Exchange 2003 Migration

Recently had the pleasure of helping a friend with an Exchange 2003 move from Exchange 5.5. Went very well and we ended up decommissioning the Exchange 5.5 box well ahead of the plan. We wanted to provide all the great mobility value that Exchange 2003 provides so that they could get mail on their phones etc. We had ISA Server front-ending the installation, with it reverse proxying the Outlook Web Access and SMTP in, but we wanted to ensure it was secured. We had two options. We could install the Thawte cert on the Exchange box behind and provide direct access to it with a server publishing rule, or we could put the cert on the ISA Front End and reverse proxy it. We chose the latter for obvious reasons. While I was configuring it in ISA (at the airport lounge!) and enabling the use of SSL, I kept running into this problem where, as I logged on to OWA, a dialog box would prompt and say "This page contains both secure and nonsecure items. Do you want to display the nonsecure items?". Hey, that's not what I expected? Surely ISA should be making a separate (non-SSL) connection internally and doing the right thing?

Then a partner who was with me in the lounge said "Hey I know that one...there's a Q article for it around custom HTTP headers". I found it. It was Q307347 and described my issue perfectly. Here's how you do it:

  1. Obtain and install the latest service pack for ISA Server 2000. For additional information about how to do so, click the article number below to view the article in the Microsoft Knowledge Base:

    313139 How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack

  2. Stop the Web Proxy service.

  3. Start Registry Editor.

  4. Locate and click the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters

  5. Create a new DWORD value that is named AddFrontEndHttpsHeader, and then give this new value a data value of 1.

  6. Start the Web Proxy service.

It worked! This only works for Exchange though. Of course I could have separately re-encrypted the session from the ISA box to the Exchange box but I didn't have the PKI set up at the time.
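
To confirm the fix from the client side, the following added example (not part of the original post or the KB article) scans a page delivered over HTTPS for sub-resources that would still load over plain HTTP, which is what triggers the "secure and nonsecure items" prompt. It assumes the registry value makes ISA send a `Front-End-Https: on` request header to the back end (the header name is not given in the post); `render_backend_page`, the host name and the paths are constructed stand-ins, not Exchange code.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs the browser fetches while rendering the page.
# <a href> is left out: a link is not loaded until the user clicks it.
FETCHED = {("script", "src"), ("img", "src"), ("frame", "src"),
           ("iframe", "src"), ("link", "href"), ("embed", "src")}


class _Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.nonsecure = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in FETCHED:
                absolute = urljoin(self.page_url, value)  # resolve relative URLs
                if urlsplit(absolute).scheme == "http":
                    self.nonsecure.append((tag, absolute))


def find_nonsecure_items(page_url, html):
    """Return (tag, url) for every sub-resource an HTTPS page loads over HTTP."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https")
    collector = _Collector(page_url)
    collector.feed(html)
    collector.close()
    return collector.nonsecure


def render_backend_page(request_headers, host="mail.example.test"):
    """Toy back end (hypothetical, not Exchange code): it only sees the plain
    HTTP hop from the proxy, so it writes http:// URLs unless told otherwise."""
    offloaded = request_headers.get("Front-End-Https", "").lower() == "on"
    base = f"{'https' if offloaded else 'http'}://{host}/static"
    return (f'<html><head><script src="{base}/nav.js"></script></head><body>'
            f'<img src="{base}/logo.gif"><img src="/static/spacer.gif">'
            f'<a href="http://{host}/help">Help</a></body></html>')


if __name__ == "__main__":
    page = "https://mail.example.test/exchange/"
    for headers in ({}, {"Front-End-Https": "on"}):
        print(headers, "->", find_nonsecure_items(page, render_backend_page(headers)))
```

Against a real deployment, feed `find_nonsecure_items` the HTML saved from the published OWA URL; an empty list means the back end is now emitting HTTPS links for everything the page loads.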