Configuring Access to OWA (Full Version)






dbuedenbender -> Configuring Access to OWA (11.May2004 2:06:00 PM)

Hi All,
I want to migrate our existing SBS2K server to Win2003 and Exchange 2003 on a new server.
The last problem I am working on is the access to OWA. We are a consulting company for SAP and have insurance companies as clients which all have different restrictions with their internet configurations.
These companies do not allow https connections and if they connect via http://servername/exchange the window where the mails should appear keeps displaying "loading".
Is there any possibility to enable forms based authentication for http connections so that users can choose if they need the basic or premium version?

Best regards,
Dirk Buedenbender




bbuerstinghaus -> RE: Configuring Access to OWA (11.May2004 2:20:00 PM)

Hi,

You can only choose form based authentication with https.

Hope this helps you.

best regards
Björn Bürstinghaus




dbuedenbender -> RE: Configuring Access to OWA (11.May2004 2:35:00 PM)

Thanks for your answer although this does not really help.
Is there a way to deactivate the premium mode or any other way to choose between premium and basic mode?

Rgs,
D. Buedenbender




Henrik Walther -> RE: Configuring Access to OWA (11.May2004 4:01:00 PM)

Dirk,

I can't see why these insurance companies shouldn't allow outbound 443/SSL traffic when they already allow HTTP/80, I mean SSL is secure because the traffic is encrypted, which isn't the case with HTTP.

I advise against running OWA without SSL enabled, as it's then just a matter of putting a network sniffer on your public IP address, then all data including usernames/passwords can be hijacked.

As Björn already informed you, it's not possible to use Forms-based authentication without implementing SSL.

If you insist on running OWA over a non-secure port (HTTP) then disable Forms-based authentication and remove the SSL certificate from the Default Web Site, then have the clients log in without using the new logon page (just like with Exchange 2000).




dbuedenbender -> RE: Configuring Access to OWA (12.May2004 7:57:00 AM)

Hi Henrik,
I think it is clear that HTTPS and forms based authentication should be the primary access to exchange.
Let's go a little bit more in detail about the situation for your understanding:
Our customer uses packet filtering and virus scanners for http-traffic. As they cannot scan https because it is encrypted, they maintain an internal whitelist for https.
That means: No Webdav, nearly no scripting (the right pane where messages should appear keeps displaying "loading") and no https. We have currently 7 consultants there and it took us 3 months of continuous bothering their security officer to get https access to our old mailserver.

So the best solution for us would be:
- form based authentication using https if possible
- basic mode and http if we have no other choice.

But how do we get the basic mode for http?

Any advice?

Rgs,
D. Buedenbender

[ July 27, 2004, 04:57 PM: Message edited by: Dirk Buedenbender ]




Henrik Walther -> RE: Configuring Access to OWA (12.May2004 10:50:00 AM)

Alright I understand the problem.

In order to use HTTP to access OWA, disable Forms-based authentication (done via Protocols > HTTP in ESM), then remove the SSL certificate from the Default Web Site.

Why do you want to force the clients to use basic mode? Premium mode also works with HTTP.




dbuedenbender -> RE: Configuring Access to OWA (12.May2004 11:11:00 AM)

The problem is that the premium mode does not always work due to disabled WebDAV and scripting.
We already did the same for OWA 2000.

Rgs,
D. Buedenbender




Henrik Walther -> RE: Configuring Access to OWA (12.May2004 12:52:00 PM)

To force all users to use the basic client, you can add the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA registry subkey on the Exchange server. Set the value of the ForceClientsDownLevel subkey (of type REG_DWORD) to 1 to enable this feature (a value of 0 disables the feature). In a front-end/back-end configuration, set this key on the back-end server, which generates the HTML coding and passes it to the front-end server, which then sends the HTML coding to the client.
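
The registry change described in the post above, as an added PowerShell example that is not part of the original thread. The key path and value name are the ones given in the post; the function name Set-OwaClientDownLevel is hypothetical, and the example assumes PowerShell is installed on the Exchange server and the session runs with administrative rights.

```powershell
# Added example, not from the thread. Key path and value name are taken from
# the post above; the function name is hypothetical.
function Set-OwaClientDownLevel {
    param(
        # $true forces the basic client (value 1), $false disables the feature (value 0)
        [bool]$Enable = $true
    )

    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA'
    $valueName = 'ForceClientsDownLevel'
    $data = 0
    if ($Enable) { $data = 1 }

    # The post says to add the OWA subkey, so create it when it is missing.
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }

    # -Force overwrites an existing value, so the function is safe to re-run.
    New-ItemProperty -Path $keyPath -Name $valueName `
        -PropertyType DWord -Value $data -Force | Out-Null

    # Read the value back so a failed write is not silently ignored.
    $actual = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
    if ($actual -ne $data) {
        throw "$valueName is $actual, expected $data"
    }
    "$valueName = $actual under $keyPath"
}

# In a front-end/back-end configuration, run this on the back-end server.
Set-OwaClientDownLevel -Enable $true
```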




paulbaldwin -> RE: Configuring Access to OWA (12.May2004 4:09:00 PM)

Hi Henrik,

I know you are right about ForceClientsDownLevel being on the backend, but doesn't the frontend do the HTML rendering, the backend just supplies the content? In which case this doesn't make sense.

Can you enlighten me?

Cheers

Paul

[update]
Never mind, I've already looked and the FE does no rendering (for OWA) and simply proxies requests. The BE does all the grind. I always thought the FEs did a little more work than that.

[ May 13, 2004, 12:22 PM: Message edited by: Paul Baldwin ]



