I am trying to get Outlook Web Access working in a mixed environment (2003 and 2007). If I browse out to https://servername/owa on the externally facing CAS server I get redirected to the server that is hosting my mailbox. If I type in https://servername/exchange I get a "403 - Forbidden: Access is denied" error message. I currently have all the sites on the externally facing CAS server configured to forms authentication. The other servers are setup to use intergrated authentication. The server where my mailbox resides has the roles Mailbox, HUB, CAS...

I actually saw this as well (which is what got me first looking at my "missing" virtual directories which you helped me "resolve"). Today when I tried it, I no longer received the error you described above. Instead it re-directed just fine... Go figure. Can you provide any more detail about your topology? I know that MSFT doesn't expect/support a 2007 CAS/Mailbox in a 2003 Org to proxy OWA to the 2003 servers. I.E. 2007 CAS only proxies to back end 2003 mailbox serverwhen the CAS role is intalled on a server w/o the mailbox role (you can combine the CAS and Hub Transport roles on the same box with no issues for OWA redirection to 2000/2003 back-end servers). http://msexchangeteam.com/archive/2007/02/07/434523.aspx http://msexchangeteam.com/archive/2007/09/10/446957.aspx http://support.microsoft.com/kb/932438 Again though, you aren't crazy as I saw the exact same error which made me go to look for the /exchange directory config so I could confirm what was going on (then I got side tracked trying to find it since it got "moved" by SP1's logic of "oh you have the CAS and Mailbox role on the same box, so I am going to display the virtual directories in a different locaiton"). I don't know why mine just started working recently either as I hadn't made any changes. Anyway the more info you provide, the more I might be able to look at the problem abstractly.

Here is my current setup.Site 1: Exchange 2007 server with CAS role Exchange 2003 server (Backend)Exchange 2003 server (Front End)Site 2: Exchange 2003 server (Backend) Exchanage 2007 Server CAS, HUB, MailboxI am use the CAS server in site 1 to replace the 2003 front end server. When I browse out to https://siteoneex2k7/owa i get this wonderful errorOutlook Web Access is not currently available for this mailbox because it could not authenticate the connection to the Microsoft Exchange Client Access server that should be used for mailbox access. If the problem continues, contact technical support for your organization.if i try it from https://site2ex2k7/owa it works fine.My guess is i have something configured wrong... i just cant figure out what.

Well I triedwww.mydomain.com/exchange again today from the outside and I get an error that looks like it couldn't re-direct me to another website. So VPN into my internal network and try it, and it re-directs me to https://servername/owa. If I try www.mydomain.com/owa it works fine (they note in the links I provided previously that different DLLs are used for /exchange depending on if the CAS and Mailbox role are installed on teh same server. For your site 1, you will need to use /exchange as that is the potential re-direct for 2000/2003. If the mailbox is on 2000/2003, it will proxy the request to the back-end 2000/2003 server, and will not switch it over to /owa. If the mailbox is on 2007, it re-directs to /owa automatically. For mailboxes in site 2, I am pretty sure that CAS server will only service 2007 mailboxes, and not re-direct to 2003 back-end servers since the CAS and mailbox role are installed in the same server. I would expect that /owa would work fine for any mailboxes that live on the same server, and if you encounter what I am encountering then /exchange wont work for this server, and it also won't support back-end 2003 servers. So you have Exchange 2007 deployed in two different was. A CAS role w/o a mailbox role, and a CAS role w/ a mailbox role. The CAS role behaves differently (as you noted when you helped me out) depending on this configuration. Read the following scenarios listed here: http://technet.microsoft.com/en-us/library/bb885041.aspx Does that make sense? And I just figured out my specific issue of /exchange not properly redirecting to /owa. As we knowwhen you have the CAS role and mailbox role on the same server, it doesn't proxy through to itself the same way as when they are separate. Not having figured out what changed since yesterday, I went and looked at my logs and noticed the server rebooted this morning for automatic updates. So... thinking something had changed and hadn't taken until the server rebooted, I started re-examining the CAS settings again. The internal URL on the OWA virtual directory setting was https://hostname/owa. The external URL was https://www.mydomain.com/owa. Thinking I might have changed a setting in there in the last day or so but hadn't restarted any services or anthing, I changed the internal URL to https://www.mydomain.com/owa and restarted the WWW service. Sure enough /exchange redirected to /owa just fine now. So apparently when both roles are installed on the same server, the /exchange will redirect to the internal URL setting (not just /owa). So on your site 2 mailbox, if your internal and external URL settings on the OWA virtudal directory properties are set the same, then you should be able to log on to the /exchange virtualy directory and have it automatically redirect you to the appropriate /owa virtual directory. It still won't serve up users on the 2003 server though.

Turns out my issue is partly due to the CA and Mailbox role on the same server, which i cant do anything about at this point. We will just have to expose to different url's for the users until everything is complete, which will probably be a couple of years at the minimum. The other half of my issue turned out to be one of my backend exchange machines had / still has a messed up OWA setup. Right now i just cant get the toolbar buttons to work when a user is in 2003 OWA.

Well...You may have some ways to deal with this yet. If you have EVERYONE go to your CAS only server in Site 1, then it should services all 2007 mailboxes in site 1 as well as any 2003 mailbox servers anywhere (if I understanding is correct). If a user in site 2 connects to the CAS role in site 1, it is my understanding that either they will be proxied through to the CAS role in site 2, or simply re-directed to the external URL set on the CAS in site 2 (I haven't tested this out). In either case the CAS role in Site 1 should do the trick for you. It's just the issue of trying to use the CAS role in site 2 directly that won't work the way you want since it has the mailbox server roles. Please test this and respond back to us letting us know how it went. And I am not sure what this issue is with your backend 2003 server and OWA. Perhaps someone was changing the default virtual directories on the host?

the issue of using the CA role on the same box as the Mailbox role is that you have to expose two urls for everything to work correctly. If you go to severname/exchange and have a 2007 mailbox it gives an access denied error. Going to OWA works just fine. Things are beign put on hold until we get some training. Which could be a few weeks yet.

I believe the concept behind the two different External URLs was that you could have everybody use http://www.company.com/exchange and it would auto-redirect you to the externally available OWA server closest so your Mailbox role. So there is some logice behind there. Otherwise if you set the External URL and the Internal URL to the same on the box where the CAS and Mailbox roles are installed, it shouldn't try to re-direct you to \\hostname\owa. Good luck with your testing and please let us know how it goes.