From: Christopher Blair on
I have two sites.

Site 1: Exchange 2003 server and Exchange 2007 CAS only

Site 2: Exchange 2003 and Exchange 2007 MAIL, CAS, HUB

The issue I'm having is when I use the Exchange 2007 server from site 1 (with
the /exchange page rather than /owa page) I get the error 403 - Forbidden:
Access is denied. If I use the /owa rather than /exchange it seems to work
fine, but the problem is I can only publish one site for all my users
(/exchange) until all the 2003 servers are gone.

For whatever reason when I go to the /exchange page and try to log into a
2007 mailbox it isn't redirecting me to the owa site. As far as I can tell I
have it configured properly, but I must be missing something.

Any ideas?
From: Rich Matheisen [MVP] on
Christopher Blair <ChristopherBlair(a)discussions.microsoft.com> wrote:

>I have two sites.

Two AD sites -- right? Strictly speaking, Exchange 2007 is a "site" in
the Exchange 5.5 sense of the word, and it's an Administrative Group,
too. So, if you have two Exchange 2003 Administrative Groups and
Exchange 2007, you really have three Administrative Groups. But
Exchange 2007 uses AD sites to figure things out.

>Site 1: Exchange 2003 server and Exchange 2007 CAS only
>
>Site 2: Exchange 2003 and Exchange 2007 MAIL, CAS, HUB
>
>The issue I'm having is when I use the Exchange 2007 server from site 1 (with
>the /exchange page rather than /owa page) I get the error 403 - Forbidden:
>Access is denied.

Any ISA servers in there? Is /Exchange published?

>If I use the /owa rather than /exchange it seems to work
>fine, but the problem is I can only publish one site for all my users
>(/exchange) until all the 2003 servers are gone.

Using /owa for an Exchange 2003 mailbox should switch the URL to use
/Exchange.

>For whatever reason when I go to the /exchange page and try to log into a
>2007 mailbox it isn't redirecting me to the owa site. As far as I can tell I
>have it configured properly, but I must be missing something.

If your mailbox is on Exchange 2007 and you use the CAS in Site 1 you
should see a page that tells you to use the CAS in Site 2, not just
switched to the /owa virtual directory -- unless the CAS in Site 2 has
no external URL. In that case you'll be proxied from Site 1 to Site 2
and not all of the OWA features will work.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott(a)getronics.com
Or to these, either: mailto:h.pott(a)pinkroccade.com mailto:melvin.mcphucknuckle(a)getronics.com mailto:melvin.mcphucknuckle(a)pinkroccade.com
From: Christopher Blair on


"Rich Matheisen [MVP]" wrote:

> Christopher Blair <ChristopherBlair(a)discussions.microsoft.com> wrote:
>
> >I have two sites.
>
> Two AD sites -- right? Strictly speaking, Exchange 2007 is a "site" in
> the Exchange 5.5 sense of the word, and it's an Administrative Group,
> too. So, if you have two Exchange 2003 Administrative Groups and
> Exchange 2007, you really have three Administrative Groups. But
> Exchange 2007 uses AD sites to figure things out.

Two AD sites is correct.

> >Site 1: Exchange 2003 server and Exchange 2007 CAS only
> >
> >Site 2: Exchange 2003 and Exchange 2007 MAIL, CAS, HUB
> >
> >The issue I'm having is when I use the Exchange 2007 server from site 1 (with
> >the /exchange page rather than /owa page) I get the error 403 - Forbidden:
> >Access is denied.
>
> Any ISA servers in there? Is /Exchange published?

/Exchange is not published yet. I am trying to get it all working internally
before we make it available externally.

> >If I use the /owa rather than /exchange it seems to work
> >fine, but the problem is I can only publish one site for all my users
> >(/exchange) until all the 2003 servers are gone.
>
> Using /owa for an Exchange 2003 mailbox should switch the URL to use
> /Exchange.

If that is the case, then I have more issues than I thought. It was my
understanding that if you went to the /exchange site it would work for 2003
or 2007, but if you go to the /owa site, it will only work for 2007.

> >For whatever reason when I go to the /exchange page and try to log into a
> >2007 mailbox it isn't redirecting me to the owa site. As far as I can tell I
> >have it configured properly, but I must be missing something.
>
> If your mailbox is on Exchange 2007 and you use the CAS in Site 1 you
> should see a page that tells you to use the CAS in Site 2, not just
> switched to the /owa virtual directory -- unless the CAS in Site 2 has
> no external URL. In that case you'll be proxied from Site 1 to Site 2
> and not all of the OWA features will work.

What features will not work? I have no external URLs yet. It should still
let me into the mailbox and that is the issue I'm having. I will hit the CAS
in site 1 and it won't proxy me to the CAS in site 2. Just gives me a 403 -
forbidden: Access denied... when using the /exchange. As I typed earlier
using /owa works... but I can only have one external URL for the users so it
will have to be the /exchange site that they will use.

From: Rich Matheisen [MVP] on
Christopher Blair <ChristopherBlair(a)discussions.microsoft.com> wrote:

>> Any ISA servers in there? Is /Exchange published?
>
>/Exchange is not published yet. I am trying to get it all working internally
>before we make it available externally.

Are the external and internal URLs on the Site 1 CAS the same? Are
the external and internal URLs on the Site 2 CAS the same?

If the CAS servers in both sites have their external URLs set to $null
then no redirection will take place -- the connection will be proxied.
Otherwise the CAS in Site 1 will try to redirect to the CAS in Site 2,
but the URL may not be resolvable (you haven't given much in the way
of details about this).

>> >If I use the /owa rather than /exchange it seems to work
>> >fine, but the problem is I can only publish one site for all my users
>> >(/exchange) until all the 2003 servers are gone.
>>
>> Using /owa for an Exchange 2003 mailbox should switch the URL to use
>> /Exchange.
>
>If that is the case, then I have more issues than I thought. It was my
>understanding that if you went to the /exchange site it would work for 2003
>or 2007, but if you go to the /owa site, it will only work for 2007.

Oops. You're right. I had that backwards.

But by "published" I was asking about the ISA server. The CAS server
should accept both /owa and /exchange. If you're only working inside
your LAN then the only problem I can see is that you're resolving the
domain to the external address of the ISA server and that may not be
accessible to everyone on the secure LAN -- or, if it is, that you
haven't published /Exchange on the ISA server.


>> >For whatever reason when I go to the /exchange page and try to log into a
>> >2007 mailbox it isn't redirecting me to the owa site. As far as I can tell I
>> >have it configured properly, but I must be missing something.
>>
>> If your mailbox is on Exchange 2007 and you use the CAS in Site 1 you
>> should see a page that tells you to use the CAS in Site 2, not just
>> switched to the /owa virtual directory -- unless the CAS in Site 2 has
>> no external URL. In that case you'll be proxied from Site 1 to Site 2
>> and not all of the OWA features will work.
>
>What features will not work?

Well, document access, for one.

>I have no external URLs yet.

Don't confuse the external and internal URLs specified in the CAS
configuration with the external and internal IP addresses. If the
internal and external URLs on each CAS are the same, and you're using
a split DNS, you'll hit the correct IP address (the internal one) even
if you refer to the "external" URL from within your LAN. The external
DNS will refer to the ISA external IP address where you've published
the Exchange services.

>It should still
>let me into the mailbox and that is the issue I'm having. I will hit the CAS
>in site 1 and it won't proxy me to the CAS in site 2.

Nope. Not if the CAS in Site 2 has an external URL configured.
Proxying only works when the external URL is set to $null.

>Just gives me a 403 -
>forbidden: Access denied... when using the /exchange.

And you're sure that the 403 isn't coming from the ISA server because
the /Exchange virtual directory isn't published on it?

>As I typed earlier
>using /owa works... but I can only have one external URL for the users so it
>will have to be the /exchange site that they will use.

You can publish both in ISA, in two separate rules. Put the one for
the E2K7 /Exchange ahead of the one for Exchange 2003. Then, instead
of letting "Authenticated Users" use the rule, assign a group to the
rule. Populate the group with the E2K7 users. Your Exchange 2003 users
won't be in the group so they'll fall through to the Exchange 2003
/Exchange rule, and that one will let authenticated users use it.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott(a)getronics.com
Or to these, either: mailto:h.pott(a)pinkroccade.com mailto:melvin.mcphucknuckle(a)getronics.com mailto:melvin.mcphucknuckle(a)pinkroccade.com
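
A way to check the URL settings discussed above on each CAS, as an added example that is not part of the original posts. It is meant for the Exchange Management Shell; the server names are placeholders, and the proxy/redirect label only restates the rule given in the thread (external URL `$null` means proxy, anything else means redirect).

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# 'CAS-SITE1' and 'CAS-SITE2' are placeholder server names (assumptions).
$casServers = 'CAS-SITE1', 'CAS-SITE2'

function Get-OwaCrossSiteBehavior {
    param([string[]]$Server)

    foreach ($name in $Server) {
        # Lists every OWA virtual directory on the CAS, including the
        # legacy /Exchange one as well as /owa.
        Get-OwaVirtualDirectory -Server $name |
            Select-Object Server, Name, InternalUrl, ExternalUrl,
                @{ Name = 'CrossSiteBehavior'; Expression = {
                    # Rule as stated in the thread: proxying only happens when
                    # the target CAS has ExternalUrl set to $null; otherwise
                    # the first CAS tries to redirect to that URL.
                    if ($null -eq $_.ExternalUrl) {
                        'proxy (ExternalUrl is $null)'
                    }
                    else {
                        'redirect to ' + $_.ExternalUrl
                    }
                } }
    }
}

# One row per virtual directory, so /owa and /Exchange on the two sites
# can be compared side by side.
Get-OwaCrossSiteBehavior -Server $casServers |
    Format-Table Server, Name, InternalUrl, CrossSiteBehavior -AutoSize

# To clear an external URL so that the CAS is proxied to rather than
# redirected to (virtual directory identity shown is a placeholder):
# Set-OwaVirtualDirectory -Identity 'CAS-SITE2\owa (Default Web Site)' -ExternalUrl $null
```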
From: Christopher Blair on


"Rich Matheisen [MVP]" wrote:

> Christopher Blair <ChristopherBlair(a)discussions.microsoft.com> wrote:
>
> >> Any ISA servers in there? Is /Exchange published?
> >
> >/Exchange is not published yet. I am trying to get it all working internally
> >before we make it available externally.
>
> Are the external and internal URLs on the Site 1 CAS the same? Are
> the external and internal URLs on the Site 2 CAS the same?

The external URLs on both sites are blank, the internal URL is configured
to https://FQDN/owa

> If the CAS servers in both sites have their external URLs set to $null
> then no redirection will take place -- the connection will be proxied.
> Otherwise the CAS in Site 1 will try to redirect to the CAS in Site 2,
> but the URL may not be resolvable (you haven't given much in the way
> of details about this).
>

The servers are not currently accessible from the outside. I am just trying
to get things configured on the inside before I add that wrench into the mix.

> >> >If I use the /owa rather than /exchange it seems to work
> >> >fine, but the problem is I can only publish one site for all my users
> >> >(/exchange) until all the 2003 servers are gone.
> >>
> >> Using /owa for an Exchange 2003 mailbox should switch the URL to use
> >> /Exchange.
> >
> >If that is the case, then I have more issues than I thought. It was my
> >understanding that if you went to the /exchange site it would work for 2003
> >or 2007, but if you go to the /owa site, it will only work for 2007.
>
> Oops. You're right. I had that backwards.
>
> But by "published" I was asking about the ISA server. The CAS server
> should accept both /owa and /exchange. If you're only working inside
> your LAN then the only problem I can see is that you're resolving the
> domain to the external address of the ISA server and that may not be
> accessible to everyone on the secure LAN -- or, if it is, that you
> haven't published /Exchange on the ISA server.

We do have an ISA server but it is not doing anything with OWA.

> >> >For whatever reason when I go to the /exchange page and try to log into a
> >> >2007 mailbox it isn't redirecting me to the owa site. As far as I can tell I
> >> >have it configured properly, but I must be missing something.
> >>
> >> If your mailbox is on Exchange 2007 and you use the CAS in Site 1 you
> >> should see a page that tells you to use the CAS in Site 2, not just
> >> switched to the /owa virtual directory -- unless the CAS in Site 2 has
> >> no external URL. In that case you'll be proxied from Site 1 to Site 2
> >> and not all of the OWA features will work.
> >
> >What features will not work?
>
> Well, document access, for one.
>
> >I have no external URLs yet.
>
> Don't confuse the external and internal URLs specified in the CAS
> configuration with the external and internal IP addresses. If the
> internal and external URLs on each CAS are the same, and you're using
> a split DNS, you'll hit the correct IP address (the internal one) even
> if you refer to the "external" URL from within your LAN. The external
> DNS will refer to the ISA external IP address where you've published
> the Exchange services.

Neither server currently has an external IP.

> >It should still
> >let me into the mailbox and that is the issue I'm having. I will hit the CAS
> >in site 1 and it won't proxy me to the CAS in site 2.
>
> Nope. Not if the CAS in Site 2 has an external URL configured.
> Proxying only works when the external URL is set to $null.
>
> >Just gives me a 403 -
> >forbidden: Access denied... when using the /exchange.


> And you're sure that the 403 isn't coming from the ISA server because
> the /Exchange virtual directory isn't published on it?
>

Internal traffic is not routed through our ISA server... I believe, I will
check into this... though I don't see how that would explain why owa works but
exchange won't for 2007 users.


> >As I typed earlier
> >using /owa works... but I can only have one external URL for the users so it
> >will have to be the /exchange site that they will use.
>
> You can publish both in ISA, in two separate rules. Put the one for
> the E2K7 /Exchange ahead of the one for Exchange 2003. Then, instead
> of letting "Authenticated Users" use the rule, assign a group to the
> rule. Populate the group with the E2K7 users. Your Exchange 2003 users
> won't be in the group so they'll fall through to the Exchange 2003
> /Exchange rule, and that one will let authenticated users use it.
>

Hmmm... that is something to consider.
