bbdoit asked:

Exchange 2003 and 2007 OWA Coexistence Issues

We are transitioning from Exchange 2003 to Exchange 2007 and, as our company has many AD sites, we are only able to do one site at a time.  We are tasked with making this change with as little user impact as possible.  We have replaced our E2k3 FE/OWA server with an E2k7 CAS only server and, in order to minimize impact, we are trying to keep the same URL for OWA access.

Currently, we are using Microsoft's recommended redirect method to redirect all http://email.company.com requests to https://email.company.com/exchange and this is working fine for E2k3 users.  But, it is not working for E2k7 users in the following scenario:

First AD Site
1 - CAS only server (internet facing w\ redirect)
1 - HT only server
1 - MBX only server
1 - E2k3 mailbox server

Second AD site
1 - CAS\HT\MBX server
1 - E2k3 mailbox server

Mailboxes on E2k3 or E2k7 in the First AD site can access OWA via the redirect to /exchange without any problems.  Mailboxes on E2k3 in the Second AD site can access OWA that same way without any problems also.  BUT, people on E2k7 in the Second AD site always get the following error after login:

  The page must be viewed over a secure channel
  The page you are trying to access is secured with Secure Sockets Layer (SSL).
  --------------------------------------------------------------------------------

  Please try the following:

  Type https:// at the beginning of the address you are attempting to reach and press ENTER.
  HTTP Error 403.4 - Forbidden: SSL is required to view this resource.
  Internet Information Services (IIS)

  --------------------------------------------------------------------------------

If that same E2k7 mailbox user uses https://email.company.com/owa, it works fine.  We have enabled Integrated Authentication on /owa within Exchange Mgmt console on the E2K7 server in the Second AD site.  Also, we have left the external URL field on the E2k7 server in the Second AD site blank.

Am I misunderstanding how the proxying works or is something just not working as it should?  Any help would be greatly appreciated.
Sembee:

Does the URL change?
is the internal URL http or https ?

Simon.
bbdoit (ASKER):

No, the URL does not change and the internal URL displayed within EMC for this server is https://servername.domain.com/owa.

Sembee:

Does the second server have direct access to the internet?

Simon.
bbdoit (ASKER):

No it does not have direct access.  Exactly why we are trying to get OWA working via the CAS in the First AD site.

Sembee:

The error you are getting tends to point to a http in a URL somewhere instead of https. Exchange then redirects to the http version instead. Another thing it could be is that it is redirecting to the wrong server initially, so is doing a double hop and somewhere in that mix it is trying to use http. Do you know which server is generating the error? You may have to look in the web logs to verify it.

Simon.
bbdoit (ASKER):

It is definitely going to the correct server.  After looking at the logs, it appears that the CAS in the First AD site is requesting /exchange on the CAS in the Second AD site over port 80.  Here is the only entry in the IIS log from the CAS in the Second site:

2008-03-07 13:49:43 W3SVC1 172.18.105.53 GET /exchange - 80 - 149.39.142.162 Exchange-Server-Frontend-Proxy

I turned off "Require SSL" for the /exchange virtual directory on the server in the Second site and now it is working.  Is this the correct way to implement this?  It still sounds like something is wrong.
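The IIS entry quoted above shows the front-end proxy hop (user agent Exchange-Server-Frontend-Proxy) hitting /exchange on port 80, so relaxing "Require SSL" makes that CAS-to-CAS hop succeed in clear text rather than over SSL. A practitioner reviewing the second CAS would want to find every such hop in the logs, and any 403.4 rejections that prompted the change. The script below is an added example written for this thread, not code from the thread or from Microsoft: it parses IIS W3C extended logs using whatever "#Fields:" header the log declares and reports cleartext proxy hits and SSL-required rejections. The sample log is constructed, modelled on the single quoted entry; its column list and status values are assumptions, not the poster's actual logging configuration.

```python
"""Flag Exchange front-end proxy hops that reach a CAS in clear text.

Added example for this thread (not the thread's or Microsoft's code). The
sample log below is constructed; the column order is an assumption taken
from its own '#Fields:' line, which is how real IIS logs declare columns.
"""
from typing import Dict, List

PROXY_AGENT = "Exchange-Server-Frontend-Proxy"  # user agent seen in the quoted entry

# Constructed sample, modelled on the thread's entry. IIS writes spaces inside
# values (e.g. user agents) as '+', so splitting on whitespace is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-03-07 13:49:43
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus
2008-03-07 13:49:43 W3SVC1 172.18.105.53 GET /exchange - 80 - 149.39.142.162 Exchange-Server-Frontend-Proxy 403 4
2008-03-07 13:50:01 W3SVC1 172.18.105.53 GET /owa - 443 DOMAIN\\alice 10.0.0.8 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0
2008-03-07 13:50:05 W3SVC1 172.18.105.53 GET /exchange - 80 - 149.39.142.162 Exchange-Server-Frontend-Proxy 200 0
2008-03-07 13:50:09 W3SVC1 172.18.105.53 GET /owa - 443 - 149.39.142.162 Exchange-Server-Frontend-Proxy 200 0
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text into one dict per request line.

    Column names come from the '#Fields:' directive; other '#' directives are
    skipped. Lines whose column count does not match the header (truncated
    entries, like the one quoted in the thread) are dropped rather than
    mis-assigned.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def cleartext_proxy_hits(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Proxy hops (front-end CAS to this CAS) that arrived on port 80, i.e. unencrypted."""
    return [
        r for r in records
        if PROXY_AGENT in r.get("cs(User-Agent)", "") and r.get("s-port") == "80"
    ]


def ssl_required_rejections(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Requests IIS refused with 403.4 (SSL is required to view this resource)."""
    return [
        r for r in records
        if r.get("sc-status") == "403" and r.get("sc-substatus") == "4"
    ]


def summarize(text: str) -> Dict[str, object]:
    """Count cleartext proxy hops and 403.4 rejections, with the sources and paths involved."""
    records = parse_w3c(text)
    hits = cleartext_proxy_hits(records)
    rejections = ssl_required_rejections(records)
    return {
        "requests": len(records),
        "cleartext_proxy_hits": len(hits),
        "ssl_required_rejections": len(rejections),
        "cleartext_proxy_sources": sorted({r["c-ip"] for r in hits}),
        "cleartext_proxy_paths": sorted({r["cs-uri-stem"] for r in hits}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the first /exchange hit is the 403.4 that produced the "page must be viewed over a secure channel" error, and the third is the same hop succeeding on port 80 once "Require SSL" was switched off; the /owa hop on 443 is not reported because it is already on the SSL port. Pointing the script at the real log directory tells you whether the /exchange proxy hop is the only cleartext path between the two CAS servers, which is the question to settle before leaving "Require SSL" off.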
Sembee (ASKER CERTIFIED SOLUTION):

This solution is only available to members.
bbdoit (ASKER):

Simon, you are the BEST!  I "pretend" to be an Exchange Administrator - you ARE the master.  Thanks!