kpturner


SBS 2008 SSL conflict with Default website and SBS Web Applications

We have just migrated from SBS 2003 to SBS 2008. The migration finally completed last week.  Most of the important things are working fine, but there are some niggly issues which are puzzling me, almost all to do with IIS and remote access.

Once the migration had completed, both "Default web site" and "SBS Web Applications" were bound to port 443 for SSL.  This meant that one of the servers ("SBS Web Applications") would not start.  Although it would not start, it was not too bad because our mobile devices (mainly iPhones) were able to use ActiveSync/direct push presumably via the Microsoft-Server-ActiveSync virtual directory within "Default Web Site".  We could also get OWA via https://remote.domain/owa.

However, since SBS Web Applications could not start we cannot get to anything else like RWW etc.

When I investigated this I found various resources (including some posts on here) telling me that "Default Web site" should only be bound to port 80, not 443.  Sure enough, if I remove the 443 binding I can then start "SBS Web Applications".  However, that instantly means I lose ActiveSync/Direct Push for our remote devices and I can no longer access OWA.

It seems like a catch-22 unless there is something missing in SBS Web Applications that should replicate the ActiveSync and OWA functions in Default Web Site.  I know for a fact that there was an OWA virtual directory within SBS Web Applications that is no longer there. I found some script that should recreate it:

New-OWAVirtualDirectory -WebsiteName "SBS Web Applications" -OwaVersion "Exchange2007" -ExternalAuthenticationMethods Fba


but when I run that I get the following error:
New-OwaVirtualDirectory : An error occurred while creating the IIS virtual directory 'IIS://CHROMIS.CoralTree.local/W3SVC/3/ROOT/owa' on 'CHROMIS'.
At line:1 char:24



Even if we got OWA working I am still unsure how ActiveSync can work.  We tried uninstalling/installing ClientAccess to no avail and ran the "Fix my network" wizard - which didn't find anything to fix.

I am stumped.
Tray896

All that you need to do in order to run both sites on the same ports is to have them running on separate IP's.  Get a new IP for your SBS Web Application, and then edit the bindings for that site within IIS manager.  Edit the bindings for http and https so that it points to the new IP that you put on the box, and then modify any necessary DNS changes to point to that IP.
kpturner

ASKER

Thanks for the quick answer. I know I can get both started using different IP addresses, but I think that will just mask the fact that we have something else wrong under the covers.  There should be an OWA virtual folder in SBS Web Applications and there is not, and creating one fails.  It should be possible to have a single IP address and have ActiveSync, OWA, RWW etc all running without difficulty as far as I know.....maybe I am wrong with that assumption but it certainly appears to be the case from the reams of documentation I have been ploughing through :-(
I am not of much help, but just a 'heads up' SBS 2008 does not like multiple IP's.

Have you run the connect to the internet and configure my internet address wizards? The latter should configure the web functions. Failing that try the fix my network wizard and the SBS 2008 BPA which will often point out mis-configurations.
http://www.microsoft.com/downloads/details.aspx?familyid=86a1aa32-9814-484e-bd43-3e42aec7f731&displaylang=en
Yes tried the various wizards more than once. No luck.
Have you tried the BPA (Best Practices Analyzer) suggested above. It is very informative about mis-configurations with SBS 2008.
Yes we have run the BPA and it did report a few things that bear consideration, but nothing that relates to this. I think that resolving the shell error is the first thing to do, then if I could somehow see a working example with a single IP address it might be able to get it working.
Are there any screen shots from a default config we could provide for you that would be of some help?
Yes please.  An expanded view of the "Default Web Site" and the "SBS Web Applications" to show the underlying applications and virtual directories would be useful.  That will confirm my suspicion that there should be an OWA object within each and may also give a clue as to how ActiveSync can work via SSL to SBS Web Applications rather than Default Web site.  Also the bindings for each to confirm that there is no SSL binding on the Default Directory.

I don't know if it is possible to cobble together OWA under SBS Web applications in IIS alone or if it must be done through the Exchange Shell?
Is this of some help?
IIS.jpg
Yes - quite revealing thanks.  Your OWA and
Hit the wrong button by mistake.

Yes - quite revealing thanks.  Your OWA and  
Did it again!!

Your OWA and Microsoft-Server-ActiveSync virtual directories are both in SBS Web Applications whereas on our server they are both in Default Web Site.

That explains how it is possible to have SSL only on the SBS Web Applications folder since that is the correct place for the virtual directories.  

Now I just need to put the virtual folders in the correct place, but I am pretty sure that it is not enough to do so via IIS.

If you look at your Exchange 2007 Management Console you can see under Server Configuration/Client Access that OWA and ActiveSync are displayed there too - and in my case incorrectly configured against Default Web Site.  That brings me full circle back to the correct shell commands to recreate them correctly and the fact that they are failing :-(
I have managed to delete and recreate everything using the Shell commands except OWA thanks to the screenshot and this: http://technet.microsoft.com/en-us/library/dd767439(WS.10).aspx

The OWA creation still fails with the error:
New-OwaVirtualDirectory : An error occurred while creating the IIS virtual directory 'IIS://blah.local/W3SVC/3/ROOT/owa' on blah'.At line:1 char:24

I think the recreation of OWA in SBS Web Applications is my only stumbling block now (as described in the original post).

The only solution I have found is to uninstall and reinstall CAS but I have tried that and it still recreates everything in the wrong place.
>>"Your OWA and Microsoft-Server-ActiveSync virtual directories are both in SBS Web Applications whereas on our server they are both in Default Web Site"
I assume that is a result of the migration rather than a clean install.

>>"If you look at your Exchange 2007 Management Console .........incorrectly configured against Default Web Site"
Yes these show SBS Web Apps

>>"I think the recreation of OWA in SBS Web Applications is my only stumbling block now"
Sorry but I have never had to do so and thus not familiar with the process. I had flagged the following article at one time:
http://exchangeshare.wordpress.com/2008/07/16/how-to-recreate-owa-virtual-directory-exchange-2007/
Yeah that link talks about how to recreate OWA on the Default Web Site - which I already have (and it is the wrong place).  So I can get to OWA using a non-SSL link - but I really want it in the correct place using SSL under SBS Web Applications.  I can feel a call to Microsoft being required to resolve it I think.  Some points are due to you for a partial solution with the screenshot but I am not sure how to do that. Maybe I need to wait until I have the full solution.
Sorry I didn't review that article, I see now it is for standalone Exchange not SBS.
I see this fellow had the same issue:
https://www.experts-exchange.com/questions/24255654/Reinstall-RWW-and-OWA-on-SBS-2008.html
If re-installing the client access role as they did, see:
http://technet.microsoft.com/en-us/library/dd767439(WS.10).aspx

Sorry I am not much help with this.
As for the points, I am certainly not worried about them, they won't buy me much :-)  However, I would leave the question open until resolved. Then you can post your findings which may help someone else. If then you want to, you can split the points between you and me.
Not required at all.
Sorry for getting into this so late; been busy with the day job.
1) SBS Web applications handles RWW, OWA, and ActiveSync (I think you already know this.) Why yours got changed up, couldn't tell ya, but that isn't default. And this is unique to SBS.
2) As you've also already resolved, port 443 cannot be on the default website. Don't use multiple IPs (contrary to at least one suggestion I noticed).
3) The commands you want to run are the ones I've attached as code:

# Run in the Exchange Management Shell.
# $LocalServerName and $strDomainDNS must be set before running these commands.

# Remove the existing OWA virtual directories on this server
Get-OwaVirtualDirectory -server $LocalServerName | Remove-OwaVirtualDirectory

# Recreate the Exchange 2007 OWA virtual directory under "SBS Web Applications"
New-OWAVirtualDirectory -WebsiteName "SBS Web Applications" -OwaVersion "Exchange2007" -ExternalAuthenticationMethods Fba

Set-OWAVirtualDirectory -InternalUrl "https://sites/owa/" -ClientAuthCleanupLevel "Low" -LogonFormat "UserName" -DefaultDomain $strDomainDNS -Identity "Owa (SBS Web Applications)"

# Recreate the legacy (Exchange 2003/2000) virtual directories
New-OWAVirtualDirectory -WebsiteName "SBS Web Applications" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "Exadmin" -ExternalAuthenticationMethods Fba

New-OWAVirtualDirectory -WebsiteName "SBS Web Applications" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "Mailboxes" -ExternalAuthenticationMethods Fba

New-OWAVirtualDirectory -WebsiteName "SBS Web Applications" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "Exchweb" -ExternalAuthenticationMethods Fba

New-OWAVirtualDirectory -WebsiteName "SBS Web Applications" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "PublicFolders" -ExternalAuthenticationMethods Fba

# Restart IIS without forcing if services do not stop cleanly
iisreset /noforce

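An added example, not part of any post in this thread: a read-only PowerShell check for the condition discussed above, two IIS sites holding the same https binding, plus a listing of which site hosts the OWA and ActiveSync virtual directories. It assumes PowerShell 2.0 or later and `appcmd.exe` in its default location; the sample lines are constructed to mirror the situation the asker describes and are used only when `appcmd.exe` is not found.

```powershell
# Added example: read-only report, it changes no IIS or Exchange settings.
# Assumes PowerShell 2.0 or later, run elevated on the server.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# Constructed sample in the format printed by "appcmd list site",
# used only when appcmd.exe is not present.
$sample = @(
    'SITE "Default Web Site" (id:1,bindings:http/*:80:,https/*:443:,state:Started)',
    'SITE "SBS Web Applications" (id:3,bindings:http/*:80:remote.example.com,https/*:443:,state:Stopped)'
)

function ConvertTo-SiteBinding {
    param([string[]]$Lines)
    $pattern = '^SITE "(?<name>[^"]+)" \(id:(?<id>\d+),bindings:(?<b>.*),state:(?<state>\w+)\)'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }
        # Copy the captures now; later matches would overwrite $Matches.
        $site = $Matches['name']; $state = $Matches['state']
        foreach ($binding in $Matches['b'].Split(',')) {
            if (-not $binding) { continue }
            # "https/*:443:" -> protocol "https", endpoint "*:443:" (IP:port:host)
            $protocol, $endpoint = $binding -split '/', 2
            New-Object PSObject -Property @{
                Site = $site; State = $state; Protocol = $protocol; Endpoint = $endpoint
            }
        }
    }
}

$lines = if (Test-Path $appcmd) { & $appcmd list site } else { $sample }
$bindings = @(ConvertTo-SiteBinding -Lines $lines)

# Two sites with the identical https IP:port:host binding cannot both start.
$conflicts = $bindings | Where-Object { $_.Protocol -eq 'https' } |
    Group-Object Endpoint | Where-Object { $_.Count -gt 1 }
foreach ($c in $conflicts) {
    $owners = ($c.Group | ForEach-Object { "$($_.Site) [$($_.State)]" }) -join ', '
    Write-Output "Duplicate https binding $($c.Name): $owners"
}

# In the Exchange Management Shell, the directory name carries its host site,
# e.g. "owa (SBS Web Applications)".
if (Get-Command Get-OwaVirtualDirectory -ErrorAction SilentlyContinue) {
    Get-OwaVirtualDirectory | Select-Object Name, Server
    Get-ActiveSyncVirtualDirectory | Select-Object Name, Server
}
```

With the constructed sample it reports one duplicate https binding on `*:443:` shared by both sites; after the fix described in the thread, the report should be empty and both directory names should end in "(SBS Web Applications)".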

By way of an update, we got Microsoft involved to fix the location for OWA since the shell command to recreate it did not work.  The MS techie was successful eventually, but I am led to believe that he did have a particularly hair-raising time getting there, with one or two moments of panic.  They will send us the completely documented solution when they have sorted out one or two other things, and I will try to pick out the relevant bits and post back.
Good to hear. It would be interesting to see "the relevant bits ".
Thanks for updating.
--Rob
ASKER CERTIFIED SOLUTION
kpturner

Thanks for posting kpturner, good information to have.
--Rob