ISA 2006 - Access to internal HTTPS Site blocked by system rule

Hi all and thanks in advance.

Long story short: I have an ISA 2006 (existing) with a one-leg configuration (one network adapter) on which I am trying to publish Exchange 2010. The ISA acts as a proxy and I am having two issues:

- after creating the publishing rules, the external clients cannot access Exchange

- internal clients with the proxy server enabled cannot access Exchange (the OWA HTTPS web page, for example)

So, troubleshooting the issue, I see that from the ISA computer I cannot browse to that https://mail.domain.com/owa address, which I should be able to. And looking at the monitoring I see that it's being blocked by a system rule "system: allow http/https from isa server...".

I have firewall access rules that allow all outbound traffic from the localhost to the internal network, so why would a system rule block it?

Also, I noticed that the internal network object covers all available IPs (from 0.0.0.1 to 255.255.255.254, with the exception of the loopback 127.x.x.x range).

Any ideas on what might be causing this?

I've tried to exclude mail.domain.com from the proxy on the ISA, but no luck with that. And I do have the feeling that without the ISA being able to browse to https://mail.domain.com/owa, I will never get external access to work.

Any input would be much appreciated.

January 9th, 2014 4:20pm

Just wanted to add some address ranges. The ISA is on the 10.1.0.x network and the Exchange is on the 10.1.1.x network.

The ISA resolves mail.domain.com to 10.1.1.1, which is the Exchange IP address, and from the ISA I can ping that address. I just cannot access it via HTTPS because it's blocked by the system rule mentioned above.

When monitoring external access, the connection gets to the ISA (it's being NATed there); the ISA IP is 10.1.0.1, and I see in the destination IP of that connection the ISA IP 10.1.0.1 and not the 10.1.1.1 of the Exchange. Not sure if this is also an issue.

The publishing rule's "To" configuration points to the name mail.domain.com, and I have also specified the internal address there, 10.1.1.1. So I really think that the publishing rule is not the problem, as I cannot even browse from the ISA to the Exchange on the mail.domain.com address.

Again, any input would be much appreciated.

Thanks

January 9th, 2014 4:49pm

Hi,

If you really find that a system policy rule is blocking HTTP/HTTPS from the ISA localhost to Internal, you need to change or delete this rule. Since system policy has higher priority, even if you create an access rule, it will not work.

"when monitoring external access, the connection gets to the ISA (it's being nated there), and the ISA IP is 10.1.0.1 and I see in the destination IP of that connection the ISA IP 10.1.0.1 and not the 10.1.1.1 of the exchange"

Since you have published your Exchange server, external clients can only see the ISA's IP on the internet.

As you mentioned before, you must make sure ISA can access the Exchange server first.

Please try to disable the system policy rule and create an access rule.

In a single network adapter scenario, there is no concept of External. There are just Localhost and Internal in this environment.

In addition, the single NIC model cannot support server publishing; it can only support web publishing. Please note these limitations when you make TMG work with only one NIC.

http://social.technet.microsoft.com/Forums/forefront/en-US/27ffc1af-d4a3-4212-b2f7-81f6ab8d9830/tmg-2010-single-nic-exchange-2010-publishing?forum=Forefrontedgegeneral

http://social.technet.microsoft.com/Forums/forefront/en-US/89c51627-e811-4465-ae6a-8e732cd64fa8/unable-to-publish-owa-with-tmg-blocked-web-destinations?forum=Forefrontedgegeneral#69cc918e-8da8-4e63-9ed0-610cea3044f3

http://technet.microsoft.com/en-us/library/ee796231.aspx

Best Regards

Quan Gu

January 13th, 2014 12:52am
