tenover
asked on
OWA VERY slow from the outside
I have a very simple setup:
- Small (5 W2k servers, 30 W2k clients) network
- Single Exchange 2000 Standard server
- OWA is running on the Exchange server......
From inside we can access OWA instantaneously from any workstation.
From outside (home, travel, etc..) it is EXTREMELY slow when accessing OWA. Takes about 2 minutes for the SSL security box to come up, then after you accept, it takes about another 2 or 3 minutes for the login box to come up......If I access it using my Linux box at home, it's super fast. I'm using SSL and MS Enterprise certificate I created and am storing on the server.....Any ideas? I need to get this working properly ASAP.....Thanks.
Just curious... if you disable SSL does it speed things up? If so, then it sounds like Isi is on the right track. If not then you might have another issue.
OneHump
thawte is another good one. cheaper than verisign and trusted just the same.
ASKER
How can I simply "disable" SSL for one night to test it out? I'm pretty sure that when I first set it up, before SSL was set up, it was MUCH quicker.....Let me know if I can just disable it for a few hours to test...Thanks.
If you tell the Virtual SMTP server not to require SSL under the communication button, then log in to your mailserver.com/exchange instead of https://mailserver.com/exchange and it is instant, it is your SSL cert (I can guarantee that it is, I have a server that I tested this way before and it turned out it was a known issue with MS Issued Certs, part of the side effect of them being free).
Isi
ASKER
Please forgive me if I'm misunderstanding you, but wouldn't I turn off SSL on my Default website and/or the Exchange, exchangeweb, or Public "websites" in IIS? Thanks. I can't see turning off SSL in my Exchange Systems Manager.....
Yeah my fault, was thinking about when I disabled SSL everywhere at once to test everything (POP3, IIS etc) sorry for the mistake on my part.
IIS Manager->right click default web site->directory security->secure communications
remove the certificate entirely or just disable it, your choice.
Isi
ASKER
Well, after messing around with it, as soon as I uncheck "Require 128-bit", but LEAVE "Use SSL" checked, it sped up by about 90%. Totally normal now.
Yeah, I wouldn't require 128-bit unless you have security requirements to do so and you are sure your browser supports it. You might even be using a 40-bit cert with the 128-bit setting which would certainly cause issues. :)
OneHump
I've run into the same problem myself. It seems that the way Internet Explorer works when checking SSL certificates is to blame. Using Mozilla or Opera there is no delay.
To get IE to load your SSL page faster, you need to install your server's root certificate (the .crt or .cer file) in your client computer IE's trusted root certificate store. Basically copy this .crt or .cer file to your client computer and double click it. It will then prompt you to install the certificate on your client computer.
You can view the root certificates on the client computer by launching IE and going to Tools->Internet Options->Content->Certificates->Trusted Root Certification Authorities.
The computers on your internal LAN work fine because they have the server's root certificate installed on them when you joined them to your domain.
It is an inconvenient solution because you have to carry around your server's root certificate and install it on all outside computers you go to, but there is another way around this. You can use the VB script from the link below to set up a non-SSL webpage that will install your server's root certificate into the outside computer.
http://support.microsoft.com/default.aspx?scid=kb;en-us;297681
Now the only problem with this solution is the outside computer might have tight security and won't let your webpage install your server's certificate. In this case, I don't have any answers.
See if these Microsoft articles help out any. If I remember correctly I shared and web shared the c:\WINNT\system32\certsrv\CertEnroll\ folder on the CA machine, allowing only read and script access to everyone. I then set up a virtual directory under the OWA website called CRLs, pointing it back (A SHARE LOCATED ON ANOTHER COMPUTER) to the computer sharing the certenroll folder. Then I changed the X.509 Extensions policy in the CA mmc using information from the articles below but using the new virtual directory that I set up. Then started the request for a new certificate, this should point to the new location for the needed cert info that is accessible externally. Remember not to require SSL on this new CRLs virtual directory under OWA. It's not instant like I have seen on other sites, but doesn't seem to have that 18 sec. to 5 min. wait anymore. This was pulled from memory and I had to look up the articles again, I just thought this may help someone else out there.
Article ID : 248058
Article ID : 295070
Article ID : 289749
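To check whether a certificate already points at a CRL location that outside clients can fetch, as the post above arranges, the following added example (not code from this thread) reads the CRL Distribution Points section of `openssl x509 -noout -text` output and classifies each URL. The host names, CA name and function names are constructed, and the "internal" test (private IP, single-label or `.local` host) is a heuristic assumption; an HTTPS location is flagged because the post says not to require SSL on the CRLs directory.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of `openssl x509 -noout -text` output; all names are placeholders.
SAMPLE_CERT_TEXT = """\
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:ldap:///CN=ExampleCA,CN=srv1,CN=CDP,DC=corp,DC=local?certificateRevocationList?base
                Full Name:
                  URI:http://srv1.corp.local/CertEnroll/ExampleCA.crl
                Full Name:
                  URI:https://mail.example.com/CRLs/ExampleCA.crl
                Full Name:
                  URI:http://mail.example.com/CRLs/ExampleCA.crl
            X509v3 Subject Key Identifier:
"""

def cdp_urls(cert_text):
    """Return the URIs listed under the CRL Distribution Points extension."""
    urls, in_cdp = [], False
    for line in cert_text.splitlines():
        s = line.strip()
        if "CRL Distribution Points" in s:
            in_cdp = True
        elif in_cdp and s.startswith("URI:"):
            urls.append(s[4:])
        elif in_cdp and s not in ("", "Full Name:"):
            in_cdp = False  # reached the next extension header
    return urls

def verdict(url):
    """Classify one CDP URL for a client outside the LAN (heuristic)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        internal = ipaddress.ip_address(host).is_private
    except ValueError:  # not an IP literal: single-label and .local names are LAN-only
        internal = "." not in host or host.endswith(".local")
    if internal or parts.scheme not in ("http", "https"):
        return "internal-only"  # LDAP/file paths need domain or share access
    return "ok" if parts.scheme == "http" else "avoid-ssl"

def audit(cert_text):
    return [(verdict(u), u) for u in cdp_urls(cert_text)]

if __name__ == "__main__":
    for v, u in audit(SAMPLE_CERT_TEXT):
        print(f"{v:14} {u[:70]}")
```

A certificate whose entries are all `internal-only` leaves an outside client waiting on lookups it cannot complete, which matches the delay described in this thread.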
We had the same issue, and listed many places over the net is how slow MS Certificate Authority issued certificates are compared to certificate vendors.
Isi