Archive for the ‘isa’ Category

ping working, http not?!

Saturday, January 23rd, 2010

problem: ping to a host on the other side of a vpn works, http not.

environment:TMG on both sides, both have multiple external IPs and source side has them distributed over multiple network cards.

solution: Although I disabled web proxying and the network relation between the two vpn sites is routing, TMG still tries to access the target web server using one of it's external IPs. I tested pinging a host on the other side using various source IPs from the source TMG, I figured that only certain IPs work.
I finally configured all IPs onto one nic and it started to work.

Subversion, Apache, XCode (SCM) and ISA 2006

Wednesday, August 5th, 2009

environment:Subversion using mod_svn under apache/linux, hosted behind ISA (doing SSL termination). Using SCM feature of XCode for checkin

problem: login succeeds in XCode, but list fails with Error: 175002 (RA layer request failed) Description: REPORT request failed and 403 Forbidden (The server denied the specified Uniform Resource Locator

solution: For the firewall policy rule that forwards to the server hosting subversion add "" (e.g.,,...) to the public names.

Waiting for a reply from Microsoft if there is a better way of doing this (e.g. * [this is an invalid public name] or similar).

Nokia Mail for Exchange, Exchange and Client Certificates

Saturday, June 13th, 2009

problem: Mail for Exchange on Nokia mobile phones should authenticate using Client Certificates and username/password against Active Sync of Exchange 2003, to make sure that username/password is not enough to access corporate data.


  1. Create client certificates for the Nokia phones. I did it using Microsoft Certificate server. To do so, go to http://ca-servername/certsrv and "Request a certificate", "User certificate" and hit the submit button (this will create a certificate and the associated private key for the authenticated user). Then hit "Install this certificate" and "yes". Now start "certmgr.msc" (Start\run) and select "Certificate/Current User". Under Personal/Certificates you should find your newly created certificate. Right-click, "All Tasks", "Export...", select "Yes, export the private key" and provide an export password (keep in mind, that you need to enter it on the Nokia phone). Store the .pfx somewhere
  2. Transfer the .pfx file using Nokia PC Suite to the mobile phone
  3. On the nokia phone go: "Menu", "Office", "File Manager" and open the just transferred .pfx file
  4. Enter the export password and select "Save"
  5. Provide a keystorage password (Schl├╝sselspeicher-Passwort in german). This MUST have a length of 6.
  6. Ok and return to the home screen
  7. Now go: "Menu", "System", "Settings", "General", "Security", "Certificate Management", "Personal Certificates", "Options", "Move to Phone Certificates", "Yes" and enter the keystorage password. This makes sure, the user does not have to enter the password for the private key at every sync.
  8. Configure Mail for Exchange as usual. You should find enough information on google/bing on this topic.

To actually authenticate Mail for Exchange/Phone using the certificate I used ISA 2004.
Create an SSL Listener and enable Authentication using Certificates. Make sure the root certificate (or the cert used for signing your client certs) is installed as "Trusted root certificates" in the "Computer Certificates". I then authenticated against Active Directory and ISA will use NTLM/Integrated Security to authenticate as the actual user against Active Sync. On the Exchange Front-End IIS on the "Microsoft-Server-ActiveSync" directory "Integrated Authentication" must be enabled. I forgot if the ISA server must be trusted for delegation for this scenario, but if you have any trouble, check the logs and google/bing for "Trusted for delegation ISA spn".

Note: this setup still requires the username and password to be correctly configured in Mail for Exchange.

ISA 2006 and Active Directory Replication

Thursday, January 29th, 2009

environment: The following servers are in place AD1, ISA1, ISA2, AD2. AD1 is behind ISA1; AD2 is behind ISA2; ISA1 and ISA2 are connected via VPN.

ISA 2006 (without SP1)

problem: during dcpromo

The operation failed because:

Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller CN=NTDS Settings,CN=AD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=net on the remote AD DC Ensure the provided network credentials have sufficient permissions.

"The remote procedure call failed."

solution: Go to to ISA1 and ISA2. Right mouse click the rule responsible for VPN traffic. Select "Configure RFC protocol" and uncheck "Enforce strict RPC compliance"

Updating to ISA 2006 SP1 finally fixed it.

Windows IPSec (configured via ISA Server 2006) debugging

Tuesday, December 30th, 2008

netsh ipsec dynamic set config ikelogging 0

results in %SYSTEMROOT%\Debug\Oakley.log

OpenVPN Server on Gentoo, Vista Client and ISA 2006

Sunday, May 6th, 2007

environment OpenVPN Server on Gentoo, Windows Vista Client, ISA 2006

problem Establish VPN tunnel from Vista to Gentoo


Server Install

  • emerge openvpn and read the output about /etc/init.d
  • Make sure you got CONFIG_TUN (details)
  • Create keys and /etc/openvpn/hostname.conf files. A sample can be found here.

Vista Client Install

  • Install at least OpenPVN 2.1_rc2 download because of this
  • copy client.crt, client.key, ca.crt and optionally ta.key from your server /usr/share/openvpn/easy-rsa/keys/
  • create hostname.ovpn in C:\\Program Files\\OpenVPN\\config and make sure to run the editor as administrator due to UAC. A sample can be found here.

actual problem I'd like to publish OpenVPN with a "Web Publishing Rule" on ISA 2006 and have ISA 2006 forward to the right machine
based on the domain. It sniffed the traffic and OpenVPN doesn't send a SSL "Client Hello" message at the beginning, but some other message tagged as "SSL Continuation" in Wireshark.

After thinking a little more, the scenario I'd like to implement wont be possible anyway, because ISA 2006 gets the domain from the HTTP traffic (details) and not from the SSL/TLS layer. Maybe a something similar to Apache/OpenVPN port sharing would be possible with a custom filter in ISA...

Terminal Service Gateway on Longhorn published with ISA 2006: not working

Sunday, May 6th, 2007

environment ISA 2006, Terminal Service Gateway on Longhorn Beta 3

problem Tunneling RDP through HTTP/HTTPS. e.g. forwarding applications through http.

story First of all I couldn't get my wildcard certs working, I replaced it with FQDN certs and got a little further.

The above described scenario is NOT supported. See here why and how in more detail.

Virtual Server 2005 R2 SP1 RC1 – Upgrade

Monday, April 30th, 2007

environment Windows 2003 SP2, ISA Server 2006, Virtual Server 2005 R2 SP1 pre-RC1

story I upgraded to Virtual Server 2005 R2 SP1 RC1 remotely - somewhere in the middle, my Terminal Service Client connection disconnected - *PANIC*. But just keep calm and wait. I guess the network connection get shutdown due to some driver installation - the server became ready again by itself. I didn't need a reboot.

Gallery and Login/Logout Problem – Caching in ISA Server 2005 R2

Saturday, April 21st, 2007

environment gallery, ISA Server 2005 R2, WebSite hosted on Apache using http, publish through ISA with https.

problem login/logout issue. User logs in. Clicks the gallery logo in the top left. Gets the guest front page. If the user visits a sub page it works again... and for some not...

solution Turn of reverse proxy caching in ISA. Configuration/Cache/Cache Rules. Create a new rule including the server that hosts the web site. Check "Never cache the response" and disable http caching.

dnsmasq and dns servers for specific domains

Sunday, April 15th, 2007

environment OpenWrt, dnsmasq

problem A dns server for a specific domain (e.g. is either not available from outside OR due to firewall/vpn restrictions has a different ip than publicly available

solution Edit dnsmasq.conf and add