OWA 2000 via WebVPN

stuart-anderson · ‎11-17-2005

Hi all,

I am having problems using Outlook Web Access 2000 through a WebVPN session on a Cisco VPN 3005. Once I have connected via WebVPN to the concentrator, I click on the link to my OWA server and get the correct opening page (as I would if not using VPN) where I enter my name to connect to my email account. I then get an "Authentication Required" page from the VPN concentrator where I enter my username, password and domain. I enter these and click on continue, and there appears to be an attempt to connect - the progress bar at the bottom of the page slowly increments, but when it gets to 100% and disappears I still just have the Authentication Required page on screen, complete with the details I have entered.

The VPN 3005 log shows the following (actual username replaced by username, email account user.name@domain_name, actual servername replaced by servername, log annotated with my actions):

Action: clicked on OWA link from WebVPN homepage.

Action: entered user.name on OWA homepage.

10502 11/16/2005 12:04:19.210 SEV=4 WEBVPN/49 RPT=103

WebVPN User [username]

WWW-Authenticate: Basic, received from server servername

10503 11/16/2005 12:04:19.210 SEV=4 WEBVPN/49 RPT=104

WebVPN User [username]

WWW-Authenticate: NTLM, received from server servername

10504 11/16/2005 12:04:19.210 SEV=4 WEBVPN/49 RPT=105

WebVPN User [username]

WWW-Authenticate: Negotiate, received from server servername

10505 11/16/2005 12:04:19.210 SEV=5 WEBVPN/50 RPT=44

WebVPN User [username]

Authentication method NTLM is used with server servername

10506 11/16/2005 12:04:19.220 SEV=4 HTTP/37 RPT=245

Closing socket 6 for invalid connection 0x33AB59C.

10507 11/16/2005 12:04:19.280 SEV=4 WEBVPN/53 RPT=41

WebVPN User [username]

Authentication: realm length = 0, url length = 39, server length = 5

Action: entered credentials username/password/domain_name.

10556 11/16/2005 12:11:29.910 SEV=4 WEBVPN/52 RPT=54

WebVPN User [username]

NTLM Auth. Login: Username [username], Domain [domain_name] to remote server servername

I'm not sure of the significance of the Closing socket 6 for invalid connection line.

The OWA server is in the DMZ, and the Exchange server is on the internal LAN. Direct OWA access (i.e. without VPN) from the outside world is fine; the authentication dialogue box in these circumstances just asks for username and password, not domain.

OWA is configured for https connections only. I am using Internet Explorer 6 (but have found the same problems with Firefox 1.0.7). The VPN 3005 is running 4.7.2B.

I'd be very grateful for any thoughts on what might be causing these difficulties.

Stuart

sloeckle · ‎11-17-2005

Just for giggles, try allowing http connections and see if the problem goes away.

stuart-anderson · ‎11-26-2005

Tried http rather than https on OWA (after persuading my server colleagues to temporarily allow this), and lo and behold authentication is fine BUT I now just get "Loading..." where my inbox should be. I've a feeling I've seen this problem before, but not a resolution to it. Anyone got any thoughts?

stuart-anderson · ‎12-19-2005

I've now also got around the initial authentication problem by turning off Windows authentication (NTLM) on the OWA server, and so using basic authentication instead. This configuration enables successful authentication using https to the OWA server via the VPN3005, but thereafter I get the "Loading..." problem as described in my previous post. This is using Internet Explorer; I get my inbox fine using Firefox! Any ideas?

dmill · ‎02-13-2006

I was having this same issue with OWA 2003, but the solution was adjusting URLSCAN. This was disallowing the header 'transfer-encoding' which apparently is utilized for webvpn connection. Once I disabled this header filter on the exchange server the OWA began working correctly over the webvpn.

[02-13-2006 - 08:27:08] Client at 10.x.x.x: URL contains disallowed header 'transfer-encoding:' Request will be rejected. Site Instance='1', Raw URL='/exchange/john.smith/Inbox/'