
Problem publishing EV 10 OWA archived attachments behind Bluecoat SG210

Magnus_SE
Level 4
Partner Accredited Certified

Hi!

A customer got a Bluecoat SG210 (firmware 5.4.2.2) reverse proxy guarding their OWA (single-server Exchange 2010 SP2). If I connect to OWA internally everything works: I get the vault icons and I can open archived attachments. But if I connect externally through the Bluecoat SG210, all I get is an attachment called: @  Please see attachments.

As I understand it, I don't need to publish anything from the Vault server externally to get this to work, do I? It must be some kind of reverse proxy problem.

My colleague managing the BC proxy also wanted me to post this:

2012-05-24 13:45:01 20 212.247.95.61 - - - PROXIED "none" https://webmail.xxx.xx/owa/?ae=Item&a=Open&t=IPM.Note.EnterpriseVault.Shortcut&id=RgAAAACdqEnpmcmzSo...AAAxLvrAAAJ&pspid=_1337866556159_518344619  304 TCP_HIT GET application/x-javascript https webmail.xxx.xx 443 /owa/14.2.247.5/scripts/premium/freadmsg.js - js "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2" 192.168.xx.xx 368 993

Accepted Solutions

LCT
Level 6
Accredited Certified

With EV Search and Archive Explorer externally via OWA, the link will always point to the internal EV site, i.e. http://VaultSite.mydomain.local/enterprisevault. There is a function called link translation which translates your internal webappurl to your external webappurl, i.e. http://VaultSite.mydomain.local/enterprisevault --> https://owa.mydomain.com/enterprisevault. As I said before, you need TMG or ISA to do the link translation for you.

If the BC is doing the redirect and you can get to the EV server manually from external, then somehow you have to get OWA to do the link translation. Have you gone through the doc Configuring External and Internal OWA URL.pdf and set up your web.config? Be careful with changing the web.config, as with one character wrong your entire OWA will go down.

Or you will have to publish the EV server externally.

19 Replies

Magnus_SE
Level 4
Partner Accredited Certified

No one?

AndrewB
Moderator
Moderator
Partner    VIP    Accredited

Did you notice that you posted this as private? Your audience is much smaller when you do it this way.

Magnus_SE
Level 4
Partner Accredited Certified

Thanks AndrewB! I'll change it.

LCT
Level 6
Accredited Certified

Can you enable OWA logging on the CAS server please? Trace one for an internal connection and trace one for an external connection and compare the two logs.

Has the BC firewall been set up to forward HTTP and HTTPS traffic to/from the CAS servers, EV server and the BC firewall?

Magnus_SE
Level 4
Partner Accredited Certified

Thanks for the reply, LCT.

I will ask the Exchange admin to do so. It's a single Exchange 2010 installation. All roles on one server.

Regarding the BC setup, OWA on its own works fine, so forwarding traffic to the CAS works fine (webmail.company.com).

The BC admin has also done a forward to the EV (webmail.company.com/enterprisevault) and the address is in the EV desktop policy, with the proxy setting on. And syncing vault cache works.

One question: do I need to publish the EV in the firewall to get this working? Doesn't EV inject data to the CAS server that generates the data correctly? Or does the user client (IE, Chrome etc.) need to contact EV directly?

Saqib_Alam
Level 5
Partner Accredited

 

1. Enable dtrace logging on the Enterprise Vault server for the following processes:
   - W3WP
   - Authserver
   - DirectoryService
   - ShoppingService
   - StorageRestore
   - AgentClientBroker
   - RetrievalTask

   For instructions on enabling dtrace: http://www.symantec.com/docs/TECH38122
2. Reproduce the problem with OWA.
3. Stop dtrace logging on the EV server.
4. Gather the dtrace log and IIS log from the EV server and the OWA log from the CAS server and post here for review.

 

Saqib_Alam
Level 5
Partner Accredited

 

Check the configuration on CAS Server for OWA and verify the settings.

Check the following Technote.

http://www.symantec.com/business/support/index?page=content&id=TECH60712&actp=search&viewlocale=en_US&searchid=1338360912561

http://www.symantec.com/business/support/index?page=content&id=TECH141519

 

 

Saqib_Alam
Level 5
Partner Accredited

As per the logs which you posted below, it's showing that you are using Mozilla. Please note that only IE is supported by EV to access archived email from OWA; other browsers like Mozilla Firefox and Chrome are not supported.

My colleague managing the BC proxy also wanted me to post this:

2012-05-24 13:45:01 20 212.247.95.61 - - - PROXIED "none" https://webmail.xxx.xx/owa/?ae=Item&a=Open&t=IPM.Note.EnterpriseVault.Shortcut&id=RgAAAACdqEnpmcmzSo...AAAxLvrAAAJ&pspid=_1337866556159_518344619  304 TCP_HIT GET application/x-javascript https webmail.xxx.xx 443 /owa/14.2.247.5/scripts/premium/freadmsg.js - js "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2" 192.168.xx.xx 368 993

Magnus_SE
Level 4
Partner Accredited Certified

Yes, I know only IE is supported, but I can successfully use OWA with the EV add-on internally with Chrome.

One question: do I need to publish the EV in the firewall to get this working? Doesn't EV inject data to the CAS server that generates the data correctly? Or does the user client (IE, Chrome etc.) need to contact EV directly?

LCT
Level 6
Accredited Certified

The OWA client, i.e. IE or Chrome or whatever, only needs to connect directly to the EV server if you are using Search and Archive Explorer via OWA; otherwise the OWA extensions on the CAS server will handle other/normal EV requests. Normally you don't need to publish the EV on the BC firewall as the requests are being handled by the OWA publishing rule, as mentioned already, unless you are planning to use Search and Archive Explorer.

I would get your BC guys to check the traffic between the EV server, CAS servers and the BC firewall. We had the same issue as we also use a BC firewall, and after all the rules were checked on the BC firewall everything was working fine. Were you able to enable the OWA log on the CAS server and compare the working and non-working logs? Also, I would be interested to see your web.config on your CAS server as this will be a start to your problem troubleshooting.

Internal and external config will depend on what you have configured in the web.config, assuming that the BC firewall is all configured correctly.

Magnus_SE
Level 4
Partner Accredited Certified

Once again thanks LCT,

I will post the logs and web.config as soon as possible.

 

Magnus_SE
Level 4
Partner Accredited Certified

Well, after a restart of the servers (MS patch day) all the attachment problems were solved. Thanks for all the help!

But Search Vaults / Archive Explorer does not work. It seems that the URL in the popup window for Archive Explorer is the internal URL for the EV. I have specified in the desktop policy, advanced OWA settings:

external webapplication url: https://webmail.company.com/enterprisevault and this url is redirected to https://evserver.company.local/enterprisevault

If I try https://webmail.company.com/enterprisevault/search.asp or archiveexplorerui I'm able to search/browse.

I looked at this: http://www.symantec.com/business/support/index?page=content&id=TECH141519

And I took a look in the Web.app file and did not find any key:

<add key="EnterpriseVault_UseExternalWebAppUrl" value="true"/>

Do I need to manually populate the web.app file? Is this not what the desktop policy should do?

Once again, I am very thankful for all your answers!!

Saswata_Basu
Level 4
Employee Accredited Certified

As the URL - https://webmail.company.com/enterprisevault/search.asp is working externally make sure the following values are correctly set in the Exchange Desktop Policy -> OWA:-

External Web Application URL: <https>/enterprisevault

Further, add the following lines to the web.config on CAS :-

EnterpriseVault_ExternalHostNames: webmail.company.com

Also ensure the Client Connection is set to 'Direct' in the Desktop Policy.

Refer to the attached document on configuring the OWA External URL.

LCT
Level 6
Accredited Certified

Glad that it's all working as expected now.

As I mentioned to you in my previous replies, in order for you to use Search and Archive Explorer externally via OWA you need to publish the EV server with its own external IP address via the BC firewall, i.e. a different IP from the OWA publishing rule. For example, vaultsite.mydomain.com; this will mean that when you click on Search or Archive Explorer it will connect directly to the EV server via your BC firewall, such as https://vaultsite.mydomain.com/enterprisevault/, and of course redirecting https traffic to your BC firewall to your EV server via http.

Alternatively you can put in an ISA or TMG server (most commonly what a lot of people do), publish your OWA and EV server with separate rules and set the link translation; then you don't need to publish the EV server separately with its own IP on your BC firewall.

Be careful when you use the  

<add key="EnterpriseVault_UseExternalWebAppUrl" value="true"/>

because it will break your internal OWA if you don't set it up correctly.

Magnus_SE
Level 4
Partner Accredited Certified

Thanks for all the help.

But I don't really get the part regarding publishing the EV server with its own external IP. The BC redirects traffic:

https://webmail.company.com/enterprisevault -->http://Internalevserver/enterpisevault

I can use Search/Archive Explorer externally by using https://webmail.company.com/enterprisevault/search.asp and archiveexplorerui.asp

So the BC must do a successful redirect.

What am I missing regarding one more external IP?

TonySterling
Moderator
Moderator
Partner    VIP    Accredited Certified

So what happens when you click Search or Archive Explorer in OWA?  Have you enabled EV logging?

LCT
Level 6
Accredited Certified

With EV Search and Archive Explorer externally via OWA, the link will always point to the internal EV site, i.e. http://VaultSite.mydomain.local/enterprisevault. There is a function called link translation which translates your internal webappurl to your external webappurl, i.e. http://VaultSite.mydomain.local/enterprisevault --> https://owa.mydomain.com/enterprisevault. As I said before, you need TMG or ISA to do the link translation for you.

If the BC is doing the redirect and you can get to the EV server manually from external, then somehow you have to get OWA to do the link translation. Have you gone through the doc Configuring External and Internal OWA URL.pdf and set up your web.config? Be careful with changing the web.config, as with one character wrong your entire OWA will go down.

Or you will have to publish the EV server externally.
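The link translation described in the post above, sketched as an added example that is not part of the original thread and is not TMG/ISA or Blue Coat code. The function names, the sample response and the `.local` suffix check are assumptions for illustration; the host names are the example names used in the post.

```python
import re

# Internal -> external prefix, using the example names from the post above.
LINK_MAP = {
    "http://VaultSite.mydomain.local/enterprisevault":
        "https://owa.mydomain.com/enterprisevault",
}
# A prefix matches only when followed by a URL delimiter or end of text, so
# ".../enterprisevault2" is not rewritten by accident.
_BOUNDARY = r"(?=[/?#\"'\s<>)]|$)"

# Constructed sample response (not captured traffic).
SAMPLE_HEADERS = {"Content-Type": "text/html",
                  "Location": "http://vaultsite.mydomain.local/enterprisevault/search.asp"}
SAMPLE_BODY = (
    '<a href="http://VaultSite.mydomain.local/enterprisevault/search.asp">Search</a>'
    '<a href="http://VaultSite.mydomain.local/enterprisevault2/x">other app</a>'
)

def translate(text, link_map=LINK_MAP):
    """Return (rewritten_text, number_of_links_translated)."""
    total = 0
    for internal, external in link_map.items():
        # Host names are case-insensitive, hence IGNORECASE.
        pattern = re.compile(re.escape(internal.rstrip("/")) + _BOUNDARY, re.IGNORECASE)
        text, n = pattern.subn(lambda m, ext=external.rstrip("/"): ext, text)
        total += n
    return text, total

def translate_response(headers, body, link_map=LINK_MAP):
    """Rewrite redirect headers and the body of one proxied response."""
    out = {}
    for name, value in headers.items():
        if name.lower() in ("location", "content-location"):
            value, _ = translate(value, link_map)
        out[name] = value
    body, count = translate(body, link_map)
    return out, body, count

def leaked_internal_hosts(body, internal_suffix=".local"):
    """Internal host names still visible to the external client."""
    hosts = re.findall(r"https?://([A-Za-z0-9.-]+)", body)
    return sorted({h.lower() for h in hosts if h.lower().endswith(internal_suffix)})
```

Running `leaked_internal_hosts` on what the external client receives shows the symptom from this thread: any internal EV host name still in the page means the link will not resolve from outside.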

Saqib_Alam
Level 5
Partner Accredited

If you have set up a firewall other than ISA (Cisco PIX, Lynxes, WatchGuard, etc.), then you should have a separate published host record for the EV server.

Example:-

https://web.domain.com/owa (External IP 200.100.1.1)              https://CAS.domain.local/owa (internal IP 10.0.0.2)

https://EV.domain.com/enterprisevault (External IP 200.100.1.1)              http://EV.domain.local/enterprisevault (internal IP 10.0.0.3)

You can get the help of the network administrator to publish the host record and configure a one-to-one mapping between the external name and the internal host name. You need to open the same ports as you required for RPC over http/https for the EV record.

If ISA is in place for link translation, we can use the existing published host record of Exchange; that can work for EV as well. Example:-

https://host.domain.com/owa (External IP 200.100.1.1)

Once you get this published, your Outlook Anywhere will also work.

 

Magnus_SE
Level 4
Partner Accredited Certified

Thanks for all the help guys!

I did read the Configuring External and Internal OWA URL.pdf but could not totally grasp the info. As I understand now, it's the web.config file that needed to change according to the settings, but the data to add in the web.config was not totally clear to me. OR go for TMG/ISA with link translation, right?

If some kind soul has a web.config file with the correct configuration added (not for my case, but for education), please publish it for my educational interest.

In the end, the customer did not want these changes and did not think search/archive explorer was a big deal.

Once again, many thanks!