Secure OWA Publishing Behind ISA Server May Require Custom HTTP Header

Article ID: 307347
This article was previously published under Q307347
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry

SYMPTOMS

When you are using Web Publishing in Internet Security and Acceleration (ISA) Server 2000 to securely publish Microsoft Outlook Web Access (OWA), OWA users may experience one or more of the following symptoms if the SSL connection is terminated at the ISA Server computer:
  • The users may receive security warnings that are similar to the following security warning:
    This page contains both secure and nonsecure items. Do you want to display the nonsecure items?
  • The users may receive multiple authentication prompts from the OWA server because of a mix of HTTP and HTTPS that is being used.
  • No security key lock that indicates a secure connection is shown in the browser.
If the OWA Web Publishing rule is configured to "Require secure channel (SSL) for published site", OWA users may receive the following error message in the browser instead of receiving the preceding symptoms:
403 Forbidden - The page must be viewed over a secure (that is, Secure Sockets Layer (SSL)) channel. Contact the server administrator. (12211) Internet Security and Acceleration Server

CAUSE

This problem may occur because the published OWA server sometimes needs to send the OWA client absolute URL references.

When the OWA client uses SSL to connect to the ISA Server computer (and when you terminate the SSL connection at the ISA Server computer), the traffic between the ISA Server computer and the OWA server is HTTP. Because the OWA server receives HTTP, it dynamically creates the URLs it sends back to the OWA client by using http:// instead of https://. This causes a mix of HTTP and HTTPS to be used between the OWA client and the ISA Server computer, which may create the symptoms that are described in the "Symptoms" section of this article.

RESOLUTION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To resolve this problem:
  1. Obtain and install the latest service pack for ISA Server 2000. For additional information about how to do so, click the article number below to view the article in the Microsoft Knowledge Base:
    313139 How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack
  2. Stop the Web Proxy service.
  3. Start Registry Editor.
  4. Locate and click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters
  5. Create a new DWORD value that is named AddFrontEndHttpsHeader, and then give this new value a data value of 1.
  6. Start the Web Proxy service.

Notes

To revert to the original configuration, either remove the AddFrontEndHttpsHeader registry value, or change its data value to 0 (zero), and then restart the Web Proxy service.

When the AddFrontEndHttpsHeader registry value is set, ISA Server adds the custom HTTP header "Front-End-Https: On" to all HTTP requests between ISA Server and the published OWA server. However, it adds the custom header for Web Publishing requests only if the incoming connection between the OWA client and the ISA Server computer is HTTPS (SSL). With this header in place, all traffic between the OWA client and the ISA Server computer will be SSL.

WORKAROUND

To work around this problem, use any of the following methods.

Method 1

In ISA Server, publish OWA by using Server publishing instead of Web publishing.

Method 2

Instead of terminating SSL at the ISA Server computer, use SSL Bridging so that a new SSL connection is established between ISA Server and the internal OWA server.

Method 3

Write a Web filter in ISA Server that adds the custom HTTP header "Front-End-Https: On". Note that this procedure has basically the same effect as the procedure that is described in the "Resolution" section of this article. For more information about Web Filters, see the ISA Server Software Development Kit.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem was corrected in ISA Server 2000 SP1.

MORE INFORMATION

If you have the ISA Server computer add the "Front-End-Https: On" custom HTTP header, OWA will recognize this header, and then return its URLs by using https:// instead of http://.

NOTE: "Front-End-Https: On" is a custom HTTP header that is only recognized by OWA and Exchange. If you publish other applications behind ISA in a similar scenario, and experience the same symptoms as described in this article, then adding this custom HTTP header will have no effect.
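
The behavior described in the "Cause", "Notes" and "More Information" sections can be modelled in a few lines. This is an added example, not Microsoft's code: the function names, the host name mail.example.test and the sample markup are constructed, and the backend is a simplified stand-in that builds absolute URLs from the scheme it believes the client is using.

```python
import re

HEADER = "Front-End-Https"  # header name taken from the article


def proxy_forward(client_scheme, request_headers, add_front_end_https):
    """Model of the SSL-terminating publisher: headers sent to the backend over HTTP."""
    upstream = dict(request_headers)
    # Per the article, the header is added only when the inbound connection is HTTPS.
    if add_front_end_https and client_scheme == "https":
        upstream[HEADER] = "On"
    return upstream


def backend_render(upstream_headers, host):
    """Model of a backend that emits absolute URLs (constructed sample markup)."""
    front_end_https = upstream_headers.get(HEADER, "").lower() == "on"
    # The backend itself only ever sees HTTP; the header is its sole hint.
    scheme = "https" if front_end_https else "http"
    base = f"{scheme}://{host}/exchange"
    return (f'<frameset><frame src="{base}/navbar">'
            f'<frame src="{base}/inbox"></frameset>')


def nonsecure_references(client_scheme, body):
    """Absolute http:// references inside a page that was delivered over HTTPS."""
    if client_scheme != "https":
        return []
    return re.findall(r'(?:src|href|action)="(http://[^"]+)"', body, flags=re.I)


def simulate(client_scheme, add_front_end_https, host="mail.example.test"):
    """Run one request through the model and report mixed-content references."""
    upstream = proxy_forward(client_scheme, {"Host": host}, add_front_end_https)
    body = backend_render(upstream, host)
    return nonsecure_references(client_scheme, body)


if __name__ == "__main__":
    print("header off:", simulate("https", False))
    print("header on: ", simulate("https", True))
```

The same `nonsecure_references` check can be pointed at a saved response body from a published site to confirm that no http:// references remain after the change.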

Properties

Article ID: 307347 - Last Review: October 29, 2007 - Revision: 1.2
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2000 Standard Edition
Keywords: 
kbproductlink kbenv kberrmsg kbexchange2000sp3fix kbprb KB307347
