Wednesday, April 26, 2006

OWA + FBA + EAS Continued

Well, finally cracked it tonight!

OWA + EAS running under its own IIS root, on a DC with no broken DNS, no scary security tweaks and no need to create alternative virtual directories (per mskb Q234022).

OWA is using FBA (Forms Based Authentication) which is by far the best option for OWA and the mobile devices synchronise with EAS (Exchange Active Sync) on the same root.

This was another funny exercise - lots of brain busting, going round in circles, seeing loads of people on the web having the same problem. Once it was all solved though, the solution is relatively simple.

Post me a comment if you want to discuss the solution!

Tuesday, April 18, 2006

Offline Files - broken technology

I'm going to start with a copy and paste from the blog of a Microsoft guy called Jonathan Hardwick (http://blogs.msdn.com/jonathanh/archive/2004/10/06/239025.aspx). I'm doing this because I e-mailed the text below in response to one of his blog posts. Now when I do a Google search relating to Offline Files problems, I spot this and get excited because I think someone else is seeing the same thing - then I realise it's just me. However, he closed this page to comments before I got a chance to go back and reply to his response to my e-mail.

Q: For ages we've been battling with the fact that when a laptop user goes to a remote site, they work quite happily with their My Documents directory cached offline. However, because they are offline, the whole server is flagged as offline. They can go online and access the server, but then the My Documents files start getting dragged across the line - not good if you were on a 9.6k GSM mobile connection from the other side of the planet! I finally found this documented in Q320819. My reading is that before April 2002, it didn't work the way it's now designed. We've basically got to start looking for alternatives but I was wondering if you had any idea or can find someone who knows why.

A: Yes, the offline files algorithm maintains connection state on a per-server basis instead of a per-share basis. This is to prevent hidden dependencies between files on the same server manifesting themselves as inconsistencies between different shares. Having said that, there are two possible solutions I would try:
1. Turn off all automatic synchronization, and force users to synchronize manually. Of course, this may be unacceptable for user-experience reasons, i.e. they forget to ever synchronize and then bitch because "the server lost my files" :-)

2. Use the new slow-link behavior in XP SP2, or alternatively the QFE for XP SP1, WinSE bug 37222. The earlier behavior from KB263097 was that after going offline it would auto-reconnect if the link speed was above 64 KB, set by HKCU\Software\Microsoft\Windows\CurrentVersion\NetCache\SlowLinkSpeed. However, this only affected reconnections rather than the initial connection, so users had to use "csccmd /disconnect" to force files offline on slow links, and it used reported NIC speed, instead of actual end-to-end speed. Not good. With the new behavior, you can set slow-link policy as before, create HKLM\Software\Microsoft\Windows\CurrentVersion\NetCache\GoOfflineOnSlowLink and set it to 1, and reboot. Now, whenever the user logs in, if the connection speed to that server is below their slow link speed setting, they'll remain offline as far as their offline files are concerned.


Now the problem we find is you head offsite to a remote office. You get online and Windows says "OK, slow link, let's go offline". My Documents - nice-n-fast. So you merrily sit and update a few large files, let's say a nice 30Mb PowerPoint file.

Then you want to go to your main fileserver back in head office and grab some files to stick on your local drive (maybe to work on them, or perhaps just to refer to them). So you browse off to the share on the server and you see nothing. Windows says "hey bud, I told you - slow link - you're offline and that's the way it is".

So we can get back online - just force a sync of the offline files. Once it successfully completes, we are back online to the server and we can copy the files. However, there's just the small matter of getting that 30Mb PowerPoint file back to the copy of your My Documents folder on the server. And there lies the problem. Until you get that successful offline sync complete, you are high and dry (or offline and disconnected).

Now put yourself in the position of the sales guy, halfway around the world, working on a GSM 9.6k connection. He's been away a few days, working on a presentation and a quotation, all in his My Documents folder. Just before the big meeting he realises he needs a file from the server. Just a tiny little file (it's all he can realistically manage on a GSM phone without bankruptcy). Well, "we are Windows and Windows say - NO".

Heard a rumour this will be fixed in Vista, but that's still close to a year away before we even have the option to use it. Realistically we'll want another 6 months on that to let the early adopters cry over the spilt milk. Oh - and everyone will need a new computer. Yup, that'll go down a treat.

There are a few third party apps around. We used SecondCopy for a while back in pre-Offline Files (NT4) days. It was OK, but difficult to administer centrally and to monitor. I'm currently trying out Peersoftware's Sync-n-Save application. It's better than SecondCopy, but currently crashing a bit (after a hibernation of the laptop) and it's still difficult to configure centrally. Neither application has the capability to pop up and say "OK, you are away from base, but I can still see your server - do you want me to run, or suspend and automatically resume when you get back to base".

It's usually around this time I pick on the Office Assistants - nice slick bit of programming. I can imagine the team that created them are a pretty clever bunch of people. THEY SHOULD HAVE BEEN PROGRAMMING STUFF THAT MATTERED!

