Comments on: Publishing Symantec Enterprise Vault in ISA 2006

By: @AaronJAnderson

@AaronJAnderson — Sun, 02 May 2010 19:28:02 +0000

Rainy day update:

Executives do not want to type passwords. I will reference this thread later in the future when I tell team-members things like this :) So now it's time to re-engineer some things on the TMG and join it to the domain. I will also be setting up NTLM authentication for Outlook Anywhere so this should be an interesting event.

By: Alogic

Alogic — Fri, 30 Apr 2010 12:07:05 +0000

Hi Elan,
Great article btw. My dilema is probably a misconfiguration on my part. I was wondering if you had time to check my config.
I posted my issue on the EV forum which explains my issue. https://www-secure.symantec.com/connect/forums/is…

It seems like after logging into OWA, ISA tries to fetch the EV icons and scripts from the EV server instead of using the CAS RPC extensions.
where did I go wrong?

Thanks for your help.
-S

By: Santiago

Santiago — Thu, 08 Apr 2010 11:59:15 +0000

Thanks Elan for your attention

By: eshudnow

eshudnow — Fri, 02 Apr 2010 13:19:16 +0000

Santiago, I've never really set up Enterprise Vault and have only published it via ISA for which I created the article for. So I apologize, but I can't really provide you with any more information on this. What I would suggest though, is to post in the Symantec EV forum section and ask how you can enable SSL on your IIS directories for Enterprise Vault. You would then just have ISA bridge to the EV IIS directory over port 443 which is on the bridge tab on the ISA rule. You would then want to set up the link translation rules to have the client go to https. I have no tried this at all so try and test this in a lab before doing it in production.

By: Santiago

Santiago — Thu, 01 Apr 2010 12:00:20 +0000

Hello Elan,
I have some questions for you about this article…

So, i'm using Enterprise Vault 8.0 SP3 ver. with HTTP 80 port to access web application. In general, i have already published in ISA the following exchange 2007 services – OWA, Outlook Anywhere, ActiveSync,…. that's why we use HTTPS communication, also i need to publish EV in ISA 2006 and that the communication will be secure – encrypted.

It is interested to me that if i change in EV site properties the "Use TCP Port 80" to "Use HTTPS on SSL Port 443" then i will also to implement SSL in IIS of Evault and that's why then configure the SSL certificate.

Do you know what kind of certificate do i need to use to push then HTTPS on Enterprise Vault.. ?

P.S I'm little bit confused with configuring SSL Port to Enterprise Vault entirely because i'm using HTTP 80 port already, could you suggest me simply how to setup it ?

By: Santiago

Santiago — Thu, 01 Apr 2010 11:58:18 +0000

Hello Elan,
I have some questions for you about this article…

So, i’m using Enterprise Vault 8.0 SP3 ver. with HTTP 80 port to access web application. In general, i have already published in ISA the following exchange 2007 services – OWA, Outlook Anywhere, ActiveSync,…. that’s why we use HTTPS communication, also i need to publish EV in ISA 2006 and that the communication will be secure – encrypted.

It is interested to me that if i change in EV site properties the “Use TCP Port 80″ to “Use HTTPS on SSL Port 443″ then i will also to implement SSL in IIS of Evault and that’s why then configure the SSL certificate.

Do you know what kind of certificate do i need to use to push then HTTPS on Enterprise Vault.. ?

P.S I’m little bit confused with configuring SSL Port to Enterprise Vault entirely because i’m using HTTP 80 port already, could you suggest me simply how to setup it ?

By: @AaronJAnderson

@AaronJAnderson — Wed, 03 Mar 2010 00:26:49 +0000

Elan, Thanks for the reply! I think I'm pretty much stuck right now with the extra authentication. My TMG server is not a domain member so constrained delegation is not an option for me. This is a security team decision. I'm sure as soon as the higher ups get annoyed with typing their passwords so many times (Like I don't type mine in 300 times a day!) that they'll lighten up a little bit and just let us optimize our 2007 front ends with our F5 load balancers, which btw, make OWA really scream. This is an excellent article. Probably the most complete on the net in regard to the topic.

By: Elan Shudnow

Elan Shudnow — Sun, 28 Feb 2010 17:29:07 +0000

Not sure. I've only ever published the EV stuff through OWA as described in the article. The first thought I have is that EnterpriseVault IIS directory authentication doesn't match the Authentication Delegation on the TMG Rule and you get prompted. There are other things such as you may not be using NTLM on the listener with KCD to the IIS directory or Pre-Auth Bypass directly to the server to bypass authentication credentials as NTLM cannot have another auth provider in the middle.

By: @AaronJAnderson

@AaronJAnderson — Fri, 26 Feb 2010 14:47:27 +0000

I have this working with Exchange 2007, TMG 2010 (isa) and EV 8.0 sp2. I did this to get the EV extensions working in Outlook for Outlook Anywhere. Everything works but I am prompted for credentials the first time Outlook tries to do something with EV such as retrieve or store.

Is there a way to avoid this?

By: GAH

GAH — Tue, 03 Nov 2009 17:09:41 +0000

I will update the existing rule and see how it will work.
Thank you very much Elan.