajan

Santhosh Sivarajan is an Infrastructure and Security Architect in Houston, Texas. His certifications include MCSE (W2K3/W2K/NT4), MCP+I, MCSA (W2K3/W2K/MSG), CCNA, and Network+. He has worked for large networking project companies for the past 10 years. His expertise includes Active Directory, Exchange, Migrations, Microsoft Security, ISA Server, etc.
======================================

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=21;t=000410 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
