I've been searching high and low for an answer to my question. I'm testing Exchange 2007 in the lab (better late than never), and I've got a copy of our production networks. As far as OWA goes...here's how it works.

AD Site - Colocation (Site 1)
- 2003 SP2 FE (to be decommissioned by using CAS1; currently, this handles all OWA and mobile devices, which all point simply to https://owa.domain.com)
- 2007 CAS/HT (CAS1)

AD Site - Corporate Offices (Site 2)
- 2003 SP2 BE
- MB1 - 2007 SP2 UR4; CAS, MB, and HT roles installed
- MB2 - 2007 SP2 UR4; CAS, MB roles installed

Note: the CAS role will be configured with NLB, but this is not yet implemented. All Exchange 2007 servers are running Windows 2008 SP2; all updates. All 2003 Exchange servers are running Windows 2003 R2 SP2; all updates.
I have gone through simplifying the OWA login process on CAS1 in Site 1. When users hit "owa.domain.com", they are redirected to https://cas1.domain.com/exchange. My legacy 2003 mailbox users can log in and are brought to their 2003 BE OWA experience successfully.
I created a test user on the 2007 Exchange server MB1. When they go to owa.domain.com, they log in and get a 403 Forbidden error. If I go to owa.domain.com/owa, they get the error that says, "Outlook Web Access is not available. If the problem continues, contact technical support for your organization and tell them the following: There is no Microsoft Exchange Client Access server that has the necessary configuration in the Active Directory site where the mailbox is stored." I get the same error if I disable SSL on MB1. (I've read a few posts where people disabled SSL, recreated virtual directories, etc., etc.)
I don't think CAS-CAS proxying is occurring. The event log doesn't have any errors. I've tried enabling Windows Authentication on MB1 owa virtual directory in addition to the default basic authentication...to no avail.
My SSL, authentication, and other settings are at their defaults on MB1 and MB2. The only things different out of the box are my redirection to /exchange on CAS1, and SSL disabled at the Default Web Site level only (SSL enabled on all virtual directories).
I've read that if both 2007 and 2003 legacy users go to /exchange, they should be moved to the appropriate /owa or legacy backend. I wish this were happening.
I've been searching for answers all week and haven't found much. ANY assistance or hints for this Exchange 07 newbie would be so greatly appreciated! I'm sure the answer is out there, but I haven't been able to find it.
Thanks so much in advance!
*edit* includes more system details, OS, and current OWA 2003FE usage.
< Message edited by Ytsejamer1 -- 3.Jun.2010 3:37:51 PM >
Are both these sites considered Internet-facing sites, or is Site1 the only Internet-facing site? Also, can you run "Get-OwaVirtualDirectory -Server CASServerName | FL" on each of the CAS servers? Check to see if the ExternalURL is populated. This should only be populated on the CAS server in the Internet-facing site.
Only "Site 1" is internet facing. Currently, there are no external urls configured on CAS1 or MB1 (there shouldn't be on MB1/MB2/etc).
CAS role is installed there for my outlook clients in Corporate Site (Site 2)...but all OWA.domain.com requests will forward to the internet facing CAS1.
*edit* I now have the Internet-facing CAS ExternalURL populated, but I'm still receiving the same 403 error message.
I think I have read over that link a few times...it's somewhat confusing, because the CAS will check whether the internal Corp CAS has the InternalURL set, then it will check the ExternalURL property, which is null on the internal Corp CAS...so it should proxy just fine.
I'm starting to wonder if my NLB cluster that is active which includes MB1 and MB2 is interfering with CAS resolution from Public Site to Corp Site. All port ranges are disabled for that NLB resource, so everything SHOULD be functioning as normal. I even stopped the NLB, but the same errors persist.
< Message edited by Ytsejamer1 -- 4.Jun.2010 10:02:57 AM >
I am one step closer... I had to enable Windows Integrated Authentication on BOTH MB1 and MB2 CAS/MB server owa vdirs... At that point I was able to hit owa.domain.com/owa and proxy correctly to the AD Site with the mailbox.
Unfortunately, logging into owa.domain.com/exchange still does not properly proxy to the 2007 MB1 server where the 2007 user mailbox resides. I need to utilize /exchange so that my legacy mailbox users continue to get their OWA. From all documentation, /exchange should proxy fine to both 2003 and 2007. What I'm seeing is only one of the two...2003.
I did read about setting windows authentication on 2003 Backends vdirs via 2003 ESM, but being that they are able to access OWA successfully I'm not sure I really need to do anything further.
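As an added example (this is not code from the thread or from Microsoft), here is an Exchange Management Shell script that does the check suggested earlier (ExternalUrl populated only on the Internet-facing CAS) and applies the fix that worked above (Integrated Windows authentication on the /owa vdir of the CAS in the site that holds the mailbox). Assumptions: the Internet-facing AD site is named "Site1", the -Fix switch and the report layout are mine, and when it turns on Windows authentication it also turns off forms-based authentication on that vdir, since a 2007 /owa vdir uses either forms-based or standard authentication, not both. It never touches the RequireSSL setting of any vdir.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# (Exchange 2007) with Exchange Organization Administrator rights.
# Assumption: the Internet-facing AD site is named "Site1"; change as needed.
param(
    [string]$InternetFacingSite = "Site1",
    [switch]$Fix    # without -Fix the script only reports and changes nothing
)

# Every server holding the Client Access role, with the AD site it sits in.
$casServers = Get-ExchangeServer | Where-Object { $_.ServerRole -match "ClientAccess" }

foreach ($srv in $casServers) {
    $site = "(unknown)"
    if ($srv.Site) { $site = $srv.Site.Name }
    $internetFacing = ($site -eq $InternetFacingSite)
    Write-Host ""
    Write-Host ("== {0}  site={1}  internet-facing={2}" -f $srv.Name, $site, $internetFacing)

    # Get-OwaVirtualDirectory returns /owa (OwaVersion Exchange2007) as well as
    # the legacy /exchange, /public and /exchweb vdirs (OwaVersion Exchange2003or2000).
    foreach ($vd in (Get-OwaVirtualDirectory -Server $srv.Name)) {
        $is2007Owa = ($vd.OwaVersion -eq "Exchange2007")
        $problems = @()

        # Check from the reply above: ExternalUrl belongs only on the Internet-facing
        # CAS. A populated ExternalUrl in the other site makes the Internet-facing
        # CAS redirect the browser there instead of proxying the request itself.
        if (-not $internetFacing -and $vd.ExternalUrl) {
            $problems += "ExternalUrl is set on a non-Internet-facing CAS"
            if ($Fix) {
                Set-OwaVirtualDirectory -Identity $vd.Identity -ExternalUrl $null
                $problems += "cleared ExternalUrl"
            }
        }
        if ($internetFacing -and $is2007Owa -and -not $vd.ExternalUrl) {
            $problems += "ExternalUrl is empty on the Internet-facing /owa"
        }

        # Fix that worked above: CAS-to-CAS proxying needs Integrated Windows
        # authentication on the /owa vdir in the site that holds the mailbox.
        # Basic authentication is left as it is; forms-based auth stays on the
        # Internet-facing CAS only, where users actually log in.
        if (-not $internetFacing -and $is2007Owa -and -not $vd.WindowsAuthentication) {
            $problems += "WindowsAuthentication is off on the proxy target /owa"
            if ($Fix) {
                Set-OwaVirtualDirectory -Identity $vd.Identity -WindowsAuthentication $true -FormsAuthentication $false
                $problems += "enabled WindowsAuthentication (run 'iisreset /noforce' on $($srv.Name))"
            }
        }

        $status = "ok"
        if ($problems.Count -gt 0) { $status = [string]::Join("; ", $problems) }
        Write-Host ("  {0,-30} Basic={1} Windows={2} Forms={3} Ext={4} -> {5}" -f $vd.Name, $vd.BasicAuthentication, $vd.WindowsAuthentication, $vd.FormsAuthentication, $vd.ExternalUrl, $status)
    }
}
```

Run it once without -Fix to see which vdirs in which site deviate from the proxy rules, then with -Fix to apply the two changes; the legacy /exchange, /public and /exchweb vdirs are listed for reference but are deliberately not modified, because their authentication is still managed through IIS and the 2003 ESM rather than this cmdlet.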
I disabled SSL on the /exchange virtual directories on the MB/CAS servers in my non-public corporate site and every type of user is receiving their correct OWA experience.
What the heck...I can't believe there is no mention of this anywhere...I don't believe I've got an exotic Exchange organization configuration. In fact, Microsoft says: "Communications between Client Access servers in different sites occur over Secure HTTP (HTTPS)." If that's the case, why do I have to disable SSL on that vdir? (http://technet.microsoft.com/en-us/library/bb310763.aspx) (http://msexchangeteam.com/archive/2007/09/04/446918.aspx)