Re: OWA with SSL issues

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 3 Feb 2005 09:40:15 -0600

Hi Andrew,
Again, you are incorrect. Enabling the cache has NOTHING to do with OWA
publishing. And don't be too sure about certification issues either.


From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, February 03, 2005 9:09 AM
To: [ExchangeList]
Subject: [exchangelist] Re: OWA with SSL issues



Why then, if I turn the cache off, do I get "page can not be displayed"
when I go to https: my mail server? It has a big part in it, remember
Microsoft wrote the rules here, they should know it's their product! :-)


If someone were to write their ISA 2004 cert (if it exists) and on it
they were asked about doing OWA SSL and the choices were your method,
Microsoft's method, and a totally incorrect method, and the person chose
your method, they would answer it wrong.


This is the Microsoft way:


I started the whole thing from scratch doing it this way on the ISA
server, which worked first time around on both my LAN and WAN. Then I
started making changes to the ISA OWA publish rule to match yours in
ISA2k4EXCHkit Chapter 10 including adding the Enrollment rule which made
very little difference if anything at all. 


Then since I was having troubles getting the SSL port to stick on my
virtual server I found some guy's blog online which clearly explains how
to add the SSL port to your virtual servers, so I removed the certs from
the virtual server, deleted, and followed the rules from scratch making
new certs, and giving the virtual server its SSL port. Plus I knew
already that I had to copy the certs to ISA and add it into the certs; I
removed the old one from personal first before installing the new; then
fixed the OWA SSL Listener up with the new certs. 


Somewhere in the time I was doing this it dawned on me how virtual
servers work. When you create a virtual server it puts ExchWeb in your
new virtual server which you can only see under IIS. Exchange is
actually there but in the /* folder. So I changed OWA publishing path to
/*. At this point I killed the cache and found that I could not access
OWA via the LAN or WAN anymore, sure I could get the cert which is no
big deal but after the cert I would get "page can not be displayed". It
was only when I turned on caching again pointing it to /* because for
some reason it didn't like the Microsoft way of /exchweb/* and
/exchweb/img/* (plan to test again) everything started working again.


The next problem I ran into was the logout window one gets when they
close their OWA screen without clicking on the logout button in OWA.
Because there was no /exchange it was presenting me with a problem, when
you close the window it jumps to /exchange before jumping back to / and so
when I created the /exchange folder in the EVS (which points to the same
info that the virtual server does if you look at the properties of the
EVS and home directory.. you can see it points to the same
\\.\backoffice\....\MBX that
/exchange points to.) and when I closed the window it took forever to
see the OWA Outlook logout graphic. It was only when I added /exchange/*
to the cache did it fly through when it was required to open and


I think I still have my testuser account setup Tom if you want to check
it out. 


Login: testuser@xxxxxxxxxxxxxxxxxxxxxx

Pass: hiway!9824


Also one thing I noticed that makes a big difference in performance is
the 128bit encryption. Microsoft's guide only wants you to enable
"Required Secure Channel (SSL)" on your OWA site, where you want people
to also enable the 128bit encryption. Little do they know enabling
the 128bit encryption slows down OWA quite a bit. Also the person who
wrote the blog on setting EVS only suggested you use the required secure
channel (SSL) on the EVS.


What is the key difference here?


I am doing this all on an Exchange Virtual Server where your
documentation, which is quite different than Microsoft's, is for an
Exchange server which is running on a DC and it's using the default site.
Oh and the fact that I followed Microsoft's notes and enabled caching.


(I am nuking the bottom of this thread because I am sure this message
is more than the legal limit of 30k.)


