OWA Vault v6sp4 implementation not working

Richard_Cheung · ‎11-20-2007

Hi all

I am trying to update my installations for OWA from v5 to v6.0sp4.

What I have been testing with is my backend exchange cluster, with a front end server, and a vault server, all running windows 2003 sp2 / exchange 2003 sp2.

In my testing, even if I connect directly to the backend server via OWA, I do see the vault icons / stubs, I do see the archive explorer or search archives buttons. I can click on a vaulted message and open it. When I do, along the top of the window it says

"The archived item is currently unavailable. If you choose reply or forward, only the content shown below will be included. click here to preview the original item"

If I try to 'click there' to see the original item, or if I try to click on archive explorer etc, I get an error

"The remote server returned an error: (403) forbidden"

This is the same for all users on this backend exchange cluster, where I have installed the EnterpriseVaultv6sp4OWA backend software.

I am thinking it is something to do with the communications between my backend exchange server and my vault server not configured properly in my EV OWA implementation, but am not certain why. Have followed the administrator's guide implementation instructions to the letter.

Normal MAPI clients working on this server are working fine.

Has anyone come across this?

MichelZ · ‎11-20-2007

Richard

Have you followed all steps in the Install Guide for OWA?
Like ProxyCfg, Backend Setup, Permissions and so on?

Cheers
Michel

cloudficient - EV Migration, creators of EVComplete.

Richard_Cheung · ‎11-20-2007

Yes, followed the instructions to the letter, checked at each step to confirm - eg ran proxycfg to confirm my backend mail server and vault server were listed etc

MichelZ · ‎11-20-2007

Richard

I'm sorry, I have no solution to this coming to my mind right now :(
What I know is that there were some enhancements in recent versions of Enterprise Vault.

As you might know, the current Version is 2007 SP1.
Would it be an option for you to just upgrade to the latest version?

Or just wait a day or two for the other techs to respond to you, maybe they got a blasting idea.

Cheers
Michel

cloudficient - EV Migration, creators of EVComplete.

PATRICK_Kitchen · ‎11-20-2007

I think I have read somewhere the Windows 2003 SP3 gives problems due to some thing (not sure what) that are switched off instead of on in SP2.

Will try and find the article.

PATRICK_Kitchen · ‎11-20-2007

Here is the article:-

The Scalable Networking pack is included in Win2k Service Pack 2 :-0

http://msexchangeteam.com/archive/2007/07/18/446400.aspx

MichelZ · ‎11-20-2007

Pat

Windows 2003 SP2 gives problems with the Management Console, yes.
But this has nothing to do with OWA.

Could you please read this forum post, maybe you can get something out of this:
https://forums.symantec.com/syment/board/message?board.id=106&thread.id=11385

For the Win2k3 SP2 Problem, read on here:
http://seer.entsupport.symantec.com/docs/288797.htm

Cheers
Michel

cloudficient - EV Migration, creators of EVComplete.

Richard_Cheung · ‎11-20-2007

Thank you all for the replies.

I will look over all the support notes, but nothing immediately jumps out to me.

Given that my backend has only recently (as in a month and a bit ago) upgraded to v6.0 sp4, is it a better option for me, in terms of resolving these issues, to go from v6.0 sp4 to v7, then v7 to v 2007 in the back end, and only then do I install the v2007 OWA extensions??

As far as I am aware, because I am on v6 sp4 software, I cant install any newer versions of OWA front end / back end extensions without causing issues.

Is this a case where I just need to advise the powers that be that instead of getting to each version completely then upgrading, to just do the backend quickly? is it possible to upgrade server from v6 sp4 straight to v 2007 (bypassing v7??)

it may be that this is one solution that i should follow anyway, seeing as we werent ever planning on staying on version 6 for long.... the end goal is we want the latest version at the server end, all working fully, with fully working OWA / RPC over HTTP functionalities as well.

inputs as to the best way to get to my end goal? call support about the issue? or just work on the backend upgrade as quick as possible?

Robert_Primozic · ‎11-21-2007

Do you have your Exchange IIS site on default web site (default installation) or do you have custom web sites?

Because there is a problem when virtual sites doees not reside on default web site...

Robert

jimbo2 · ‎11-21-2007

Richard,

You seem to be having two problems:

(1)

The 403.3 is a very reliable error message that IIS returns. Verity that you have added the cluster IP and all of the node IP in the IIS security restriction area for the vault server IIS site.

