OWA behind CSS/SSL issue

Jun 15th, 2007


Trying to set up OWA behind CSS with SSL termination.

http-header static "FRONT-END-HTTPS: on" is in place.

User can access folders and calendar, but can't see body of the messages

The problem seems to be that user at some point tries to use http instead of https, and because frontend and backend rules have different IP addresses it is impossible to access OWA via http directly from client.

Tried some other commands around http-header and urlrewrite, didn't work

Any help is appreciated


Syed Iftekhar Ahmed Fri, 06/15/2007 - 15:29


uses several other methods that are not recognized by default on the CSS so you will need

to add the functionality by running

css#script play setup_owa_methods


Gilles Dufour Sun, 06/17/2007 - 00:28


If the user tries to use HTTP at some point, there could be some 302 redirect in your OWA server.

You might want to configure a urlrewrite function in order to convert from http to https.

But you should verify first if this is the case.

Try to sniff the client traffic and decode it with ssldump or wireshark using the server key.


a.gesse Sun, 06/17/2007 - 05:30


Have tried it already.

Urlrewrite for "*" and explicitly defined frontend and backend ports as 443 and 80.

Sniffer showed 302 types redirects were coming with https.

Clients can see folders, calendar, subjects.

Can't see message bodies only.

Will start with clean config on Monday, what would you say is the recommended list of commands:

1. script play setup_owa_methods

2. static http-header "FRONTEND HTTPS=on"

3. urlrewrite ?

4. ?



Syed Iftekhar Ahmed Sun, 06/17/2007 - 15:35

You should have following two entries under SSL proxy list

ssl-server x http-header static "FRONT-END-HTTPS: ON"

ssl-server x urlrewrite 1 yourdomain.com sslport 443 clearport 80


Gilles Dufour Sun, 06/17/2007 - 22:11


Get a sniff and see where the client requests the body and if the server sends it.

Your config is fine. Nothing else is needed.

You may want to bypass the css and capture a sniff as well so you can compare the 2.


a.gesse Mon, 06/18/2007 - 09:18

Sorry for big post.

Still doesn't work - users see subjects, folder, calendar, don't see body.

ip route 1

!************************* INTERFACE *************************
interface e1
  bridge vlan 131
interface e5
  bridge vlan 130
interface e6
  bridge vlan 130

!************************** CIRCUIT **************************
circuit VLAN131
  ip address
circuit VLAN130
  ip address

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list Al#1-list
  ssl-server 10
  ssl-server 10 rsakey RSAKEYASS#1
  ssl-server 10 rsacert RSACERTASS#1
  ssl-server 10 vip address
  ssl-server 10 cipher rsa-with-3des-ede-cbc-sha 80
  ssl-server 10 cipher rsa-with-rc4-128-sha 80
  ssl-server 10 cipher rsa-with-rc4-128-md5 80
  ssl-server 10 urlrewrite 2
  ssl-server 10 http-header static "FRONT-END-HTTPS: on"

!************************** SERVICE **************************
service OWA1
  protocol tcp
  port 80
  ip address
  keepalive uri "/adam.html"
  keepalive type http
  keepalive port 80

service ssl-mod
  type ssl-accel
  keepalive type none
  add ssl-proxy-list Al#1-list
  slot 2

!*************************** OWNER ***************************
owner OWA_OWA
  content back.owa
    add service OWA1
    add service OWA2
    advanced-balance sticky-srcip
    protocol tcp
    port 80
    url "/*"
    sticky-inact-timeout 240
    vip address

  content front.owa
    vip address
    protocol tcp
    port 443
    add service ssl-mod

~~~~~~Server answers to client with HTTPS (static header is working presumably):

~~~~~ Some other stuff from server also have HTTPS


height="16" id=idPageControl_PrevPage onclick="idMsgViewer.previousPage()" title="Previous Page"



id=idPageControl_NextPage onclick="idMsgViewer.nextPage()" title="Next Page"


width="16" height="16" id=idPageControl_LastPage onclick="idMsgViewer.page = -1"

~~~~~~ Client requests:

SEARCH /exchange/userone/Inbox/ HTTP/1.1

Accept: */*


translate: f

brief: t

Content-Type: text/xml

~~~~~~ Server responds with

HTTP/1.1 207 Multi-Status

Date: Mon, 18 Jun 2007 16:02:38 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Content-Type: text/xml

Accept-Ranges: rows

Content-Range: rows 0-5; total=6

MS-WebStorage: 6.5.7638

MS-WebStorage: 6.5.7638

Transfer-Encoding: chunked

X-Powered-By: ASP.NET

Cache-Control: no-cache


<?xml version="1.0"?>

xmlns:c="xml:" xmlns:a="DAV:">0-5

HTTP/1.1 200 OK< ~~~ (skipped)

~~~~~~~~~ And here I see HTTP instead of HTTPS (?) Something wrong ?


Gilles Dufour Tue, 06/19/2007 - 00:09

The urlrewrite function does not parse the http body. Only the header.

So, if the server sends an http link in the body, that's what the client will see.

I'm not sure why the Exchange server is doing this.

But what you can try to do is implement an http rule to redirect the traffic to https.

Try something like

service redirect
  keepalive type none
  ip address
  type redirect
  no prepend-http

owner OWA_OWA
  content http_redirect
    vip address
    protocol tcp
    port 80
    add service redirect


Let me know if this works.
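The gap described in the post above (the rewrite touches headers only, so `http://` links in the body reach the client unchanged), as an added example that is not part of the original thread. It is a simplified model run against a constructed, already-decrypted response; the host name `owa.example.com`, the sample response and both function names are assumptions, and chunked encoding is not decoded.

```python
import re

# Constructed sample of a decrypted server response (not taken from the thread's capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://owa.example.com/exchange/userone/Inbox/\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<frame src="http://owa.example.com/exchange/userone/Inbox/msg.EML?Cmd=open">\r\n'
    b'<a href="https://owa.example.com/exchange/userone/Calendar/">cal</a>\r\n'
)

def split_message(raw: bytes):
    """Split a raw HTTP message into (header lines, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n"), body

def rewrite_location_only(raw: bytes, host: str) -> bytes:
    """Model of a header-only rewrite: http -> https in Location, body untouched."""
    lines, body = split_message(raw)
    prefix = b"http://" + host.encode()
    out = []
    for line in lines:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"location" and value.strip().startswith(prefix):
            line = name + b": https://" + value.strip()[len(b"http://"):]
        out.append(line)
    return b"\r\n".join(out) + b"\r\n\r\n" + body

def cleartext_links(raw: bytes, host: str):
    """Return the http:// URLs for `host` found in the headers and in the body."""
    lines, body = split_message(raw)
    pat = re.compile(rb"http://" + re.escape(host.encode()) + rb"[^\s\"'<>]*", re.I)
    in_headers = [m.decode() for line in lines[1:] for m in pat.findall(line)]
    in_body = [m.decode() for m in pat.findall(body)]
    return {"headers": in_headers, "body": in_body}

if __name__ == "__main__":
    rewritten = rewrite_location_only(SAMPLE_RESPONSE, "owa.example.com")
    print("before:", cleartext_links(SAMPLE_RESPONSE, "owa.example.com"))
    print("after: ", cleartext_links(rewritten, "owa.example.com"))
```

Any URL still listed under `body` after the rewrite is one the client will request over plain HTTP, which is what the port 80 redirect rule then has to catch.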


a.gesse Tue, 06/19/2007 - 08:33

Thanks Gilles, very much

It makes it work finally.

The question becomes is it the way how it is supposed to be, because there is still "http://" in the bottom line during loading, and these messages regarding secure/unsecure content mix.



Gilles Dufour Tue, 06/19/2007 - 21:44


Yes, we had to adjust the config because the server sends http:// links.

Normally, with the "front-end-https: on" it's supposed to only send https links.

Maybe this is because by default the CSS only inserts the header once.

You can try the following command to see if it makes a difference :

ssl-server http-header insert-per-request

I'm glad we finally have a solution.

Sniffer trace is always the best way to troubleshoot :-)
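One way to test the "header inserted only once" hypothesis from the post above in a server-side capture, as an added example that is not part of the original thread: walk every request on a single keep-alive connection and list the ones that arrive without FRONT-END-HTTPS. The sample stream, host name and function name are constructed for illustration; request bodies are assumed to be delimited by Content-Length (no chunked requests).

```python
# Constructed sample: three requests reassembled from one server-side TCP stream.
BODY = b"<searchrequest/>"
SAMPLE_STREAM = (
    b"GET /exchange/userone/Inbox/ HTTP/1.1\r\n"
    b"Host: owa.example.com\r\nFRONT-END-HTTPS: on\r\n\r\n"
    + b"SEARCH /exchange/userone/Inbox/ HTTP/1.1\r\n"
    + b"Host: owa.example.com\r\nContent-Type: text/xml\r\n"
    + b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY
    + b"GET /exchange/userone/Inbox/msg.EML?Cmd=open HTTP/1.1\r\n"
    + b"Host: owa.example.com\r\n\r\n"
)

def requests_missing_header(stream: bytes, header: str = "front-end-https"):
    """Return (index, request line) for each request on the connection lacking `header`."""
    missing, pos, index = [], 0, 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # truncated capture: stop at the last complete header block
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        if header not in headers:
            missing.append((index, lines[0]))
        # Skip the request body so its bytes are not parsed as the next request.
        pos = end + 4 + int(headers.get("content-length", "0"))
        index += 1
    return missing

if __name__ == "__main__":
    for idx, request_line in requests_missing_header(SAMPLE_STREAM):
        print(f"request #{idx} has no FRONT-END-HTTPS header: {request_line}")
```

If only the first request on each connection carries the header, the later ones are the requests for which the server falls back to `http://` links.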


