05-25-2012 06:14 AM
Hi!
A customer has a Bluecoat SG210 (firmware 5.4.2.2) reverse proxy guarding their OWA (single-server Exchange 2010 SP2). If I connect to OWA internally everything works: I get the vault icons and I can open archived attachments. But if I connect externally through the Bluecoat SG210, all I get is an attachment called: @ Please see attachements.
As I understand it, I don't need to publish anything from the Vault server externally to get this to work, do I? It must be some kind of reverse proxy problem.
My colleague managing the BC proxy also wanted me to post this:
2012-05-24 13:45:01 20 212.247.95.61 - - - PROXIED "none" https://webmail.xxx.xx/owa/?ae=Item&a=Open&t=IPM.Note.EnterpriseVault.Shortcut&id=RgAAAACdqEnpmcmzSo...
AAAxLvrAAAJ&pspid=_1337866556159_518344619 304 TCP_HIT GET application/x-javascript https webmail.xxx.xx 443 /owa/14.2.247.5/scripts/premium/freadmsg.js - js "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2" 192.168.xx.xx 368 993
05-27-2012 11:25 PM
no one?
05-28-2012 07:06 AM
Did you notice that you posted this as private? Your audience is much smaller when you do it this way.
05-29-2012 06:00 AM
Thanks AndrewB! I'll change it.
05-29-2012 08:56 AM
Can you enable OWA logging on the CAS server please? Trace one for internal connection and trace one for external connection and compare the two logs.
Has the BC fireware setup to forward HTTP and HTTPS traffic to/from the CAS servers, EV server and the BC firewall?
05-29-2012 11:30 PM
Thanks for the reply, LCT.
I will ask the Exchange admin to do so. It's a single Exchange 2010 installation, all roles on one server.
Regarding the BC setup, OWA only works fine, so forwarding traffic to the CAS works fine (webmail.company.com).
The BC admin has also done a forward to the EV (webmail.company.com/enterprisevault) and the address is in the EV desktop policy, with proxy setting on. And syncing vault cache works.
One question: do I need to publish the EV in the firewall to get this working? Doesn't EV inject data to the CAS server that generates the data correctly? Or does the user client (IE, Chrome etc.) need to contact EV directly?
05-29-2012 11:53 PM
1. Enable dtrace logging on the Enterprise Vault server for the following processes:
W3WP
Authserver
DirectoryService
ShoppingService
StorageRestore
AgentClientBroker
RetrievalTask
For instructions on enabling dtrace: http://www.symantec.com/docs/TECH38122
2. Reproduce the problem with OWA.
3. Stop dtrace logging on the EV server.
4. Gather the dtrace log and IIS log from the EV server and the OWA log from the CAS server and post here for review.
05-29-2012 11:59 PM
Check the configuration on CAS Server for OWA and verify the settings.
Check the following Technote.
http://www.symantec.com/business/support/index?page=content&id=TECH60712&actp=search&viewlocale=en_US&searchid=1338360912561
http://www.symantec.com/business/support/index?page=content&id=TECH141519
05-30-2012 01:49 AM
As per the logs which you posted below, it's showing that you are using Mozilla. Please note that only IE is supported by EV to access archive email from OWA; other browsers like Mozilla Firefox, Chrome are not supported.
My colleague managing the BC proxy also wanted me to post this:
2012-05-24 13:45:01 20 212.247.95.61 - - - PROXIED "none" https://webmail.xxx.xx/owa/?ae=Item&a=Open&t=IPM.Note.EnterpriseVault.Shortcut&id=RgAAAACdqEnpmcmzSo...
AAAxLvrAAAJ&pspid=_1337866556159_518344619 304 TCP_HIT GET application/x-javascript https webmail.xxx.xx 443 /owa/14.2.247.5/scripts/premium/freadmsg.js - js "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2" 192.168.xx.xx 368 993
05-30-2012 04:23 AM
Yes, I know IE is only supported, but I can successfully use OWA with the EV add-on internally with Chrome.
One question: do I need to publish the EV in the firewall to get this working? Doesn't EV inject data to the CAS server that generates the data correctly? Or does the user client (IE, Chrome etc.) need to contact EV directly?
05-30-2012 08:59 AM
The OWA client, i.e. IE or Chrome or whatever, only needs to connect directly to the EV server if you are using the Search and Archive Explorer via OWA; otherwise the OWA extensions on the CAS server will handle other/normal EV requests. Normally you don't need to publish the EV on the BC firewall as the requests are being handled by the OWA publishing rule, as mentioned already, unless you are planning to use Search and Archive Explorer.
I would get your BC guys to check the traffic between EV server, CAS servers and the BC firewall. We had the same issue as we also use BC firewall and after all the rules were checked on the BC firewall everything was working fine. Were you able to enable the OWA log on the CAS server and compare the working and non-working logs? Also I would be interested to see your web.config on your CAS server as this will be a start to your problem troubleshooting.
Internal and external config will depend on what you have configured in the web.config, assuming that the BC firewall is all configured correctly.
05-30-2012 11:29 PM
Once again thanks LCT,
I will post the logs and webconfig as soon as possible.
05-31-2012 10:11 AM
Well, after a restart of the servers (MS patch day) all attachment problems were resolved. Thanks for all the help.
But Search Vaults / Archive Explorer does not work. It seems that the URL in the popup window for Archive Explorer is the internal URL for the EV. I have specified in the desktop policy, advanced OWA settings:
external web application URL: https://webmail.company.com/enterprisevault and this URL is redirected to https://evserver.company.local/enterprisevault
If I try https://webmail.company.com/enterprisevault/search.asp or archiveexplorerui I'm able to search/browse.
I looked at this: http://www.symantec.com/business/support/index?page=content&id=TECH141519
And took a look in the Web.app file and did not find any key:
<add key="EnterpriseVault_UseExternalWebAppUrl" value="true"/>
Do I need to manually populate the web.app file? Is this not what the desktop policy should do?
Once again, I'm very thankful for all your answers!!
06-01-2012 12:26 AM
As the URL https://webmail.company.com/enterprisevault/search.asp is working externally, make sure the following values are correctly set in the Exchange Desktop Policy -> OWA:
External Web Application URL: <https>/enterprisevault
Further, add the following lines to the web.config on CAS:
EnterpriseVault_ExternalHostNames: webmail.company.com
Also ensure the Client Connection is set to 'Direct' in the Desktop Policy.
Refer to the attached document on configuring the OWA External URL.
06-01-2012 02:10 AM
Glad that it's all working as expected now.
As I mentioned to you in my previous replies, in order for you to use the Search and Archive Explorer externally via OWA you need to publish the EV server with its own external IP address via the BC firewall, i.e. a different IP from the OWA publishing rule. For example, vaultsite.mydomain.com; this will mean that when you click on Search or Archive Explorer it will connect directly to the EV server via your BC firewall, such as https://vaultsite.mydomain.com/enterprisevault/, and of course redirecting https traffic to your BC firewall to your EV server via http.
Alternatively you can put in an ISA or TMG server (most commonly what a lot of people do), publish your OWA and EV server with separate rules and set the link translation; then you don't need to publish the EV server separately with its own IP on your BC firewall.
Be careful when you use the
<add key="EnterpriseVault_UseExternalWebAppUrl" value="true"/>
because it will break your internal OWA if you don't set it up correctly.
06-01-2012 04:14 AM
Thanks for all the help.
But I don't really get the part regarding publishing the EV server with its own external IP. The BC redirects traffic:
https://webmail.company.com/enterprisevault -->http://Internalevserver/enterpisevault
I can use Search / Archive Explorer externally by using https://webmail.company.com/enterprisevault/search.asp and archiveexplorerui.asp
So the BC must do a successful redirect.
What am I missing regarding one more external IP?
06-01-2012 05:23 AM
So what happens when you click Search or Archive Explorer in OWA? Have you enabled EV logging?
06-01-2012 08:42 AM
With EV Search and Archive Explorer externally via OWA, the link will always point to the internal EV site, i.e. http://VaultSite.mydomain.local/enterprisevault. There is a function called link translation which translates your internal webappurl to your external webappurl, i.e. http://VaultSite.mydomain.local/enterprisevault --> https://owa.mydomain.com/enterprisevault. As I said before, you need TMG or ISA to do the link translation for you.
If the BC is doing the redirect and you can get to the EV server manually from external, then somehow you have to get OWA to do the link translation. Have you gone through the doc Configuring External and Internal OWA URL.pdf and set up your web.config? Be careful with changing the web.config, as with one character wrong your entire OWA will go down.
Or you will have to publish the EV server externally.
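The link translation described in the post above, as an added sketch that is not part of the thread and not Symantec, Microsoft or Blue Coat code: it rewrites internal EV links to the external base and reports any internal host names still left in a page served externally. The mapping reuses the thread's example names; the `.local` suffix rule, the `cas01` host and the sample HTML are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Internal base -> external base, using the example names from the thread.
LINK_MAP = {
    "http://vaultsite.mydomain.local/enterprisevault":
        "https://owa.mydomain.com/enterprisevault",
}
# Assumption: hosts under these DNS suffixes are internal-only.
INTERNAL_SUFFIXES = (".local",)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def translate_links(body, link_map=LINK_MAP):
    """Rewrite URLs under an internal base to the matching external base."""
    def swap(match):
        url = match.group(0)
        lowered = url.lower()
        for internal, external in link_map.items():
            # Match only on a path boundary so a longer path name is not rewritten.
            if lowered == internal or lowered.startswith((internal + "/", internal + "?")):
                return external + url[len(internal):]
        return url
    return URL_RE.sub(swap, body)


def leaked_internal_hosts(body, suffixes=INTERNAL_SUFFIXES):
    """Return the sorted internal host names still referenced in a response body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        if host.endswith(suffixes):
            hosts.add(host)
    return sorted(hosts)


# Constructed sample of what an external OWA user might receive before translation.
SAMPLE = (
    '<a href="http://VaultSite.mydomain.local/enterprisevault/search.asp">Search</a>\n'
    '<a href="http://VaultSite.mydomain.local/enterprisevault/archiveexplorerui.asp">AE</a>\n'
    '<img src="http://cas01.mydomain.local/owa/logo.png">\n'
)

if __name__ == "__main__":
    translated = translate_links(SAMPLE)
    print(translated)
    print("still internal:", leaked_internal_hosts(translated))
```

Any host the second function still reports after translation is a link an external browser cannot resolve, and an internal name disclosed to the outside.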
06-02-2012 04:20 AM
If you have set up a firewall other than ISA (Cisco Pix, Lynxes, Watchguard, etc.), then you should have a separate published host record for the EV server.
Example:-
https://web.domain.com/owa (External IP 200.100.1.1 ) https://CAS.domain.local/owa (internal IP 10.0.0.2)
https://EV.domain.com/enterprisevault (External IP 200.100.1.1 )
http://EV.domain.local/enterprisevault (internal IP 10.0.0.3)
You can get the help of the network administrator to publish the host record and configure one-to-one mapping between external name and internal host name. You need to open the same ports as you required for RPC over http/https for the EV record.
If ISA is in place for link translation, we can use the existing published host record of Exchange, which can work for EV as well. Example:-
https://host.domain.com/owa (External IP 200.100.1.1 )
Once you get this published, your Outlook Anywhere will also work.
06-10-2012 10:56 AM
Thanks for all the help guys!
I did read the Configuring External and Internal OWA URL.pdf but could not totally grasp the info. As I understand now, it's the web.config file that needed to change according to the settings, but the data to add in the web.config was not totally clear to me. OR go for TMG/ISA with link translation, right?
If some kind soul has a web.config file with the correct configuration added (not for my case, but for education), please publish it for my educational interest.
In the end the customer did not want these changes and did not think search / archive explorer was a big deal.
Once again, many thanks!