Re: [FW1] Fw: User / client authentication + OWA + xml/dhtml problem ? Inbox not displayed.

Thanks very much Marwan.
Even with HTTPS, OWA can be brute forced, so the customer is reluctant to try it and would like to use their existing SecurID system to auth users.
OWA 2000 works fine using Netscape 3.0 and IE 4.0, and it's only with OWA 2000 + IE5 (which uses XML and DHTML components) that the Inbox does not appear!
Sort of a Microsoft AND Check Point problem I suppose.
Do you know if there's any way to tell Check Point not to dissect HTTP packets and just leave them as they are?
Remember there are no drops or rejects, or SYN timeouts.  Strange...

Cheers,

Tim
----- Original Message -----
Sent: Tuesday, July 10, 2001 5:59 PM
Subject: RE: [FW1] Fw: User / client authentication + OWA + xml/dhtml problem ? Inbox not displayed.

I haven't really used user+client authentication, but I am pretty sure that OWA wouldn't be able to fully support that kind of authentication method. You have 2 options: you can either use SecuRemote if you really need authentication at the firewall before Exchange, or you can allow OWA only through HTTPS, which is very secure (which is what I use).

 

Marwan Halabi
Security Engineer
Stockback, LLC


-----Original Message-----
From: Tim Holman [mailto:[email protected]]
Sent: Monday, July 09, 2001 7:28 AM
To: [email protected]
Subject: [FW1] Fw: User / client authentication + OWA + xml/dhtml problem ? Inbox not displayed.

 

 

----- Original Message -----
From: Tim Holman
Sent: Monday, July 09, 2001 12:24 PM
Subject: User / client authentication + OWA + xml/dhtml problem ? Inbox not displayed.


Platform:

    Firewall         -  2 x Nokia IP330, IPSO 3.3, Check Point FW-1 4.1 SP3, running VRRP
    Exchange server  -  Exchange 2000 Server (internal network)
    OWA Server       -  OWA 2000 Server (Outlook Web Access) (DMZ)


Topology:

    Internet
        |
        |
    Firewall---------DMZ (OWA server)
        |
        |
    Internal LAN
    Exchange server


Problem:

    Internet Explorer 5.0 does not load up OWA properly if user/client authentication is enabled on the firewall.


Description:

    Using either IE 5 or Netscape 3.0 and a basic Any Any rule so that anyone on the Internet can access the OWA server on the DMZ, everything works FINE.

    As soon as there is a user auth rule (http) + client auth rule (any service) authenticating access to the DMZ (either FW-1 user password or SecurID), OWA does not load its Inbox, although the rest of the frames load up correctly.  This ONLY happens with IE 5, not Netscape.  Netscape runs OK with this.

    OWA 2000 uses XML and DHTML when accessed with IE 5, which I imagine is the problem.

    However, these are application layer protocols embedded in HTTP, and the firewall should not even be touching them.

    There are NO security servers, content checkers or anything similar.  Neither are there proxy servers.

    To summarise, OWA with IE 5.0 works OK when NOT using authentication, but as soon as it's turned on it fails to load up properly, while at this point Netscape works OK.

    Looking in the firewall logs, there are NO DROPS.  IE 5.0 uses XML so the logs show lots of .HTC files loading up, and Netscape just uses plain HTTP, so the logs for this just show the odd HTTP request here and there.

    Again, there are NO DROPS in the firewall log.  Packets are just disappearing.  SYN Defender is set to 60 seconds, and no drops are seen with this either.

    Has anyone come across this problem, or something similar, when using user / client auth (implicit client authentication) + XML + DHTML?


Hope someone can help,

Tim

PS - This is already going to Check Point support as a potential bug, but they will blame Microsoft, Microsoft will blame Check Point and there won't be an official answer for months...  trust me!




This message and any attachments are confidential and may be protected by attorney-client privilege. If you are not the intended recipient, contact the author immediately.
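The thread turns on one observation: the firewall log shows the IE5 .HTC requests being accepted and no drops or rejects at all, yet the Inbox frame never arrives. Before escalating to either vendor, a practitioner would want that claim checked mechanically rather than by eye. The script below is an added example written for this page, not code from the list posters or from Check Point. It parses a constructed, simplified log (time, action, source, destination, service, and optional HTTP method and URL; this is NOT the real FW-1 log export format, and the hosts and OWA paths are made up) and answers two questions: were there any drop/reject entries for the OWA host, and with what action did each resource type (.htc versus plain pages) reach the log. If every .htc fetch is accepted and nothing is dropped, the log cannot show where the Inbox request is lost, which is the signal to move to packet captures on both sides of the firewall rather than to keep reading the rule base.

```python
"""Check a firewall log for the "no drops, but the page still fails" pattern.

The log format below is a constructed, simplified layout used only for this
example; it is not the Check Point FW-1 export format.  All addresses and URLs
are sample values.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: an IE5 client (203.0.113.10) fetching several .htc
# behaviours plus the Inbox listing, a Netscape client (198.51.100.7) fetching
# plain pages, and one unrelated drop to a different host so the drop filter
# is exercised.  OWA host is 192.0.2.25 (sample value).
SAMPLE_LOG = """\
10:01:02 accept 203.0.113.10 192.0.2.25 http GET /exchange/
10:01:03 accept 203.0.113.10 192.0.2.25 http GET /exchweb/controls/sample1.htc
10:01:03 accept 203.0.113.10 192.0.2.25 http GET /exchweb/controls/sample2.htc
10:01:04 accept 203.0.113.10 192.0.2.25 http GET /exchweb/controls/sample3.htc
10:01:05 accept 203.0.113.10 192.0.2.25 http GET /exchange/tim/Inbox/?Cmd=contents
10:02:10 accept 198.51.100.7 192.0.2.25 http GET /exchange/
10:02:12 accept 198.51.100.7 192.0.2.25 http GET /exchange/tim/Inbox/?Cmd=contents
10:03:00 drop 198.51.100.9 192.0.2.30 telnet
"""

# One line per connection: the HTTP method/URL pair is optional because
# non-HTTP services (the telnet drop above) have neither.
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<action>accept|drop|reject)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"\s+(?P<service>\S+)(?:\s+(?P<method>[A-Z]+)\s+(?P<url>\S+))?\s*$"
)


def parse_log(text):
    """Parse the simplified log into dicts; unparseable lines are an error,
    not silently skipped, so a format change cannot hide a drop."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: unrecognised log line: {line!r}")
        entries.append(match.groupdict())
    return entries


def drops_for_host(entries, host):
    """Every drop or reject whose destination is the given host."""
    return [e for e in entries if e["dst"] == host and e["action"] in ("drop", "reject")]


def url_extension(url):
    """File extension of the request path ('(none)' for directory-style URLs),
    with any query string removed first."""
    path = url.split("?", 1)[0]
    name = path.rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else "(none)"


def actions_by_extension(entries, host):
    """Map resource type -> {action: count} for HTTP requests to the host,
    so accepted .htc fetches and accepted plain pages can be compared."""
    counts = defaultdict(Counter)
    for e in entries:
        if e["dst"] != host or e["url"] is None:
            continue
        counts[url_extension(e["url"])][e["action"]] += 1
    return {ext: dict(c) for ext, c in counts.items()}


def summarise(text, host):
    """Convenience wrapper returning both checks for one host."""
    entries = parse_log(text)
    return {
        "drops": drops_for_host(entries, host),
        "by_extension": actions_by_extension(entries, host),
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG, "192.0.2.25")
    print("drops/rejects for OWA host:", len(result["drops"]))
    for ext, actions in sorted(result["by_extension"].items()):
        print(f"{ext:8} {actions}")
```

Run against a real export, the only change needed is `LINE_RE`; the two checks stay the same. A result of zero drops together with accepted entries for every resource type is exactly the situation the original post describes, and it tells you the firewall log has nothing more to give.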





 