Hmm - I should have an Office Assistants / Waste of Space blog entry, then all I need do is link to it :-)

OWA + FBA + EAS + New Root = Brain Bust

Take Exchange Server 2003, Outlook Web Access (OWA), Forms Based Authentication (FBA), Exchange Active Sync (EAS) {also sometimes called Server Active Sync - SAS} and you have one helluva configuration nightmare. This is especially the case if you have other applications hanging under the Default Web root in IIS. Publishing this lot securely on the Internet is fraught with complexity, pretty difficult to get right and very easy to break.

When it breaks, it can go two ways. You lock everyone out, or they start getting IIS Integrated Security dialogs instead of the nice FBA stuff. Bit of a pain, but very quickly noticeable. The other way is when someone or something accidentally lessens the security on the various roots and that often goes unnoticed for a long time.

Suddenly you are NATing outside traffic into something you really don't want published on the web. I saw someone do this once - not with Exchange specifically, but just a little bit of wrong configuration and they published their company Intranet, with anonymous access to all and sundry. Hey ho - all that very valuable private IPR was suddenly on view to all. It ran like this for about 2-3 months until someone questioned a lot of public connections to an internal FTP server (also hanging off that same IIS box). Like I said - not so easy to spot.

The obvious solution (well, it was to me anyway) was to create a new IIS root plus the relevant Exchange virtual roots and NAT the external traffic into that. We want to use FBA (because quite frankly, using IIS Integrated security for OWA is rather prone to the next person opening up the browser and getting your e-mail) and we want it to work with EAS. Not asking for much!

However, this then takes this relatively complex exercise and turns it into a complete and utter brain bust.

I've been running this sort of configuration in the office for about a year now. EAS works fine (had an XDA, now on an iMate SP5 and neither caused too many problems, over and above the standard raft of problems). However, at the time I didn't get enough time to sort out the FBA, so we use IIS Integrated for the OWA component. The number of people using this is pretty limited and they are all IT people, so they know the issues and logoff, clear cache etc.

I've been back on trying to get FBA working with this config off and on for about a month now. Today (and tonight) it's been getting an onslaught. It's been a pretty dismal experience - there are rafts of people in the newsgroups trying this and almost getting there, but coming up short.

Tonight however, I now have a new root with a new Exchange virtual root, with FBA published over SSL, NATed through the firewall, on a separate IP Address, with the Internal DNS not answering with the wrong IP addresses!

Now all I need to do is factor in the EAS, do some decent testing and then rip the whole thing out to properly document the build process. In the overall scale of OWA/FBA/EAS, the process looks like it should be relatively painless and surprisingly(?) not configured in quite the way it might be expected.

More to come....

Saturday, April 08, 2006

My Documents - dumping ground?

"My Documents" - to me the definition of this would be "documents created by me", or in other words, the various files I create in applications such as Word, Excel, Visio, PowerPoint etc. As a laptop user, these are the files I carry around with me for my day to day work and synchronise back onto the server for backup (using PeerSync from Peersoftware as opposed to XP Offline Files, which causes way too much bother and will be the subject of another post).

However, it seems many software companies have taken the stance that this is actually a good dumping ground for any files which they might consider pertain to me, even loosely. So I edit some video in Premiere Elements 2.0 and find a 130Mb work file down in My Documents. I have a couple of PDF engines on my laptop, one which I purchased and one which arrived with some other software application (possibly Sage Accounts). OK, we'll just dump copies of various PDFs we create in your My Documents.

SQL Server Studio 2005 has its day down there with a pile of settings. I also have a raft of other "My" folders, just to somehow suggest to me that the data is mine. My Pictures, My Videos, My Received Files, My Skype Content, My Skype Pictures, My eBooks, My Music, My Maps.

So I'm working remotely and figure I've created some documents I'd like synchronised back to the server. It's only a few K, so doing a sync over VPN is fine. Except it ends up being a few Meg or a few hundred Meg because of all the apps that have been dumping in My Documents.

Then we get many of the various users we look after, with laptops, complaining about how long it takes to sync their My Documents folder. Well, that'll be the 500 digital photographs you took, and the upload application, or the operating system, stuck them all in My Pictures, right below My Documents. Hardly their fault - the software decides where it's all going, but they suffer for it.

Of course, the quick solution is just to bin all this "junk", but you've no idea what it might break, or what you might lose.

Much more amazing is why these applications aren't writing to the Application Data or Local Settings folders. Plus, what hope do we have when the very people who designed all this stuff continue to break their own rules? They even break it the other way and stick these all-important PST files (whether they be the main mail store, or merely archive files for Exchange) away down the hidden Local Settings directories. More likely than not, this is because they can't replicate them with the Windows Offline Files "technology", so it's a sort of "out of sight, out of mind" solution.

"My Documents" - nah - should be renamed to "My Dumping Ground, Everyone Welcome"...