PJAClark

asked on

OWA failing to start on cluster failover when SSL in use

Hi,

I have a two-node, active/passive Exchange 2003 Enterprise cluster setup. The cluster is not used for anything else. The cluster acts as a standalone server (i.e. no front-end/back-end setup).

Each server is running Windows Server 2003 Enterprise with all the updates applied.

The first node works perfectly. The problem is with the second node, which is set up in exactly the same way.

I have SSL enabled on OWA (and the entire IIS site). When the node fails over the HTTP service either stops immediately with no event log information, or starts the non-SSL websites and the SSL sites are in the "Stopped" state.

All other Exchange services are fine - and I can access email via Outlook Exchange Mode, IMAP, POP and send mail via SMTP.

The SSL certificate is a wildcard SSL certificate (*.mydomain.com) whose request was generated on the first node (i.e. the node that works all the time). The virtual server is running on mail.mydomain.com behind a firewall.

Everything works on node 1 - but not node 2.

Any ideas?
aa230002

Cluster.log file will help you in this case.
Note:- Cluster.log file is 8MB in size and will be over-written after that. All time stamps in cluster.log will be in GMT time zone.

I would suggest you do the failover, and when you see the HTTP instance not coming online on the other node, take the cluster.log and see what's going on during that time. The relevant portion will help you find the solution.

Thanks,
Amit Aggarwal.
PJAClark

ASKER

OK,

The cluster.log suggested that IIS couldn't connect to port 443. I did the following to confirm this.

IIS site settings are: Site "insecure" listening on port 82. Site "Secure SSL" listening on port 81 and port 443 (for SSL). W3SVC is set to start manually, and is in the stopped state by default.

My next steps were:

1. Ensure Exchange running on Node 1.
2. Ensure nothing listening on 80, 81, 82 or 443 on Node 2. Done by typing "netstat -a -b -n -o -p TCP > portlist.txt" and then searching portlist.txt for ":80", ":81", ":82" and ":443". None were found, so nothing listening on any IIS port at this time.
3. Perform failover at 20:49 GMT.
4. Note HTTP SSL site failed on Node 2.

The cluster.log notes that the HTTP SSL site successfully started at 20:50.
About a second later there is a line: "Microsoft Exchange DAV Server instance <HTTP SSL>: [EXRES] DwCheckProtocolSocketSSL: failed to connect socket. Error 2148074241".
We then get a few retrying lines, and then the resource shutdown commands.

Afterwards, the insecure site is running on port 82 as planned, and the secure site is not running. W3SVC is running. Nothing is listening on ports 81 or 443 (the ports the SSL site uses).

As far as I can tell, the cluster.log has not helped any. If you want the full cluster.log then I'm happy to post it.

Peter.
ASKER CERTIFIED SOLUTION
aa230002
Also have a look at this -->
HOW TO: Use Certificates with Virtual Servers in Exchange 2000 Server
http://support.microsoft.com/kb/319574

Thanks,
Amit Aggarwal.
Would it matter if I created the request in IIS rather than Exchange Manager? The certificate is for a wildcard certificate of *.mydomain.co.uk. When the SSL site works on both nodes, IE doesn't ask any security questions so I presume that it's trusted. When viewed on each server through IIS it says that the certificate and the path it uses are OK.

The certificates have been installed through IIS on both nodes at the moment.

Presumably I can install this via Exchange Manager - the article you have was for Exchange 2000. The Exchange 2003 one is at http://support.microsoft.com/kb/823024.

According to this, I should have a tab in the Properties of the "Secure SSL" virtual server node under HTTP called Access that allows me to request and install a certificate. I have that Access tab, but no option for Certificates.
Hi,

I am still missing the tab that MSKB article 823024 refers to, but I can do it via IIS.

The trick lay in installing the certificate on the node that requested it, and then exporting it from that node to a file, which was then imported on the other nodes.

Both HTTP and HTTPS sites are now working.

Thanks for the export hint.

Peter.
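
A per-node check for the condition the export/import fix addresses, as an added example that is not part of the original thread: a certificate request's private key stays on the machine that generated the request, so a node that only received the issued certificate file cannot serve SSL with it. The subject string is the placeholder name from the question, and the store location (the computer's Personal store) is an assumption.

```powershell
# Added example: run on every cluster node and compare the output.
# Assumptions: the OWA certificate is in LocalMachine\My and its subject
# contains the placeholder name used in the question.
$subjectMatch = '*.mydomain.com'

$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject.ToLower().Contains($subjectMatch.ToLower()) })

if ($certs.Count -eq 0) {
    Write-Warning "No certificate matching '$subjectMatch' in LocalMachine\My on $env:COMPUTERNAME"
}
else {
    foreach ($cert in $certs) {
        # The thumbprint should be identical on all nodes; HasPrivateKey must be True.
        $report = New-Object PSObject -Property @{
            Node          = $env:COMPUTERNAME
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
        }
        $report | Format-List Node, Thumbprint, NotAfter, HasPrivateKey

        if (-not $cert.HasPrivateKey) {
            # Typical of a node that imported only the issued certificate.
            # Export from the requesting node with the private key included
            # (a .pfx file) and import that file here.
            Write-Warning "Certificate $($cert.Thumbprint) has no private key on this node."
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            Write-Warning "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
        }
    }
}

# Same listener check the thread performed by hand with netstat.
$listening = netstat -a -n -p TCP | Select-String ':443\s+\S+\s+LISTENING'
if ($listening) {
    "Port 443 is listening on ${env:COMPUTERNAME}:"
    $listening | ForEach-Object { $_.Line.Trim() }
}
else {
    "Nothing is listening on port 443 on $env:COMPUTERNAME."
}
```

Run it on the passive node before a planned failover: a missing certificate or `HasPrivateKey : False` there predicts the SSL site will not start.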