Solved

OWA VERY slow from the outside

Posted on 2004-03-25
Last Modified: 2008-01-09
I have a very simple setup:
- Small (5 W2k servers, 30 W2k clients) network
- Single Exchange 2000 Standard server
- OWA is running on the Exchange server......

From inside we can access OWA instantaneously from any workstation.
From outside (home, travel, etc..) it is EXTREMELY slow when accessing OWA.  Takes about 2 minutes for the SSL security box to come up, then after you accept, it takes about another 2 or 3 minutes for the login box to come up......If I access it using my Linux box at home, it's super fast.  I'm using SSL and MS Enterprise certificate I created and am storing on the server.....Any ideas?  I need to get this working properly ASAP.....Thanks.
Question by:tenover
13 Comments
 
LVL 7

Expert Comment

by:Isigow
ID: 10680530
There is a known issue with MS certs that they take forever. Using a Verisign cert will fix the issue (or any purchased certificate from a good company)
We had the same issue, and listed many places over the net is how slow MS Certificate Authority issued certificates are compared to certificate vendors.

Isi
0
 
LVL 10

Expert Comment

by:OneHump
ID: 10681299
Just curious... if you disable SSL does it speed things up?  If so, then it sounds like Isi is on the right track.  If not then you might have another issue.

OneHump
0
 
LVL 22

Expert Comment

by:kristinaw
ID: 10681487
Thawte is another good one. Cheaper than Verisign and trusted just the same.
0
 

Author Comment

by:tenover
ID: 10681534
How can I simply "disable" SSL for one night to test it out?  I'm pretty sure that when I first set it up, before SSL was setup, it was MUCH quicker.....Let me know if I can just disable it for a few hours to test...Thanks.
0
 
LVL 7

Expert Comment

by:Isigow
ID: 10681749
If you tell the Virtual SMTP server not to require SSL under the communication button, then login to your mailserver.com/exchange instead of https://mailserver.com/exchange and it is instant it is your SSL cert (I can guarantee that it is, I have a server that I tested this way before and it turned out it was a known issue with MS Issued Certs, part of the side effect of them being free)

Isi
0
 

Author Comment

by:tenover
ID: 10681884
Please forgive me if I'm misunderstanding you, but wouldn't I turn off SSL on my Default website and/or the Exchange, exchangeweb, or Public "websites" in IIS?  Thanks.  I can't see turning off SSL in my Exchange Systems Manager.....
0
 
LVL 7

Expert Comment

by:Isigow
ID: 10682597
Yeah my fault, was thinking about when I disabled SSL everywhere at once to test everything (POP3, IIS etc) sorry for the mistake on my part.

IIS Manager->right click default web site->directory security->secure communications
remove the certificate entirely or just disable it, your choice.

Isi
0
 

Author Comment

by:tenover
ID: 10683632
Well, after messing around with it, as soon as I uncheck "Require 128-bit", but LEAVE "Use SSL" checked, it sped up by about 90%.  Totally normal now.
0
 
LVL 10

Expert Comment

by:OneHump
ID: 10688052
Yeah, I wouldn't require 128-bit unless you have security requirements to do so and you are sure your browser supports it.  You might even be using a 40-bit cert with the 128-bit setting which would certainly cause issues.  :)

OneHump
0
 

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 11053783
PAQed, with points refunded (500)

CetusMOD
Community Support Moderator
0
 

Expert Comment

by:bataniya
ID: 11682577
I've run into the same problem myself.  It seems that the way Internet Explorer works when checking SSL certificates is to blame.  Using Mozilla or Opera there is no delay.

To get IE to load your SSL page faster, you need to install your server's root certificate (the .crt or .cer file) in your client computer IE's trusted root certificate store.  Basically copy this .crt or .cer file to your client computer and double click it.  It will then prompt you to install the certificate on your client computer.

You can view the root certificates on the client computer by launching IE and going to Tools->Internet Options->Content->Certificates->Trusted Root Certification Authorities.

The computers on your internal LAN work fine because they have the server's root certificate installed on them when you joined them to your domain.

It is an inconvenient solution because you have to carry around your server's root certificate and install it on all outside computers you go to, but there is another way around this.  You can use the VB script from the link below to setup a non-SSL webpage that will install your server's root certificate into the outside computer.

http://support.microsoft.com/default.aspx?scid=kb;en-us;297681

Now the only problem with this solution is the outside computer might have tight security and won't let your webpage install your server's certificate.  In this case, I don't have any answers.
0
 

Expert Comment

by:ryanwilliams_ga
ID: 12412535
See if these Microsoft articles help out any.  If I remember correctly I shared and web shared the c:\WINNT\system32\certsrv\CertEnroll\ folder on the CA machine, allowing only read and script access to everyone.  I then set up a virtual directory under the OWA website called CRLs, pointing it back (A SHARE LOCATED ON ANOTHER COMPUTER) to the computer sharing the certenroll folder.  Then I changed the X.509 Extensions policy in the CA mmc using information from the articles below but using the new virtual directory that I set up.  Then started the request for a new certificate, this should point to the new location for the needed cert info that is accessible externally.  Remember not to require SSL on this new CRLs virtual directory under OWA.  It's not instant like I have seen on other sites, but doesn't seem to have that 18 sec. to 5 min. wait anymore.  This was pulled from memory and I had to look up the articles again, I just thought this may help someone else out there.

Article ID : 248058
Article ID : 295070
Article ID : 289749
0
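
The last comment's fix republishes the CRL at a location outside clients can reach. The PowerShell below is an added example, not part of any post in this thread: run from a machine outside the LAN, it lists the CRL distribution points in the exported OWA certificate and flags the ones that machine cannot retrieve. The file name `owa.cer` and the `.local` suffix check are assumptions.

```powershell
# Added example (not from the thread). Run on a machine OUTSIDE the LAN.
# Assumption: owa.cer is the OWA server certificate exported to a file.
param([string] $CertPath = '.\owa.cer')

$path = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# 2.5.29.31 is the OID of the CRL Distribution Points (CDP) extension.
# On Windows, Format($true) prints one "URL=..." line per published location.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Output 'Certificate has no CDP extension: no CRL for the client to fetch.'
    return
}
$urls = $cdp.Format($true) -split "`r?`n" | ForEach-Object {
    if ($_ -match 'URL=(\S+)') { $Matches[1] }
}

foreach ($url in $urls) {
    $verdict = 'ok'
    $ms = $null
    if ($url -notmatch '^https?://') {
        # ldap:/// and file:// locations only resolve inside the domain
        $verdict = 'not HTTP: unreachable for outside clients'
    } else {
        $hostName = ([Uri] $url).Host
        if ($hostName -notmatch '\.' -or $hostName -match '\.local$') {
            # Single-label or .local names do not resolve on the Internet
            $verdict = 'internal host name'
        } else {
            try {
                # Time the download: a slow or hanging fetch is the delay users see
                $ms = (Measure-Command {
                    Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop |
                        Out-Null
                }).TotalMilliseconds
            } catch {
                $verdict = "fetch failed: $($_.Exception.Message)"
            }
        }
    }
    [pscustomobject]@{ Url = $url; Verdict = $verdict; FetchMs = $ms }
}
```

Any row whose verdict is not `ok` is a location an outside browser will wait on; `certutil -verify -urlfetch owa.cer` on the same machine repeats the retrieval with Windows' own chain engine.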
