Solved

Exchange 2003 OWA randomly does not log on

Posted on 2006-06-24
Last Modified: 2010-08-05
I have had this issue for a few years now, since Exchange 2000. I have since upgraded cleanly onto a new server. I did not have this issue with Exchange 5.5.

When the client attempts to log on, the screen very often hangs with a little progress bar at the bottom. Sometimes you have to click "Log On" about 20 times for OWA to load. I notice that, besides the browser progress bar, the file referenced is owaauth.dll, which OWA is attempting to "open".

I have followed Microsoft's firewall configuration, opening all the appropriate ports for the front end OWA box (in DMZ with public IP), to reach the backend mail server and DNS server.

Any help would be greatly appreciated.

Question by:pacman_d
Expert Comment by: Sembee (ID: 16975657)
What happens if you login directly to the backend server? Does it work correctly then?

Have you always run the frontend in a DMZ?

Simon.

Author Comment by: pacman_d (ID: 16975751)
I've always had the front end in a DMZ. It does (so far) work by going directly to the backend for testing. For obvious reasons, I don't want my Exchange box exposed directly to the Internet.

Expert Comment by: Sembee (ID: 16975790)
You have had this problem for a few years, with an Exchange server in a DMZ and you didn't think that was the problem?

Obvious reasons? Please tell me what they are, as no one has given me a convincing argument for an Exchange server in a DMZ. I have asked many, many times.

My feelings on Exchange in a DMZ are well documented.
In short - I don't believe that the DMZ is the right place for an Exchange server.

Have you got all of the ports open?
Have you made all the changes to Exchange to allow it to use static ports?

If you have, then your DMZ is practically useless.

If you don't want to expose your Exchange server to the internet, then put an ISA server in the DMZ on a workgroup. It avoids the direct exposure to the internet and leaves the Exchange servers where they belong - with all the other domain members - behind the firewall.

With Exchange 5.5 you could easily put OWA in the DMZ, as OWA didn't require the full Exchange server, and with Exchange 2007 you can as well, as Microsoft has a special version that works in a perimeter network, but the close integration with Active Directory makes it almost impossible to do securely with Exchange 2000/2003.

Simon.

Author Comment by: pacman_d (ID: 16975879)
I realize the swiss-cheese factor that E2003 creates with a firewall. But I still need to run it like that. I have created static Exchange ports, as well as all of the Microsoft-recommended ports. The client is a non-profit, and cannot afford any more Microsoft licensing for a bit (ISA).
I definitely agree with not liking how Exchange works in a perimeter network, but that is where I am until E2007 is available and stable.

Accepted Solution by: Sembee (earned 2000 total points) (ID: 16975900)
I have seen four Exchange servers in DMZs, all displaying similar symptoms to yours. I move the Exchange server back inside, all the problems go away.

To run an Exchange server inside you only need to have two ports open to the outside world - 443 and 25. I have many servers running in that configuration and have not seen a problem.

I have also deployed Exchange into financial institutions, and they usually ask for the server to go in the DMZ, until I show them the list of ports that I want open on the firewall.

The solution is to bring the server inside. Nothing else will work reliably. Microsoft will never admit that publicly of course... it makes MCS good money trying to get it to work.

Simon.

Author Comment by: pacman_d (ID: 16975926)
Hmmmm. I may have to do this. A big problem is that this place pays good $$ for a Verisign SSL cert. I think I may just create a cert in Windows, and explain to users about the "certificate cannot be verified" pop-up they will get every time.

I want this to be a last resort, but it is an option.
I am still looking to resolve it some other way.
I may put a dummy firewall in there to rule out whether the hardware firewall is failing to forward certain packets correctly. There is an MS article that mentions that this may be the cause...

Expert Comment by: Sembee (ID: 16975933)
What does the certificate have to do with it? Simply move the certificate with the server. I don't use Verisign certificates for OWA anyway, as they are over priced for an application that doesn't need the insurance protection. I don't like the security popup at all and will attempt to avoid it at all costs.

Simon.

Author Comment by: pacman_d (ID: 16975946)
The front end Exchange box is my web server, and I have a few web applications that use this cert for SSL. Maybe I will look into a cheaper SSL cert provider. Do you have any recommendations?

Expert Comment by: Sembee (ID: 16975974)
For most deployments I use RapidSSL.com - their starterSSL certificates are fine. Don't be tempted by wildcard certificates if you are going to use any mobile applications as Windows Mobile cannot cope with them.

Simon.

Author Comment by: pacman_d (ID: 16976012)
When you use the backend E2003 box for OWA, do you check the box that says "This is a front-end server" in the properties in System Manager?

Expert Comment by: Sembee (ID: 16976340)
Nope.
The backend server is not a frontend. Simply leave it alone.

Simon.

Author Comment by: pacman_d (ID: 16977100)
Has anyone else actually got E2003 to work in this front-end/DMZ to back-end configuration?

Author Comment by: pacman_d (ID: 16996451)
well... I gave in. I put a RapidSSL (great price!) cert on the mail server, and opened port 443 to it. OWA works great. I was hoping to get the DMZ > backend config working, but you make a good argument about the amount of ports required for it vs. only HTTPS to the mail server...

Expert Comment by: Sembee (ID: 16996482)
I was always told that you should have limited ports coming in to your most trusted environment. Therefore you ask the question... what would you prefer...

A single port coming in from the Internet.
or Multiple ports coming in from the DMZ.

You must have one or the other.

Most people will go for the single port, as that port can be monitored very easily.

Simon.
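The argument in the accepted solution (ID 16975900) and in Sembee's closing comment (ID 16996482) is about counting holes into the trusted network: a front end in the DMZ needs many ports opened from the DMZ into the internal segment, while a back end kept inside needs only 443 and 25 published from the Internet. The script below is an added example, not code from the thread, that makes that comparison mechanical: it parses two constructed zone-based rule sets and tallies every (source zone, protocol, port) opening into the trusted zone. The port list for the DMZ front-end placement is an assumption based on the commonly documented Exchange 2003 front-end/back-end requirements (HTTP to the back end, LDAP/GC, Kerberos, DNS, RPC endpoint mapper, SMB, plus a static RPC range); the thread itself only says "all of the Microsoft-recommended ports" and "static Exchange ports", so the exact numbers, the static range 6001-6004, the rule syntax and the zone names are all made up for the example.

```python
"""Added example: compare firewall exposure of two OWA placements.

Placement A: Exchange 2003 front end in the DMZ, back end and AD inside.
Placement B: Exchange back end inside, only 443 and 25 published from the Internet.
Rule syntax, zone names and the port lists are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    low: int        # first port in the range
    high: int       # last port in the range (inclusive; equals low for one port)


def parse_rules(text):
    """Parse constructed 'src dst proto port[-port]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, prange = line.split()
        lo, _, hi = prange.partition("-")
        rules.append(Rule(src, dst, proto.lower(), int(lo), int(hi or lo)))
    return rules


def reachable(rules, src_zone, dst_zone):
    """Set of (proto, port) that a host in src_zone may reach in dst_zone.

    Used to answer: if the DMZ front end is compromised, what can it hit inside?
    """
    ports = set()
    for r in rules:
        if r.src_zone == src_zone and r.dst_zone == dst_zone:
            ports.update((r.proto, p) for p in range(r.low, r.high + 1))
    return ports


def inbound_to_trusted(rules, trusted="inside"):
    """Every (source zone, proto, port) opening into the trusted zone from elsewhere."""
    exposure = set()
    for r in rules:
        if r.dst_zone == trusted and r.src_zone != trusted:
            exposure.update((r.src_zone, r.proto, p) for p in range(r.low, r.high + 1))
    return exposure


# Placement A (assumed Exchange 2003 FE/BE needs; numbers are illustrative).
DMZ_FRONTEND_RULES = """
internet dmz tcp 443        # OWA over HTTPS to the front end
internet dmz tcp 25         # inbound SMTP to the front end
dmz inside tcp 80           # FE proxies OWA to the back end over plain HTTP
dmz inside tcp 389          # LDAP to a domain controller
dmz inside udp 389
dmz inside tcp 3268         # global catalog
dmz inside tcp 88           # Kerberos
dmz inside udp 88
dmz inside tcp 53           # DNS
dmz inside udp 53
dmz inside tcp 135          # RPC endpoint mapper
dmz inside tcp 445          # SMB / Netlogon for domain membership
dmz inside tcp 6001-6004    # static RPC ports (assumed values for the example)
"""

# Placement B: the configuration the thread ends up with.
INSIDE_ONLY_RULES = """
internet inside tcp 443     # OWA over HTTPS straight to the back end
internet inside tcp 25      # inbound SMTP
"""


def summary():
    """Count of distinct openings into the trusted zone for each placement."""
    return {
        "dmz_frontend": len(inbound_to_trusted(parse_rules(DMZ_FRONTEND_RULES))),
        "inside_only": len(inbound_to_trusted(parse_rules(INSIDE_ONLY_RULES))),
    }


if __name__ == "__main__":
    print("openings into the trusted zone:", summary())
    dmz_view = sorted(reachable(parse_rules(DMZ_FRONTEND_RULES), "dmz", "inside"))
    print("a compromised DMZ front end can reach inside on:", dmz_view)
```

The second printed line is the practical point: the Internet never reaches the inside segment directly in placement A, but a compromised DMZ host gets a dozen-plus services in the trusted network, including the domain controllers, which is what Sembee means by the DMZ being "practically useless" once those ports are open.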
