Re: OWA with SSL issues

  • From: Tee Darling <tee.darling77@xxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 3 Feb 2005 13:32:19 -0500

Andrew,
  It looks like you're not configuring something right. And do not
blame Tom Shinder for what you're doing wrong. Just be patient and
reconfigure your OWA right. It looks like you're picking information
from different places to do your OWA configuration. Follow one source
at a time.

My advice is if you want to follow Microsoft's KB article to do this
just go ahead and do that and if you want to follow Tom's I hope you
do the same but do not mix all of the information at the same time.

I just bought Tom's ISA Server 2004 and everything Tom is saying in
this book is working for me like a champ!!! This guy knows what he is
talking about when it comes to ISA Server period.

Take your time to reconfigure your OWA and you will get it right.

Tee


On Thu, 3 Feb 2005 13:15:13 -0500, Andrew English
<andrew@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> http://www.MSExchange.org/
> 
> Read Mat Hellman's message in ISAServerlist Steve.
> 
> Andrew
> 
> -----Original Message-----
> From: Steve Moffat [mailto:steve@xxxxxxxxxx]
> Sent: Thursday, February 03, 2005 12:41 PM
> To: [ExchangeList]
> Subject: [exchangelist] Re: OWA with SSL issues
> 
> Let me quite categorically state that the cache is definitely not needed
> either.
> 
> I have 6 virtual OWA SSL servers running as we speak at a large client
> site, being published through ISA 2K4 with no issues whatsoever.
> 
> Done properly, it will work as per Tom's documentation.
> 
> This is not so much an ISA issue Andrew, as an IIS/virtual Exchange HTTP
> issue. Correct your virtual servers and it will work correctly.
> 
> S
> 
> ________________________________
> 
> From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
> Sent: Thursday, February 03, 2005 12:03 PM
> To: [ExchangeList]
> Subject: [exchangelist] Re: OWA with SSL issues
> 
> Tom let me turn off cache and see if it works if it doesn't work then
> unfortunately you are wrong on this matter. ;)
> 
> Andrew
> 
> ________________________________
> 
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, February 03, 2005 10:45 AM
> To: [ExchangeList]
> Subject: [exchangelist] Re: OWA with SSL issues
> 
> Hi Andrew,
> 
> I think the problem here is that what you're doing is "off label" and
> the guidance I provide explicitly states what parameters are required. So,
> there are a lot of confounding variables in your config, which I suspect
> (I don't know for sure) would not be supported by PSS.
> 
> Publishing the Web enrollment site provided an example of how to do it.
> I used it in several of my own deployments for users who can't get to
> the office. I don't recommend it in general for security reasons, but it
> does work fine for me and my clients.
> 
> Where are the differences between MS's docs and mine? I worked closely
> with MS on these, they worked in actual, real-world deployments with
> lots o' users, so I know they're good. But if you deviate from the
> parameters, then you have to do some footwork and figure out what the
> special requirements are. But, again, you do NOT need to enable Web
> caching to publish OWA.
> 
> HTH,
> 
> Tom
> 
> ________________________________
> 
> From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
> Sent: Thursday, February 03, 2005 9:09 AM
> To: [ExchangeList]
> Subject: [exchangelist] Re: OWA with SSL issues
> 
> Tom,
> 
> Why then if I turn the cache off that I get "page can not be displayed"
> when I go to https: my mail server? It has a big part in it, remember
> Microsoft wrote the rules here, they should know it's their product! :)
> 
> If someone were to write their ISA 2004 cert (if it exists) and on it
> they were asked about doing OWA SSL and the choices were your method,
> Microsoft's method, and a totally incorrect method. If the person chose
> your method they would answer it wrong.
> 
> This is the Microsoft way:
> 
> http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/owapublishing.mspx
> 
> I started the whole thing from scratch doing it this way on the ISA
> server, which worked first time around on both my LAN and WAN. Then I
> started making changes to the ISA OWA publish rule to match yours in
> ISA2k4EXCHkit Chapter 10 including adding the Enrollment rule which made
> very little difference if anything at all.
> 
> Then since I was having troubles getting the SSL port to stick on my
> virtual server I found some guy's blog online which clearly explains how
> to add the SSL port to your virtual servers, so I removed the certs from
> the virtual server, deleted, and followed the rules from scratch making
> new certs, and giving the virtual server its SSL port. Plus I knew
> already that I had to copy the certs to ISA and add it into the certs; I
> removed the old one from personal first before installing the new; then
> fixed the OWA SSL Listener up with the new certs.
> 
> Somewhere in the time I was doing this it dawned on me how virtual
> servers work. When you create a virtual server it puts ExchWeb in your
> new virtual server which you can only see under IIS. Exchange is
> actually there but in the /* folder. So I changed OWA publishing path to
> /*. At this point I killed the cache and found that I could not access
> OWA via the LAN or WAN anymore, sure I could get the cert which is no
> big deal but after the cert I would get "page can not be displayed". It
> was only when I turned on caching again pointing it to /* because for
> some reason it didn't like the Microsoft way of /exchweb/* and
> /exchweb/img/* (plan to test again) everything started working again.
> 
> The next problem I ran into was the logout window one gets when they
> close their OWA screen without clicking on the logout button in OWA.
> Because there was no /exchange it was presenting me with a problem, when
> you close the window it jumps to /exchange before jumping back / and so
> when I created the /exchange folder in the EVS (which points to the same
> info that the virtual server does if you look at the properties of the
> EVS and home directory.. you can see it points to the same
> \\.\backoffice\....\MBX that
> /exchange points to.) and when I closed the window it took forever to
> see the OWA Outlook logout graphic. It was only when I added /exchange/*
> to the cache did it fly through when it was required to open and
> display.
> 
> I think I still have my testuser account setup Tom if you want to check
> it out.
> 
> Login: testuser@xxxxxxxxxxxxxxxxxxxxxx
> 
> Pass: hiway!9824
> 
> Also one thing I noticed that makes a big difference in performance is
> the 128bit encryption. Microsoft's guide only wants you to enable
> "Required Secure Channel (SSL)" on your OWA site, where you want people
> to also enable the 128bit encryption. Little do they know enabling
> the 128bit encryption slows down OWA quite a bit. Also the person who
> wrote the blog on setting EVS only suggested you use the required secure
> channel (SSL) on the EVS.
> 
> What is the key difference here?
> 
> I am doing this all on an Exchange Virtual Server where your
> documentation, which is quite different than Microsoft's, is for an
> Exchange server which is running on a DC and it's using the default site.
> Oh and the fact that I followed Microsoft's notes and enabled caching.
> 
> (I am nuking the bottom of this thread because I am sure this message
> is more than the legal limit of 30k.)
> 
> Andrew
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
> Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 ISA Server Resource Site: http://www.isaserver.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this MSEXchange.org Discussion List as:
> andrew@xxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> Report abuse to listadmin@xxxxxxxxxxxxxx