On Thu, Nov 07, 2002 at 06:57:36AM -0800, David Marshall wrote: > The biggest drawbacks to this solution were. > a. Every time you reboot/restart IIS on the System where OWA is installed, > your security settings will be reset adding "Windows Integrated Authentication" > back to the virtual directories.
Strange. We've already done that and it does last through reboots. > b. We had to add a virtual host for every OWA site on Apache that we needed to host. > In my environment we have 3 exchange servers and 2 routing groups. > This meant that as we changed our Exchange Topology, that we would have > to re-work the Apache front-end proxy. Ah. That sounds like you're doing this to backend servers - not an OWA frontend server - sorry for not mentioning that - we're using frontend servers - specifically to get around the issues of having multiple Exchange servers. > After reading the Microsoft Exchange Front-End/Backend documents > http://www.microsoft.com/downloads/release.asp?releaseid=43997 , We decided > to evaluate running a Front-End OWA server under SSL with HTTP disabled on a > separate system from the other Exchange Servers. In the final analysis, we > decided that this was the right answer for us. That's alright. I finally think I've figure it out! The problem was that our Apache reverse-proxy was called "proxy.domain", whereas our OWA2K was called "owa.domain". Whenever a client asked for "https://proxy.domain/exchange/..." that would pass through to owa.domain with a Host: header of "proxy.domain" (as you would expect). However there is a bug in either OWA or IE5+ that causes OWA2K to generate corrupt XML if the IIS server doesn't recognise the Host: header as being itself. So all we did was tell IIS that "proxy.domain" was a valid alias for itself, and magically OWA2K started working via the reverse-proxy :-) I feel like I've achieved something this week :-) -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]