We have worked for quite a time with Exchange 2003, ISA 2004 and OWA. This means that on our Exchange server the /exchange virtual directory is configured to require SSL. This is known to give a problem for OMA. I read that it was then necessary to create a new virtual directory for OMA. Isn't it possible to avoid this using ISA 2004 and a specific web listener?
Why SSL for OWA? Well, I read a few articles from somebody with the name of T. Shinder where he explains that with ISA 2004 and OWA you need to work with SSL between ISA and Exchange, and so I did.
As Tom states, if you have SSL to SSL bridging configured for your OMA publishing rule on your ISA box, there is not really any reason for requiring SSL on the exchange virtual directory on the Exchange server.
"Safely remove the "Require SSL" from the exchange virtual directory on the Exchange server"? How can I do this when my publishing rule explicitly indicates, in the bridging part, that it is an SSL connection to the OWA site? Is there an article somewhere about this?
Posts: 63
Joined: 2.Jun.2005
From: So cal
Status: offline
You can't remove the "Require SSL" on the Exchange vdir if you want forms-based auth and ActiveSync to work. If this is a single Exchange server setup with no back end, then ISA with SSL bridging is going to act like a web proxy client once it is done decrypting and then re-encrypting the SSL session. Once ISA re-encrypts the traffic it will forward the original request from the remote client to the Exchange server; this traffic is all SSL. So if ISA is forwarding SSL to the Exchange server and the Exchange server doesn't have a certificate configured on it for SSL, then the request will fail. Also, in a single Exchange environment, in order to get OMA/EAS and forms-based auth to work correctly you will need to follow
Not sure if there is some misunderstanding here - you do not need "Require secure channel (SSL)" in order to establish secure communication with an IIS server. What this setting does is force SSL on clients, meaning that if the client does not initiate an SSL connection but tries an unencrypted session, it will fail (you will see the SSL required error page).
But as long as the IIS server is configured for SSL (i.e. when it has a certificate correctly installed) it is possible for a client to establish an SSL connection - as you state "So if ISA is forwarding SSL to the Exhcange server and the Exchagne server doesnt have a certificate configured on it for SSL then the request will fail." (my underlining).
But this is not dependent on whether you have "Require secure channel (SSL)" on or not. Neither is FBA, OMA or ActiveSync dependent on this - at least they all work in my setup.
@Gaby
Whether you will allow the "Require secure channel (SSL)" on the exchange vdir to be off or not, is necessarily your choice.
If users only access OWA through your ISA server, if your OWA weblisteners only forward SSL traffic and you have SSL bridging on your OWA rules, then all communication from the client to the ISA server is encrypted, and the communication from the ISA server to the Exchange server is also encrypted by design.
If internal users can access OWA directly, bypassing the ISA server, then they can establish an unsecured connection to your Exchange server (e.g. by typing http://exchangesrv/exchange) - they are not able to access their mailboxes, but they will be asked to log in, and their passwords are transmitted unencrypted if you have basic auth enabled.
If someone on your internal network uses a packet analyzer, there is a potential risk that passwords are exposed.
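The two points made above (that "Require secure channel (SSL)" only rejects clients that arrive over plain HTTP, and that a Basic-auth challenge over HTTP exposes passwords to anyone sniffing the LAN) can be checked against your own server. The following Python script is an added example for this thread, not code from any of the posters: it issues one GET over HTTP and one over HTTPS to a virtual directory and reports what the responses imply. The host name, path and the ProbeResult values in the comments are constructed placeholders; an IIS server with Require SSL on answers the plain-HTTP request with 403 (substatus 4, "SSL required").

```python
"""Check whether an OWA virtual directory still answers plain HTTP.

Added example for this thread, not code from any of the posters. The host
name and path below are constructed; replace them with your own internal
OWA server before running.
"""
import http.client
import ssl
from dataclasses import dataclass
from typing import List, Optional

# Constructed defaults: replace with the internal name of your own OWA server.
DEFAULT_HOST = "exchangesrv.example.internal"
DEFAULT_PATH = "/exchange/"


@dataclass
class ProbeResult:
    http_status: Optional[int]       # status of a plain-HTTP GET; None if no connection
    https_status: Optional[int]      # status of an HTTPS GET; None if TLS or connection failed
    http_auth_scheme: str = ""       # WWW-Authenticate header from the plain-HTTP reply


def assess(result: ProbeResult) -> List[str]:
    """Translate raw statuses into findings; pure function so it can be tested offline."""
    findings = []
    if result.https_status is None:
        # No certificate bound (or it does not validate): an ISA rule bridging
        # SSL to this vdir fails, and no encrypted path to it exists at all.
        findings.append("HTTPS unavailable: no usable certificate binding on the vdir")
    if result.http_status is None:
        findings.append("plain HTTP not reachable: no cleartext path to the vdir")
    elif result.http_status == 403:
        # IIS answers 403 (substatus 4, "SSL required") when Require SSL is on.
        findings.append("plain HTTP rejected with 403: Require SSL is in effect")
    elif result.http_status == 401 and result.http_auth_scheme.lower().startswith("basic"):
        # This is the risk discussed in the thread: a Basic challenge over HTTP means
        # a user who bypasses ISA sends username and password across the LAN in clear.
        findings.append("plain HTTP challenges with Basic auth: credentials cross the LAN unencrypted")
    else:
        findings.append(f"plain HTTP accepted (status {result.http_status}): Require SSL is off")
    return findings


def _get(host: str, path: str, use_tls: bool, cafile: Optional[str], timeout: float = 5.0):
    """Issue one GET; return (status, WWW-Authenticate) or (None, '') on any failure."""
    conn = None
    try:
        if use_tls:
            # Pass cafile=<your internal CA bundle> when the OWA cert is from a private CA.
            ctx = ssl.create_default_context(cafile=cafile)
            conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("WWW-Authenticate", "")
    except (OSError, http.client.HTTPException):
        # OSError covers refused connections, timeouts and ssl.SSLError.
        return None, ""
    finally:
        if conn is not None:
            conn.close()


def probe(host: str = DEFAULT_HOST, path: str = DEFAULT_PATH,
          cafile: Optional[str] = None) -> ProbeResult:
    """Probe one vdir over both schemes; the HTTP request needs no CA file."""
    http_status, auth = _get(host, path, use_tls=False, cafile=None)
    https_status, _ = _get(host, path, use_tls=True, cafile=cafile)
    return ProbeResult(http_status, https_status, auth)


if __name__ == "__main__":
    for finding in assess(probe()):
        print(finding)
```

Run it from an internal workstation, i.e. from the path that bypasses ISA. A 403 on the HTTP leg is what you want if internal users can reach the server directly; a 401 with a Basic challenge on that leg is exactly the exposure described above, and it stays there whether or not ISA bridges SSL for external users.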
This is what I am trying to say.
If you have configured the ISA server for SSL bridging, meaning the client sends SSL to ISA and ISA sends SSL to the OWA server, then if there is no certificate on the machine hosting the OWA site the request from ISA to the OWA server will fail, because ISA is sending SSL and the machine hosting OWA is listening on 80 (HTTP). Also, if you have enabled forms-based authentication on the OWA server then you have to use SSL, and if you want to use EAS then you have to use SSL.
So knowing this, you CAN'T terminate the SSL session at the ISA server firewall and then pass back HTTP traffic to the Exchange server and expect to use forms-based auth and ActiveSync.
I agree completely with you - when using SSL bridging you need certificates on both IIS and ISA server.
When using FBA in an ISA server topology, you would typically enable FBA on the OWA listener on the ISA box, not on the Exchange server, but the requirements are basically the same.