Solved

Outlook Web Access from the internet

Posted on 2004-10-01
Last Modified: 2013-11-29
How can I allow for outside/internet users to access my Exchange server from outside the office?  Do I need to set up NAT on my Cisco firewall?  Create an A record with my internet provider?  If so, what should it say?  (exchange.company_name.com)?

This seems so simple but has me stumped.  I can access from the inside but not the outside.

Question by:rmefford
12 Comments
 
LVL 2

Expert Comment

by:etracsupport
ID: 12203874
Well, you will need a DNS record that is public for internet users to locate the email server, which should be something like mail.company_name.com, and you will have to set an ACL to open up ports on the firewall to allow them to access the email server. Yes, you need a static NAT from the public address to your email server.

1. Create DNS records; you will need an A record and an MX record.
2. Create a static NAT on the firewall and set up an access list for 25, 80, 443.
3. Configure IIS for authentication and access.

Depending on your network this may or may not work for you.

Is Exchange on a DMZ? Are you using a spam firewall? Do you have a front end/back end configured?
 
LVL 33

Expert Comment

by:humeniuk
ID: 12203906
Users connect to OWA through IIS, so you'll have to have IIS up and running - I presume you do since users are accessing OWA from inside the network.  Are you accessing OWA (ie. www.microsoft.com/exchange/owa) via the network in your browser?

Users should be able to connect to Exchange via www.yourwebsite.com/exchange assuming that you have a default website set up and your firewall is forwarding internet traffic on port 80 to your web server.  Do you have a website running on the server that is accessible via the internet?
 

Author Comment

by:rmefford
ID: 12203912
I am using a Cisco PIX Firewall 506e and find it a bear to configure.  I am not a Cisco expert, and their PDM interface is hard to understand.  My Exchange is not in the DMZ.

Should the A & MX records both be mail.company.com?  Or will one be an IP address?

Can you help me understand access lists for my Cisco?  Is there a way to easily see which ports are open and which are closed?
 

Author Comment

by:rmefford
ID: 12203948
Yes, users can access OWA through the browser internally, but from outside it doesn't work.  I think my issue may be that the firewall is not forwarding port 80 to my Exchange box.  How can I set this up on my Cisco?  Specifics would help greatly.

Thanks
 
LVL 33

Expert Comment

by:humeniuk
ID: 12204037
If you have OWA working internally via your browser, you can get it working externally.  I agree that it appears that the firewall is the issue.  I'm not familiar with Cisco either, so I can't help you there.

Once you get the router configured, though, you will be able to access OWA by http://<public IP>/exchange or, if you have a domain registered and DNS set up, at http://<your domain>/exchange.  In this case, you don't really need an MX record and you don't need port 25 open, because it's all web-based.  If you have a domain registered, your registrar may offer DNS service.  Otherwise, you can use a free service like www.zoneedit.com.
 
LVL 2

Expert Comment

by:etracsupport
ID: 12204045
Well, you need to set up a translation rule specifying which public IP address and which internal IP address.

Set up an access list:
permit
source 0.0.0.0
subnet 0.0.0.0
destination: email server ip
subnet 255.255.255.255
protocol=tcp
port=http

Then recreate it for https, unless you don't care whether people access their email securely.
 
LVL 2

Expert Comment

by:etracsupport
ID: 12204151
Also, as a correction: humeniuk is correct, you don't need the MX record or port 25 open if all this concerns is OWA.
Sorry for the confusion.
 
LVL 3

Accepted Solution

by:
oldhamuk earned 400 total points
ID: 12204791
The simple way of doing things is to put these commands into the command line interface, or through PDM: under the Tools menu I think there is an option to enter CLI commands.

Where 192.168.0.1 appears, replace it with your public IP on the firewall, and where 10.0.0.1 appears, replace it with your internal Exchange IP address.

access-list 101 permit tcp any host 192.168.0.1 eq ldap
access-list 101 permit tcp any host 192.168.0.1 eq kerberos
access-list 101 permit tcp any host 192.168.0.1 eq https
access-list 101 permit tcp any host 192.168.0.1 eq www

static (inside,outside) tcp 192.168.0.1 ldap 10.0.0.1 ldap netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.0.1 kerberos 10.0.0.1 kerberos netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.0.1 www 10.0.0.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.0.1 https 10.0.0.1 https netmask 255.255.255.255 0 0


The ldap and kerberos are needed for the authentication between the client and the Exchange server. The other thing I must recommend is that once you have got it working, get https (SSL) set up on your Exchange and just use https, and remove the www rule as this is not as secure as https.

To remove the plain http use the following commands.

access-list 101 permit tcp any host 192.168.0.1 eq www
no static (inside,outside) tcp 192.168.0.1 www 10.0.0.1 www netmask 255.255.255.255 0 0

Let me know if you need anymore help.

Regards

Mark
 
LVL 3

Expert Comment

by:oldhamuk
ID: 12204812
Just noticed a typo on the command to remove the http. You need to put a 'no' command at the front of the 'access-list 101 permit tcp any host 192.168.0.1 eq www' like the command below it.

Sorry.

Regards

Mark

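As an added example (not code from the thread, from Mark, or from Cisco), here is a small Python audit of PIX 6.x rules in the form posted above: it parses the access-list and static lines, reports which services are actually reachable from the internet (permitted from 'any' AND forwarded by a static), flags the cleartext www rule the answer says to remove once SSL works, and generates the matching 'no' commands with the prefix on both the access-list and the static line, as corrected in the follow-up. The sample config is constructed with the placeholder addresses from the answer; the extra smtp permit is added to show that a permit without a static does not expose anything.

```python
import re

# Constructed sample (not the poster's live config): the rules from the accepted
# answer plus one smtp permit with no matching static, to show that an ACL
# permit alone does not expose a service.
SAMPLE_CONFIG = """\
access-list 101 permit tcp any host 192.168.0.1 eq ldap
access-list 101 permit tcp any host 192.168.0.1 eq kerberos
access-list 101 permit tcp any host 192.168.0.1 eq https
access-list 101 permit tcp any host 192.168.0.1 eq www
access-list 101 permit tcp any host 192.168.0.1 eq smtp
static (inside,outside) tcp 192.168.0.1 ldap 10.0.0.1 ldap netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.0.1 kerberos 10.0.0.1 kerberos netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.0.1 www 10.0.0.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.0.1 https 10.0.0.1 https netmask 255.255.255.255 0 0
"""

# PIX 6.x syntax as used in the thread: permits from 'any' to one outside
# address, and port-level statics mapping an outside port to an inside host.
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask \S+ \d+ \d+$")
CLEARTEXT = {"www"}  # cleartext service the thread says to drop once SSL works

def _rules(config):
    """Yield (kind, outside_ip, outside_port, inside_ip_or_None, line) per rule."""
    for line in (l.strip() for l in config.splitlines()):
        if m := ACL_RE.match(line):
            yield "acl", m.group(2), m.group(3), None, line
        elif m := STATIC_RE.match(line):
            yield "static", m.group(1), m.group(2), m.group(3), line

def exposed_services(config):
    """Map service -> (outside_ip, inside_ip) for every port that is both
    permitted from 'any' and forwarded by a static on the same address."""
    permitted = {(ip, port) for kind, ip, port, _, _ in _rules(config) if kind == "acl"}
    forwarded = {(ip, port): inside for kind, ip, port, inside, _ in _rules(config) if kind == "static"}
    return {port: (ip, forwarded[(ip, port)]) for (ip, port) in permitted if (ip, port) in forwarded}

def cleartext_findings(config):
    """Exposed services that should be removed in favour of https."""
    return sorted(s for s in exposed_services(config) if s in CLEARTEXT)

def removal_commands(config, service):
    """The 'no ...' lines that undo every ACL entry and static for a service;
    the access-list line needs the 'no' prefix just like the static does."""
    return ["no " + line for _, _, port, _, line in _rules(config) if port == service]
```

Run it against a `show running-config` excerpt in the same format to see which ports are really open from outside, which answers the question asked earlier in the thread.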
 
LVL 13

Expert Comment

by:eatmeimadanish
ID: 12208232
Wow, we are making this ridiculously complicated.  RPC over HTTP is probably the most secure and easiest way of setting this up.  OWA is excellent if you set up SSL, and it can be accessed from anywhere.  You do not want to open your network up any other way to the internet because you expose yourself to hacking and hijacking.  DO NOT OPEN YOUR EXCHANGE TO THE INTERNET.
 
LVL 3

Expert Comment

by:oldhamuk
ID: 12211888
eatmeimadanish has made a valid comment, but I have a lot of customers who want their users to be able to walk up to any computer in the world with an internet connection and be able to read their email. With RPC over HTTP you need an Outlook client to connect and pick up your email.

With some of my customers I have put in a front end Exchange server, and this does all the OWA work and therefore your back end Exchange stays nice and safe, but this does mean buying a second Exchange licence and this is why some of my customers don't go down that route.

At the end of the day you need to weigh up the pros and cons of each method and pick the one that suits you. If you don't need your users to be able to use any machine in the world with an internet connection to collect your email, then look at RPC over HTTP, or even use the Cisco VPN Client and just have them connect to the VPN; then your firewall does not need any ports opening to connect remotely and your Exchange will remain safe behind it.

If you have any questions give me a shout.


Cheers

Mark
 
LVL 33

Expert Comment

by:humeniuk
ID: 12211916
Good comments.  If you have security concerns, consider either of those options - SSL or a VPN setup.  However, those things are moot if we can't get OWA functioning so that it's available via the internet . . . which was the point of the question.
