If you are looking at implementing remote access to Outlook Web Access 2007 through Citrix Access Gateway Advanced, you’ll find that things aren’t going to work as expected, and currently this configuration is not supported by Citrix.
After upgrading our internal Exchange organisation to Exchange Server 2007 (we have a single server implementation), I’ve found that Outlook Web Access no longer works through the Access Gateway Advanced Access Navigator interface. Instead of the user being presented with OWA they see this page:
No amount of attempting to log into OWA through this interface will result in a successful login. Looking at a packet capture of the initial logon attempt, the Access Gateway sends the initial GET request and the Exchange server responds with a 401 and sends back the authentication options, as you can see here:
- HTTP: Response, HTTP/1.1, Status Code = 401
    ProtocolVersion: HTTP/1.1
    StatusCode: 401, Unauthorized
    Reason: Unauthorized
    ContentLength: 1656
    ContentType: text/html
    Server: Microsoft-IIS/6.0
    WWWAuthenticate: Negotiate
    WWWAuthenticate: NTLM
    WWWAuthenticate: Basic realm="exchange.company.local"
    X-Powered-By: ASP.NET
    Date: Wed, 09 May 2007 05:10:18 GMT
    HeaderEnd: CRLF
One glaring issue with this response is that the realm used for Basic authentication is the name of the server, not the domain name as specified in the IIS configuration, but I think that’s another issue. AAC does attempt NTLM authentication in the next packet - this is the GET request (I’ve truncated the Authorisation field):
- HTTP: Request, GET /owa
    Command: GET
  + URI: /owa
    ProtocolVersion: HTTP/1.1
    Connection: Keep-Alive
    Via: 1.1 FW
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint
    Accept-Language: en-au
    Cookie: LPNAME=/CitrixLogonPoint/navui/;
    UA-CPU: x86
    UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322; InfoPath.2)
    Host: exchange.company.local
    Cache-Control: no-cache
    Pragma: no-cache
    Authorization: Negotiate YIIKuAYGKwYBBQUCoIIKrDCCCqigJDAiBgkqhki..
The Exchange server again responds with HTTP 401 and this process then repeats for another round until the AAC gives up on authenticating and displays the page seen above. Unfortunately I can’t work out a reason for this behaviour and don’t have a solution, but it’s something you should be aware of before you start upgrading to Exchange Server 2007. Hopefully we’ll see a resolution from Citrix soon.
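As an added example (not part of the original post), this Python script reads the two captured messages above: it lists the authentication schemes the Exchange server offered and inspects the leading bytes of the truncated Authorization token to tell a SPNEGO-wrapped token from a raw NTLMSSP message. The function names are hypothetical; the header lines and token are the ones shown in the capture.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")   # 1.3.6.1.5.5.2
NTLMSSP_SIG = b"NTLMSSP\x00"

# Lines copied from the post's capture; the token is truncated there ("..").
CHALLENGE = [
    "WWWAuthenticate: Negotiate",
    "WWWAuthenticate: NTLM",
    'WWWAuthenticate: Basic realm="exchange.company.local"',
]
REPLY = "Negotiate YIIKuAYGKwYBBQUCoIIKrDCCCqigJDAiBgkqhki.."


def offered_schemes(header_lines):
    """Schemes the server offered, in order, from WWW-Authenticate lines."""
    schemes = []
    for line in header_lines:
        name, _, value = line.partition(":")
        # The capture tool prints the header name without its hyphen.
        if name.replace("-", "").lower() == "wwwauthenticate" and value.strip():
            schemes.append(value.split()[0])
    return schemes


def classify_token(authorization_value):
    """Return (scheme, token kind, declared GSS body length or None)."""
    scheme, _, b64 = authorization_value.strip().partition(" ")
    b64 = b64.strip().rstrip(".")
    b64 = b64[: len(b64) - len(b64) % 4]      # keep whole base64 quads only
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIG):
        return scheme, "raw NTLMSSP", None
    if len(raw) < 2 or raw[0] != 0x60:        # 0x60 = GSS-API initial token
        return scheme, "unknown", None
    if raw[1] < 0x80:                         # DER short-form length
        length, off = raw[1], 2
    else:                                     # DER long-form length
        n = raw[1] & 0x7F
        length, off = int.from_bytes(raw[2:2 + n], "big"), 2 + n
    is_spnego = raw[off:off + 8] == b"\x06\x06" + SPNEGO_OID
    return scheme, "SPNEGO" if is_spnego else "other GSS-API", length


if __name__ == "__main__":
    print(offered_schemes(CHALLENGE))
    print(classify_token(REPLY))
```

For the token in the capture, this reports a SPNEGO token whose header declares a 2744-byte body.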
UPDATE: I haven’t had an opportunity to test this out yet, but check out this thread at the Citrix Forums for some information on getting the CAG and OWA 2007 working.