Solved

OWA VERY slow from the outside

Posted on 2004-03-25
Last Modified: 2008-01-09
I have a very simple setup:
- Small (5 W2k servers, 30 W2k clients) network
- Single Exchange 2000 Standard server
- OWA is running on the Exchange server......

From inside we can access OWA instantaneously from any workstation.
From outside (home, travel, etc.) it is EXTREMELY slow when accessing OWA. Takes about 2 minutes for the SSL security box to come up, then after you accept, it takes about another 2 or 3 minutes for the login box to come up... If I access it using my Linux box at home, it's super fast. I'm using SSL and an MS Enterprise certificate I created and am storing on the server... Any ideas? I need to get this working properly ASAP... Thanks.
Question by:tenover
LVL 7

Expert Comment

by:Isigow
There is a known issue with MS certs that they take forever. Using a Verisign cert will fix the issue (or any purchased certificate from a good company).
We had the same issue, and many places around the net describe how slow MS Certificate Authority-issued certificates are compared to those from certificate vendors.

Isi
0
 
LVL 10

Expert Comment

by:OneHump
Just curious... if you disable SSL does it speed things up?  If so, then it sounds like Isi is on the right track.  If not then you might have another issue.

OneHump
0
 
LVL 22

Expert Comment

by:kristinaw
Thawte is another good one. Cheaper than Verisign and trusted just the same.
0
 

Author Comment

by:tenover
How can I simply "disable" SSL for one night to test it out? I'm pretty sure that when I first set it up, before SSL was set up, it was MUCH quicker... Let me know if I can just disable it for a few hours to test... Thanks.
0
 
LVL 7

Expert Comment

by:Isigow
If you tell the Virtual SMTP server not to require SSL under the communication button, then log in to your mailserver.com/exchange instead of https://mailserver.com/exchange and it is instant, it is your SSL cert (I can guarantee that it is; I have a server that I tested this way before and it turned out it was a known issue with MS-issued certs, part of the side effect of them being free).

Isi
0
 

Author Comment

by:tenover
Please forgive me if I'm misunderstanding you, but wouldn't I turn off SSL on my Default website and/or the Exchange, exchangeweb, or Public "websites" in IIS?  Thanks.  I can't see turning off SSL in my Exchange Systems Manager.....
0

 
LVL 7

Expert Comment

by:Isigow
Yeah, my fault, was thinking about when I disabled SSL everywhere at once to test everything (POP3, IIS, etc.). Sorry for the mistake on my part.

IIS Manager->right click default web site->directory security->secure communications
remove the certificate entirely or just disable it, your choice.

Isi
0
 

Author Comment

by:tenover
Well, after messing around with it, as soon as I uncheck "Require 128-bit", but LEAVE "Use SSL" checked, it sped up by about 90%.  Totally normal now.
0
 
LVL 10

Expert Comment

by:OneHump
Yeah, I wouldn't require 128-bit unless you have security requirements to do so and you are sure your browser supports it. You might even be using a 40-bit cert with the 128-bit setting, which would certainly cause issues.  :)

OneHump
0
 

Accepted Solution

by:CetusMOD earned 0 total points
PAQed, with points refunded (500)

CetusMOD
Community Support Moderator
0
 

Expert Comment

by:bataniya
I've run into the same problem myself. It seems that the way Internet Explorer works when checking SSL certificates is to blame. Using Mozilla or Opera there is no delay.

To get IE to load your SSL page faster, you need to install your server's root certificate (the .crt or .cer file) in your client computer IE's trusted root certificate store.  Basically copy this .crt or .cer file to your client computer and double click it.  It will then prompt you to install the certificate on your client computer.

You can view the root certificates on the client computer by launching IE and going to Tools->Internet Options->Content->Certificates->Trusted Root Certification Authorities.

The computers on your internal LAN work fine because they have the server's root certificate installed on them when you joined them to your domain.

It is an inconvenient solution because you have to carry around your server's root certificate and install it on all outside computers you go to, but there is another way around this. You can use the VB script from the link below to set up a non-SSL webpage that will install your server's root certificate into the outside computer.

http://support.microsoft.com/default.aspx?scid=kb;en-us;297681

Now the only problem with this solution is the outside computer might have tight security and won't let your webpage install your server's certificate.  In this case, I don't have any answers.
0
 

Expert Comment

by:ryanwilliams_ga
See if these Microsoft articles help out any. If I remember correctly I shared and web shared the c:\WINNT\system32\certsrv\CertEnroll\ folder on the CA machine, allowing only read and script access to everyone. I then set up a virtual directory under the OWA website called CRLs, pointing it back (A SHARE LOCATED ON ANOTHER COMPUTER) to the computer sharing the certenroll folder. Then I changed the X.509 Extensions policy in the CA mmc using information from the articles below but using the new virtual directory that I set up. Then started the request for a new certificate; this should point to the new location for the needed cert info that is accessible externally. Remember not to require SSL on this new CRLs virtual directory under OWA. It's not instant like I have seen on other sites, but doesn't seem to have that 18 sec. to 5 min. wait anymore. This was pulled from memory and I had to look up the articles again; I just thought this may help someone else out there.

Article ID : 248058
Article ID : 295070
Article ID : 289749
0
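
A check for the fix described in the last comment, as an added example that is not part of the original thread: given the CRL distribution point (CDP) URLs read from the OWA certificate, it flags the ones a client outside the LAN cannot fetch, including a CRL directory that requires SSL. The sample URLs, host names and classification rules are assumptions made for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: CDP URLs as they might appear in a certificate issued by
# an internal CA (host names are placeholders, not taken from the thread).
SAMPLE_CDPS = [
    "ldap:///CN=ExampleCA,CN=dc01,CN=CDP,CN=Public%20Key%20Services,DC=corp,DC=local",
    "http://dc01/CertEnroll/ExampleCA.crl",
    "http://192.168.1.10/CertEnroll/ExampleCA.crl",
    "https://mail.example.com/CRLs/ExampleCA.crl",
    "http://mail.example.com/CRLs/ExampleCA.crl",
]


def classify_cdp(url):
    """Return (verdict, reason) for one CDP URL as seen from outside the LAN."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme in ("ldap", "file"):
        return "unreachable", f"{scheme} location only exists inside the network"
    if scheme == "https":
        return "problem", "CRL directory requires SSL"
    if scheme != "http":
        return "problem", f"unexpected scheme {scheme!r}"
    host = parts.hostname or ""
    try:
        if ipaddress.ip_address(host).is_private:
            return "unreachable", "private IP address"
    except ValueError:
        pass  # not an IP literal, treat it as a DNS name
    if "." not in host or host.lower().endswith(".local"):
        return "unreachable", "internal-only host name"
    return "ok", "plain HTTP on a public-looking name"


def externally_usable(urls):
    """URLs that an outside client could plausibly download the CRL from."""
    return [u for u in urls if classify_cdp(u)[0] == "ok"]


if __name__ == "__main__":
    for cdp in SAMPLE_CDPS:
        verdict, reason = classify_cdp(cdp)
        print(f"{verdict:12} {cdp}\n{'':12} ({reason})")
    print("usable from outside:", externally_usable(SAMPLE_CDPS))
```

An empty result from `externally_usable` means the certificate carries no CRL location an outside client can reach, which is the condition the re-issued certificate in the comment above is meant to remove.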
