• Status: Solved

OWA failing to start on cluster failover when SSL in use

Hi,

I have a two-node, active/passive Exchange 2003 Enterprise cluster setup. The cluster is not used for anything else. The cluster acts as a standalone server (i.e. no front-end/back-end setup).

Each server is running Windows Server 2003 Enterprise with all the updates applied.

The first node works perfectly. The problem is with the second node, which is set up in exactly the same way.

I have SSL enabled on OWA (and the entire IIS site). When the node fails over the HTTP service either stops immediately with no event log information, or starts the non-SSL websites and the SSL sites are in the "Stopped" state.

All other Exchange services are fine - and I can access email via Outlook Exchange Mode, IMAP, POP and send mail via SMTP.

The SSL certificate is a wildcard SSL certificate (*.mydomain.com) whose request was generated on the first node (i.e. the node that works all the time). The virtual server is running on mail.mydomain.com behind a firewall.

Everything works on node 1 - but not node 2.

Any ideas?
Asked: PJAClark

aa230002 Commented:
The cluster.log file will help you in this case.
Note: The cluster.log file is 8 MB in size and will be overwritten after that. All time stamps in cluster.log will be in the GMT time zone.

I would suggest you do the failover and, when you see the HTTP instance not coming online on the other node, take the cluster.log and see what's going on during that time. The relevant portion will help you find the solution.

Thanks,
Amit Aggarwal.
 
PJAClark (Author) Commented:
OK,

The cluster.log suggested that IIS couldn't connect to port 443. I did the following to confirm this.

IIS site settings are: Site "insecure" listening on port 82. Site "Secure SSL" listening on port 81 and port 443 (for SSL). W3SVC is set to start manually, and is in the stopped state by default.

My next steps were:

1. Ensure Exchange running on Node 1.
2. Ensure nothing listening on 80, 81, 82 or 443 on Node 2. Done by typing "netstat -a -b -n -o -p TCP > portlist.txt" and then searching portlist.txt for ":80", ":81", ":82" and ":443". None were found, so nothing listening on any IIS port at this time.
3. Perform failover at 20:49 GMT.
4. Note HTTP SSL site failed on Node 2.

The cluster.log notes that the HTTP SSL site successfully started at 20:50.
About a second later there is a line: "Microsoft Exchange DAV Server instance <HTTP SSL>: [EXRES] DwCheckProtocolSocketSSL: failed to connect socket. Error 2148074241".
We then get a few retrying lines, and then the resource shutdown commands.

Afterwards, the insecure site is running on port 82 as planned, and the secure site is not running. W3SVC is running. Nothing is listening on ports 81 or 443 (the ports the SSL site uses).

As far as I can tell, the cluster.log has not helped any. If you want the full cluster.log then I'm happy to post it.

Peter.
 
aa230002 Commented:
It seems something is wrong with the certificate.
Make sure that your certificate is trusted.
Try exporting the certificate from Node 1 and importing it on Node 2. I am not 100% sure, but I think the certificate is associated with the node and not the Exchange Virtual Server.

Thanks,
Amit Aggarwal.
 
aa230002 Commented:
Also have a look at this -->
HOW TO: Use Certificates with Virtual Servers in Exchange 2000 Server
http://support.microsoft.com/kb/319574

Thanks,
Amit Aggarwal.
 
PJAClark (Author) Commented:
Would it matter if I created the request in IIS rather than Exchange Manager? The certificate is for a wildcard certificate of *.mydomain.co.uk. When the SSL site works on both nodes, IE doesn't ask any security questions so I presume that it's trusted. When viewed on each server through IIS it says that the certificate and the path it uses are OK.

The certificates have been installed through IIS on both nodes at the moment.

Presumably I can install this via Exchange Manager - the article you have was for Exchange 2000. The Exchange 2003 one is at http://support.microsoft.com/kb/823024.

According to this, I should have a tab in the Properties of the "Secure SSL" virtual server node under HTTP called Access that allows me to request and install a certificate. I have that Access tab, but no option for Certificates.
 
PJAClark (Author) Commented:
Hi,

I am still missing the tab that MSKB article 823024 refers to, but I can do it via IIS.

The trick lay in installing the certificate on the node that requested it, and then exporting it from that node to a file, which was then imported on the other nodes.

Both HTTP and HTTPS sites are now working.

Thanks for the export hint.

Peter.
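
An added triage example (not part of the original thread, and not Microsoft tooling): it decodes the decimal error from the DwCheckProtocolSocketSSL line quoted earlier as an HRESULT. 2148074241 is 0x80090301, an SSPI-facility code, which is consistent with the certificate export/import that resolved the thread rather than with a port conflict. The log line prefixes, the contrast line carrying Winsock error 10061, and all function and variable names are assumptions.

```python
import re

# A few status codes as named in the Windows SDK (winerror.h / winsock2.h).
KNOWN_NAMES = {
    0x80090301: "SEC_E_INVALID_HANDLE",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
    0x80090322: "SEC_E_WRONG_PRINCIPAL",
    0x80090325: "SEC_E_UNTRUSTED_ROOT",
    0x80090328: "SEC_E_CERT_EXPIRED",
    10061: "WSAECONNREFUSED",
}
FACILITIES = {0: "none (plain Win32/Winsock code)", 7: "FACILITY_WIN32",
              9: "FACILITY_SSPI", 11: "FACILITY_CERT"}

# Matches the "[EXRES] <function>: <message>. Error <decimal>" shape quoted in the thread.
EXRES_RE = re.compile(
    r"instance <(?P<instance>[^>]+)>: \[EXRES\] (?P<func>\w+): .*?Error (?P<code>\d+)")

def decode_hresult(value):
    """Split a 32-bit status value into HRESULT severity, facility and code."""
    value &= 0xFFFFFFFF
    facility = (value >> 16) & 0x7FF          # bits 16-26
    return {
        "hex": f"0x{value:08X}",
        "failure": bool(value >> 31),         # severity bit
        "facility": FACILITIES.get(facility, f"facility {facility}"),
        "code": value & 0xFFFF,
        "name": KNOWN_NAMES.get(value, "unknown"),
    }

def triage(lines):
    """Return one decoded record per [EXRES] error line."""
    findings = []
    for line in lines:
        m = EXRES_RE.search(line)
        if not m:
            continue
        rec = decode_hresult(int(m.group("code")))
        rec.update(instance=m.group("instance"), function=m.group("func"))
        # Heuristic: an SSPI or certificate facility suggests a TLS credential
        # problem (certificate or key) rather than a listener or port problem.
        rec["tls_credential_issue"] = rec["facility"] in ("FACILITY_SSPI", "FACILITY_CERT")
        findings.append(rec)
    return findings

# Constructed sample: the message text of the second line is the one quoted in
# the thread; the prefixes and the other two lines are invented for illustration.
SAMPLE_LOG = [
    "20:50:01 INFO instance <HTTP SSL>: [EXRES] resource brought online",
    "20:50:02 ERR Microsoft Exchange DAV Server instance <HTTP SSL>: [EXRES] DwCheckProtocolSocketSSL: failed to connect socket. Error 2148074241",
    "20:50:03 ERR Microsoft Exchange DAV Server instance <HTTP SSL>: [EXRES] DwCheckProtocolSocketSSL: failed to connect socket. Error 10061",
]
```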