Problem: Multi-role Exchange 2007 in main site won't proxy OWA to branch
Hi

I would really appreciate your assistance, and also to know if someone has deployed the following configuration and found it working.

Site A (Internet-facing) - Exchange 2007 SP2 on Win2008 SP2 with CAS/HUB/Mailbox roles installed.
OWA virtual directory configured with Integrated Authentication.
SSL certificate was replaced with an existing GoDaddy certificate, and web services configured for the certificate common name properly.
Users on this Exchange server can access OWA via SSL.
URL forwarding was configured from the root of the web site to /owa as specified by Microsoft.
OWA URL is configured with internal URL servername and External URL based on the GoDaddy certificate common name.

Site B (Not-Internet facing) - Exchange 2007 SP2 on Win2008 SP2 with CAS/HUB/Mailbox roles installed.
OWA virtual directory configured with Integrated Authentication.
Using self-signed Exchange certificate.
Users on this Exchange server can access OWA via SSL when connecting directly to the server (also allowed http, and can use http as well).
OWA URL is configured with internal URL servername only, no external URL to allow proxying.

More info:
We can open IE on the Site-A Exchange server, and connect to the OWA located directly on the Site-B Exchange server and access a Site-B mailbox with both SSL and no SSL (443 and 80) without a problem, so it does not seem to be a closed port.

Problem:
If contacting Site-A OWA, and authenticating with a user whose mailbox is in Site-B, the proxying fails with the following error message.
(Note that the URL is http since we decided to try using http CAS proxying (with the registry key) after SSL failed)
Network check discovered that the Site-B Exchange server does send a packet back to the Site-A server after the request on port 80.

Outlook Web Access is not currently available for the user mailbox that you are trying to access. If the problem continues, contact technical support for your organization and tell them the following: Outlook Web Access could not establish a Secure Sockets Layer (SSL) connection to the Microsoft Exchange Client Access server that should be used to access the mailbox.

RequestUrl: https://sgex01:443/owa/ev.owa?oeh=1&ns=HttpProxy&ev=ProxyRequest
User host address: 192.168.221.27
User: teamrn2007
EX Address: /o=ORG/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=teamrn2007
SMTP Address: teamrn2007@org.com
OWA version: 8.2.176.2
Second CAS for proxy: http://rnex01.org.int/owa

Exception
Exception type: Microsoft.Exchange.Clients.Owa.Core.OwaProxyException
Exception message: The CAS server is most likely not configured for SSL (it returned a 403)

Call stack
No callstack available

Any ideas? Does anyone have this kind of deployment working?

Thank you
Liran Zamir
November 8th, 2009 3:56pm

This might help you: http://www.eggheadcafe.com/software/aspnet/31988097/no-owa-access-if-mailbox.aspx

I saw some post which talks about the design that you have. See the links provided by one MVP over there: http://forums.msexchange.org/m_1800507815/tm.htm

Raj
November 8th, 2009 4:25pm

It really just works out of the box. The internal CAS should have Int and Basic Auth enabled. The InternalURL for the internal CAS should be set to the https:// URL of the internal and you are done. You have no entry in the externalurl, so that is correct.

Which registry key did you change?

Anything interesting in the IIS logs on either server when it fails? I would also run ExBpa against both servers.
November 8th, 2009 4:35pm

Hi Andy and thanks

I added basic authentication to the already configured Integrated.
The internal URL was configured with https, but I changed it to http since I implemented the registry key as specified in error event 42 that appears when the proxy fails on the Site-A server, and also based on http://technet.microsoft.com/en-us/library/bb217746.aspx

EVENT 42: Microsoft Exchange Client Access server "https://mail-de.org.com/owa" attempted to proxy Outlook Web Access traffic to Client Access server "http://rnex01.org.int/owa". This failed because one of these configuration problems was encountered:
1. "http://rnex01.org.int/owa" has been set to use "http://" (not using SSL) instead of "https://" (using SSL). You can modify this by setting the InternalUrl parameter of the Outlook Web Access virtual directory this proxy traffic is going to. You can set that parameter using the Set-OwaVirtualDirectory cmdlet in the Exchange Management Shell.
2. The destination virtual directory returned an HTTP 403 error code. This usually means it is not configured to accept SSL access. You can change this configuration by using Internet Services Manager on the Client Access server "http://rnex01.org.int/owa". If you do not want this proxy connection to use SSL, you need to set the registry key "AllowProxyingWithoutSSL" on this Client Access server and set the InternalUrl and SSL settings for the Outlook Web Access virtual directory this proxy traffic is going to accordingly.

This is what I'm getting in the IIS log on the Site-B CAS server:

2009-11-08 14:26:56 172.31.2.201 GET /owa/ping.owa - 80 ORG\SGEX01$ 172.21.30.111 OwaProxy 242 0 0 93
2009-11-08 14:26:56 172.31.2.201 GET /owa/default.aspx - 80 ORG\SGEX01$ 172.21.30.111 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2) 403 0 0 265
2009-11-08 14:27:31 172.31.2.201 GET /owa/ping.owa - 80 ORG\SGEX01$ 172.21.30.111 OwaProxy 242 0 0 93
2009-11-08 14:27:31 172.31.2.201 GET /owa/default.aspx - 80 ORG\SGEX01$ 172.21.30.111 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2) 403 0 0 265
2009-11-08 14:30:37 172.31.2.201 POST /owa/ev.owa oeh=1&ns=Notify&ev=Poll&prfltncy=0&prfrpccnt=0&prfrpcltncy=0&prfldpcnt=0&prfldpltncy=0&prfavlcnt=0&prfavlltncy=0 443 ORG\teamrn2007 172.21.30.13 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727) 200 0 0 328

BPA did not provide any useful information.

Thanks
November 8th, 2009 5:56pm
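
Added example (not part of the original thread, and not code from any poster): a short Python parser for the Site-B IIS log lines quoted in the post above. It separates the CAS-to-CAS requests made under the computer account from ordinary user sessions, and shows that the proxy ping succeeds while the proxied page request is rejected over a non-SSL port. The field order is an assumption, since the post does not include the "#Fields:" header; the function names are hypothetical.

```python
from collections import namedtuple

# Assumed field order: the post omits the "#Fields:" header, so this is the
# IIS 7 default W3C selection, which matches the 14 columns in the quoted lines.
FIELDS = ("date time s_ip method uri_stem uri_query s_port username c_ip "
          "user_agent status substatus win32_status time_taken").split()
Entry = namedtuple("Entry", FIELDS)

# Three of the Site-B log lines from the post; query and user-agent strings shortened.
SAMPLE_LOG = r"""
2009-11-08 14:26:56 172.31.2.201 GET /owa/ping.owa - 80 ORG\SGEX01$ 172.21.30.111 OwaProxy 242 0 0 93
2009-11-08 14:26:56 172.31.2.201 GET /owa/default.aspx - 80 ORG\SGEX01$ 172.21.30.111 Mozilla/4.0+(compatible;+MSIE+6.0) 403 0 0 265
2009-11-08 14:30:37 172.31.2.201 POST /owa/ev.owa oeh=1&ns=Notify&ev=Poll 443 ORG\teamrn2007 172.21.30.13 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0 328
"""

def parse(text):
    """Return one Entry per well-formed request line, skipping '#' directives."""
    rows = (line.split() for line in text.splitlines() if not line.startswith("#"))
    return [Entry(*r) for r in rows if len(r) == len(FIELDS)]

def summarize_proxy(entries):
    """Group requests made under a computer account (name ends in '$'), as the
    Site-A CAS does in this log, by (account, source IP, port)."""
    summary = {}
    for e in entries:
        if not e.username.endswith("$"):
            continue  # ordinary user session, not CAS-to-CAS traffic
        key = (e.username, e.c_ip, e.s_port)
        # Assumption: 443 is the only TLS binding; any other port is cleartext.
        s = summary.setdefault(key, {"ping": [], "rejected": [],
                                     "cleartext": e.s_port != "443"})
        if e.uri_stem.lower().endswith("/ping.owa"):
            s["ping"].append(e.status)  # result of the proxy ping request
        elif e.status.startswith(("4", "5")):
            s["rejected"].append((e.uri_stem, f"{e.status}.{e.substatus}"))
    return summary

if __name__ == "__main__":
    for (account, ip, port), s in summarize_proxy(parse(SAMPLE_LOG)).items():
        print(account, ip, "port", port, s)
```

On the sample lines the summary has a single entry for ORG\SGEX01$ on port 80: the ping is answered with 242, /owa/default.aspx is rejected with 403.0, and the traffic is marked cleartext, so name resolution, routing and authentication of the proxying server are not what is failing.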

How about the IIS logs on the Site A CAS? What URL is it trying to connect to? The error you posted before indicates it wants to connect to the https:// internalURL of the SiteB CAS, not the http://
November 9th, 2009 12:44am

Hi,

Please understand that the proxying for the second CAS should be SSL. I suggest you enable SSL on the internal CAS and then check this issue again.

http://msexchangeteam.com/archive/2007/09/04/446918.aspx

Thanks
Allen
November 11th, 2009 1:18pm

This topic is archived. No further replies will be accepted.