Once this is fixed and you can retrieve items check for the buttons. If the buttons do not exits then clear your IE cache.

(2)

If that does not work then check the compatibility chart for the version of Exchange and Hotfix that you are using for Exchange.

http://seer.entsupport.symantec.com/docs/276547.htm

If you keep your Exchange server up to date (to the day) with security fixes that modify the Exchange controls directory then you may be ahead of Symantec Exchange hotfixes. Anyway, check the chart and if you are not sure then open a case and explain the problem about the controls files. A TSE will compare your directory to that is compatible in the charts.

Jim Schreiner

Richard_Cheung · ‎11-21-2007

I was wondering about that - no I dont have it on the default web sites in IIS - the default web sites are 'disabled' and custom sites setup below.

what are the issues with that?

John_Chisari · ‎11-21-2007

Richard - what you are seeing in IIS on the Exchange cluster is normal - there shouldn't be any issues with it and EV

As Jimbo2 says, the forbidden 403 is coming from IIS on the EV server - will add some more specifically where to fix this.

Go into the properties of EVanon virtual directory on the EV server - Directory Security - IP addresses and domain name restrictions - make sure the IP addresses of the cluster and all physical nodes are in the Granted Access list.

Richard_Cheung · ‎11-25-2007

Thanks for that. the 403 IIS thing has been resolved on the server I was implementing it on - it turns out that the server was a cluster, but yea i had to put the IP of each physical node in the allow list on IIS on the vault server...

I have been trying to upgrade another one of my servers - just a single exchange server, now I get a 401 on that one!!! checked the obvious and confirmed it is allowed... just not having luck with this!!!

MichelZ · ‎11-25-2007

Richard.

401 = Unauthorized.
You have run the OWA Setup on the Exchange, have you?
There could be something wrong with the Anonymous account.
I'd suggest you just let the Setup run again.

Additionally, make sure that the proxy bypass list is correct (proxycfg)

Cheers
Michel

cloudficient - EV Migration, creators of EVComplete.

jimbo2 · ‎11-26-2007

1. Verify that the Anonymous account is not locked out.

2. Verify that the Anonymous account is not due for a password change.

3. Verify that the Anonymous account is only part of the 'Domain Users' group.

4. Rerun the OWAUSER.WSF script on the EV server under the security context of the EV service account.

Jim S.

jimbo2 · ‎11-28-2007

Richard,

I left out a step. Restart all EV services.

Have you have any luck?

Jim S.

Richard_Cheung · ‎11-28-2007

Hi Jim

I have checked.

anon account is not locked out, password hasnt changed, and is not a member of domain admins

I havent tried to rerun the file yet, i have a query...

I have an environment with one exchange front end server, and multiple exchange backend servers.

I have confirmed that OWA EV is still working fine via the front end for all mailboxes living on one backend server, but it isnt working on this new backend one I am trying to upgrade....

I would have thought if there was a problem with the EVANON account or if it wasnt registered properly, it would also break my already still working system right?

SO I am thinking it must be something else.......

am i on the wrong track?

jimbo2 · ‎11-28-2007

Richard,

In my opinion you are on the right track. I do agree.

Open a command prompt on the server that is working and type proxycfg (This is read only).

Do the same on the server that is not working. There will be some differences because the servers are different but the format will be about the same.

You may want to post both.

Jim S.

Richard_Cheung · ‎11-28-2007

i shall get the output and post it tomorrow.. gotta do some other outage now :o)

thanks for your help thus far

Richard_Cheung · ‎11-28-2007

okay have ran the proxycfg command on two of the backends.

on working one, output is:

Current WinHTTP proxy settings under:
HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
WinHttpSettings :

Proxy Server(s) : <local>
Bypass List : 10.1.2.51;<local>;vaultserver.domain.com;vaultserver

on not working one, output is:

Current WinHTTP proxy settings under:
HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
WinHttpSettings :

Proxy Server(s) : <local>
Bypass List : 128.6.5.7;<local>;vaultalias.domain.com;vaultalias;vaultserver.domain.com;vaultserver

so only difference on the one that is not working is that it has added both the vaultserver and the vaultserveralias into the proxy bypass list.

would have thought this should cause a problem. i checked dns, if i pinged the vaultalias, i get the vaultserver.domain.com returning my queries immediately.

VOX

OWA Vault v6sp4 implementation not working