Solved

OMA host header

Posted on 2006-06-29
Last Modified: 2008-02-01
How can I get OMA to use a host header?
I want OWA to keep using outlook.mydomain.com and I want OMA to be accessible by mobile.mydomain.com.
Currently I have DNS entries for both pointing to the public IP of my OWA/OMA server, but at the moment I have to type outlook.mydomain.com/mobile to get OMA.
Question by:viperacom

Expert Comment

by:LeeDerbyshire
I think you will need to add an extra Web Site in IIS Manager to do this, and then redirect this Web Site to get its content from your existing outlook.mydomain.com/mobile address.

Author Comment

by:viperacom
Sounds good, but can you elaborate... I think OMA can be fragile if you start moving things around.

Expert Comment

by:LeeDerbyshire
Fortunately, you don't have to move OMA.  In IIS Manager, create a new Web Site under the server object Web Sites container, give it a name (anything), but tell IIS to use your host header name for this new Web Site.  When it asks where to get the content from, just say C:\ for now (you can change it later), and finish the wizard.  Then go back into its properties, and on the Home Directory tab, click the 'A Redirection..' option, and in the 'Redirect to' input box, type your existing outlook.mydomain.com/oma location.

Expert Comment

by:Sembee
In my experience, OWA/OMA doesn't like host headers.
You can't use host headers with SSL, nor can you use a wildcard SSL certificate (as Windows Mobile doesn't support them). The fact that you are using host headers means you aren't using SSL, so why not just use an alias in DNS?

Simon.

Expert Comment

by:LeeDerbyshire
You know, I was assuming that the OP wanted to use mobile.mydomain.com (i.e. without /oma on the end) as the full URL for OMA, but reading the question again, I could be wrong.  If you are prepared to use mobile.mydomain.com/OMA , then there is no problem - just point the DNS record at the server.  But if you want it to be just http://mobile.mydomain.com , then it gets more complicated.

Author Comment

by:viperacom
Hi,

Yes I would like to use mobile.mydomain.com without the /oma at the end.
Currently mobile.mydomain.com and outlook.mydomain.com point to the same IP.
I have a redirect on the default site so that outlook.mydomain.com goes straight to the OWA login page.

I was hoping to be able to somehow point requests for mobile.mydomain.com straight to the OMA login page.


Expert Comment

by:LeeDerbyshire
I see, that's what I thought.  And for that, I think you will need a second Web site.  Here's something I tried that works okay here.  Create a second web site under the Web Sites container in IIS Manager.  Give it a host header name mobile.domain.com , and for the path just put C:\ for now.  Accept all the other default values.  When that's finished, right-click the OMA VDir under your Default Web Site, and save its configuration to a file.  Then, right-click your second Web site, and select 'New VDir from a file', and import the file you just saved.  Then look at the properties of the second Web Site.  On the Home Directory tab, select 'A redirection to a URL', and in the box type /OMA .  Then check 'A directory below URL entered', and save the changes.  Now, when you go to mobile.mydomain.com , you should go straight to OMA.  It works here, anyway.

Author Comment

by:viperacom
Great, I will give it a try.

Author Comment

by:viperacom
PS: I've just noticed, before I have gone to do this, that OWA is now broken for anyone outside head office. I haven't made the OMA change yet.
The user logs in and it times out giving error 503. I just recently turned off "require ssl" so that OMA would work from mobiles. The firewall does not allow port 80 so they are forced to use SSL anyway.
I am happy to start a new thread to allocate points if you have an answer... I just want to fix that before making any more changes, sorry.

Expert Comment

by:LeeDerbyshire
There are a couple of MS docs for this that are probably the best place to start:

http://support.microsoft.com/?kbid=823159
http://support.microsoft.com/?kbid=837285

Expert Comment

by:Sembee
With some clever scripting you can use a single URL for both OMA and OWA.
What you need to do is detect the web browser that is being used. I have successfully done it for Windows Mobile devices.
The relevant code goes into the forms-based page and redirects the user to OMA if they are accessing OWA with a Windows Mobile device.

http://www.amset.info/exchange/owa-redirectpages.asp

Simon.

Expert Comment

by:LeeDerbyshire
Good idea.  You could also have a Default.asp file that detects which host name was used to access the server.  Of course, if you did this, then you couldn't have anything else in the Default Web Site.

<%
If LCase(Request.ServerVariables("SERVER_NAME")) = "mobile.mydomain.com" Then
  Response.Redirect "/OMA"
Else
  Response.Redirect "/Exchange"
End If
%>

Expert Comment

by:Sembee
Couldn't you layer the redirect pages up?
First one sends you to /oma or another redirect
Next one sends you to /exchange or another redirect
Last one delivers the default page.

hmmmm

I can immediately think of two sites where that will work very well...

Simon.

Expert Comment

by:LeeDerbyshire
You can do this (below), or use another redirect instead of embedding the default page:

<%
If LCase(Request.ServerVariables("SERVER_NAME")) = "mobile.mydomain.com" Then
  Response.Redirect "/OMA"
ElseIf LCase(Request.ServerVariables("SERVER_NAME")) = "owa.mydomain.com" Then
  Response.Redirect "/Exchange"
Else
%>

<html>
Default Web Page.  Etc.
</html>

<%
End If
%>

Expert Comment

by:Sembee
Ooo lovely.
Just a pity that Windows Mobile doesn't support wildcard SSL certificates, otherwise you could combine that code with forms based authentication.

Simon.

Expert Comment

by:LeeDerbyshire
Of course, this won't work for those people that redirected their Default Web Site to /Exchange in IIS Manager (because the Default.asp page never gets loaded) - you'd have to let the Default.asp page do the actual redirection.

Having a second Web Site on the same server, and redirecting to a (cloned as described above) OMA VDir on that (instead of the OMA VDir on the Default Web Site) might help with the wildcard cert problem.

Response.Redirect "https://second.host.header.name/OMA"

Expert Comment

by:LeeDerbyshire
Oh, but you wouldn't need the SERVER_NAME redirect with a second site - you'd just use its host header.

Author Comment

by:viperacom
Excellent, I will try this out tomorrow. Cheers

Author Comment

by:viperacom
OK I have completely removed and reinstalled Exchange from my front end server.
I have put the following code at the top of the iistart.htm file for default web site

<%
If LCase(Request.ServerVariables("SERVER_NAME")) = "outlook.blah.com" Then
  Response.Redirect "/Exchange"
Else
  Response.Redirect "https://mobile.blah.com/OMA"
End If
%>
(NB: I have put SERVER_NAME as exactly that, not my real server name - is this correct?)

Then I have done this...
---
Create a second web site under the Web Sites container in IIS Manager.  Give it a host header name mobile.blah.com , and for the path just put C:\ for now.  Accept all the other default values.  When that's finished, right-click the OMA VDir under your Default Web Site, and save its configuration to a file.  Then, right-click your second Web site, and select 'New VDir from a file', and import the file you just saved.  Then look at the properties of the second Web Site.  On the Home Directory tab, select 'A redirection to a URL', and in the box type /OMA .  Then check 'A directory below URL entered', and save the changes.
---

I have an SSL cert for outlook.blah.com and a different SSL cert for mobile.blah.com.
If I install the mobile one to the newly created second site and also enable on the OMA v directory... then do I just install the outlook.blah.com SSL cert on the default site and enable for exchange vdir? will they conflict at all?

Author Comment

by:viperacom
Sorry for not waiting for a response but I have installed the mobile SSL cert on the mobile site using port 443. I have installed the outlook cert on the default site using port 444. I have not set the Exchange vDir to require SSL because only ports 443 and 444 are allowed through the firewall.

Currently if I browse to https://mobile.blah.com I get redirected to OMA (hooray!)
But... if I browse to https://outlook.blah.com I still get redirected to OMA (I think I have the redirect code slightly wrong)

Author Comment

by:viperacom
Would it be because I have no exchfilt.dll listed in ISAPI filters since the reinstall? I just noticed.

Author Comment

by:viperacom
I still ALWAYS get redirected to OMA.
This is the entire contents of my default.asp...

<%
If LCase(Request.ServerVariables("SERVER_NAME")) = "mobile.blah.com" Then
  Response.Redirect "https://mobile.blah.com/OMA"
ElseIf LCase(Request.ServerVariables("SERVER_NAME")) = "outlook.blah.com" Then
  Response.Redirect "/Exchange"
Else
%>

<html>
Default Web Page.
</html>

<%
End If
%>

Expert Comment

by:LeeDerbyshire
I think you have redirected your Default Web Site to '/Exchange' (like you just redirected your second Web site to '/OMA'); that means that your code never gets executed.  You need to remove the existing redirect and let the VBScript take care of it.

Also, it needs to be in Default.asp - you can't include VBScript code in an .htm file because .htm files are not pre-processed like .asp files are.  Look at the default documents for the DWS and make sure that default.asp is at the top of the list.

SERVER_NAME is exactly right.

Expert Comment

by:LeeDerbyshire
Sorry, I mean you may have your DWS redirected to '/OMA' (not /Exchange).  Make sure you haven't, before we check anything else.

Author Comment

by:viperacom
Hi, I have checked all of that already...
It is still going to OMA no matter what.

Expert Comment

by:LeeDerbyshire
Okay, can you go to https://outlook.yourdomain.com , wait a few minutes (to let it flush the log cache), and then open your current IIS log file in Notepad, and paste us the lines generated by this request.  You should see the time at the left-hand side, so you can tell which block of log entries are created when you request the URL.

Author Comment

by:viperacom
This is browsing to https://outlook.yourdomain.com, which directs to OMA, and then logging in with myusername:

2006-07-03 11:10:14 W3SVC1523476301 192.168.x.x GET / - 443 - x.x.2.212 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 302 0 0
2006-07-03 11:10:14 W3SVC1523476301 192.168.x.x GET /OMA/oma.aspx - 443 myusername x.x.2.212 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 302 0 0
2006-07-03 11:10:15 W3SVC1523476301 192.168.x.x GET /OMA/oma.aspx - 443 myusername x.x.2.212 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 200 0 0

Author Comment

by:viperacom
And this is browsing to https://mobile.yourdomain.com, which also redirects to OMA, and logging in with myusername:

2006-07-03 11:16:18 W3SVC1523476301 192.168.x.x GET / - 443 - x.x.2.212 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 302 0 0
2006-07-03 11:16:18 W3SVC1523476301 192.168.x.x GET /OMA/ - 443 - x.x.2.212 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 401 2 2148074254
2006-07-03 11:16:23 W3SVC1523476301 192.168.x.x GET /OMA/oma.aspx - 443 myusername x.x.2.212 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 302 0 0
2006-07-03 11:16:23 W3SVC1523476301 192.168.x,x GET /OMA/oma.aspx - 443 myusername x.x.2.212 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 200 0 0

Expert Comment

by:LeeDerbyshire
Looking at the W3SVC1523476301 bit, it looks like neither of these is from your Default Web Site (which should be W3SVC1), so I think that requests for both outlook. and mobile. are going to the second Web Site.  Did you configure the second Web site to use the host header mobile.yourdomain.com ?
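
The check made in this reply, as an added example that is not part of the original post: the pasted log lines carry no cs-host column, so the s-sitename field is the only sign of which IIS site answered a request. The sample log is constructed in the same layout (the site ID is the one from the thread; the addresses and shortened user agent are made up), and the function names are this example's own.

```python
from collections import defaultdict

# Constructed sample in the layout of the log lines pasted in the thread. The
# site ID is the one from the thread; addresses and user agent are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-07-03 11:10:14 W3SVC1523476301 192.168.0.10 GET / - 443 - 192.0.2.212 Mozilla/4.0+(compatible;+MSIE+7.0) 302 0 0
2006-07-03 11:10:14 W3SVC1523476301 192.168.0.10 GET /OMA/oma.aspx - 443 myusername 192.0.2.212 Mozilla/4.0+(compatible;+MSIE+7.0) 302 0 0
2006-07-03 11:10:15 W3SVC1523476301 192.168.0.10 GET /OMA/oma.aspx - 443 myusername 192.0.2.212 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2006-07-03 11:10:16 W3SVC1523476301 truncated
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # A #Fields directive may reappear mid-file when logging options change.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # truncated or malformed line, or no field list seen yet
        entries.append(dict(zip(fields, values)))
    return entries


def requests_by_site(entries):
    """Map each site instance ID to the (time, URI, status) tuples it served."""
    by_site = defaultdict(list)
    for e in entries:
        by_site[e.get("s-sitename", "-")].append(
            (e.get("time", "-"), e.get("cs-uri-stem", "-"), e.get("sc-status", "-")))
    return dict(by_site)


def served_by_other_site(entries, expected_site):
    """Return entries that were handled by a site other than the expected one."""
    return [e for e in entries if e.get("s-sitename") != expected_site]


if __name__ == "__main__":
    parsed = parse_w3c(SAMPLE_LOG)
    for site, reqs in requests_by_site(parsed).items():
        print(site)
        for when, uri, status in reqs:
            print(f"  {when} {uri} -> {status}")
    # A request for the outlook name should have landed on the Default Web Site.
    stray = served_by_other_site(parsed, "W3SVC1")
    print(f"{len(stray)} request(s) not served by W3SVC1")
```

Enabling the cs-host field in the site's W3C logging properties records the requested host name as well, which removes the guesswork when two names share one IP.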

Author Comment

by:viperacom
Yes I did, and the default site currently has no host header set.
I even tried setting the host header of the default site to outlook.yourdomain.com but that didn't work either.

Author Comment

by:viperacom
Even if I set the default site to redirect to /exchange it still goes to OMA.
Is it because OMA SSL is 443 and default site is 444?
Or does the SSL port work automatically?

Author Comment

by:viperacom
OK, here is the latest (I have it all working apart from an SSL cert error...)
*******************************************************************
Default site SSL port set back to 443 and no host header.
Default site SSL cert is outlook.mydomain.com

---Default.asp contents---
<%
If LCase(Request.ServerVariables("SERVER_NAME")) = "mobile.yourdomain.com" Then
  Response.Redirect "https://mobile.yourdomain.com/OMA"
ElseIf LCase(Request.ServerVariables("SERVER_NAME")) = "outlook.yourdomain.com" Then
  Response.Redirect "/Exchange"
Else
%>

<html>
Default Web Page.
</html>

<%
End If
%>
----end of Default.asp contents--------

Separate site in IIS named MOBILE
Contains OMA Vdir cloned as per your instructions previously.
Host header for this site is mobile.yourdomain.com
SSL port is 444 (couldn't make 443 due to conflict with default site)

If I browse to outlook.yourdomain.com and log in I get OWA, hooray.
If I browse to mobile.yourdomain.com and log in I get OMA, hooray - but I initially get an SSL cert warning that the name doesn't match the cert. I think this is because it first goes via the default site, which is outlook not mobile. How can I prevent this? I have an SSL cert for each name, i.e. outlook.yourdomain.com and mobile.yourdomain.com.

Thanks for sticking with this so far... ALMOST THERE! :)

Expert Comment

by:LeeDerbyshire
If you use a non-standard port (like 444), you are always going to have to put it in the URL, like this http://servername:444/ .  That is why you ended up at the second Web site.  You need to have the second back on 443.  If you have a host header for the second Web Site, then there should not be a conflict - I am surprised that it complained.  Only one thing needs to be different - the IP address it listens on (if the machine has several), the port number, or the host header.  Now that the second web site has a host header, you should be able to change it back to 443.  I think.

The SSL cert is a problem.  You will need another cert for mobile.domain.com  .  A wildcard cert for *.domain.com would have been good, but I am led to believe that Windows Mobile doesn't like them.

Author Comment

by:viperacom
The mobile site has host header mobile.yourdomain.com.
It is currently set to 444 and works fine (apart from the SSL cert warning, which you simply acknowledge).

If I stop the mobile site, set it to 443 and then try to start it, it says that another site is using the port so it could not start.

I have 2 certs installed, one for the default site and registered as outlook.yourdomain.com and one for the mobile site registered as mobile.yourdomain.com.

So in summary, the redirect and everything works perfectly, but...
When browsing to mobile.yourdomain.com, before you get redirected, it complains about the name on the cert not matching, which I presume is because when it gets to default site\default.asp to do the redirect code it says "hang on, you typed mobile.yourdomain.com but this site has an SSL cert for outlook.yourdomain.com"... THEN, and only after you acknowledge, it redirects to mobile.yourdomain.com, which does not complain because the SSL cert is correct for the mobile site...

Any ideas?


Expert Comment

by:LeeDerbyshire
But hang on a sec.  If the second Web Site has mobile.domain.com as its host header, and 444 as its port number, then you should be able to go straight to the second web site with https://mobile.domain.com:444 .

We will have to decide if you are going to use 444 as the port, which means that you need to use it in all URLs (including the one in the default.asp)?  I would personally prefer to get everything on the same port.  If you have IIS6 (i.e. Windows 2003 server), then it can be done.  It may have complained before because you had another blank entry in the host headers table for the site.  I think one often ends up in there by default.

Author Comment

by:viperacom
I am running IIS6 / 2003.
Browsing to mobile.yourdomain.com:444 I get error 404 not found.
I do not understand why it works with 444 using the redirect code but it does.
I would prefer it on 443 but it won't let me.

PS: they are both on a single IP.

What do you suggest?

Expert Comment

by:LeeDerbyshire
I would double-check the host headers list on each web site.  Make sure that each table has only one entry.

I also need to make sure that IIS6 / SSL / host headers actually works.  This suggests it does:

http://support.microsoft.com/Default.aspx?id=187504

And yet, I find on my own server that if I try to use the same port, the second web site will go into a stopped state.  Although it doesn't actually complain at the time that I put 443 in the input field.

Author Comment

by:viperacom
I am now wondering whether accessing mobile.yourdomain.com is really using the cloned OMA and not the original OMA vdir.
Because mobile.yourdomain.com and outlook.yourdomain.com are the same IP, theoretically if the host headers were not working then mobile.yourdomain.com/OMA could actually be default site/OMA

Can I delete the original OMA vdir?

PS: Once I am logged in to OMA my browser says mobile.yourdomain.com/OMA and if you look at the info on the certificate error it says the certificate is outlook.yourdomain.com instead of mobile.yourdomain.com

Hmmmm......
Will check the host headers list...
So should the default website have no header? Or should it be set to outlook.yourdomain.com?

Expert Comment

by:LeeDerbyshire
You can delete the OMA VDir, but it is not trivial to recreate it:

http://support.microsoft.com/?kbid=883380

It would be best to set the DWS to outlook.yourdomain.com , I think, if you have no other use for it.

Expert Comment

by:LeeDerbyshire
Ah.  I think you need to use the other host header list at the bottom of the dialog - where it says Multiple SSL Identities - when you are using SSL.

Author Comment

by:viperacom
OK, I have removed the original OMA vdir under DWS.
Have also set host header for DWS to outlook.yourdomain.com
Restarted IIS.
Can still access outlook.yourdomain.com, no probs.
Can no longer access mobile.yourdomain.com - 404 page not found

So it looks like it was using the DWS OMA vDir.

PS: Cannot even access mobile.yourdomain.com:444/OMA


Author Comment

by:viperacom
The bottom list doesn't let you do headers though, does it?
Only IP and port?

Expert Comment

by:LeeDerbyshire
I'm going to have to try and duplicate it here.  Each way I can think of approaching it ends up with at least one problem.

Author Comment

by:viperacom
And I thought you almost had it :(
Will setting up another public IP and NATing to a new internal static IP so that mobile.yourdomain.com has its own unique IP help?
If it has to come to that, it is an option, just the least desirable one.

Expert Comment

by:LeeDerbyshire
If you can route another Public IP in, that would be great.  Not everyone has that option these days.  It looks like we could do it with wildcard SSL (i.e. *.mydomain.com), but Windows Mobile apparently does not support wildcard SSL.

Author Comment

by:viperacom
Yes, I want to avoid wildcard due to incompatibility and also because I have just paid for two separate certificates.

If I go and set up an additional IP, do you have a plan that you think will work before I go down that road, or would you rather play around with the original redirect idea?

PS: Why does the default site need the redirect code in the default.asp if there is a host header set on each site? Shouldn't the host headers do the trick on their own
(as long as DWS was set to redirect to /exchange under current site and Mobile was set to redirect to /oma under current site in IIS)?

Accepted Solution

by:LeeDerbyshire earned 500 total points
You will no longer need the default.asp if you use host headers.  My original plan was to redirect to Virtual Directories, like /Exchange and /OMA on the default web site, but then SSL appeared in the equation (I'm not sure exactly where), and then things became very complicated (i.e. you then need two web sites to avoid the SSL 'different host name' problem).

If you have two public IPs, then you can map them to two different internal IPs (on the same server), and then you can have both Web sites using 443 for SSL, but with different IP addresses.  From what I can find out about this, you /can/ use host headers with IIS6 (as long as you have W2K3 server SP1), but they still need a unique IP/Port combination on the server.
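
Why the shared-IP layout produced the certificate warning and the two-IP layout does not, as an added example (a simplified Python model written for this page, not IIS code and not part of the original answer): a server without SNI has to choose its certificate from the destination IP and port alone, before it can read the Host header. The 10.0.0.x addresses and site layouts are constructed from the thread's description, and `client_supports_wildcards` is a hypothetical flag standing in for the thread's statement about Windows Mobile.

```python
from collections import namedtuple
from itertools import combinations

# name: IIS site name, ip/port: SSL binding, cert_name: name on the installed cert
SslSite = namedtuple("SslSite", "name ip port cert_name")


def find_conflicts(sites):
    """Pairs of sites that claim the same IP:port and so cannot both start."""
    return [(a.name, b.name) for a, b in combinations(sites, 2)
            if (a.ip, a.port) == (b.ip, b.port)]


def site_for_handshake(sites, dest_ip, port):
    """Without SNI the Host header is still encrypted when the certificate is
    chosen, so only the destination IP and port can select the site."""
    for site in sites:
        if (site.ip, site.port) == (dest_ip, port):
            return site
    return None


def name_matches(hostname, cert_name, client_supports_wildcards=True):
    """Exact match, or a single left-most '*' label if the client accepts it."""
    host = hostname.lower().rstrip(".")
    pattern = cert_name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    if not client_supports_wildcards:
        return False
    head, _, tail = host.partition(".")
    return bool(head) and tail == pattern[2:]


def browse(sites, hostname, dest_ip, port=443, client_supports_wildcards=True):
    """Return (site that answers, whether its certificate fits the hostname)."""
    site = site_for_handshake(sites, dest_ip, port)
    if site is None:
        return None, False
    return site.name, name_matches(hostname, site.cert_name,
                                   client_supports_wildcards)


# Constructed layouts following the thread: one shared IP, then one IP per site.
SHARED_IP = [
    SslSite("Default Web Site", "10.0.0.1", 443, "outlook.yourdomain.com"),
    SslSite("MOBILE", "10.0.0.1", 444, "mobile.yourdomain.com"),
]
SEPARATE_IPS = [
    SslSite("Default Web Site", "10.0.0.1", 443, "outlook.yourdomain.com"),
    SslSite("MOBILE", "10.0.0.2", 443, "mobile.yourdomain.com"),
]
WILDCARD = [SslSite("Default Web Site", "10.0.0.1", 443, "*.yourdomain.com")]
# Both sites moved to 443 on the one address: the state in which MOBILE would not start.
BOTH_ON_443 = [SHARED_IP[0],
               SslSite("MOBILE", "10.0.0.1", 443, "mobile.yourdomain.com")]

if __name__ == "__main__":
    print(browse(SHARED_IP, "mobile.yourdomain.com", "10.0.0.1"))
    print(browse(SEPARATE_IPS, "mobile.yourdomain.com", "10.0.0.2"))
    print(browse(WILDCARD, "mobile.yourdomain.com", "10.0.0.1",
                 client_supports_wildcards=False))
    print(find_conflicts(BOTH_ON_443))
```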

Author Comment

by:viperacom
Hi,

I have both websites running on separate IP addresses now but it still won't allow me to set both to 443.
Any ideas? I thought this was only a problem when sharing an IP address?

Author Comment

by:viperacom
Ahhh restarted IIS.
Awesome, thanks for sticking with me.