kitster510

OWA 2003 Access denied from outside the network

Hi folks,

I am relatively green to MS Exchange 2003, so please bear with me.

Right now we have two Exchange 2003 servers running using Win2k3. The first server, xA, is the "main" exchange server and routes mail to employees at one location and is the gateway to email.

xB is another Exchange 2003 server in another location that uses xA as the host to send and receive mail to and from the outside.

Right now, we have SSL running on the main site "xA" and xA employees who use this server have access to email using OWA from outside the network. xB employees cannot access email from the outside.

We only have one website name https://outlook.xA.com and from inside the network, we are able to access both xA and xB employees mailboxes from the two servers.

Outside the network, only xA employees work. It brings a "Page cannot be displayed" error after the login to xA.

Any advice would be extremely helpful,
Thanks in advance
David Wilhoit

Are both of these boxes mailbox servers, no front end? Firewall redirects the port 443 request?

D
kitster510

ASKER

Hi Kidego-

Yes, both of these boxes are mailbox servers. No front end or backend. Should we configure it frontend and backend instead, or is there another way to go about this?

Thanks
Wilson

Just wondering about the Windows auth that you must have enabled internally. It works for both internally, because both servers can authenticate the user. But if the user is on another server, and Windows auth takes precedence, which I believe it does, then it wouldn't refer the 443 request to another server/site. Are both Exchange servers in the same AG?

D
The other server is configured to allow basic and windows integrated auth, yes?

D
D-

What do you mean by "Are both Exchange servers in the same AG?"? What is an AG? Sorry, but I am new to Exchange 2003 after migrating from 5.5.

I believe the other server you are referring to, xB, has basic and Windows integrated auth enabled under IIS: Exchange website, and anonymous authentication is off.

Admin group is an AG. Were both these sites 5.5 before you migrated? If so, they may be in different AGs....if your ESM doesn't show admin groups, you can enable that, by right clicking the org properties in the ESM, and checking the box.

D

Yes sir-

They are both under the same AG under servers, Administrative Group. These sites are brand new to our set of servers and we still have our old 5.5 servers hanging around doing nothing.

ok...are the new servers part of the old 5.5 org, like an ADC migration? Or totally new? Just checking...

No forms based authentication in use here, is there?

D
Oops, I should have been more specific..

the new servers are in a new AD and under a new domain, and are completely independent from the old 5.5 org.

I don't believe we are using a form based authentication.. it's just a login prompt and we have it running SSL.

W
I had this problem when I was moving from one Exchange 2003 server to another.

The problem was...

My internal domain address is not accessible from outside (unless connected via pptp).  i.e. The internal domain names of my exchange servers were something like exchange1.intranet.com and exchange2.intranet.com, while accessing it outside I would use something like Exchange1.FQDN.com and Exchange2.FQDN.com.

My account was on Exchange2, when I would go to the OWA address for Exchange1.FQDN.com, it would forward me to Exchange2.intranet.com because exchange was trying to send me to the name I had on my Active Directory domain, not what I had in my DNS.

I don't know if I make much sense.  Anyways, I never figured it out.  I was moving everyone off the old server anyways so I didn't bother to fix it.
Hi Flood_land

This is the same exact problem we are having... When I log in to OWA as a user on the Exchange2 domain from the outside, it looks into an internal DNS name (which it would never find because it is unregistered) and it times out from there...

If you want to use a single address for OWA access with multiple servers then you only have one choice - and that is to get a third machine to be configured as a frontend server.

If you don't want to use that, then you will need to have two different URLs, two different certificates. The users will need to know what the address is.

The reason it works internally is that OWA redirects the user to the correct server - and as that redirection resolves correctly, the redirection works.

Simon.
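
The redirect behaviour described in the post above can be confirmed from captured responses. The following is an added example, not part of the original thread: it scans response heads recorded from outside the network and reports any redirect whose `Location` host is not a name published in external DNS. The host names (`outlook.xa.example`, `xb.internal.example`), the user paths and the sample responses are constructed placeholders.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_head(raw):
    """Split a raw HTTP response head into (status_code, lower-cased headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def unpublished_redirects(exchanges, published_hosts):
    """Return (request_url, target_url, host) for redirects that point at a
    host which external clients cannot resolve (not in published_hosts)."""
    published = {h.lower() for h in published_hosts}
    findings = []
    for url, raw in exchanges:
        status, headers = parse_head(raw)
        if status not in REDIRECT_CODES or "location" not in headers:
            continue
        # Relative Location values stay on the requested host.
        target = urljoin(url, headers["location"])
        host = (urlsplit(target).hostname or "").lower()
        if host not in published:
            findings.append((url, target, host))
    return findings

# Constructed capture: (requested URL, raw response head) as seen from outside.
SAMPLE = [
    ("https://outlook.xa.example/exchange/",
     "HTTP/1.1 302 Moved Temporarily\r\nLocation: /exchange/usera/\r\n\r\n"),
    ("https://outlook.xa.example/exchange/",
     "HTTP/1.1 302 Moved Temporarily\r\n"
     "Location: https://xb.internal.example/exchange/userb/\r\n\r\n"),
    ("https://outlook.xa.example/exchange/usera/",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
]

if __name__ == "__main__":
    for src, target, host in unpublished_redirects(SAMPLE, ["outlook.xa.example"]):
        print(f"{src} -> {target} (host {host} is not externally published)")
```
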
Simon-

Thanks for the response! :) I noticed on the XB server (the server that works only internally) that it redirects with our AD domain name and adds an extension .org to it, but of course it is unregistered as a domain name or DNS.

My question is: is there a way to change the name it is pointing to, to have it under a domain that we own?

Wilson