----- Original Message -----
Sent: Monday, July 09, 2001 12:24 PM
Subject: User / client authentication + OWA + xml/dhtml problem ? Inbox not displayed.
Platform:
Firewall - 2xNokia IP330 IPSO 3.3 Check Point FW-1 4.1 SP 3 running VRRP
Exchange server - Exchange 2000 Server (internal network)
OWA Server - OWA 2000 Server (Outlook Web Access) (DMZ)
Topology:
Internet
|
|
Firewall---------DMZ (OWA server)
|
|
Internal LAN
Exchange server
Problem:
Internet Explorer 5.0 does not load up OWA properly if user/client authentication is enabled on the firewall.
Description:
Using either IE 5 or Netscape 3.0 and a basic Any Any rule so that anyone on the Internet can access the OWA server on the DMZ, everything works FINE.
As soon as there is a user auth rule (http) + client auth rule (any service) authenticating access to the DMZ (either FW-1 user password or SecurID), OWA does not load its Inbox, although the rest of the frames load up correctly. This ONLY happens with IE 5, not Netscape. Netscape runs OK with this.
OWA 2000 uses XML and DHTML when accessed with IE 5, which I imagine is the problem.
However, these are Application layer protocols embedded in HTTP, and the firewall should not even be touching them.
There are NO security servers, content checkers or anything similar. Neither are there Proxy servers.
To summarise, OWA with IE 5.0 works OK when NOT using authentication, but as soon as it's turned on, then it fails to load up properly, but at this point, Netscape works OK.
Looking in the firewall logs, there are NO DROPS. IE 5.0 uses XML so the logs show lots of .HTC files loading up, and Netscape just uses plain HTTP, so the logs for this just show up the odd HTTP requests here and there.
Again, there are NO DROPS in the firewall log. Packets are just disappearing. SYN defender is set to 60 seconds, and no drops are seen with this either.
Has anyone come across this problem, or something similar when using user / client auth (implicit client authentication) + XML + DHTML ?
Hope someone can help,
Tim
PS - This is already going to Check Point support as a potential bug, but they will blame Microsoft, Microsoft will blame Check Point and there won't be an official answer for months... trust me !