Re: OWA with SSL issues

  • From: "Andrew English" <andrew@xxxxxxxxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Wed, 2 Feb 2005 11:11:40 -0500

Hey Tom, 


Thus far what has made the difference for me is adding* and /echange/img/* to the cache on
ISA server. Before when I didn't have this feature turned on I would get
either "page can not be found" or "forbidden access" when connecting
from a remote machine. Also when I enabled anonymous access on /exchweb
and clear text security (??) I was able to https from the local LAN
which showed that yes indeed it works from inside the network.


The main issue right now for me is my setup I am doing on a different
setup than what most would do. I use virtual HTTP sites as suppose to
using the default site. So I am hitting a wall when it comes figuring
out my latest feat with un-graying the SSL port on the virtual HTTP
sites. Oh and figuring how to get HTTP to HTTPS redirection working. 






From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Wednesday, February 02, 2005 10:29 AM
To: [ExchangeList]
Subject: [exchangelist] Re: OWA with SSL issues

Hi Andrew,




From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, February 02, 2005 8:53 AM
To: [ExchangeList]
Subject: RE: [exchangelist] Re: OWA with SSL issues

Jumping to conclusions to protect your reputation will not cut it Tom.
As it turns out I was able to add your steps to the Microsoft way which
didn't change a thing except for making things load up a little slower
(I am typing this on a clients site). 
[Thomas W Shinder] I'm not trying to protect my reputation or bolster my
meager ego, I just want to understand what made the difference for you.
Also, as far as you know, I was the one who wrote the "MS way" (not
saying that I did). 


The only thing I don't agree with is your OWA client notes were the
client has to add the IP address of the External nic to their host file
along with the mail server name, the reason this is a problem is simply
because what if the client wants to access his or her mail via a
Internet cafe in Ireland? (ref. chapter 10, page 49)
[Thomas W Shinder] Read them again. I use the HOSTS file on the client
only for testing the scenario. I made it extremely clear in all my OWA
publishing docs that a split DNS is the best practice, and that we're
using HOSTS files only to bypass the instructions on split DNS, which is
discussed in other areas of the docs or in the book. I never use HOSTS
files in my production networks for the clients (only on the ISA
firewalls until the split DNS is in place). Once the split DNS is in
place, you never have to use a HOSTS file anywhere, and that's made
clear in all my stuff. Also, MS itself continues to use HOSTS file
entries on the ISA firewall's themselves for their world-wide
deployment, which is good enough for me. 


The purpose of OWA SSL is for security and to allow people to get their
mail anywhere. If you told your clients, oh btw you have to make sure
the machine you are on has this setting they would probably freak out
and dump your services for someone else who doesn't require such
[Thomas W Shinder] Sort of.SSL is actually a privacy method, not a
"security" method, but that gets into a security wankers debate :)  I've
never had problems with clients and split DNS once I explain the massive
benefits obtained from it, and the overall improvement in the end user
expereince because of the complete location indepence and transparency
it provides.  


This forum and the ISA one has been a great help to me. Even your
documentation has been a help though it's only a piece of the bigger
puzzle! :)
[Thomas W Shinder] I appreciate the ack! :)  I still would like to know
what made the difference for you, so the next guy doesn't have to go
through what you did.





Other related posts: