Exchange 2003 OWA randomly does not log on

I have had this issue for a few years now, since Exchange 2000. I have since upgraded clean on to a new server. Did not have this issue with Exchange 5.5

When the client attempts to log on, the screen very often hangs with a little progress bar at the bottom. Sometimes you have to click "log on" about 20 times for OWA to load. I notice, besides the browser progress bar, a file referenced is owaauth.dll, which OWA is attempting to 'open'.

I have followed Microsoft's firewall configuration, opening all the appropriate ports for the front end OWA box (in DMZ with public IP), to reach the backend mail server and DNS server.

Any help would be greatly appreciated.

pacman_d Asked:

Sembee Commented:
I have seen four Exchange servers in DMZs, all displaying similar symptoms to yours. I move the Exchange server back inside, all the problems go away.

To run an Exchange server inside you only need to have two ports open to the outside world - 443 and 25. I have many servers running in that configuration and have not seen a problem.

I have also deployed Exchange in to financial institutions, and they usually ask for the server to go in the DMZ, until I show them the list of ports that I want open on the firewall.

The solution is to bring the server inside. Nothing else will work reliably. Microsoft will never admit that publicly of course... it makes MCS good money trying to get it to work.

Simon.
0
 
Sembee Commented:
What happens if you login directly to the backend server? Does it work correctly then?

Have you always run the frontend in a DMZ?

Simon.
0
 
pacman_d (Author) Commented:
I've always had the front end in a DMZ. It does (so far) work by going directly to the backend for testing. For obvious reasons, I don't want my Exchange box exposed directly to the Internet.
0
 
Sembee Commented:
You have had this problem for a few years, with an Exchange server in a DMZ and you didn't think that was the problem?

Obvious reasons? Please tell me what they are, as no one has given me a convincing argument for an Exchange server in a DMZ. I have asked many many times.

My feelings on Exchange in a DMZ are well documented.
In short - I don't believe that the DMZ is the right place for an Exchange server.

Have you got all of the ports open?
Have you made all the changes to Exchange to allow it to use static ports?

If you have, then your DMZ is practically useless.

If you don't want to expose your Exchange server to the internet, then put an ISA server in the DMZ on a workgroup. It avoids the direct exposure to the internet and leaves the Exchange servers where they belong - with all the other domain members - behind the firewall.

With Exchange 5.5 you could easily put OWA in the DMZ, as OWA didn't require the full Exchange server, and with Exchange 2007 you can as well, as Microsoft have a special version that works in a perimeter network; but the close integration with Active Directory makes it almost impossible to do securely with Exchange 2000/2003.

Simon.
0
 
pacman_d (Author) Commented:
I realize the swiss-cheese factor that E2003 creates with a firewall. But I still need to run it like that. I have created static Exchange ports, as well as all of the Microsoft recommended ports. The client is a non-profit, and cannot afford any more Microsoft licensing for a bit (ISA).
I definitely agree with not liking how Exchange works in a perimeter network, but that is where I am until E2007 is available and stable.
0
 
pacman_d (Author) Commented:
Hmmmm. I may have to do this. A big problem is that this place pays good $$ for a Verisign SSL cert. I think I may just create a cert in Windows, and explain to users about the "certificate cannot be verified" pop up they will get every time.

I want this to be a last resort, but it is an option.
I am still looking to resolve it some other way.
I may put a dummy firewall in there to rule out whether the hardware firewall is not forwarding certain packets correctly. There is a MS article that mentions that this may be the cause...

0
 
Sembee Commented:
What does the certificate have to do with it? Simply move the certificate with the server. I don't use Verisign certificates for OWA anyway, as they are overpriced for an application that doesn't need the insurance protection. I don't like the security popup at all and will attempt to avoid it at all costs.

Simon.
0
 
pacman_d (Author) Commented:
The front end Exchange box is my web server, and I have a few web applications that use this cert for SSL. Maybe I will look into a cheaper SSL cert provider. You have any recommendations?
0
 
Sembee Commented:
For most deployments I use RapidSSL.com - their starterSSL certificates are fine. Don't be tempted by wildcard certificates if you are going to use any mobile applications as Windows Mobile cannot cope with them.

Simon.
0
 
pacman_d (Author) Commented:
When you use the backend E2003 box for OWA, do you check that box that says "this is a front end server" on the properties in System Manager?
0
 
Sembee Commented:
Nope.
The backend server is not a frontend. Simply leave it alone.

Simon.
0
 
pacman_d (Author) Commented:
Anyone else actually get E2003 to work in this front end/DMZ to back-end configuration?
0
 
pacman_d (Author) Commented:
Well... I gave in. I put a RapidSSL (great price!) cert on the mail server, and opened port 443 to it. OWA works great. I was hoping to get the DMZ > backend config working, but you make a good argument about the amount of ports required for it vs. only HTTPS to the mail server...

0
 
Sembee Commented:
I was always told that you should have limited ports coming in to your most trusted environment. Therefore you ask the question... what would you prefer...

A single port coming in from the Internet,
or multiple ports coming in from the DMZ.

You must have one or the other.

Most people will go for the single port, as that port can be monitored very easily.

Simon.
0
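Simon's argument (two ports from the Internet straight to the internal server, versus a long list of ports from a DMZ front end into the trusted network) can be checked mechanically against a firewall policy. The script below is an added example, not code from this thread, from Microsoft or from any firewall vendor: the rule syntax is a constructed one-line-per-rule format, both policies are constructed for illustration, and the DMZ-to-backend port list is a representative sample of what an Exchange 2003 front end needs (HTTP, SMTP, LDAP, global catalog, Kerberos, DNS, RPC, SMB) rather than a complete list.

```python
"""Audit a firewall policy for an Exchange/OWA deployment (added example).

Models the two designs contrasted in the thread: a single HTTPS (plus SMTP)
port from the Internet to the inside network, versus many ports from a DMZ
front end to the back-end server. Rule format is constructed, not a vendor's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: int          # 0 means "any port"


def parse_rules(text):
    """Parse the constructed format: allow <src_zone> -> <dst_zone> <proto>/<port|any>."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5 or parts[0] != "allow" or parts[2] != "->":
            raise ValueError(f"unsupported rule: {raw!r}")
        proto, port = parts[4].split("/", 1)
        rules.append(Rule(parts[1], parts[3], proto.lower(),
                          0 if port == "any" else int(port)))
    return rules


TRUSTED_ZONE = "inside"
# The only inbound services the thread says an Exchange server needs from the Internet.
INTERNET_ALLOWLIST = {("tcp", 443), ("tcp", 25)}


def inside_exposure(rules):
    """Map each source zone to the sorted list of proto/port it may reach inside."""
    exposed = {}
    for r in rules:
        if r.dst_zone == TRUSTED_ZONE:
            label = f"{r.proto}/{'any' if r.port == 0 else r.port}"
            exposed.setdefault(r.src_zone, set()).add(label)
    return {zone: sorted(ports) for zone, ports in exposed.items()}


def audit(rules):
    """Return human-readable findings about what reaches the trusted zone."""
    findings = []
    for r in rules:
        if r.dst_zone != TRUSTED_ZONE:
            continue
        if r.port == 0:
            findings.append(f"{r.src_zone}->{TRUSTED_ZONE}: any {r.proto} port is open")
        elif r.src_zone == "internet" and (r.proto, r.port) not in INTERNET_ALLOWLIST:
            findings.append(f"internet->{TRUSTED_ZONE}: {r.proto}/{r.port} "
                            f"is not in the 443/25 allowlist")
    # The thread's point: a DMZ front end needs far more holes into the trusted
    # zone than the direct-HTTPS design does, so flag any zone that exceeds it.
    for zone, ports in inside_exposure(rules).items():
        if zone != "internet" and len(ports) > len(INTERNET_ALLOWLIST):
            findings.append(f"{zone}->{TRUSTED_ZONE}: {len(ports)} ports open, "
                            f"more than the direct-HTTPS design needs")
    return findings


# Constructed policy: front end in the DMZ, back end inside (port list is illustrative).
DMZ_DESIGN = """
allow internet -> dmz tcp/443     # OWA front end
allow internet -> dmz tcp/25      # inbound SMTP
allow dmz -> inside tcp/80        # front end proxies OWA to back end over HTTP
allow dmz -> inside tcp/25        # SMTP relay to back end
allow dmz -> inside tcp/389       # LDAP to domain controllers
allow dmz -> inside tcp/3268      # global catalog
allow dmz -> inside tcp/88        # Kerberos
allow dmz -> inside udp/53        # DNS
allow dmz -> inside tcp/135       # RPC endpoint mapper
allow dmz -> inside tcp/445       # SMB
"""

# Constructed policy: the design the thread ends up with.
DIRECT_DESIGN = """
allow internet -> inside tcp/443  # OWA over HTTPS
allow internet -> inside tcp/25   # SMTP
"""

if __name__ == "__main__":
    for name, policy in (("DMZ front end", DMZ_DESIGN), ("direct HTTPS", DIRECT_DESIGN)):
        rules = parse_rules(policy)
        print(f"{name}: exposure {inside_exposure(rules)}")
        for f in audit(rules) or ["no findings"]:
            print("  -", f)
```

Running it shows the direct design with exactly two services reachable from the Internet and no findings, while the DMZ design has nothing from the Internet reaching inside but eight ports open from the DMZ, which is the trade-off Simon describes. Feeding in a stray rule such as an RDP port from the Internet, or a `tcp/any` rule, produces a finding, which is the kind of check worth running whenever the policy changes.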