RE: OWA page not displayed Outside



Hello Jim,

Thank you for posting here.

From your post, I understand that when attempting to access OWA from the
external side, the following error is encountered:

11001: Host not found.

Firstly I would like to confirm that when running CEICW, did you select "Do
not change..." option? I suggest you re-run CEICW again without selecting
"Do not change..." option and ensure to publish the OWA site.

If the issue persists, please try the following steps to narrow down this
issue:

Suggestion 1: Increase the value of Connection limit time
=====
Open the ISA Server management console, navigate to Configuration->
General-> Define Connection Limits-> Connection Limit-> Limit the number of
connection-> Connection limit per client (TCP and non-TCP).

Please increase the value to 160. If the original value is 160, please
uncheck the "Limit the number of connections" option.

We need to restart the ISA firewall service after modifying the value of
the connection limit time.

Suggestion 2: Clear the ISA Cache
=====
In addition, I would like to suggest you clear the ISA Cache, you can
perform the following steps:

1. On the ISA Server computer, stop the Microsoft Firewall service. To do
so:
1). Click Start, click Run, type services.msc in the Open box, and then
click OK.
2). Right-click Microsoft Firewall, and then click Stop.

2. Start Windows Explorer.

3. Locate the Urlcache folder.

4. In the Urlcache folder, locate the file that has the .cdat file name
extension.

5. Right-click the .cdat file, and then click Delete.

6. When you are prompted to confirm the removal of the .cdat file, click
Yes.
If you are prompted to delete the .cdat file because it is too big for the
recycle bin, click Yes.

7. Restart the Microsoft Firewall service.

More information:
How to delete the Web cache in Internet Security and Acceleration Server
2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;838248

Then try to access the problematic page again, does the problem persist?

If the problem persists, can you tell me if you have configured the
internal client as both the web proxy client and firewall client?

To be a Web Proxy client, please open IE, click Tools->Internet Options,
and click Connections->LAN Settings, configure ISA server as your Proxy
server (you can enter either the computer name or the internal IP of the
ISA server, port 8080 by default.)

To be a Firewall client, the workstation needs to have the ISA Firewall
Client software installed.

Suggestion 3:
=====
1. Open the ISA Server management console, navigate to "Firewall Policy".
On the right pane, double click the "SBS Internet Access Rule". Go to the
Users tab, you will find that the default setting is applied to "SBS
Internet Users", please change it to "All Users" and then move it to the
top and click "Apply" to save the settings.

2. Open ISA2004 Management Console, in the left panel, expand to
Configuration->Networks. Under "Networks panel", double click "Internal".
Switch to "Web Proxy" panel, click "Authentication...". Uncheck the "Require
all users to authenticate" option, and then click "Apply" to save the
settings.

Suggestion 4:
=====
Please try the following steps to configure the problematic web site for
direct access.

a. Open ISA management console, expand the server name. Expand the
Configuration node and click the Networks node.

b. In the details pane, click the Networks tab and then double click the
Internal Network.

c. In the Internal Properties dialog box, click the Web Browser tab. On the
Web Browser tab, click the Add button.

d. In the Add Server dialog box, select the Domain or computer option and
enter the name of the site that you want Direct Access to be used. Enter
dsc2g.co.clark.nv.us (or *.co.clark.nv.us) in the text box, click OK. Click
Apply to save the changes and then update the firewall policy.

e. Then go to the client computer, double click on the Firewall client icon
in the system tray. Click the Test Server button. This forces the Firewall
client to pull the new configuration information from the ISA firewall.
Click Close in the Testing ISA Server dialog box when the test completes,
then click the Apply button in the Microsoft Firewall Client for ISA Server
2004 dialog box.

Click the Web Browser tab. Confirm that there is a checkmark in the Enable
Web browser automatic configuration checkbox and click Configure Now, and
then click OK in the Web Browser Settings Update dialog box.
Then click Apply and then click OK in the Microsoft Firewall Client for ISA
Server 2004 dialog box.

More information:

Configuring Sites for Direct Access
http://www.isaserver.org/articles/2004directaccessp1.html

Then access the site again, will the problem be resolved?

Suggestion 5:
======
This problem could also be caused by the EDNS0 query.

Windows Server 2003 supports Extension Mechanisms for DNS (EDNS0) function
which permits the use of larger User Datagram Protocol (UDP) packet sizes.
However, some firewall programs or routers may not permit UDP packets that
are larger than 512 bytes. As a result, these DNS packets may be blocked.

I would like to suggest you try the following steps:

1. Insert SBS 2003 CD2, navigate to \Support\Tools\. Double-click
suptools.msi to install the Windows 2003 support tools.

