From: Rich Matheisen [MVP] on
Christopher Blair <ChristopherBlair(a)discussions.microsoft.com> wrote:

>
>
>"Rich Matheisen [MVP]" wrote:
>
>> Christopher Blair <ChristopherBlair(a)discussions.microsoft.com> wrote:
>>
>> >> Any ISA servers in there? Is /Exchange published?
>> >
>> >/Exchange is not published yet. I am trying to get it all working internally
>> >before we make it available externally.
>>
>> Are the external and internal URLs on the Site 1 CAS the same? Are
>> the external and internal URLs on the Site 2 CAS the same?
>
>The external URL's on both sites are blank, the internal URL is configured
>to https://FQDN/owa

Okay. What authentication method are you using on the CAS /owa virtual
directory?

>> If the CAS server in both sites have their external URLs set to $null
>> then no redirection will take place -- the connection will be proxied.
>> Otherwise the CAS in Site 1 will try to redirect to the CAS in Site 2,
>> but the URL may not be resolvable (you haven't given much in the way
>> of details about this).

>The servers are not currently accessible from the outside. I am just trying
>to get things configured on the inside before i add that wrench into the mix.

No problem.

>> >> >If i use the /owa rather than /exchange it seems to work
>> >> >fine, but the problem is i can only publish one site for all my users
>> >> >(/exchange) until all the 2003 servers are gone.
>> >>
>> >> Using /owa for an Exchange 2003 mailbox should switch the URL to use
>> >> /Exchange.
>> >
>> >If that is the case, then i have more issues than i thought. It was my
>> >understanding that if you went to the /exchange site it would work for 2003
>> >or 2007, but if you go to the /owa site, it will only work for 2007.
>>
>> Oops. You're right. I had that backwards.
>>
>> But by "published" I was asking about the ISA server. The CAS server
>> should accept both /owa and /exchange. If you're only working inside
>> your LAN then the only problem I can see is that you're resolving the
>> domain to the external address of the ISA server and that may not be
>> accessible to everyone on the secure LAN -- or, if it is, that you
>> haven't published /Exchange on the ISA server.
>
>We do have an ISA server but it is not doing anything with OWA.

Really? Not even for Exchange 2003?

>> >> >For whatever reason when i go to the /exchange page and try to log into a
>> >> >2007 mailbox it isn't redirecting me to the owa site. As far as i can tell i
>> >> >have it configured properly, but i must be missing something.
>> >>
>> >> If your mailbox is on Exchange 2007 and you use the CAS in Site 1 you
>> >> should see a page that tells you to use the CAS in Site 2, not just
>> >> switched to the /owa virtual directory -- unless the CAS in Site 2 has
>> >> no external URL. In that case you'll be proxied from Site 1 to Site 2
>> >> and not all of the OWA features will work.
>> >
>> >What features will not work?
>>
>> Well, document access, for one.
>>
>> >I have no external urls yet.
>>
>> Don't confuse the external and internal URLs specified in the CAS
>> configuration with the external and internal IP addresses. If the
>> internal and external URLs on each CAS are the same, and you're using
>> a split DNS, you'll hit the correct IP address (the internal one) even
>> if you refer to the "external" URL from within your LAN. The external
>> DNS will refer to the ISA external IP address where you've published
>> the Exchange services.
>
>Neither server currently has an external IP.

Nor does it need one. You'll expose the URL in ISA. Your CAS remains
on the secure LAN.

>> >It should still
>> >let me into the mailbox and that is the issue im having. I will hit the cas
>> >in site 1 and it wont proxy me to the cas in site 2.
>>
>> Nope. Not if the CAS in Site 2 has an external URL configured.
>> Proxying only works when the external URL is set to $null.
>>
>> >Just gives me a 403 -
>> >forbidden: Access denied... when using the /exchange.
>
>
>> And you're sure that the 403 isn't coming from the ISA server because
>> the /Exchange virtual directory isn't published on it?
>>
>
>Internal traffic is not routed thru our ISA server... i believe, i will
>check into this... though i dont see how that would explain why owa works but
>exchange wont for 2007 users.

It doesn't. I'm just working through the different pieces of software,
and the connections, you have.

In any case, the 403 should be recorded in the IIS log on the CAS
server. In addition to the 403 there's also a "sub status" that would
be helpful. There are many reasons for a 403 error and that extra
digit would help. E.g. 403.1 vs 403.4

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott(a)getronics.com
Or to these, either: mailto:h.pott(a)pinkroccade.com mailto:melvin.mcphucknuckle(a)getronics.com mailto:melvin.mcphucknuckle(a)pinkroccade.com
From: Christopher Blair on


"Rich Matheisen [MVP]" wrote:

> Christopher Blair <ChristopherBlair(a)discussions.microsoft.com> wrote:
>
> >
> >
> >"Rich Matheisen [MVP]" wrote:
> >
> >> Christopher Blair <ChristopherBlair(a)discussions.microsoft.com> wrote:
> >>
> >> >> Any ISA servers in there? Is /Exchange published?
> >> >
> >> >/Exchange is not published yet. I am trying to get it all working internally
> >> >before we make it available externally.
> >>
> >> Are the external and internal URLs on the Site 1 CAS the same? Are
> >> the external and internal URLs on the Site 2 CAS the same?
> >
> >The external URL's on both sites are blank, the internal URL is configured
> >to https://FQDN/owa
>
> Okay. What authentication method are you using on the CAS /owa virtual
> directory?
>

Forms for the server in site 1, Windows authentication in site 2.

> >> If the CAS server in both sites have their external URLs set to $null
> >> then no redirection will take place -- the connection will be proxied.
> >> Otherwise the CAS in Site 1 will try to redirect to the CAS in Site 2,
> >> but the URL may not be resolvable (you haven't given much in the way
> >> of details about this).
>
> >The servers are not currently accessible from the outside. I am just trying
> >to get things configured on the inside before i add that wrench into the mix.
>
> No problem.
>
> >> >> >If i use the /owa rather than /exchange it seems to work
> >> >> >fine, but the problem is i can only publish one site for all my users
> >> >> >(/exchange) until all the 2003 servers are gone.
> >> >>
> >> >> Using /owa for an Exchange 2003 mailbox should switch the URL to use
> >> >> /Exchange.
> >> >
> >> >If that is the case, then i have more issues than i thought. It was my
> >> >understanding that if you went to the /exchange site it would work for 2003
> >> >or 2007, but if you go to the /owa site, it will only work for 2007.
> >>
> >> Oops. You're right. I had that backwards.
> >>
> >> But by "published" I was asking about the ISA server. The CAS server
> >> should accept both /owa and /exchange. If you're only working inside
> >> your LAN then the only problem I can see is that you're resolving the
> >> domain to the external address of the ISA server and that may not be
> >> accessible to everyone on the secure LAN -- or, if it is, that you
> >> haven't published /Exchange on the ISA server.
> >
> >We do have an ISA server but it is not doing anything with OWA.
>
> Really? Not even for Exchange 2003?

Correct.

> >> >> >For whatever reason when i go to the /exchange page and try to log into a
> >> >> >2007 mailbox it isn't redirecting me to the owa site. As far as i can tell i
> >> >> >have it configured properly, but i must be missing something.
> >> >>
> >> >> If your mailbox is on Exchange 2007 and you use the CAS in Site 1 you
> >> >> should see a page that tells you to use the CAS in Site 2, not just
> >> >> switched to the /owa virtual directory -- unless the CAS in Site 2 has
> >> >> no external URL. In that case you'll be proxied from Site 1 to Site 2
> >> >> and not all of the OWA features will work.
> >> >
> >> >What features will not work?
> >>
> >> Well, document access, for one.
> >>
> >> >I have no external urls yet.
> >>
> >> Don't confuse the external and internal URLs specified in the CAS
> >> configuration with the external and internal IP addresses. If the
> >> internal and external URLs on each CAS are the same, and you're using
> >> a split DNS, you'll hit the correct IP address (the internal one) even
> >> if you refer to the "external" URL from within your LAN. The external
> >> DNS will refer to the ISA external IP address where you've published
> >> the Exchange services.
> >
> >Neither server currently has an external IP.
>
> Nor does it need one. You'll expose the URL in ISA. Your CAS remains
> on the secure LAN.
>
> >> >It should still
> >> >let me into the mailbox and that is the issue im having. I will hit the cas
> >> >in site 1 and it wont proxy me to the cas in site 2.
> >>
> >> Nope. Not if the CAS in Site 2 has an external URL configured.
> >> Proxying only works when the external URL is set to $null.
> >>
> >> >Just gives me a 403 -
> >> >forbidden: Access denied... when using the /exchange.
> >
> >
> >> And you're sure that the 403 isn't coming from the ISA server because
> >> the /Exchange virtual directory isn't published on it?
> >>
> >
> >Internal traffic is not routed thru our ISA server... i believe, i will
> >check into this... though i dont see how that would explain why owa works but
> >exchange wont for 2007 users.
>
> It doesn't. I'm just working through the different pieces of software,
> and the connections, you have.
>
> In any case, the 403 should be recorded in the IIS log on the CAS
> server. In addition to the 403 there's also a "sub status" that would
> be helpful. There are many reasons for a 403 error and that extra
> digit would help. E.g. 403.1 vs 403.4

It's just a nice big 403 error. I can email you a screen shot if you like. I
have gone thru the IIS logs on both CAS servers and I can't find my 403 error
in the logs. Not sure if I'm not looking close enough but I would think it
would stand out since there is almost no traffic to either of these servers
yet. I could also attach the IIS logs if you would like.

From: Rich Matheisen [MVP] on
Christopher Blair <ChristopherBlair(a)discussions.microsoft.com> wrote:

[ snip ]

>> >The external URL's on both sites are blank, the internal URL is configured
>> >to https://FQDN/owa
>>
>> Okay. What authentication method are you using on the CAS /owa virtual
>> directory?
>>
>
>Forms for the server in site 1, Windows authentication in site 2.

Start by setting them both to "Basic".

[ snip ]

>> >We do have an ISA server but it is not doing anything with OWA.
>>
>> Really? Not even for Exchange 2003?
>
>Correct.

You should use ISA to publish those CAS servers.

[ snip ]

>> In any case, the 403 should be recorded in the IIS log on the CAS
>> server. In addition to the 403 there's also a "sub status" that would
>> be helpful. There are many reasons for a 403 error and that extra
>> digit would help. E.g. 403.1 vs 403.4
>
>It's just a nice big 403 error. I can email you a screen shot if you like. I
>have gone thru the IIS logs on both CAS servers and I can't find my 403 error
>in the logs. Not sure if I'm not looking close enough but I would think it
>would stand out since there is almost no traffic to either of these servers
>yet. I could also attach the IIS logs if you would like.

I could understand the way it's acting if you were connecting to the
ISA server. That's how ISA will report an attempt to connect to a
virtual directory when it can't match an authentication method. But if
you're connecting directly to the CAS there should be something in the
IIS log.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott(a)getronics.com
Or to these, either: mailto:h.pott(a)pinkroccade.com mailto:melvin.mcphucknuckle(a)getronics.com mailto:melvin.mcphucknuckle(a)pinkroccade.com
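
The IIS log check discussed in the thread, as an added example that is not part of the original posts: a PowerShell function that reads W3C extended log lines using the `#Fields:` header and reports each 403 together with its sub-status. The sample log lines, addresses, user names and the function name `Find-IisStatus` are constructed for illustration, and the log path in the last comment is an assumption.

```powershell
# Constructed sample of an IIS W3C extended log (not taken from the thread).
# The #Fields line defines the column order for the lines that follow it.
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-01-15 14:02:10
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus sc-win32-status
2008-01-15 14:02:10 10.0.1.20 GET /owa/ - 443 EXAMPLE\user1 10.0.1.55 200 0 0
2008-01-15 14:02:31 10.0.1.20 GET /exchange/ - 80 - 10.0.1.55 403 4 5
2008-01-15 14:03:02 10.0.1.20 GET /exchange/user2/ - 443 EXAMPLE\user2 10.0.1.55 403 0 0
#Fields: date time cs-method cs-uri-stem sc-status
2008-01-15 14:05:44 GET /exchange/ 403
'@

function Find-IisStatus {
    param(
        [string[]]$Line,      # raw log lines
        [int]$Status = 403    # HTTP status to look for
    )
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # The column layout can change mid-file, so re-read it every time.
            $fields = ($l -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if ($l -like '#*' -or -not $l.Trim()) { continue }   # other directives, blanks
        $values = $l.Trim() -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        if ($row['sc-status'] -ne "$Status") { continue }
        # '?' marks entries written while sc-substatus was not being logged.
        $sub = if ($row.ContainsKey('sc-substatus')) { $row['sc-substatus'] } else { '?' }
        [pscustomobject]@{
            TimeUtc = "$($row['date']) $($row['time'])"
            Uri     = $row['cs-uri-stem']
            User    = $row['cs-username']
            Client  = $row['c-ip']
            Code    = "$Status.$sub"
            Win32   = $row['sc-win32-status']
        }
    }
}

Find-IisStatus -Line ($sampleLog -split "`r?`n") | Format-Table -AutoSize
# Against real files (path is an assumption; check the site's logging settings):
# Find-IisStatus -Line (Get-Content C:\WINDOWS\system32\LogFiles\W3SVC1\*.log)
```

W3C log timestamps are written in UTC by default, so search the window that corresponds to the request time in UTC rather than local time. A `Code` of `403.?` means the sub-status field was not selected in the site's logging properties when that entry was written.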