Small Business Server Support Forum
Chester Hull  United States Member since 4/28/2005
Registered Users Posts: 30
5/29/2008 05:03 AM

For the life of me, I can't get this macbook air (the only Mac on the network) to connect to OWA through Firefox, and therefore, I also can't get Entourage to connect.
I've followed Eriq Neale's setup documents for Entourage. I've followed the documents here on Smallbizserver.net to set up my SBS box for Macs, and I've followed Eriq's documents on connecting a Mac to the SBS environment. I can browse the shares on the server just fine, I just can't do email!
I've set up a DHCP reservation for the Mac, and a rule in ISA 2004 to allow that reservation group full access. So I'm now browsing the web with Firefox (or Safari).
What am I missing? I'm about to go bald on this one!
I've tried and tried to import the certificate from the server. I had it on there once, tried deleting it, and re-adding it, but something is messed up, as re-adding it fails. (using CertGUI)
Any help would be MUCH appreciated!
Chester

Chester Hull  United States Member since 4/28/2005
Registered Users Posts: 30
5/29/2008 09:00 PM

To Clarify....
I can use the MacBook to connect to OWA just fine when I'm OUTSIDE the network. But when I'm ON the network, I can't connect to OWA.
Hopefully that will help clarify, and not further muddy the waters!
Can ANYONE help?
Chester

Eriq Neale  Texas, USA Member since 5/3/2005
Microsoft MVP Posts: 2105
5/30/2008 02:43 PM

Are you attempting to use the same URL to access OWA both inside and outside the network? If so, your issue is one of network lookup and access. Take a look at my last post in the thread http://www.smallbizserver.net/Forums/tabid/53/forumid/36/postid/87116/view/topic/Default.aspx. It details how to create a record in DNS to allow the Mac to use the public URL for OWA on the internal network and get an internal IP address to respond instead of an external IP.

Here's what's happening. Let's say your internal network is 192.168.16.2, and your external server IP is 71.1.1.1 (bad example, but you'll get the idea). When you look up https://mail.domain.com/exchange, the public DNS address should resolve to 71.1.1.1. If you're able to access OWA from outside, then this is working correctly. But when you're on the inside network, this will NOT work. ISA expects that any request for the public IP address will be coming from the external network, not the internal network. When the Mac is connected locally and has an IP on the 192.168.16.x network, then tries to access 71.1.1.1, ISA sees the request for 71.1.1.1 on the external interface with an internal IP address and drops the connection because it sees that as a spoofing attack. Some routers/firewalls will accept a request for the public IP address from an internal IP, but they shouldn't. This is normal behavior for ISA.

So you have two options. One is to follow the instructions I've outlined in the other thread. That's a way to have the Mac look up mail.domain.com and get an internal 192.168.16.x address returned instead of the public 71.1.1.1 address, which ISA will never see. The other is to tell the Mac user to use a different address when accessing OWA inside the network (i.e., server.domain.local). To avoid user confusion, I recommend setting up the internal address instead.

HTH...
-Eriq

Eriq Neale - Small Business Specialist, SBS MVP, Mac Guru EON Consulting LLC www.eonconsulting.net Author of Microsoft Small Business Server 2003 Unleashed Listen to eOnCall at AIRtunZ or visit www.eoncall.com. |
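
The lookup check described in the post above, as an added example that is not part of the original thread: it resolves the public name from a LAN client and reports whether the answer is an internal address (split DNS in effect) or an address outside the client's subnet (the request will go to ISA's public IP). The addresses and `mail.domain.com` are the post's own illustration; the /24 prefix, the function names and the stand-in resolver answers are assumptions made for this example.

```python
import ipaddress
import socket


def resolve_ipv4(fqdn):
    """Ask the system resolver (the one the browser uses) for IPv4 addresses."""
    infos = socket.getaddrinfo(fqdn, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def classify_lookup(client_ip, prefix_len, resolved_ips):
    """Compare the DNS answers with the subnet the client itself sits on."""
    lan = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    addrs = [ipaddress.ip_address(a) for a in resolved_ips]
    if not addrs:
        return "no-answer"
    on_lan = [a for a in addrs if a in lan]
    if len(on_lan) == len(addrs):
        return "internal"   # internal zone is answering: traffic stays on the LAN
    # Any off-subnet answer means some requests head for the public address.
    return "mixed" if on_lan else "hairpin"


def diagnose(fqdn, client_ip, prefix_len=24, resolver=resolve_ipv4):
    """Resolve fqdn and return the answers together with the verdict."""
    try:
        answers = resolver(fqdn)
    except socket.gaierror:
        answers = []
    verdict = classify_lookup(client_ip, prefix_len, answers)
    return {"fqdn": fqdn, "answers": answers, "verdict": verdict}


if __name__ == "__main__":
    # Constructed resolver answers standing in for real DNS, so this runs offline.
    cases = {
        "public DNS only": lambda name: ["71.1.1.1"],
        "internal zone in place": lambda name: ["192.168.16.2"],
    }
    for label, fake_resolver in cases.items():
        print(label, diagnose("mail.domain.com", "192.168.16.60", 24, fake_resolver))
```

Called without the `resolver` argument, `diagnose` uses the machine's real resolver, which is what matters here because the client's DNS server decides which address comes back.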
Chester Hull  United States Member since 4/28/2005
Registered Users Posts: 30
5/30/2008 02:59 PM

Eriq,
Thanks for the reply. I've created the zone in DNS, and now I'll get the user to try to connect from their Macbook.
Theoretically this would solve the problem for both OWA as well as Entourage access, correct?
Chester

Eriq Neale  Texas, USA Member since 5/3/2005
Microsoft MVP Posts: 2105
5/30/2008 03:11 PM

Yep, that will definitely resolve the Entourage issue, too.
-Eriq

Chester Hull  United States Member since 4/28/2005
Registered Users Posts: 30
5/30/2008 04:42 PM

Eriq,
Hmm, no luck. I followed your instructions to add the Forward Lookup zone, and had the user open Firefox, and go to the https://FQDN/exchange. It says the same thing. 403 ISA blocked request. So I didn't even have them try Entourage.
What am I missing?
Chester

Eriq Neale  Texas, USA Member since 5/3/2005
Microsoft MVP Posts: 2105
5/30/2008 04:49 PM

Let's start with the basics. Please do the following on the Mac:
1. Open the Macintosh HD icon.
2. Open the Applications folder.
3. Open the Utilities folder.
4. Open the Terminal application.
5. Type ifconfig and press enter.
Copy and paste the output from the ifconfig tool back here. Then:
6. Type ping FQDN and press Enter (where FQDN is the public DNS name of the server).
7. After a couple of responses, press Ctrl-C to stop the ping output.
What is the IP address listed in the ping output?
-Eriq

Chester Hull  United States Member since 4/28/2005
Registered Users Posts: 30
5/30/2008 05:05 PM

Eriq,
Thanks. Sometimes the basics are the best place to start!
I'm remote, so I can't paste the "ifconfig" results here, but the IP address of the unit is 192.168.16.60. That's a reservation in the DHCP scope, specifically for that Mac.
However, I think you got me! When we ping the FQDN, the IP address comes back as the public IP, not the internal IP of the SBS server. Shouldn't that come back as the internal IP of the server (192.168.16.2), since I did the Forward Lookup Zone? If so, then it's obvious that I didn't follow your directions on that post! I'll go back and redo that.
Chester

Chester Hull  United States Member since 4/28/2005
Registered Users Posts: 30
5/30/2008 05:45 PM

OK, I re-did the Forward Lookup zone, and now we can use Firefox to go to https://FQDN/exchange, and get to OWA!

So I ran Entourage, and it works, but each time I open it, I get this error:

"Unable to establish secure connection to office.vastaffingchoice.com because the server name or IP address does not match the name or IP address on the server's certificate. If you continue, the information you view and send will be encrypted, but will not be secure."

The only options are "OK" or "Cancel". When we click "OK", everything does work correctly. In trying to connect, I did load the self-signed certificate onto the macbook, and actually did it a couple different ways. Why am I getting this error, and how can I correct it?

Also, I checked the DNS Events log in the DNS management console, and I see this error:

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4521
Date: 5/30/2008
Time: 11:08:29 AM
User: N/A
Computer: SBS1
Description: The DNS server encountered error 32 attempting to load zone office.vastaffingchoice.com from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle. This can be caused by high Active Directory load and may be a transient condition. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Eriq Neale  Texas, USA Member since 5/3/2005
Microsoft MVP Posts: 2105
5/30/2008 06:37 PM

The errors in Entourage are unfortunately expected and you cannot work around them. It's another ISA thing. Briefly, ISA listens on the public IP address with the public FQDN SSL certificate. Internally, the IIS SSL certificates do NOT have the public FQDN name in them. This is so ISA can decrypt incoming connections to see where they go, then reencrypt them to pass them on to IIS. So when Entourage connects internally, it's expecting to see an SSL cert with the public FQDN in the list of cert names, and it's not there. Hence the error (I called Bob, but Bill answered the phone).

Not sure about the DNS errors off-hand, will have to look at those later when I can get to resources to dig into that further.
-Eriq

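
The name mismatch described in the post above, as an added example that is not part of the original thread: it applies the usual certificate name-matching rule (exact match, or a wildcard covering only the leftmost label) to the name a client asked for. `mail.domain.com` and `server.domain.local` are the illustrative names used earlier in this thread; the certificate name lists and function names are constructed for the example and are not taken from any real server.

```python
def name_matches(pattern, hostname):
    """True if a certificate name covers hostname (case-insensitive)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one leftmost label and must leave
        # at least two fixed labels, so "*.com" never matches anything.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_endpoint(requested, cert_names):
    """Report which certificate names, if any, cover the requested host."""
    matched = [n for n in cert_names if name_matches(n, requested)]
    return {"requested": requested, "name_ok": bool(matched), "matched": matched}


# Constructed name lists: one certificate per place the connection can end.
LISTENERS = {
    "ISA public listener": ["mail.domain.com"],
    "IIS on the internal interface": ["server.domain.local", "server"],
}


def audit(requested, listeners=LISTENERS):
    """Map each listener to whether its certificate names cover requested."""
    return {where: check_endpoint(requested, names)["name_ok"]
            for where, names in listeners.items()}


if __name__ == "__main__":
    # Same client setting, two network paths: only one certificate fits.
    for host in ("mail.domain.com", "server.domain.local"):
        for where, ok in audit(host).items():
            print(f"{host:22} via {where:30} -> {'match' if ok else 'MISMATCH'}")
```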
Chester Hull  United States Member since 4/28/2005
Registered Users Posts: 30
6/02/2008 03:27 AM

Eriq,
Thanks very much for all your help. The strange and frustrating thing is, I run a Mac on my own SBS network, and I don't get the error in Entourage, and I also didn't have to set up the Forward Lookup zone. The Mac just connects to OWA inside and outside my network beautifully! So when I went to work on this client, I matched the settings, and ran into all kinds of problems!

We have the client's Mac connected to OWA inside and outside the network, and we have Entourage working (except we keep getting the error upon opening Entourage).

Any idea what would make the difference? The ONLY thing I can think of, is our SBS server has a router in front of it, and the client's SBS server has no router, just straight from the External NIC to the DSL modem. The Static IP lives on the External NIC.

Anyway, if you had a thought, I would appreciate it! Thanks!
Chester

Eriq Neale  Texas, USA Member since 5/3/2005
Microsoft MVP Posts: 2105
6/02/2008 07:48 PM

The issue is with ISA. If you're not running ISA in your office, you're going to be less susceptible to the issue. What that tells me, though, is you have a firewall/router that's allowing spoof attacks, and that could be a cause for concern. A business-class firewall should never respond to a request directed at the public IP interface from an internal workstation. If you were running ISA, or had a business-class firewall, you'd have the same issue as this client.

HTH...
-Eriq

Chester Hull  United States Member since 4/28/2005
Registered Users Posts: 30
6/02/2008 08:36 PM

Eriq,
Thanks. I'm learning! (I think!) Well, I am running ISA on my network as well. It's the same setup. Except there is a router in front of my ISA, and the client's ISA is at the very edge of the network, with no router.

Anyway, I'll check into some of what you shared, and see if I can decipher what's happening. Thanks for all your help! Very much appreciated!
Chester