Solved: Configure Sonicwall TZ190 Firewall to allow access to OWA from external clients using IP

you'll want to run the public server wizard. see below for a sonicwall KB on how to set this up.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7027

for OWA you'll want https, but you may want http also. there is a service group when you run the wizard that will contain both http/https, but if you want just https, there's a service object for that as well.

lscarafile

ASKER

I've followed these steps and still can't get through. Is there a IIS component that needs to be linked some how? How does the firewall know what to do with OWA.

Thanks

lscarafile

ASKER

Internally I connect using https://10.10.10.1/owa

digitap

that should be it. when you put type https://public_ip/owa in a browser, you are requesting https traffic to your exchange server. the public server wizard should have setup the nat policies and firewall access rules to allow that traffic.

do you have the management interface enabled on the WAN? go to network > interfaces and edit the WAN interface. see if management is enabled. if it is, then https will fail to your exchange server unless you changed the default https port for the management interface of the sonicwall.

sunnyc7

digitap
thanks for the heads-up on this.

@luciano
can you output the results of this command from exchange shell

get-owavirtualdirectory | fl

thanks

lscarafile

ASKER

Hi sunnyc7,

As requested, here are the results :

GzipLevel : Off
MetabasePath : IIS://EXCHANGE.int.automa
ted.com/W3SVC/1/ROOT/Publ
ic
FilterWebBeaconsAndHtmlForms :
NotificationInterval :
DefaultTheme :
UserContextTimeout :
ExchwebProxyDestination : NotSpecified
VirtualDirectoryType : PublicFolders
OwaVersion : Exchange2003or2000
RedirectToOptimalOWAServer :
DefaultClientLanguage :
LogonAndErrorLanguage : 0
UseGB18030 :
UseISO885915 :
OutboundCharset :
CalendarEnabled :
ContactsEnabled :
TasksEnabled :
JournalEnabled :
NotesEnabled :
RemindersAndNotificationsEnabled :
PremiumClientEnabled :
SpellCheckerEnabled :
SearchFoldersEnabled :
SignaturesEnabled :
ThemeSelectionEnabled :
JunkEmailEnabled :
UMIntegrationEnabled :
WSSAccessOnPublicComputersEnabled :
WSSAccessOnPrivateComputersEnabled :
ChangePasswordEnabled :
UNCAccessOnPublicComputersEnabled :
UNCAccessOnPrivateComputersEnabled :
ActiveSyncIntegrationEnabled :
AllAddressListsEnabled :
RulesEnabled :
PublicFoldersEnabled :
SMimeEnabled :
RecoverDeletedItemsEnabled :
Path : \\.\BackOfficeStorage\tag
group.ca\Public Folders
Server : EXCHANGE
InternalUrl :
ExternalUrl :
ExternalAuthenticationMethods : {Fba}
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=Public (Default Web Si
te),CN=HTTP,CN=Protocols,
CN=EXCHANGE,CN=Servers,CN
=Exchange Administrative
Group (FYDIBOHF23SPDLT),C
N=Administrative Groups,C
N=Automated,CN=Microsoft
Exchange,CN=Services,CN=C
onfiguration,DC=int,DC=au
tomated,DC=com
Identity : EXCHANGE\Public (Default
Web Site)
Guid : 81ec3e3e-6c13-4a89-b976-4
0963cafe3b0
ObjectCategory : int.automated.com/Configu
ration/Schema/ms-Exch-OWA
-Virtual-Directory
ObjectClass : {top, msExchVirtualDirect
ory, msExchOWAVirtualDire
ctory}
WhenChanged : 25/09/2010 1:00:01 PM
WhenCreated : 25/09/2010 1:00:01 PM
OriginatingServer : server1.int.automated.com
IsValid : True

