I implemented different ISA 2006 Reverse Proxy servers in conjunction with Microsoft Exchange 2003 or Windows Exchange 2007.
Today I configured ISA 2006 with Exchange 2007. I configured the Reverse Proxy server as I did always. And the connection from outside the network works perfectly. On the internal Exchange server I configured Basic and Integrated Authentication on the OWA virtual directory. The problem is that internal users now automatically log in to their webmail box when entering the URL from the Exchange server.
This is not the desired configuration, because internal users should be able to open other people’s mailboxes by logging in as that user. The customer also has an ISA 2006 on the internal network for forwarding proxy purposes.
I decided to publish Exchange 2007 on the internal ISA 2006 server as well. The configuration should use Form Based Authentication (FBA) over HTTP. After configuring and trying the connection, the user can't access the ISA logon page. In the logging you will find that authentication over HTTP isn't allowed:
Error Code: 403 Forbidden. ISA Server is configured to block HTTP requests that require authentication. (12250)
This is a default setting in ISA 2006 which can be disabled. To allow authentication over HTTP, go to the Listener configuration, open the Authentication tab and select Advanced. In the next tab enable the option Allow client authentication over HTTP. This option enables using FBA over HTTP. Keep in mind that with this option enabled the form credentials travel unencrypted unless the listener is also configured for HTTPS, so it is only appropriate on a trusted internal network such as the one described here.
I have deployed several Juniper SA 2000 appliances and overall I am pleased with the working of the appliance. Sometimes we have minor problems when publishing ICA sessions through the appliance.
My colleagues have customers with connection problems, where suddenly the ICA sessions get disconnected and we cannot find the cause of these disconnects. Load balancing through the SA is also "hard" to configure. You have to define a custom ICA file and add the correct parameters for load balancing the sessions. In our opinion the Juniper SA appliance is a decent SSL VPN appliance, but not suitable for native Citrix environments. In native Citrix environments we prefer Citrix Secure Gateway or Citrix Access Gateway.
Now I recently noticed something strange with the Juniper SA. I am publishing an ICA session with a custom ICA file. The firmware of the Juniper is 5.5R2.1. I noticed that it isn't possible to connect from a Windows 2003 server. When trying to connect you will receive the following error message:
I checked the compatible platforms for Secure Terminal Access and Terminal Services for the 5.5 firmware and yes... Windows 2003 server isn't supported!
Looking at the compatible platforms for the latest firmware (6.2), Windows 2003 is supported for Secure Terminal Access and Terminal Services. So I hear you think: JUST UPGRADE THE DAMN THING, but I don't know the impact on the current configuration and published services.
I guess it would be great to check if it is possible to "hack" a Windows 2003 server and adjust the security features of the server, because I guess that the security policies introduced in Windows 2003 server are the cause of the ICA session not connecting.
I hope: TO BE CONTINUED...