Solved

Exchange 2003 OWA randomly does not log on

Posted on 2006-06-24
Medium Priority
318 Views
Last Modified: 2010-08-05
I have had this issue for a few years now, since Exchange 2000. I have since upgraded clean on to a new server. Did not have this issue with Exchange 5.5.

When the client attempts to log on, the screen very often hangs with a little progress bar at the bottom. Sometimes you have to click "log on" about 20 times for OWA to load. I notice, besides the browser progress bar, that a file referenced is owaauth.dll, which OWA is attempting to 'open'.

I have followed Microsoft's firewall configuration, opening all the appropriate ports for the front end OWA box (in DMZ with public IP), to reach the backend mail server and DNS server.

Any help would be greatly appreciated.

Question by:pacman_d
16 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 16975657
What happens if you login directly to the backend server? Does it work correctly then?

Have you always run the frontend in a DMZ?

Simon.

Author Comment

by:pacman_d
ID: 16975751
I've always had the front end in a DMZ. It does (so far) work by going directly to the backend for testing. For obvious reasons, I don't want my Exchange box exposed directly to the Internet.
LVL 104

Expert Comment

by:Sembee
ID: 16975790
You have had this problem for a few years, with an Exchange server in a DMZ and you didn't think that was the problem?

Obvious reasons? Please tell me what they are, as no one has given me a convincing argument for an Exchange server in a DMZ. I have asked many many times.

My feelings on Exchange in a DMZ are well documented.
In short - I don't believe that the DMZ is the right place for an Exchange server.

Have you got all of the ports open?
Have you made all the changes to Exchange to allow it to use static ports?

If you have, then your DMZ is practically useless.

If you don't want to expose your Exchange server to the internet, then put an ISA server in the DMZ on a workgroup. It avoids the direct exposure to the internet and leaves the Exchange servers where they belong - with all the other domain members - behind the firewall.

With Exchange 5.5 you could easily put OWA in the DMZ as OWA didn't require the full Exchange server, and with Exchange 2007 you can as well as Microsoft have a special version that works in a perimeter network, but the close integration with active directory makes it almost impossible to do securely with Exchange 2000/2003.

Simon.

Author Comment

by:pacman_d
ID: 16975879
I realize the swiss-cheese factor that E2003 creates with a firewall. But I still need to run it like that. I have created static Exchange ports, as well as all of the Microsoft-recommended ports. The client is a non-profit, and cannot afford any more Microsoft licensing for a bit (ISA).
I definitely agree with not liking how Exchange works in a perimeter network, but that is where I am until E2007 is available and stable.
LVL 104

Accepted Solution

by: Sembee (earned 2000 total points)
ID: 16975900
I have seen four Exchange servers in DMZs, all displaying similar symptoms to yours. I move the Exchange server back inside, and all the problems go away.

To run an Exchange server inside you only need to have two ports open to the outside world - 443 and 25. I have many servers running in that configuration and have not seen a problem.

I have also deployed Exchange in to financial institutions, and they usually ask for the server to go in the DMZ, until I show them the list of ports that I want open on the firewall.

The solution is to bring the server inside. Nothing else will work reliably. Microsoft will never admit that publicly of course... it makes MCS good money trying to get it to work.

Simon.

Author Comment

by:pacman_d
ID: 16975926
Hmmmm. I may have to do this. A big problem is that this place pays good $$ for a Verisign SSL cert. I think I may just create a cert in Windows, and explain to users about the "certificate cannot be verified" pop-up they will get every time.

I want this to be a last resort, but it is an option.
I am still looking to resolve it some other way.
I may put a dummy firewall in there to rule out whether the hardware firewall is not forwarding certain packets correctly. There is a MS article that mentions that this may be the cause...

LVL 104

Expert Comment

by:Sembee
ID: 16975933
What does the certificate have to do with it? Simply move the certificate with the server. I don't use Verisign certificates for OWA anyway, as they are over priced for an application that doesn't need the insurance protection. I don't like the security popup at all and will attempt to avoid it at all costs.

Simon.

Author Comment

by:pacman_d
ID: 16975946
The front end Exchange box is my web server, and I have a few web applications that use this cert for SSL. Maybe I will look into a cheaper SSL cert provider. Do you have any recommendations?
LVL 104

Expert Comment

by:Sembee
ID: 16975974
For most deployments I use RapidSSL.com - their starterSSL certificates are fine. Don't be tempted by wildcard certificates if you are going to use any mobile applications as Windows Mobile cannot cope with them.

Simon.

Author Comment

by:pacman_d
ID: 16976012
When you use the backend E2003 box for OWA, do you check the box that says "this is a front end server" in the properties in System Manager?
LVL 104

Expert Comment

by:Sembee
ID: 16976340
Nope.
The backend server is not a frontend. Simply leave it alone.

Simon.

Author Comment

by:pacman_d
ID: 16977100
Anyone else actually get E2003 to work in this front end/DMZ to back-end configuration?

Author Comment

by:pacman_d
ID: 16996451
Well... I gave in. I put a RapidSSL (great price!) cert on the mail server, and opened port 443 to it. OWA works great. I was hoping to get the DMZ > backend config working, but you make a good argument about the number of ports required for it vs. only HTTPS to the mail server...
LVL 104

Expert Comment

by:Sembee
ID: 16996482
I was always told that you should have limited ports coming in to your most trusted environment. Therefore you ask the question... what would you prefer...

A single port coming in from the Internet.
or Multiple ports coming in from the DMZ.

You must have one or the other.

Most people will go for the single port, as that port can be monitored very easily.

Simon.
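The trade-off Simon describes in the accepted solution and restated here (many ports from the DMZ into the trusted network versus a single HTTPS port from the Internet to an internal server) as an added example, not code from this thread. The two rule lists and the port numbers in them are constructed for illustration only, and `inbound_exposure` and `policy_violations` are hypothetical helpers.

```python
"""Compare the inbound attack surface of the two OWA topologies from the thread.

Added example; not the poster's firewall configuration. Rules are constructed.
"""
from collections import defaultdict

# Rule tuple: (source zone, destination zone, protocol, port, purpose)
# Constructed ruleset 1: OWA front-end in the DMZ, talking to the back-end
# mailbox server, domain controllers and DNS inside (ports assumed here).
FRONTEND_IN_DMZ = [
    ("internet", "dmz", "tcp", 443, "OWA HTTPS to front-end"),
    ("dmz", "inside", "tcp", 80, "front-end to back-end HTTP"),
    ("dmz", "inside", "tcp", 389, "LDAP to domain controller"),
    ("dmz", "inside", "tcp", 3268, "global catalog"),
    ("dmz", "inside", "tcp", 88, "Kerberos"),
    ("dmz", "inside", "udp", 88, "Kerberos"),
    ("dmz", "inside", "tcp", 53, "DNS"),
    ("dmz", "inside", "udp", 53, "DNS"),
    ("dmz", "inside", "tcp", 135, "RPC endpoint mapper"),
    ("dmz", "inside", "tcp", 1600, "static RPC port (assumed value)"),
]

# Constructed ruleset 2: Exchange inside, only HTTPS and SMTP published.
EXCHANGE_INSIDE = [
    ("internet", "inside", "tcp", 443, "OWA HTTPS"),
    ("internet", "inside", "tcp", 25, "inbound SMTP"),
]

# Higher number = more trusted zone.
TRUST = {"internet": 0, "dmz": 1, "inside": 2}

def inbound_exposure(rules):
    """Return {dest_zone: {(proto, port)}} for flows that cross from a less
    trusted zone into a more trusted one; same-zone and outbound flows are ignored."""
    exposure = defaultdict(set)
    for src, dst, proto, port, _purpose in rules:
        if TRUST[src] < TRUST[dst]:
            exposure[dst].add((proto, port))
    return dict(exposure)

def policy_violations(rules, allowed_inside=frozenset({("tcp", 443), ("tcp", 25)})):
    """Every (proto, port) reaching the inside zone that is not on the allowlist."""
    inside = inbound_exposure(rules).get("inside", set())
    return sorted(inside - allowed_inside)

if __name__ == "__main__":
    for name, rules in (("front-end in DMZ", FRONTEND_IN_DMZ), ("Exchange inside", EXCHANGE_INSIDE)):
        reachable = inbound_exposure(rules).get("inside", set())
        print(f"{name}: inside reachable on {len(reachable)} port(s); "
              f"violations: {policy_violations(rules)}")
```

Run it to see that the DMZ design opens nine inbound paths into the trusted zone while the inside design opens the two that a single monitored ingress point needs.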
