Welcome to ISAserver.org

OWA - OMA

All Forums >> [ISA Server 2004 General ] >> Web Publishing >> OWA - OMA Page: [1]
OWA - OMA - 26.Apr.2006 5:09:53 PM
gabygaby
Posts: 24
Joined: 1.Dec.2004
Hi,

We have worked for quite a time with Exchange 2003, ISA 2004 and OWA. This means that on our Exchange server the /exchange virtual directory is configured to require SSL. This is known to give a problem for OMA. I read that it was then necessary to create a new virtual directory for OMA.
Isn't it possible to avoid this using ISA 2004 and a specific web listener?

Thx,
Gaby
Post #: 1
RE: OWA - OMA - 26.Apr.2006 6:08:08 PM
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Why would you need to require SSL?

What problems are there? I use SSL to SSL bridging for OMA and have no problems.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to gabygaby)
Post #: 2
RE: OWA - OMA - 27.Apr.2006 5:17:12 PM
gabygaby
Posts: 24
Joined: 1.Dec.2004
Hi Tom,

Why SSL for OWA? Well, I read a few articles from somebody... with the name of... T. Shinder, where he explains that with ISA 2004 and OWA you need to work with SSL between ISA and Exchange... and so I did.

You then get the error for OMA:

http://support.microsoft.com/kb/817379/en-us

Greetz
Gaby

(in reply to gabygaby)
Post #: 3
RE: OWA - OMA - 29.Apr.2006 1:45:55 AM
charlie66
Posts: 27
Joined: 9.Aug.2004
From: Denmark
As Tom states, if you have SSL to SSL bridging configured for your OMA publishing rule on your ISA box, there is not really any reason for requiring SSL on the exchange virtual directory on the Exchange server.

(in reply to gabygaby)
Post #: 4
RE: OWA - OMA - 30.Apr.2006 11:40:42 AM
gabygaby
Posts: 24
Joined: 1.Dec.2004
Hi Charlie,

Perhaps there is a misunderstanding, but as I said earlier, we have SSL enabled on the Exchange directory because of OWA (not OMA).

greetz,
gaby

(in reply to charlie66)
Post #: 5
RE: OWA - OMA - 1.May2006 9:58:53 AM
charlie66
Posts: 27
Joined: 9.Aug.2004
From: Denmark
Hi Gaby

It doesn't really matter, as long as you have SSL to SSL bridging configured for all your Exchange web publishing rules (OWA, OMA, ActiveSync etc.).

You have a web listener which has only SSL enabled, and you should put a check mark in "Require 128 bit encryption" in your web publishing rules.

Then you can safely remove the "Require SSL" from the exchange virtual directory on the Exchange server.

Soren

(in reply to gabygaby)
Post #: 6
RE: OWA - OMA - 1.May2006 10:40:35 AM
gabygaby
Posts: 24
Joined: 1.Dec.2004
Hi Soren,

"safely remove the "Require SSL" from the exchange virtual directory on the Exchange server"? How can I do this when my publishing rule explicitly indicates, in the bridging part, that it is an SSL connection to the OWA site?
Is there an article about this somewhere?

thx,
Gaby

(in reply to charlie66)
Post #: 7
RE: OWA - OMA - 2.May2006 9:44:39 PM
kjman
Posts: 63
Joined: 2.Jun.2005
From: So cal
You can't remove the "Require SSL" on the Exchange vdir if you want forms-based auth and ActiveSync to work. If this is a single Exchange server setup with no back end, then ISA with SSL bridging is going to act like a web proxy client once it is done decrypting and then re-encrypting the SSL session. Once ISA re-encrypts the traffic it will forward the original request from the remote client to the Exchange server; this traffic is all SSL. So if ISA is forwarding SSL to the Exchange server and the Exchange server doesn't have a certificate configured on it for SSL, then the request will fail. Also, in a single Exchange environment, in order to get OMA/EAS and forms-based auth to work correctly you will need to follow

http://www.microsoft.com/technet/prodtechnol/exchange/Analyzer/cf6a2b0a-856a-438b-bf7a-dee822dfcba0.mspx?mfr=true 

(in reply to gabygaby)
Post #: 8
RE: OWA - OMA - 3.May2006 5:29:07 PM
charlie66
Posts: 27
Joined: 9.Aug.2004
From: Denmark
Hi

@kjman:

Not sure if there is some misunderstanding here: you do not need "Require secure channel (SSL)" in order to establish secure communication with an IIS server. What this setting does is force SSL on clients, meaning if the client does not initiate an SSL connection but tries an unencrypted session, it will fail (you will see the SSL required error page).

But as long as the IIS server is configured for SSL (i.e. when it has a certificate correctly installed) it is possible for a client to establish an SSL connection, as you state: "So if ISA is forwarding SSL to the Exchange server and the Exchange server doesn't have a certificate configured on it for SSL then the request will fail." (my underlining).

But this is not dependent on whether you have "Require secure channel (SSL)" on or not. Neither is FBA, OMA or ActiveSync dependent on this - at least they all work in my setup.

@Gaby

Whether you will allow the "Require secure channel (SSL)" on the exchange vdir to be off or not is necessarily your choice.

If users only access OWA through your ISA server, if your OWA weblisteners only forward SSL traffic and you have SSL bridging on your OWA rules, then all communication from the client to the ISA server is encrypted, and the communication from the ISA server to the Exchange server is also encrypted by design.

If internal users can access OWA directly, bypassing the ISA server, then they can establish an unsecured connection to your Exchange server (e.g. by typing http://exchangesrv/exchange). They are not able to access their mailboxes, but they will be asked to log in, and their passwords are transmitted unencrypted if you have basic auth enabled.

If someone on your internal network uses a packet analyzer, there is a potential risk that passwords are exposed.

Otherwise, you need to install a front-end exchange server, or try the fix mentioned in the MS KB cited by kjman (or this one which is more specific: http://support.microsoft.com/default.aspx?scid=kb;en-us;817379).

I don't know whether adding the extra exchange vdir will work with an ISA server (but it probably should do OK).

Regards,

Soren

(in reply to kjman)
Post #: 9
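Soren's exposure (an internal client reaching the Exchange virtual directory over plain HTTP and getting a Basic challenge) can be checked from the admin side. The following is an added example, not code from the thread or from ISAserver.org: it classifies what an IIS/Exchange virtual directory returns to one unencrypted GET. The host name exchangesrv is taken from the post above; the sample responses are constructed, not captured.

```python
import urllib.error
import urllib.request

# Added example (not from the thread): audit what an Exchange 2003 vdir such as
# /exchange answers to a plain-HTTP GET. With "Require secure channel (SSL)" on,
# IIS refuses with 403 (sub-status 403.4, "SSL is required"). With it off and
# Basic auth enabled, IIS sends a 401 "WWW-Authenticate: Basic" challenge, so a
# LAN browser would send the password base64-encoded over an unencrypted link.

def classify_plaintext_response(status, headers, body):
    """headers: list of (name, value) pairs, one per WWW-Authenticate header as
    IIS sends them. Returns 'ssl-enforced', 'basic-auth-in-clear',
    'auth-challenge-only' (NTLM/Negotiate only), 'forbidden-other',
    'redirect', 'open' or 'other'."""
    challenges = [v for n, v in headers if n.lower() == "www-authenticate"]
    text = body.lower()
    if status == 403:
        if "403.4" in text or "secure channel" in text or "ssl" in text:
            return "ssl-enforced"
        return "forbidden-other"   # e.g. IP restriction; heuristic on body text
    if status == 401:
        if any(c.strip().lower().startswith("basic") for c in challenges):
            return "basic-auth-in-clear"
        return "auth-challenge-only"
    if 300 <= status < 400:
        return "redirect"          # probably an http -> https redirect
    if 200 <= status < 300:
        return "open"
    return "other"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface a 3xx as-is instead of silently following it to an https URL.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe_plaintext(url, timeout=5):
    """One unauthenticated GET, e.g. http://exchangesrv/exchange from the LAN."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_plaintext_response(
                resp.status, resp.headers.items(), resp.read(4096).decode("latin-1"))
    except urllib.error.HTTPError as err:
        return classify_plaintext_response(
            err.code, err.headers.items(), err.read(4096).decode("latin-1"))

# Constructed sample responses (not captured from a real server).
SAMPLE_SSL_REQUIRED = (403, [("Content-Type", "text/html")],
                       "<h1>HTTP Error 403.4 - Forbidden: SSL is required.</h1>")
SAMPLE_BASIC_CLEAR = (401, [("WWW-Authenticate", 'Basic realm="exchangesrv"'),
                            ("WWW-Authenticate", "Negotiate")], "")
SAMPLE_NTLM_ONLY = (401, [("WWW-Authenticate", "NTLM"), ("WWW-Authenticate", "Negotiate")], "")
```

Run probe_plaintext against the vdir from an internal machine; anything other than 'ssl-enforced' or 'auth-challenge-only' means a plaintext path past the ISA server exists and deserves a front-end or the KB workaround.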
RE: OWA - OMA - 3.May2006 6:17:25 PM
kjman
Posts: 63
Joined: 2.Jun.2005
From: So cal
This is what I am trying to say.

If you have configured the ISA server for SSL bridging, meaning the client sends SSL to ISA and ISA sends SSL to the OWA server, then if there is no certificate on the machine hosting the OWA site the request from ISA to the OWA server will fail, because ISA is sending SSL and the machine hosting OWA is listening on 80 HTTP. Also, if you have enabled forms-based authentication on the OWA server then you have to use SSL; likewise, if you want to use EAS then you have to use SSL.

So knowing this, you CAN'T terminate the SSL session at the ISA server firewall and then pass back HTTP traffic to the Exchange server and expect to use forms-based auth and ActiveSync.

(in reply to charlie66)
Post #: 10
RE: OWA - OMA - 3.May2006 8:34:27 PM
charlie66
Posts: 27
Joined: 9.Aug.2004
From: Denmark
Hi kjman

I agree completely with you: when using SSL bridging you need certificates on both the IIS and ISA servers.

When using FBA in an ISA server topology, you would typically enable FBA on the OWA listener on the ISA box, not on the Exchange server, but the requirements are basically the same.

Regards

Soren

(in reply to kjman)
Post #: 11