Name : Exchweb (Default Web Site
)
WebSite : Default Web Site
DisplayName : Exchweb
DirectFileAccessOnPublicComputersEnabled :
DirectFileAccessOnPrivateComputersEnabled :
WebReadyDocumentViewingOnPublicComputersEnabled :
WebReadyDocumentViewingOnPrivateComputersEnabled :
ForceWebReadyDocumentViewingFirstOnPublicComputers :
ForceWebReadyDocumentViewingFirstOnPrivateComputers :
RemoteDocumentsActionForUnknownServers :
ActionForUnknownFileAndMIMETypes :
WebReadyFileTypes :
WebReadyMimeTypes :
WebReadyDocumentViewingForAllSupportedTypes :
WebReadyDocumentViewingSupportedMimeTypes :
WebReadyDocumentViewingSupportedFileTypes :
AllowedFileTypes :
AllowedMimeTypes :
ForceSaveFileTypes :
ForceSaveMimeTypes :
BlockedFileTypes :
BlockedMimeTypes :
RemoteDocumentsAllowedServers :
RemoteDocumentsBlockedServers :
RemoteDocumentsInternalDomainSuffixList :
FolderPathname : \\.\BackOfficeStorage\tag
group.ca\ExchWeb
Url :
InternalAuthenticationMethods : {Basic, Ntlm, WindowsInte
grated}
LogonFormat : FullDomain
ClientAuthCleanupLevel : High
DefaultDomain :
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
FormsAuthentication : False
GzipLevel : Off
MetabasePath : IIS://EXCHANGE.int.automa
ted.com/W3SVC/1/ROOT/Exch
web
FilterWebBeaconsAndHtmlForms :
NotificationInterval :
DefaultTheme :
UserContextTimeout :
ExchwebProxyDestination : MailboxServer
VirtualDirectoryType : Exchweb
OwaVersion : Exchange2003or2000
RedirectToOptimalOWAServer :
DefaultClientLanguage :
LogonAndErrorLanguage : 0
UseGB18030 :
UseISO885915 :
OutboundCharset :
CalendarEnabled :
ContactsEnabled :
TasksEnabled :
JournalEnabled :
NotesEnabled :
RemindersAndNotificationsEnabled :
PremiumClientEnabled :
SpellCheckerEnabled :
SearchFoldersEnabled :
SignaturesEnabled :
ThemeSelectionEnabled :
JunkEmailEnabled :
UMIntegrationEnabled :
WSSAccessOnPublicComputersEnabled :
WSSAccessOnPrivateComputersEnabled :
ChangePasswordEnabled :
UNCAccessOnPublicComputersEnabled :
UNCAccessOnPrivateComputersEnabled :
ActiveSyncIntegrationEnabled :
AllAddressListsEnabled :
RulesEnabled :
PublicFoldersEnabled :
SMimeEnabled :
RecoverDeletedItemsEnabled :
Path : \\.\BackOfficeStorage\tag
group.ca\ExchWeb
Server : EXCHANGE
InternalUrl :
ExternalUrl :
ExternalAuthenticationMethods : {Fba}
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=Exchweb (Default Web S
ite),CN=HTTP,CN=Protocols
,CN=EXCHANGE,CN=Servers,C
N=Exchange Administrative
Group (FYDIBOHF23SPDLT),
CN=Administrative Groups,
CN=Automated,CN=Microsoft
Exchange,CN=Services,CN=
Configuration,DC=int,DC=a
utomated,DC=com
Identity : EXCHANGE\Exchweb (Default
Web Site)
Guid : dbae71b8-98cb-4f7a-bf5b-6
d16727322b2
ObjectCategory : int.automated.com/Configu
ration/Schema/ms-Exch-OWA
-Virtual-Directory
ObjectClass : {top, msExchVirtualDirect
ory, msExchOWAVirtualDire
ctory}
WhenChanged : 25/09/2010 1:00:04 PM
WhenCreated : 25/09/2010 1:00:04 PM
OriginatingServer : server1.int.automated.com
IsValid : True

