Solved

Exchange 2003 OWA randomly does not log on

Posted on 2006-06-24
Last Modified: 2010-08-05
I have had this issue for a few years now, since Exchange 2000. I have since upgraded clean on to a new server. Did not have this issue with Exchange 5.5.

When the client attempts to log on, the screen very often hangs with a little progress bar at the bottom. Sometimes you have to click "log on" about 20 times for OWA to load. I notice besides the browser progress bar, a file referenced is owaauth.dll, which OWA is attempting to 'open'.

I have followed Microsoft's firewall configuration, opening all the appropriate ports for the front end OWA box (in DMZ with public IP), to reach the backend mail server and DNS server.

Any help would be greatly appreciated.

Question by:pacman_d

Expert Comment

by:Sembee
What happens if you login directly to the backend server? Does it work correctly then?

Have you always run the frontend in a DMZ?

Simon.

Author Comment

by:pacman_d
I've always had the front end in a DMZ. It does (so far) work by going directly to the backend for testing. For obvious reasons, I don't want my Exchange box exposed directly to the Internet.

Expert Comment

by:Sembee
You have had this problem for a few years, with an Exchange server in a DMZ and you didn't think that was the problem?

Obvious reasons? Please tell me what they are, as no one has given me a convincing argument for an Exchange server in a DMZ. I have asked many many times.

My feelings on Exchange in a DMZ are well documented.
In short - I don't believe that the DMZ is the right place for an Exchange server.

Have you got all of the ports open?
Have you made all the changes to Exchange to allow it to use static ports?

If you have, then your DMZ is practically useless.

If you don't want to expose your Exchange server to the internet, then put an ISA server in the DMZ on a workgroup. It avoids the direct exposure to the internet and leaves the Exchange servers where they belong - with all the other domain members - behind the firewall.

With Exchange 5.5 you could easily put OWA in the DMZ as OWA didn't require the full Exchange server, and with Exchange 2007 you can as well, as Microsoft have a special version that works in a perimeter network, but the close integration with Active Directory makes it almost impossible to do securely with Exchange 2000/2003.

Simon.

Author Comment

by:pacman_d
I realize the Swiss-cheese factor that E2003 creates with a firewall. But I still need to run it like that. I have created static Exchange ports, as well as all of the Microsoft recommended ports. The client is a non-profit, and cannot afford any more Microsoft licensing for a bit (ISA).
I definitely agree with not liking how Exchange works in a perimeter network, but that is where I am until E2007 is available and stable.

Accepted Solution

by:Sembee
I have seen four Exchange servers in DMZs, all displaying similar symptoms to yours. I move the Exchange server back inside, all the problems go away.

To run an Exchange server inside you only need to have two ports open to the outside world - 443 and 25. I have many servers running in that configuration and have not seen a problem.

I have also deployed Exchange into financial institutions, and they usually ask for the server to go in the DMZ, until I show them the list of ports that I want open on the firewall.

The solution is to bring the server inside. Nothing else will work reliably. Microsoft will never admit that publicly of course... it makes MCS good money trying to get it to work.

Simon.

Author Comment

by:pacman_d
Hmmmm. I may have to do this. A big problem is that this place pays good $$ for a Verisign SSL cert. I think I may just create a cert in Windows, and explain to users about the "certificate cannot be verified" pop-up they will get every time.

I want this to be a last resort, but it is an option.
I am still looking to resolve it some other way.
I may put a dummy firewall in there to rule out whether the hardware firewall is not forwarding certain packets correctly. There is a MS article that mentions that this may be the cause...

Expert Comment

by:Sembee
What does the certificate have to do with it? Simply move the certificate with the server. I don't use Verisign certificates for OWA anyway, as they are overpriced for an application that doesn't need the insurance protection. I don't like the security popup at all and will attempt to avoid it at all costs.

Simon.

Author Comment

by:pacman_d
The front end Exchange box is my web server, and I have a few web applications that use this cert for SSL. Maybe I will look into a cheaper SSL cert provider. You have any recommendations?

Expert Comment

by:Sembee
For most deployments I use RapidSSL.com - their starterSSL certificates are fine. Don't be tempted by wildcard certificates if you are going to use any mobile applications as Windows Mobile cannot cope with them.

Simon.

Author Comment

by:pacman_d
When you use the backend E2003 box for OWA, do you check that box that says "this is a front end server" on the properties in System Manager?

Expert Comment

by:Sembee
Nope.
The backend server is not a frontend. Simply leave it alone.

Simon.

Author Comment

by:pacman_d
Anyone else actually get E2003 to work in this front end/DMZ to back-end configuration?

Author Comment

by:pacman_d
Well... I gave in. I put a RapidSSL (great price!) cert on the mail server, and opened port 443 to it. OWA works great. I was hoping to get the DMZ > backend config working, but you make a good argument about the amount of ports required for it vs. only HTTPS to the mail server...

Expert Comment

by:Sembee
I was always told that you should have limited ports coming in to your most trusted environment. Therefore you ask the question... what would you prefer...

A single port coming in from the Internet.
or Multiple ports coming in from the DMZ.

You must have one or the other.

Most people will go for the single port, as that port can be monitored very easily.

Simon.
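
The trade-off in the last post (one port in from the Internet versus many ports in from the DMZ), shown as an added example that is not part of the thread: a small rule-set audit that lists what each design opens into the trusted zone. The zone names, rule format and both rule sets are constructed for illustration; only the 443/25 allowlist comes from the accepted answer.

```python
# Constructed sample rule sets (not from the thread).
# Format: src_zone dst_zone proto port[-port]   # optional comment
DESIGN_FE_IN_DMZ = """
internet dmz      tcp 443
internet dmz      tcp 25
dmz      internal tcp 80
dmz      internal tcp 389
dmz      internal tcp 3268
dmz      internal tcp 88
dmz      internal udp 88
dmz      internal tcp 53
dmz      internal udp 53
dmz      internal tcp 135
dmz      internal tcp 1024-1030   # hypothetical static RPC range
"""
DESIGN_SERVER_INSIDE = """
internet internal tcp 443
internet internal tcp 25
"""
ALLOWED = {("tcp", 443), ("tcp", 25)}  # the two ports named in the accepted answer

def parse_rules(text):
    """Parse rule lines into (src, dst, proto, low_port, high_port) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        src, dst, proto, ports = line.split()
        lo, _, hi = ports.partition("-")
        rules.append((src, dst, proto, int(lo), int(hi or lo)))
    return rules

def exposure(rules, trusted="internal"):
    """Map each source zone to the set of (proto, port) it may reach in the trusted zone."""
    out = {}
    for src, dst, proto, lo, hi in rules:
        if dst == trusted and src != trusted:
            out.setdefault(src, set()).update((proto, p) for p in range(lo, hi + 1))
    return out

def unexpected(rules, allowed=ALLOWED, trusted="internal"):
    """Openings into the trusted zone that are not on the allowlist, sorted."""
    opened = set()
    for ports in exposure(rules, trusted).values():
        opened |= ports
    return sorted(opened - allowed)
```

Running `unexpected()` over an exported rule list gives the set of openings that would need individual monitoring and justification under each design.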