I had an interesting issue put through to me today from our support desk.
Essentially the company that I am working for is running a dual Exchange 2003 and 2007 organisation (interop mode) and gradually moving through the migration process.
This inevitably has led to some users remote users being based on OWA 2003 and OWA 2007. Both OWA 2003 and OWA 2007 are being served up via a pair of Exchange 2007 CAS server running on Windows 2008 (or should I say in the case of OWA 2003 being proxied).
The support call that I received stated that users of OWA 2003 were intermittently getting 404 errors being served up when clicking on random messages within their mailboxes – see below:
The first thing that struck me about this was:
- It was OWA 2003 Users only that had the problem
- The messages that were clicked on were completely random as were the users whom were experiencing the problem
I was getting ready of a long session of reviewing HTTP request logs when I noticed something odd about the subject lines of each message that produced the issue – they all contained a plus (+) symbol – see below:
This rang a bell with me, as it reminded me of an issue that used to occur on Exchange 2003 OWA servers when URLScan was installed. I decided to look up the old article which is located within the article here to reacquaint myself with the exact symptoms.
Now as I have been working with Exchange 2007 installed on Windows 2008 for a little while, I knew that within IIS 7.0 which ships with Windows 2008 there is a new feature called “Request Filtering” which to all intents and purposes an inbuilt version of URLScan.
As per Microsoft:
The new request filtering feature provides powerful lockdown functionality, part of which was available in the popular URLScan tool. You can use request filtering to further lock down your site by rejecting requests containing suspicious data, protecting sensitive resources, or enforcing aggressive request limits.
Essentially the feature of Request Filtering that I was interested in is the “Double Escaping” protection filter (for more information on Request Filtering have a look at the following article: http://learn.iis.net/page.aspx/143/how-to-use-request-filtering/)
Essentially the “Double Escaping” filter rejects URLS that include the “+” symbol, unfortunately OWA 2003 references messages within an Inbox by their subject – for example: “this%20is%20my%20plus+%20example.eml” in order to open them – therefore when a message that contains a “+” in the subject is proxied via an IIS 7.0 based CAS server the URL gets dropped and rejected.
In order to fix this problem I ran the following command on each CAS server within the organisation:
Open a Windows 2008 command prompt on your CAS server then type the following command:
%windir%\system32\inetsrv\appcmd set config “Default Web Site” -section:system.webServer/security/requestfiltering -allowDoubleEscaping:true
After running the above command all e-mails opened without a problem.