Name : Exadmin (Default Web Site
)
WebSite : Default Web Site
DisplayName : Exadmin
DirectFileAccessOnPublicComputersEnabled :
DirectFileAccessOnPrivateComputersEnabled :
WebReadyDocumentViewingOnPublicComputersEnabled :
WebReadyDocumentViewingOnPrivateComputersEnabled :
ForceWebReadyDocumentViewingFirstOnPublicComputers :
ForceWebReadyDocumentViewingFirstOnPrivateComputers :
RemoteDocumentsActionForUnknownServers :
ActionForUnknownFileAndMIMETypes :
WebReadyFileTypes :
WebReadyMimeTypes :
WebReadyDocumentViewingForAllSupportedTypes :
WebReadyDocumentViewingSupportedMimeTypes :
WebReadyDocumentViewingSupportedFileTypes :
AllowedFileTypes :
AllowedMimeTypes :
ForceSaveFileTypes :
ForceSaveMimeTypes :
BlockedFileTypes :
BlockedMimeTypes :
RemoteDocumentsAllowedServers :
RemoteDocumentsBlockedServers :
RemoteDocumentsInternalDomainSuffixList :
FolderPathname : \\.\BackOfficeStorage
Url :
InternalAuthenticationMethods : {Basic, Ntlm, WindowsInte
grated}
LogonFormat : FullDomain
ClientAuthCleanupLevel : High
DefaultDomain :
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
FormsAuthentication : False
GzipLevel : Off
MetabasePath : IIS://EXCHANGE.int.automa
ted.com/W3SVC/1/ROOT/Exad
min
FilterWebBeaconsAndHtmlForms :
NotificationInterval :
DefaultTheme :
UserContextTimeout :
ExchwebProxyDestination : NotSpecified
VirtualDirectoryType : Exadmin
OwaVersion : Exchange2003or2000
RedirectToOptimalOWAServer :
DefaultClientLanguage :
LogonAndErrorLanguage : 0
UseGB18030 :
UseISO885915 :
OutboundCharset :
CalendarEnabled :
ContactsEnabled :
TasksEnabled :
JournalEnabled :
NotesEnabled :
RemindersAndNotificationsEnabled :
PremiumClientEnabled :
SpellCheckerEnabled :
SearchFoldersEnabled :
SignaturesEnabled :
ThemeSelectionEnabled :
JunkEmailEnabled :
UMIntegrationEnabled :
WSSAccessOnPublicComputersEnabled :
WSSAccessOnPrivateComputersEnabled :
ChangePasswordEnabled :
UNCAccessOnPublicComputersEnabled :
UNCAccessOnPrivateComputersEnabled :
ActiveSyncIntegrationEnabled :
AllAddressListsEnabled :
RulesEnabled :
PublicFoldersEnabled :
SMimeEnabled :
RecoverDeletedItemsEnabled :
Path : \\.\BackOfficeStorage
Server : EXCHANGE
InternalUrl :
ExternalUrl :
ExternalAuthenticationMethods : {Fba}
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=Exadmin (Default Web S
ite),CN=HTTP,CN=Protocols
,CN=EXCHANGE,CN=Servers,C
N=Exchange Administrative
Group (FYDIBOHF23SPDLT),
CN=Administrative Groups,
CN=Automated,CN=Microsoft
Exchange,CN=Services,CN=
Configuration,DC=int,DC=a
utomated,DC=com
Identity : EXCHANGE\Exadmin (Default
Web Site)
Guid : 06de8561-cb2b-4e62-9610-d
eaeb25d596a
ObjectCategory : int.automated.com/Configu
ration/Schema/ms-Exch-OWA
-Virtual-Directory
ObjectClass : {top, msExchVirtualDirect
ory, msExchOWAVirtualDire
ctory}
WhenChanged : 25/09/2010 1:00:06 PM
WhenCreated : 25/09/2010 1:00:06 PM
OriginatingServer : server1.int.automated.com
IsValid : True

[PS] C:\Windows\system32>
[PS] C:\Windows\system32>

lscarafile

ASKER

hi digitap,

I've tried both scenarios (management enabled or disabled) and got the same result.

digitap

ok, lets see what sunny says about output above. we'll get it figured out.

digitap

something else...do you have a web server opened up to the internet as well?

sunnyc7

sorry couldnt post earlier, i was driving back from work.
one important thing which I noticed is - ExternalURL field is blank.

I will post back in a few mins, let me get settled in and verify the config's of my exchange 2007.

thanks

lscarafile

ASKER

digitap,

No I do not have a webserver opened up to the internet.
I have an FTP server.

Thanks,
Luciano

sunnyc7

Luciano
Just wanted to recheck from Sonicwall point of view

Do you have ports 80, 25 and 443 open in sonicwall and forwarded to the static IP of the exchange server ?

digitap

this would be found in the NAT policies. network > nat policies. i'm not sure what address object you used for your exchange server, but you'll want to locate that. find the row that indicates the ingress (WAN > LAN) policy. locate the column for service:original and point to it. you should get a call out that lists the services associated with that policy.

when you run the public server wizard, you get three nat policies created. ingress, egress, and loopback.

lscarafile

ASKER

Hello all,

Until now I had everyone VPN'ing in and then accessing OWA as a temporary solution.
How do I forward Port 443 to address 10.10.10.1?

Thanks,

sunnyc7

Check this guide please.
http://www.sonicwall.com/us/support/2134_3121.html

thanks

digitap

public wizard is the best.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7027

choose ssl when asked for the service.

lscarafile

ASKER

Hi digitap,

By SSL... Do you mean check the HTTPS (TCP 443) box ?

sunnyc7

Yes @ SSL means HTTPS TCP 443

digitap

sorry...been on support calls all day...thanks sunny. yes, ssl=443.

lscarafile

ASKER

Still no luck.

I type in the following (with my IP): https://0.0.0.0/owa

I get the following error:

Internet Explorer cannot display the webpage.

sunnyc7

from your exchange server try this
https://localhost/owa

see if you can get the OWA prompt

lscarafile

ASKER

Hi Sunnyc7,

Yes. If I enter https://localhost/owa
I get the OWA prompt with no problems.

digitap

great! glad it worked, http:#a34801127.

digitap

@lscarafile :: i don't typically suggest a factory reset. the public server wizard works every time unless there's a pre-existing config that's preventing it from working. it's clear that you had something like that on your sonicwall. i'm frustrated that you indicated none of the solutions worked, when, after a factory reset, running the public server wizard, as i suggested, DID work. credit where credit is due my friend.

lscarafile

ASKER

None of the suggestions worked.
So I decided to reset the firewall to factory defaults and re-enter my configuration.