OWA VERY slow from the outside

I have a very simple setup:
- Small (5 W2k servers, 30 W2k clients) network
- Single Exchange 2000 Standard server
- OWA is running on the Exchange server......

From inside we can access OWA instantaneously from any workstation.  
From outside (home, travel, etc..) it is EXTREMELY slow when accessing OWA.  Takes about 2 minutes for the SSL security box to come up, then after you accept, it takes about another 2 or 3 minutes for the login box to come up......If I access it using my Linux box at home, it's super fast.  I'm using SSL and MS Enterprise certificate I created and am storing on the server.....Any ideas?  I need to get this working properly ASAP.....Thanks.
tenover Asked:

Isigow Commented:
There is a known issue with MS certs that they take forever. Using a Verisign cert will fix the issue (or any purchased certificate from a good company)
We had the same issue, and listed many places over the net is how slow MS Certificate Authority issued certificates are compared to certificate vendors.

Isi
0
OneHump Commented:
Just curious... if you disable SSL does it speed things up?  If so, then it sounds like Isi is on the right track.  If not then you might have another issue.

OneHump
0
kristinaw Commented:
thawte is another good one. cheaper than verisign and trusted just the same.
0
tenover Author Commented:
How can I simply "disable" SSL for one night to test it out?  I'm pretty sure that when I first set it up, before SSL was setup, it was MUCH quicker.....Let me know if I can just disable it for a few hours to test...Thanks.
0
Isigow Commented:
If you tell the Virtual SMTP server not to require SSL under the communication button, then login to your mailserver.com/exchange instead of https://mailserver.com/exchange and it is instant it is your SSL cert (I can guarantee that it is, I have a server that I tested this way before and it turned out it was a known issue with MS Issued Certs, part of the side effect of them being free)

Isi
0
tenover Author Commented:
Please forgive me if I'm misunderstanding you, but wouldn't I turn off SSL on my Default website and/or the Exchange, exchangeweb, or Public "websites" in IIS?  Thanks.  I can't see turning off SSL in my Exchange Systems Manager.....
0
Isigow Commented:
Yeah my fault, was thinking about when I disabled SSL everywhere at once to test everything (POP3, IIS etc) sorry for the mistake on my part.

IIS Manager->right click default web site->directory security->secure communications
remove the certificate entirely or just disable it, your choice.

Isi
0
tenover Author Commented:
Well, after messing around with it, as soon as I uncheck "Require 128-bit", but LEAVE "Use SSL" checked, it sped up by about 90%.  Totally normal now.
0
OneHump Commented:
Yeah, I wouldn't require 128-bit unless you have security requirements to do so and you are sure your browser supports it.  You might even be using a 40-bit cert with the 128-bit setting which would certainly cause issues.  :)

OneHump
0
CetusMOD Commented:
PAQed, with points refunded (500)

CetusMOD
Community Support Moderator
0
bataniya Commented:
I've run into the same problem myself.  It seems that the way Internet Explorer works when checking SSL certificates is to blame.  Using mozilla or opera there is no delay.

To get IE to load your SSL page faster, you need to install your server's root certificate (the .crt or .cer file) in your client computer IE's trusted root certificate store.  Basically copy this .crt or .cer file to your client computer and double click it.  It will then prompt you to install the certificate on your client computer.

You can view the root certificates on the client computer by launching IE and going to Tools->Internet Options->Content->Certificates->Trusted Root Certification Authorities.

The computers on your internal LAN work fine because they have the server's root certificate installed on them when you joined them to your domain.

It is an inconvenient solution because you have to carry around your server's root certificate and install it on all outside computers you go to, but there is another way around this.  You can use the VB script from the link below to setup a non-SSL webpage that will install your server's root certificate into the outside computer.

http://support.microsoft.com/default.aspx?scid=kb;en-us;297681

Now the only problem with this solution is the outside computer might have tight security and won't let your webpage install your server's certificate.  In this case, I don't have any answers.
0
ryanwilliams_ga Commented:
See if these Microsoft articles help out any.  If I remember correctly I shared and web shared the c:\WINNT\system32\certsrv\CertEnroll\ folder on the CA machine.  Allowing only read and script access to everyone.  I then set up a virtual directory under the OWA website called CRLs, pointing it back (A SHARE LOCATED ON ANOTHER COMPUTER) to the computer sharing the certenroll folder.  Then I changed the X 509 Extensions policy in the CA mmc using information from the articles below but using the new virtual directory that I set up.  Then started the request for a new certificate, this should point to the new location for the needed cert info that is accessible externally.  Remember not to require ssl on this new CRLs virtual directory under OWA.  It's not instant like I have seen on other sites, but doesn't seem to have that 18 sec. to 5 min. wait anymore.  This was pulled from memory and I had to look up the articles again, I just thought this may help someone else out there.

Article ID : 248058
Article ID : 295070
Article ID : 289749
0
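
An added example, not part of the original thread or any poster's code: a check of which CRL locations in a server certificate a client outside the LAN could actually fetch, which is what the last answer changes by publishing CertEnroll through a non-SSL virtual directory. The sample text is constructed in the layout printed by `openssl x509 -noout -text`; the CA name, host names and the internal suffix list are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the layout printed by `openssl x509 -noout -text`;
# the CA name and all host names are hypothetical.
SAMPLE = """\
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:ldap:///CN=CORP-CA,CN=ca01,CN=CDP,DC=corp,DC=example?certificateRevocationList
                  URI:http://ca01.corp.example/CertEnroll/CORP-CA.crl
                  URI:https://mail.example.com/CRLs/CORP-CA.crl

            Authority Information Access: 
                CA Issuers - URI:http://ca01.corp.example/CertEnroll/ca01_CORP-CA.crt
"""

def cdp_urls(cert_text):
    """Return the URIs listed under the CRL Distribution Points extension only."""
    urls, header_indent = [], None
    for line in cert_text.splitlines():
        indent = len(line) - len(line.lstrip())
        if header_indent is None:
            if "CRL Distribution Points" in line:
                header_indent = indent
        elif line.strip() and indent <= header_indent:
            break  # next extension (e.g. AIA) starts here
        else:
            urls += re.findall(r"URI:(\S+)", line)
    return urls

def classify(url, internal_suffixes=(".corp.example", ".local")):
    """Judge whether a client outside the LAN could fetch the CRL from url."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if parts.scheme in ("ldap", "file"):
        return "internal-only"       # needs directory or file-share access
    if parts.scheme == "https":
        return "requires-ssl"        # the CRL directory should not require SSL
    if parts.scheme == "http":
        if "." not in host or host.endswith(internal_suffixes):
            return "internal-name"   # assumed not to resolve from outside
        return "reachable"
    return "unknown"

def audit(cert_text):
    """Return (per-URL verdicts, True if at least one CRL URL is reachable)."""
    results = [(u, classify(u)) for u in cdp_urls(cert_text)]
    return results, any(v == "reachable" for _, v in results)

if __name__ == "__main__":
    results, ok = audit(SAMPLE)
    for url, verdict in results:
        print(f"{verdict:14} {url}")
    print("outside clients can fetch a CRL:", ok)
```
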