
Re: [FW1] Fw: User / client authentication + OWA + xml/dhtml problem ? Inbox not displayed.



Thanks for the prompt reply.
I've tried various IE settings, including turning off HTTP 1.1.
Maybe if there was a way to force IE 5.0 NOT to recognise <xml> or <dhtml> tags there could be a way round this, but the end result we require is for users to pick up their emails from anywhere in the world using SecurID tokens for strong authentication, be it from Internet cafes, kiosks in airports etc etc, which I expect are locked down to the extent where IE settings cannot be changed.
 
Cheers,
 
Tim
 
----- Original Message -----
Sent: Tuesday, July 10, 2001 6:33 AM
Subject: RE: [FW1] Fw: User / client authentication + OWA + xml/dhtml problem ? Inbox not displayed.

Try to unset the HTTP 1.1 setting in Tools/Internet Options/Advanced in IE.
 
Andrej
-----Original Message-----
From: Tim Holman [mailto:[email protected]]
Sent: Monday, July 09, 2001 1:28 PM
To: [email protected]
Subject: [FW1] Fw: User / client authentication + OWA + xml/dhtml problem ? Inbox not displayed.

 
----- Original Message -----
From: Tim Holman
Sent: Monday, July 09, 2001 12:24 PM
Subject: User / client authentication + OWA + xml/dhtml problem ? Inbox not displayed.

Platform:
    Firewall    -    2xNokia IP330 IPSO 3.3 Check Point FW-1 4.1 SP 3 running VRRP
    Exchange server    -    Exchange 2000 Server (internal network)
    OWA Server            -    OWA 2000 Server (Outlook Web Access) (DMZ)
 
Topology:
   
Internet
|
|
Firewall---------DMZ (OWA server)
|
|
Internal LAN
Exchange server
 
Problem:
    Internet Explorer 5.0 does not load up OWA properly if user/client authentication is enabled on the firewall.
 
Description:
    Using either IE 5 or Netscape 3.0 and a basic Any Any rule so that anyone on the Internet can access the OWA server on the DMZ, everything works FINE.
    As soon as there is a user auth rule (http) + client auth rule (any service) authenticating access to the DMZ (either FW-1 user password or SecurID), OWA does not load its Inbox, although the rest of the frames load up correctly.  This ONLY happens with IE 5, not Netscape.  Netscape runs OK with this.
    OWA 2000 uses XML and DHTML when accessed with IE 5, which I imagine is the problem.
    However, these are Application layer protocols embedded in HTTP, and the firewall should not even be touching them.
    There are NO security servers, content checkers or anything similar.  Neither are there Proxy servers.
    To summarise, OWA with IE 5.0 works OK when NOT using authentication, but as soon as it's turned on, then it fails to load up properly, but at this point, Netscape works OK.
    Looking in the firewall logs, there are NO DROPS.  IE 5.0 uses XML so the logs show lots of .HTC files loading up, and Netscape just uses plain HTTP, so the logs for this just show up the odd HTTP requests here and there.
    Again, there are NO DROPS in the firewall log.  Packets are just disappearing.  SYN defender is set to 60 seconds, and no drops are seen with this either.
    Has anyone come across this problem, or something similar when using user / client auth (implicit client authentication) + XML + DHTML ?
   
Hope someone can help,
 
Tim
 
PS - This is already going to Check Point support as a potential bug, but they will blame Microsoft, Microsoft will blame Check Point and there won't be an official answer for months...  trust me !
 
   


 