Re: OWA with SSL issues

  • From: "Andrew English" <andrew@xxxxxxxxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 3 Feb 2005 13:15:13 -0500

Read Mat Hellman's message in ISAServerlist, Steve.


-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx] 
Sent: Thursday, February 03, 2005 12:41 PM
To: [ExchangeList]
Subject: [exchangelist] Re: OWA with SSL issues

Let me quite categorically state that the cache is definitely not needed.

I have 6 virtual OWA SSL servers running as we speak at a large client
site, being published through ISA 2K4 with no issues whatsoever.

Done properly, it will work as per Tom's documentation.

This is not so much an ISA issue Andrew, as an IIS/virtual Exchange HTTP
issue. Correct your virtual servers and it will work correctly.
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, February 03, 2005 12:03 PM
To: [ExchangeList]
Subject: [exchangelist] Re: OWA with SSL issues

Tom, let me turn off the cache and see if it works; if it doesn't work, then
unfortunately you are wrong on this matter. ;)
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, February 03, 2005 10:45 AM
To: [ExchangeList]
Subject: [exchangelist] Re: OWA with SSL issues

Hi Andrew,

I think the problem here is that what you're doing is "off label" and
the guidance I provide explicitly states what parameters are required. So,
there are a lot of confounding variables in your config, which I suspect
(I don't know for sure) would not be supported by PSS.


Publishing the Web enrollment site provided an example of how to do it.
I used it in several of my own deployments for users who can't get to
the office. I don't recommend it in general for security reasons, but it
does work fine for me and my clients.


Where are the differences between MS's docs and mine? I worked closely
with MS on these; they worked in actual, real-world deployments with
lots o' users, so I know they're good. But if you deviate from the
parameters, then you have to do some footwork and figure out what the
special requirements are. But, again, you do NOT need to enable Web
caching to publish OWA.
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, February 03, 2005 9:09 AM
To: [ExchangeList]
Subject: [exchangelist] Re: OWA with SSL issues

Why then, if I turn the cache off, do I get "page can not be displayed"
when I go to https://<my mail server>? It has a big part in it. Remember,
Microsoft wrote the rules here; they should know, it's their product! :)


If someone were to write their ISA 2004 cert (if it exists) and on it
they were asked about doing OWA SSL, and the choices were your method,
Microsoft's method, and a totally incorrect method, then the person who
chose your method would answer it wrong.


This is the Microsoft way:


I started the whole thing from scratch doing it this way on the ISA
server, which worked the first time around on both my LAN and WAN. Then I
started making changes to the ISA OWA publishing rule to match yours in
ISA2k4EXCHkit Chapter 10, including adding the Enrollment rule, which made
very little difference if anything at all.


Then, since I was having trouble getting the SSL port to stick on my
virtual server, I found some guy's blog online which clearly explains how
to add the SSL port to your virtual servers, so I removed the certs from
the virtual server, deleted them, and followed the rules from scratch, making
new certs and giving the virtual server its SSL port. Plus I knew
already that I had to copy the certs to ISA and add them into the certs; I
removed the old one from Personal first before installing the new one, then
fixed the OWA SSL Listener up with the new certs.


Somewhere in the time I was doing this it dawned on me how virtual
servers work. When you create a virtual server it puts ExchWeb in your
new virtual server, which you can only see under IIS. Exchange is
actually there but in the /* folder. So I changed the OWA publishing path to
/*. At this point I killed the cache and found that I could not access
OWA via the LAN or WAN anymore; sure, I could get the cert, which is no
big deal, but after the cert I would get "page can not be displayed". It
was only when I turned on caching again, pointing it to /* because for
some reason it didn't like the Microsoft way of /exchweb/* and
/exchweb/img/* (plan to test again), that everything started working again.


The next problem I ran into was the logout window one gets when they
close their OWA screen without clicking on the logout button in OWA.
Because there was no /exchange it was presenting me with a problem: when
you close the window it jumps to /exchange before jumping back to /, and so
when I created the /exchange folder in the EVS (which points to the same
info that the virtual server does; if you look at the properties of the
EVS and home directory you can see it points to the same
\\.\backoffice\....\MBX that
/exchange points to), when I closed the window it took forever to
see the OWA Outlook logout graphic. It was only when I added /exchange/*
to the cache that it flew through when it was required to open and

I think I still have my testuser account setup Tom if you want to check
it out. 


Login: testuser@xxxxxxxxxxxxxxxxxxxxxx

Pass: hiway!9824


Also, one thing I noticed that makes a big difference in performance is
the 128-bit encryption. Microsoft's guide only wants you to enable
"Require Secure Channel (SSL)" on your OWA site, where you want people
to also enable the 128-bit encryption. Little do they know that enabling
the 128-bit encryption slows down OWA quite a bit. Also, the person who
wrote the blog on setting up the EVS only suggested you use the Require Secure
Channel (SSL) option on the EVS.


What is the key difference here?


I am doing this all on an Exchange Virtual Server, whereas your
documentation, which is quite different from Microsoft's, is for an
Exchange server which is running on a DC and is using the default site.
Oh, and the fact that I followed Microsoft's notes and enabled caching.


(I am nuking this bottom of this thread because I am sure this message
is more than the legal limit of 30k.)