2. At a command prompt, type the following command, and then press ENTER:

"dnscmd /config /enableednsprobes 0" (without the quotation marks)

The following information appears:

Registry property enableednsprobes successfully reset.
Command completed successfully.

After you run this command, Windows Server 2003 DNS no longer advertises
its EDNS0 capabilities.
As a result, the Windows Server 2003 DNS server will not be sent UDP
packets that are larger than 512 bytes.

For more information, please refer to this KB article:

828263 DNS query responses do not travel through a firewall in Windows
Server 2003
http://support.microsoft.com/?id=828263

If the problem persists, please help me gather the following info:

1. Would you please let me know your public domain name of the server?

2. Is web proxy enabled on the SBS Server itself in IE?

3. When did the problem begin to occur?

4. How many NICs does the SBS Server have?

5. Please gather ISA info and ISA log to me for further analysis:

a. Open ISA 2006 management console.
b. Expand the server node and highlight 'Monitoring'.
c. In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is shown there.
d. In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
e. Switch to the 'Fields' tab, and then click 'Select All'.
f. Click OK, and then click 'Apply' to save changes and update the
configuration.
g. Click 'Configure Firewall Logging'. Do step d~f to enable the full
logging options for firewall logging.

Prepare to take the trace:

a. Temporarily stop the Firewall service to clear the current existing W3C
logs: Monitoring->Services tab, and then right click 'Microsoft Firewall'
to choose 'Stop'.
b. Go to the log saving directory and clean any existing .W3C logs. By
default, the logs will be saved to 'C:\Program Files\Microsoft ISA
Server\ISALogs'. (Some MDF may not be able to be deleted, that's normal.)
c. Go back to the ISA 2004 management console, and then Start the stopped
'Microsoft Firewall' service.

Reproduce the problem:
a. Go to the client computer. Try to access the MSN.
b. Go back to the ISA server. Stop the 'Microsoft Firewall' service. Open
Windows Explorer, navigate to the ISA log file folder. Collect the recent
w3c files. Save them to a zip package as 'isalogs.zip'. Start the
'Microsoft Firewall' Service.
c. Send the zip packages to me at v-mzhuan@xxxxxxxxxxxxx

NOTE: Please let me know the client workstation's IP address.

2. Please help to gather the ISA Info:

1) Download the file from the following URL:

http://www.isatools.org/tools/isainfo.zip

2) Extract all files to a folder on ISA server.
3) Double click Isainfo.js. This will generate 2 files
ISAInfo2006-<computer-name>.log and ISAInfo2006-<computer-name>.xml in the
current folder.
4) Please send these files to me at v-mzhuan@xxxxxxxxxxxxx

3. Meanwhile, please follow the link and download and run the Microsoft
Internet Security and Acceleration (ISA) Server Best Practices Analyzer
Tool and then send me the results (XML format):

http://www.microsoft.com/downloads/details.aspx?FamilyId=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en

Please try the above steps at your earliest convenience. If you have any
concern, please feel free to let me know.

Best regards,

Manfred Zhuang(MSFT)
Microsoft Online Newsgroup Support

Get Secure! - www.microsoft.com/security


This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: OWA page not displayed Outside
| From: Jim Prendergast <JimPrendergast@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: RE: OWA page not displayed Outside
| Date: Tue, 18 Mar 2008 11:53:00 -0700
|
| Sorry meant to give more information
|
| 1/ if you launch IE on the server and browse to:
| https://domainname.local/exchange. where domainname.local is
| the local domainname
| You are displayed the except the cert page you can the
| accessed and browse OWA, so it all works
|
| 2/ if you launch IE on the server and browse to:
| https://certDN.com/exchange. where certDN.com is the
| email domain name which is also used in the CEIW wizard in the firewall
| section to generate the certificate.
| You are displayed the except the cert page you can the
| accessed and browse OWA, so it all works
|
| "Jim Prendergast" wrote:
|
| > Hi hope somebody can help.
| >
| > OWA works OK on the internal LAN, but fails externally with Error Code
| > 11001: Host not found.
| >
| > SBS Prem 2003
| > CEIW wizard run OK.
| > Internal Server board with two NICS
| > ISA installed.
| > Draytek 2800
| >
| > Compared to our other SBS sites and cannot see any difference. They all work
| >
| > Run the logs on ISA and get the following
| >
| > 0.0.0.0 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET
| > CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) No Reverse
| > Proxy MORESERVE moreremote.co.uk TCP Internet - - - - - - 0 1 2223 562 11001
| > 0x0 0x40 Web Proxy Filter 18/03/2008
| > 18:01:43 192.168.1.2 443 https Failed Connection Attempt SBS OWA Web
| > Publishing
| > Rule 82.163.58.67 anonymous External GET http://publishing.Morelands.local:443/exchange
| > Any idea how to pinpoint the fault???
|
