
OWA VERY slow from the outside

tenover asked
Last Modified: 2008-01-09
I have a very simple setup:
- Small (5 W2k servers, 30 W2k clients) network
- Single Exchange 2000 Standard server
- OWA is running on the Exchange server......

From inside we can access OWA instantaneously from any workstation.
From outside (home, travel, etc..) it is EXTREMELY slow when accessing OWA.  Takes about 2 minutes for the SSL security box to come up, then after you accept, it takes about another 2 or 3 minutes for the login box to come up......If I access it using my Linux box at home, it's super fast.  I'm using SSL and MS Enterprise certificate I created and am storing on the server.....Any ideas?  I need to get this working properly ASAP.....Thanks.

Commented:
There is a known issue with MS certs that they take forever. Using a Verisign cert will fix the issue (or any purchased certificate from a good company).
We had the same issue, and many places over the net list how slow MS Certificate Authority issued certificates are compared to certificate vendors.

Isi

Commented:
Just curious... if you disable SSL does it speed things up?  If so, then it sounds like Isi is on the right track.  If not then you might have another issue.

OneHump
Thawte is another good one. Cheaper than Verisign and trusted just the same.

Author

Commented:
How can I simply "disable" SSL for one night to test it out?  I'm pretty sure that when I first set it up, before SSL was set up, it was MUCH quicker.....Let me know if I can just disable it for a few hours to test...Thanks.

Commented:
If you tell the Virtual SMTP server not to require SSL under the communication button, then log in to your mailserver.com/exchange instead of https://mailserver.com/exchange and it is instant, it is your SSL cert (I can guarantee that it is, I have a server that I tested this way before and it turned out it was a known issue with MS issued certs, part of the side effect of them being free).

Isi

Author

Commented:
Please forgive me if I'm misunderstanding you, but wouldn't I turn off SSL on my Default website and/or the Exchange, exchangeweb, or Public "websites" in IIS?  Thanks.  I can't see turning off SSL in my Exchange Systems Manager.....

Commented:
Yeah my fault, was thinking about when I disabled SSL everywhere at once to test everything (POP3, IIS etc) sorry for the mistake on my part.

IIS Manager->right click default web site->directory security->secure communications
remove the certificate entirely or just disable it, your choice.

Isi

Author

Commented:
Well, after messing around with it, as soon as I uncheck "Require 128-bit", but LEAVE "Use SSL" checked, it sped up by about 90%.  Totally normal now.

Commented:
Yeah, I wouldn't require 128-bit unless you have security requirements to do so and you are sure your browser supports it.  You might even be using a 40-bit cert with the 128-bit setting which would certainly cause issues.  :)

OneHump

Commented:
I've run into the same problem myself.  It seems that the way Internet Explorer works when checking SSL certificates is to blame.  Using Mozilla or Opera there is no delay.

To get IE to load your SSL page faster, you need to install your server's root certificate (the .crt or .cer file) in your client computer IE's trusted root certificate store.  Basically copy this .crt or .cer file to your client computer and double click it.  It will then prompt you to install the certificate on your client computer.

You can view the root certificates on the client computer by launching IE and going to Tools->Internet Options->Content->Certificates->Trusted Root Certification Authorities.

The computers on your internal LAN work fine because they have the server's root certificate installed on them when you joined them to your domain.

It is an inconvenient solution because you have to carry around your server's root certificate and install it on all outside computers you go to, but there is another way around this.  You can use the VB script from the link below to set up a non-SSL webpage that will install your server's root certificate into the outside computer.

http://support.microsoft.com/default.aspx?scid=kb;en-us;297681

Now the only problem with this solution is the outside computer might have tight security and won't let your webpage install your server's certificate.  In this case, I don't have any answers.
See if these Microsoft articles help out any.  If I remember correctly I shared and web shared the c:\WINNT\system32\certsrv\CertEnroll\ folder on the CA machine, allowing only read and script access to everyone.  I then set up a virtual directory under the OWA website called CRLs, pointing it back (A SHARE LOCATED ON ANOTHER COMPUTER) to the computer sharing the certenroll folder.  Then I changed the X 509 Extensions policy in the CA mmc using information from the articles below but using the new virtual directory that I set up.  Then started the request for a new certificate, this should point to the new location for the needed cert info that is accessible externally.  Remember not to require SSL on this new CRLs virtual directory under OWA.  It's not instant like I have seen on other sites, but doesn't seem to have that 18 sec. to 5 min. wait anymore.  This was pulled from memory and I had to look up the articles again, I just thought this may help someone else out there.

Article ID : 248058
Article ID : 295070
Article ID : 289749
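
Added example, not part of the thread and not Microsoft's code: the last comment's fix comes down to issuing a certificate whose CRL distribution points (CDPs) an outside client can actually fetch. This Go program (standard library only) reads the CDP URLs from a certificate and reports the ones an external client could not retrieve; the sample certificate, its host names and the two reachability rules (plain HTTP only, fully qualified host) are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// sampleCert builds a constructed, self-signed stand-in for an internally issued OWA cert.
func sampleCert(cdps []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), CRLDistributionPoints: cdps}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// auditCDPs returns each CDP URL an outside client could not fetch, with the reason.
func auditCDPs(cert *x509.Certificate) map[string]string {
	out := map[string]string{}
	for _, u := range cert.CRLDistributionPoints {
		if p, err := url.Parse(u); err != nil || p.Scheme != "http" {
			out[u] = "not a plain-HTTP URL"
		} else if !strings.Contains(p.Hostname(), ".") {
			out[u] = "single-label internal host name"
		}
	}
	return out
}

func main() {
	cert, err := sampleCert([]string{"ldap:///CN=ExampleCA,CN=CDP,DC=corp,DC=local",
		"http://dc01/CertEnroll/ExampleCA.crl", "http://mail.example.com/CRLs/ExampleCA.crl"})
	if err != nil {
		panic(err)
	}
	fmt.Println(auditCDPs(cert))
}
```

To check a real certificate, parse its DER bytes with `x509.ParseCertificate` and pass the result to `auditCDPs`; an empty map means every listed CDP passes both rules.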