Error message when accessing the mailbox being proxied by a CAS server in other than the mailbox AD site:
The page must be viewed over a secure channel
The page you are trying to access is secured with Secure Sockets Layer (SSL).
Please try the following:
Type https:// at the beginning of the address you are attempting to reach and press ENTER.
HTTP Error 403.4 – Forbidden: SSL is required to view this resource.
Note that the URL is /exchange. It should be /OWA, because the user is located on a Exchange 2007 Mailbox / CAS server
This error was caused by the CAS server in the secondary AD site, requiring SSL on the /Exchange virtual directory. (or in other words, the solution was to set the IIS not to require SSL on the Exchange virtual directory only) The problem was that the Exchange 2007 CAS server was not redirecting to the /OWA virtual directory, but after changing the config, it is redirected (and still using SSL)
Another error was found in the same setup, but this was easier to figure out:
Error message in IE:
Outlook Web Access is not currently available for the user mailbox that you are trying to access. If the problem continues, contact technical support for your organization and tell them the following: The Microsoft Exchange Client Access server that is proxying the Outlook Web Access requests is running an older version of Microsoft Exchange than the Client Access server in the mailbox Active Directory site.
The Event Viewer on the Internet facing CAS server shows this event:
Event Type: Error
Event Source: MSExchange OWA
Event Category: Proxy Event ID: 46
Computer: CAS Server
Client Access server “https://webmail.domain.com/owa“, running Microsoft Exchange version “22.214.171.124”, is proxying Outlook Web Access traffic to Client Access server “second-CAS.domain.com”, which runs Exchange version “8.1.278.2”. To ensure reliable interoperability, the proxying Client Access server needs to be running a newer version of Exchange than the Client Access server it is proxying to. If the proxying Client Access server is running a newer version of Exchange than the Client Access server it is proxying to, the proxying Client Access server needs to have an Outlook Web Access resource folder (for example, “<Exchange Server installation path>)ClientAccessowa8.0.498.0″ that contains all the same versioned resource files as the Client Access server it is proxying to. If you will be running Outlook Web Access proxying with mismatched server versions, you can manually copy this resource folder to the proxying Client Access server.
Update all Exchange servers to the same build number (service pack & Patch level)