----- Original Message -----
Sent: Monday, July 09, 2001 12:24 PM
Subject: User / client authentication + OWA + xml/dhtml problem - Inbox not displayed.
Platform:
Firewall - 2xNokia IP330 IPSO 3.3 Check Point FW-1 4.1 SP 3 running VRRP
Exchange server - Exchange 2000 Server (internal network)
OWA Server - OWA 2000 Server (Outlook Web Access) (DMZ)
Topology:
Internet
|
|
Firewall---------DMZ (OWA server)
|
|
Internal LAN
Exchange server
Problem:
Internet Explorer 5.0 does not load up OWA properly if user/client authentication is enabled on the firewall.
Description:
Using either IE 5 or Netscape 3.0 and a basic Any Any rule so that anyone on the Internet can access the OWA server on the DMZ, everything works FINE.
As soon as there is a user auth rule (http) + client auth rule (any service) authenticating access to the DMZ (either FW-1 user password or SecurID), OWA does not load its Inbox, although the rest of the frames load up correctly. This ONLY happens with IE 5, not Netscape. Netscape runs OK with this.
OWA 2000 uses XML and DHTML when accessed with IE 5, which I imagine is the problem.
However, these are Application layer protocols embedded in HTTP, and the firewall should not even be touching them.
There are NO security servers, content checkers or anything similar. Neither are there Proxy servers.
To summarise, OWA with IE 5.0 works OK when NOT using authentication, but as soon as it's turned on, then it fails to load up properly, but at this point, Netscape works OK.
Looking in the firewall logs, there are NO DROPS. IE 5.0 uses XML so the logs show lots of .HTC files loading up, and Netscape just uses plain HTTP, so the logs for this just show up the odd HTTP requests here and there.
Again, there are NO DROPS in the firewall log. Packets are just disappearing. SYN defender is set to 60 seconds, and no drops are seen with this either.
Has anyone come across this problem, or something similar when using user / client auth (implicit client authentication) + XML + DHTML?
Hope someone can help,
Tim
PS - This is already going to Check Point support as a potential bug, but they will blame Microsoft, Microsoft will blame Check Point and there won't be an official answer for months... trust me!