
No OWA access if mailbox uses different CAs from published CAS


Paulo Mesquita

Apr 8, 2008, 6:05:01 AM
Hello,

I have a client that has 2 sites. In one site an ISA server publishes that site's
OWA to the world; the certificates are from an internal CA (Enterprise Root
CA); in this site there is only one server with all roles (CAS, HUB and
Mailbox).

In the other site we have 2 servers, one Mailbox and another CAS+HUB, using
internal certificates from the same internal CA.

If I access any one of these servers using the internal OWA URL, everything
works for the mailboxes in the same site; if the mailbox is in the other site
then we get an error.

The same error happens when we try to access a mailbox that is on the second
site from the internet, but if we try to access a mailbox that is on the
same site as the published CAS everything works.

The error is like this:

///error begin///

Outlook Web Access is not currently available for the user mailbox that you
are trying to access. If the problem continues, contact technical support for
your organization and tell them the following: Outlook Web Access could not
establish a Secure Sockets Layer (SSL) connection to the Microsoft Exchange
Client Access server that should be used to access the mailbox.

Copy error details to clipboard
Show details

Request
Url: https://xxxxxxx:443/owa/ev.owa?oeh=1&ns=HttpProxy&ev=ProxyRequest
User host address: xx.xx.xx.xx
User: xxxxxxx
EX Address: /o=xxxxx/ou=Exchange Administrative Group
(FYDIBOHF23SPDLT)/cn=Recipients/cn=xxxxxxx
SMTP Address: xx...@xxxxxx.xx
OWA version: 8.1.263.0
Second CAS for proxy: https://xxxxxxxxx/owa

Exception
Exception type: Microsoft.Exchange.Clients.Owa.Core.OwaProxyException
Exception message: The CAS server is most likely not configured for SSL (it
returned a 403)

Call stack

No callstack available

///error end///


I think this is some problem with the certificates but I don't see where.

Thanks for your help.


Oliver Moazzezi [MVP]

Apr 8, 2008, 11:08:17 AM
Hi there,

From the error:

Second CAS for proxy: https://xxxxxxxxx/owa

If this is externally accessed then a user won't be able to get to the above
address.

Set an External Url on each CAS server so proxy redirecting will work
correctly.

This is configured using EMS or EMC. If using the EMC for example, expand
Server Configuration | Client Access | Each CAS Server you need to configure
| Right click OWA Virtual Directory | General Tab - from here populate the
External Url that each CAS server is sitting behind for each AD Site.

Then when a user connects to a CAS and the Mailbox is actually in another AD
Site, the CAS will redirect the user with the External Url set on a
selected CAS server in the correct Site.

You can also configure CAS' to proxy off each other, for example:

User accessing Mail > CAS in AD Site 1 > CAS in AD Site 2 > Mailbox in AD
Site 2

If you want to configure it to work this way let me know and I will follow
up the post.

Hope this helps,

Oliver


Paulo Mesquita

Apr 8, 2008, 11:58:00 AM
Hello Oliver,

One thing I don't understand: is it necessary to have an external URL configured
on every server? I've never seen that before... Don't interpret me wrongly,
but in every document and blog I've read no one says that. And now I'm
confused...

So we do have an ISA that publishes a CAS (this published CAS has an external
URL configured) and we need to access mailboxes in this site (that works) and
in another site (doesn't work). Do we need to configure and publish the CAS
from the 2nd site? Or just put an external URL that is not valid on the outside,
because the only URL that we are actually publishing is the ISA (1st site)
one?

And yes we do need to have CAS proxy working in both ways.

PAMF

Oliver Moazzezi [MVP]

Apr 8, 2008, 1:41:57 PM
It isn't necessary, no; it's only necessary if you want to redirect a user to
a new OWA URL if you have moved their mailbox, for example, to another Mailbox
Server in another AD Site.

The parameter to stop redirection and rather proxy to a CAS in another AD
site is: RedirecttoOptimalOwaServer

More info on RedirecttoOptimalOwaServer, Internal url and External url
parameters:

http://technet.microsoft.com/en-us/library/bb123515(EXCHG.80).aspx


More info on CAS-CAS proxying and understanding redirection here:

http://technet.microsoft.com/en-us/library/bb310763.aspx

Oliver


fouad.o...@gmail.com

Feb 13, 2013, 5:13:10 PM
If anyone gets this issue, you need to create a DWORD named AllowProxyingWithoutSSL to dismiss the SSL access when OWA Proxying is used.

You need to create this DWORD in this registry key: HKLM/SYSTEM/CurrentControlSet/MSExchangeOWA/