Comments on: Publishing Symantec Enterprise Vault in ISA 2006

By: @AaronJAnderson

@AaronJAnderson — Wed, 03 Mar 2010 00:26:49 +0000

Elan, Thanks for the reply! I think I'm pretty much stuck right now with the extra authentication. My TMG server is not a domain member so constrained delegation is not an option for me. This is a security team decision. I'm sure as soon as the higher ups get annoyed with typing their passwords so many times (Like I don't type mine in 300 times a day!) that they'll lighten up a little bit and just let us optimize our 2007 front ends with our F5 load balancers, which btw, make OWA really scream. This is an excellent article. Probably the most complete on the net in regard to the topic.

By: Elan Shudnow

Elan Shudnow — Sun, 28 Feb 2010 17:29:07 +0000

Not sure. I've only ever published the EV stuff through OWA as described in the article. The first thought I have is that EnterpriseVault IIS directory authentication doesn't match the Authentication Delegation on the TMG Rule and you get prompted. There are other things such as you may not be using NTLM on the listener with KCD to the IIS directory or Pre-Auth Bypass directly to the server to bypass authentication credentials as NTLM cannot have another auth provider in the middle.

By: @AaronJAnderson

@AaronJAnderson — Fri, 26 Feb 2010 14:47:27 +0000

I have this working with Exchange 2007, TMG 2010 (isa) and EV 8.0 sp2. I did this to get the EV extensions working in Outlook for Outlook Anywhere. Everything works but I am prompted for credentials the first time Outlook tries to do something with EV such as retrieve or store.

Is there a way to avoid this?

By: GAH

GAH — Tue, 03 Nov 2009 17:09:41 +0000

I will update the existing rule and see how it will work.
Thank you very much Elan.

By: Elan Shudnow

Elan Shudnow — Tue, 03 Nov 2009 17:04:04 +0000

Don't think you will see anything in specific. This article was written a while ago and it may work now. When I wrote that, I heard of someone having this issue and that they used a regular website publishing rule which fixed the issue for them. I didn't test it out myself.

By: GAH

GAH — Tue, 03 Nov 2009 16:00:39 +0000

Tanks for a great blog Elan.

One question for you Elan.
Regarding "There is a bug that prevents you from setting up Link Translation rules that are needed to get Enterprise Vault to work" how will I see the error occur. Or will I not see any error but it just will not work.
The reason I ask is that I do not know whether the “Exchange Web Client Access publishing Rule” was used when the OWA rule was created or “Web Site Publishing Rule.” I do not want to reconstruct the rule unnecessarily.

thanks

By: Rami

Rami — Mon, 06 Jul 2009 21:55:44 +0000

Thanks for this info. We toyed with this solution. But having all of our users go out to the ISA server when they are internal was something we weren’t thrilled about due to high availability concerns.
What we have done is we created a second website (with a different IP) on the CAS boxes, configuring it for basic authentication and creating the necessary CAS hooks with powershell. We left the default CAS website as forms-based auth. Then you can direct the ISA traffic to the secondary website using the second IP while leaving your internal OWA traffic to the primary website. This guarantees FBA for both internal and external and the same namespace (if you want) while allowing internal traffic to not require the ISA to be up, etc.

This does make EVault config in web.config a little more interesting since both primary and secondary websites in CAS point to the same OWA dir and web.config. So you have to point the EnterpriseVault_WebDAVRequestHost entry to the secondary website’s IP address. But it all seems to work.
The next challenge was to make Evault in OWA and Outlook work correctly on kiosks (where the windows user is not necessarily the same as the user’s mailbox).

By: world free

world free — Tue, 07 Apr 2009 16:17:43 +0000

update on my side. this is required for the outlook anywhere rule (if you use outlook anywhere).

By: Elan Shudnow

Elan Shudnow — Tue, 07 Apr 2009 16:14:24 +0000

1. You’re re-directing all the EV FQDN to the OWA FQDN to avoid the need to have the EV FQDN in the cert. So no.
2. No because again, you’re re-directing the EV traffic to the OWA listener/rule.
3. Depends on how your ISA to AD authentication is set up.

By: Stan

Stan — Mon, 06 Apr 2009 20:03:17 +0000

Hi,

Great instructions! Now if I could only get it to work.

1. Is a UC cert required for this method to work?
2. What should the Authentication be set at on the OWA listener?
3. I’m assuming LDAP traffic must be allowed between the ISA server and the internal network?