Unihomed OWA and SSL publishing
Unihomed OWA and SSL publishing - 8.Dec.2003 10:15:00 AM
zamirl
I followed the instructions on the TS article "The Unihomed web cache mode ISA server part 2: Web publishing OWA".
The ISA is in the DMZ, and got 443 port to the OWA and the Internet clients have only 443 port to the ISA.
The certificate was issued by a stand-alone CA I installed on the OWA server.
I requested a certificate from the OWA site, attached the certificate to the OWA, exported it and imported it on the ISA.
I configured the "Incoming web requests" to listen for SSL and use the certificate. The publishing rule bridges the HTTP requests as SSL and the SSL requests as SSL. The publishing rule redirects to the FQDN of the OWA (such as owa.domain.com), and it is translated by a hosts file on the ISA to the OWA address.
When opening a browser on the ISA and trying to access the OWA with http://OWA_IP_Address/exchange, I am getting the certificate Yes/No and am able to access.
When I use http://OWA_FQDN/exchange I am not prompted for the Yes/No as the certificate was installed on the ISA - so this is fine and works fast.
This should also tell me that the ISA publishing rule (using the FQDN) should have no problem bridging the requests to the OWA.
Client certificates were not issues as the need is to only encrypt the password and session to the OWA, and not authenticate the client.
My problem is that the external clients are delayed for about 1.5 minutes before they get the certificate Yes/No screen. After they get it, they are almost immediately prompted with the logon dialog box and are able to log on to OWA.
I think that the problem is that the Internet user's browser is unable to contact the server holding the CRLs (the internal OWA), and that is the cause of the long delay. Am I right?
Someone suggested changing the CA configuration and configuring that the CRL list is located at: www.cnn.com so the CRL lookup will fail fast and the Yes/No prompt will not delay for too much time.
What do you think? Do you think that there is another problem?
I will appreciate any suggestions
RE: Unihomed OWA and SSL publishing - 10.Dec.2003 2:58:00 AM
tshinder
Hi Liran,
It's not a CRL issue because by default the browser does not check this.
However, you do need the CA certificate in the client's trusted root certification authorities certificate store.
HTH, Tom
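Added example, not part of the original thread or written by either poster: a PowerShell check, run on an external Windows client, that separates the two causes discussed above by showing the certificate's CRL distribution points and timing chain validation with and without revocation checking. The host name `owa.domain.com` is the placeholder from the question, and the 15-second retrieval timeout is an assumed value.

```powershell
# Added example. Host name is the placeholder used in the question; replace it.
param([string]$HostName = 'owa.domain.com', [int]$Port = 443)

# Fetch the certificate the SSL listener presents. The callback accepts any
# certificate so that an untrusted chain can still be retrieved for inspection.
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Close()
}

"Subject: $($cert.Subject)"
"Issuer : $($cert.Issuer)"

# CRL Distribution Points extension (OID 2.5.29.31), if the CA added one.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) { "CRL distribution points:`n" + $cdp.Format($true) }
else      { 'No CRL distribution point extension in this certificate' }

# Build the chain twice and time it: without revocation checking, then with it.
foreach ($mode in 'NoCheck', 'Online') {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $mode
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)  # assumed value
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $ok = $chain.Build($cert)
    $sw.Stop()
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    '{0,-8} valid={1} elapsed={2:N1}s status=[{3}]' -f $mode, $ok, $sw.Elapsed.TotalSeconds, $status
}
```

`UntrustedRoot` in both runs means the client lacks the CA certificate in its trusted root store; `RevocationStatusUnknown` or `OfflineRevocation` appearing only in the `Online` run, with a longer elapsed time, means the CRL location cannot be reached from that client.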
RE: Unihomed OWA and SSL publishing - 11.Dec.2003 1:36:00 AM
tshinder
Hi Liran,
Have you forced basic auth ONLY on the OWA directories? Remember, if you restart the Exchange Server it resets the config and puts integrated auth back in, and that can cause the poor performance.
HTH, Tom